2020-07-19

2020-07-19 Sunday - Researching - Authentication Strategies for B2B Azure hosted APIs (i.e. North-South)

Photo by Jen Theodore on Unsplash
https://unsplash.com/photos/CiMITAJtb6I


This post is a bit of a brain dump of research I'm doing this weekend on Azure Cloud API Authentication strategies - when you wish to expose a public B2B API for your business partners to consume (i.e. a North-South API Authentication problem).

For the moment, this post will be a bit of a mess - truly a brain dump. But, there are some excellent tidbits in this initial posting to give you a clear path to finding the right answer.  I'll hopefully have time to come back and clean this up later - but no promises.

For the moment, consider this posting to be guidance for "recommended background reading".

Note: as a convention in writing notes for my personal use, I designate the very interesting bits with three asterisks (***)

Important, Read First

***
Microsoft identity platform and the OAuth 2.0 client credentials flow
https://docs.microsoft.com/en-us/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow

"You can use the OAuth 2.0 client credentials grant specified in RFC 6749, sometimes called two-legged OAuth, to access web-hosted resources by using the identity of an application. This type of grant is commonly used for server-to-server interactions that must run in the background, without immediate interaction with a user. These types of applications are often referred to as daemons or service accounts."

"The OAuth 2.0 client credentials grant flow permits a web service (confidential client) to use its own credentials, instead of impersonating a user, to authenticate when calling another web service. In this scenario, the client is typically a middle-tier web service, a daemon service, or a web site."

"For a higher level of assurance, the Microsoft identity platform also allows the calling service to use a certificate (instead of a shared secret) as a credential."

"In the more typical three-legged OAuth, a client application is granted permission to access a resource on behalf of a specific user. The permission is delegated from the user to the application, usually during the consent process. However, in the client credentials (two-legged OAuth) flow, permissions are granted directly to the application itself. When the app presents a token to a resource, the resource enforces that the app itself has authorization to perform an action and not the user."
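The two variants of the flow quoted above, as an added example (my own illustration, not code from the Microsoft docs): the form body a confidential client posts to the v2.0 token endpoint with a shared secret, and the signed client assertion it posts instead when it authenticates with a certificate. Tenant, app and API identifiers are constructed placeholders, and the `sign` callback is an injection point for the real RSA-SHA256 signature over the assertion (nothing is signed for real here). The assertion claims follow the certificate-credentials doc; treat the exact `aud` value as something to confirm against that page for your endpoint.

```python
import base64
import hashlib
import json
import time
import uuid
from typing import Callable, Dict, Optional, Tuple

# Constructed example identifiers; not a real tenant, app registration or API.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
CLIENT_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
API_APP_ID_URI = "api://ffffffff-0000-1111-2222-333333333333"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def token_endpoint(tenant_id: str) -> str:
    # v2.0 token endpoint of the Microsoft identity platform for one tenant.
    return f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def jwt_segment(token: str, index: int) -> Dict:
    # Decode the header (0) or claims (1) segment of a compact JWT.
    seg = token.split(".")[index]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def secret_request(tenant_id: str, client_id: str, client_secret: str,
                   api_app_id_uri: str) -> Tuple[str, Dict[str, str]]:
    # Client credentials grant with a shared secret; the body is POSTed as
    # application/x-www-form-urlencoded to the returned URL.
    # scope must be <resource app ID URI>/.default: the v2.0 endpoint issues
    # every application permission the tenant admin consented to, there is
    # no per-request scope selection for app-only tokens.
    return token_endpoint(tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": f"{api_app_id_uri}/.default",
    }


def client_assertion(tenant_id: str, client_id: str, cert_der: bytes,
                     sign: Callable[[bytes], bytes],
                     now: Optional[int] = None) -> str:
    # JWT the caller signs with the private key of a certificate registered
    # on its app registration (RS256). `sign` is injected: in production it
    # is RSA-PKCS1v15-SHA256 over the signing input (e.g. via the
    # cryptography package); this example does not sign anything for real.
    now = int(time.time()) if now is None else now
    header = {
        "alg": "RS256",
        "typ": "JWT",
        # x5t: base64url SHA-1 thumbprint of the DER certificate; Azure AD
        # uses it to select the registered public key.
        "x5t": b64url(hashlib.sha1(cert_der).digest()),
    }
    claims = {
        "aud": token_endpoint(tenant_id),  # bind the assertion to this endpoint
        "iss": client_id,
        "sub": client_id,
        "jti": str(uuid.uuid4()),          # unique id so replays can be rejected
        "nbf": now,
        "exp": now + 600,                  # keep assertions short-lived
    }

    def compact(obj: Dict) -> bytes:
        return json.dumps(obj, separators=(",", ":")).encode("utf-8")

    signing_input = b64url(compact(header)) + "." + b64url(compact(claims))
    return signing_input + "." + b64url(sign(signing_input.encode("ascii")))


def certificate_request(tenant_id: str, client_id: str, api_app_id_uri: str,
                        assertion: str) -> Tuple[str, Dict[str, str]]:
    # Same grant, but the shared secret is replaced by the signed assertion
    # (RFC 7523 style): no long-lived secret ever leaves the client.
    return token_endpoint(tenant_id), {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_assertion_type": JWT_BEARER,
        "client_assertion": assertion,
        "scope": f"{api_app_id_uri}/.default",
    }
```

The practical difference for a B2B API: a secret is a bearer value that both sides must store and rotate, whereas the certificate variant only ever transmits a short-lived signed assertion, so the partner's private key never crosses the wire and the registered public key is what you rotate.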

***
"An app typically receives direct authorization to access a resource in one of two ways:
  • Through an access control list (ACL) at the resource
  • Through application permission assignment in Azure AD"

"These two methods are the most common in Azure AD and we recommend them for clients and resources that perform the client credentials flow. "

"A resource can also choose to authorize its clients in other ways. Each resource server can choose the method that makes the most sense for its application."
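The resource-side half of the two authorization methods quoted above, as an added example (my own code, not Microsoft's): given the claims of a v2.0 app-only token, admit the caller either because the token carries a required application permission (the roles claim) or because the calling app's id is on an ACL kept at the resource. Identifiers are constructed; signature verification against the tenant's JWKS is assumed to have already happened (Microsoft.Identity.Web, or an API Management validate-jwt policy, does that), and v1.0 tokens use a different issuer format and are not handled here. The tenant allow-list is the check most often forgotten on multi-tenant B2B registrations.

```python
import base64
import json
import time
from typing import Dict, Iterable, Optional

# Constructed example values; not a real tenant or API.
TENANT_ID = "11111111-2222-3333-4444-555555555555"
API_APP_ID_URI = "api://ffffffff-0000-1111-2222-333333333333"


def claims_of(token: str) -> Dict:
    # Payload segment only. This assumes the signature was already verified
    # against the issuing tenant's JWKS (jwks_uri from its openid-configuration
    # document). Claims from an unverified token are attacker-controlled input.
    seg = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4)))


def authorize_app_token(claims: Dict, *, audience: str,
                        allowed_tenants: Iterable[str],
                        required_roles: Iterable[str] = (),
                        app_acl: Iterable[str] = (),
                        now: Optional[int] = None) -> Optional[str]:
    """Return None if the app-only token may call this API, else the reason not."""
    now = int(time.time()) if now is None else now
    tid = claims.get("tid")
    if claims.get("aud") != audience:
        return "wrong audience"
    # The v2.0 issuer names the tenant that issued the token; tie it to tid.
    if claims.get("iss") != f"https://login.microsoftonline.com/{tid}/v2.0":
        return "unexpected issuer"
    # A multi-tenant app registration lets any Azure AD tenant mint a token
    # for this audience, so partner tenants must be allow-listed explicitly.
    if tid not in set(allowed_tenants):
        return "tenant not allowed"
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        return "token not valid at this time"
    # Two-legged tokens carry no user, so no scp claim. A delegated token
    # must not be accepted on an app-only endpoint.
    if "scp" in claims:
        return "delegated token where app-only token expected"
    # Method 1: application permission assignment in Azure AD -> roles claim.
    if set(required_roles) & set(claims.get("roles", [])):
        return None
    # Method 2: ACL at the resource, keyed on the calling app's id
    # (azp in v2.0 tokens, appid in v1.0 tokens).
    app_id = claims.get("azp") or claims.get("appid")
    if app_id in set(app_acl):
        return None
    return "no application permission or ACL entry"
```

The roles method scales better because the grant lives in Azure AD and is visible to the partner's admin during consent; the ACL method is what you fall back to when the resource has to know its callers individually anyway (per-partner quotas, per-partner data).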

***
Microsoft identity platform application authentication certificate credentials
 

Relevant RFCs

RFC 6749 The OAuth 2.0 Authorization Framework
https://tools.ietf.org/html/rfc6749

RFC 6750 The OAuth 2.0 Authorization Framework: Bearer Token Usage
https://tools.ietf.org/html/rfc6750
RFC 7519 JSON Web Token (JWT)
https://tools.ietf.org/html/rfc7519
RFC 8725 JSON Web Token Best Current Practices
https://tools.ietf.org/html/rfc8725
RFC 5246 The Transport Layer Security (TLS) Protocol Version 1.2
https://tools.ietf.org/html/rfc5246


Additional Background Reading

Quickstart: Register an application with the Microsoft identity platform
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app

Azure API Management
https://docs.microsoft.com/en-us/rest/api/apimanagement/

Azure API Management REST API Authentication
https://docs.microsoft.com/en-us/rest/api/apimanagement/apimanagementrest/azure-api-management-rest-api-authentication

Authorization Server
https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/authorizationserver

Certificate
https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/certificate

Gateway
https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-12-01/gateway

Microsoft Azure Well-Architected Framework
https://docs.microsoft.com/en-us/azure/architecture/framework/

Cloud Design Patterns
https://docs.microsoft.com/en-us/azure/architecture/patterns/

Security patterns
https://docs.microsoft.com/en-us/azure/architecture/patterns/category/security

Federated Identity pattern
https://docs.microsoft.com/en-us/azure/architecture/patterns/federated-identity
"Implement an authentication mechanism that can use federated identity. Separate user authentication from the application code, and delegate authentication to a trusted identity provider. This can simplify development and allow users to authenticate using a wider range of identity providers (IdP) while minimizing the administrative overhead. It also allows you to clearly decouple authentication from authorization."

"The trusted identity providers include corporate directories, on-premises federation services, other security token services (STS) provided by business partners, or social identity providers that can authenticate users who have, for example, a Microsoft, Google, Yahoo!, or Facebook account."

https://docs.microsoft.com/en-us/azure/architecture/patterns/_images/federated-identity-overview.png
"This model is often called claims-based access control. Applications and services authorize access to features and functionality based on the claims contained in the token. The service that requires authentication must trust the IdP. The client application contacts the IdP that performs the authentication. If the authentication is successful, the IdP returns a token containing the claims that identify the user to the STS (note that the IdP and STS can be the same service). The STS can transform and augment the claims in the token based on predefined rules, before returning it to the client. The client application can then pass this token to the service as proof of its identity."

Valet Key pattern
https://docs.microsoft.com/en-us/azure/architecture/patterns/valet-key
"Use a token that provides clients with restricted direct access to a specific resource, in order to offload data transfer from the application. This is particularly useful in applications that use cloud-hosted storage systems or queues, and can minimize cost and maximize scalability and performance."

How to expose a public API in Azure
Quickstart: Configure an application to expose web APIs
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-expose-web-apis

Quickstart: Register an application with the Microsoft identity platform
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-register-app
"Your app is integrated with the Microsoft identity platform by registering it with an Azure Active Directory tenant. Enterprise developers and software-as-a-service (SaaS) providers can develop commercial cloud services or line-of-business applications that can be integrated with Microsoft identity platform. Integration provides secure sign-in and authorization for such services."
- Search for and select Azure Active Directory. Under Manage, select App registrations.
- Select New registration.
- In Register an application, enter a meaningful application name to display to users.

Quickstart: Configure a client application to access web APIs
https://docs.microsoft.com/en-us/azure/active-directory/develop/quickstart-configure-app-access-web-apis

Calling an ASP.NET Core Web API from a WPF application using Azure AD V2
https://docs.microsoft.com/en-us/samples/azure-samples/active-directory-dotnet-native-aspnetcore-v2/calling-an-aspnet-core-web-api-from-a-wpf-application-using-azure-ad-v2/


API Management
Hybrid, multi-cloud management platform for APIs across all environments
https://azure.microsoft.com/en-us/services/api-management/

https://azure.microsoft.com/en-us/services/api-management/#security
- "Keep all your APIs behind a single static IP or domain, and help protect them with keys, tokens, and IP filtering."
- "Enforce flexible and fine-grained quotas and rate limits. Modify the shape and behavior of your APIs using policies. And improve latency and scale your APIs with response caching."
- "Connect on-premises APIs to cloud services by creating a façade that lets you safely integrate on-premises and cloud environments."

***
Architect API integration in Azure
https://docs.microsoft.com/en-us/learn/paths/architect-api-integration/
"Learn how to architect API integration in Azure, and provide secure, scalable API access for your applications."

Import and publish an API
https://docs.microsoft.com/en-us/learn/modules/publish-manage-apis-with-azure-api-management/4-import-and-publish-an-api
"To make an API available through an API gateway, you need to import and publish the API."
***
"There are various API frameworks and standards. API Management provides you with several options for importing APIs."
- Blank API
- Open API
- WADL
- WSDL
- Logic App    
- API App    
- Function App
"There are several ways to import an API into Azure API Management."
"Using the Azure portal, you select APIs, and then + Add API. You start by selecting the API framework you'd like to import."



Control authentication for your APIs with Azure API Management
https://docs.microsoft.com/en-us/learn/modules/control-authentication-with-apim/
- "Use API keys to secure your APIs"
- "Use client certificate authentication to secure your APIs"

***
Use client certificates to secure access to an API
https://docs.microsoft.com/en-us/learn/modules/control-authentication-with-apim/4-secure-access-client-certs
"Certificates can be used to provide TLS mutual authentication between the client and the API gateway." 
"You can configure the API Management gateway to allow only requests with certificates containing a specific thumbprint. The authorization at the gateway level is handled through inbound policies." 
"Here, you will learn how to configure API Management to accept client certificates." 
"With TLS client authentication, the API Management gateway can inspect the certificate contained within the client request and check for properties like:"
"Client certificates are signed to ensure that they are not tampered with. When a partner sends you a certificate, verify that it comes from them and not an imposter. There are two common ways to verify a certificate:"
"Check who issued the certificate. If the issuer was a certificate authority that you trust, you can use the certificate. You can configure the trusted certificate authorities in the Azure portal to automate this process."
"If the certificate is issued by the partner, verify that it came from them. For example, if they deliver the certificate in person, you can be sure of its authenticity. These are known as self-signed certificates."
"Create these policies in the inbound processing policy file within the API Management gateway:"
***
Check the thumbprint of a client certificate
"Every client certificate includes a thumbprint, which is a hash, calculated from other certificate properties. The thumbprint ensures that the values in the certificate have not been altered since the certificate was issued by the certificate authority. You can check the thumbprint in your policy. The following example checks the thumbprint of the certificate passed in the request:"
***
Check the thumbprint against certificates uploaded to API Management
"In the previous example, only one thumbprint would work so only one certificate would be validated. Usually, each customer or partner company would pass a different certificate with a different thumbprint. To support this scenario, obtain the certificates from your partners and use the Client certificates page in the Azure portal to upload them to the API Management resource. Then add this code to your policy:"
Check the issuer and subject of a client certificate
"This example checks the issuer and subject of the certificate passed in the request:"
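The policy snippets the quoted module refers to are not reproduced above. As an added example (my own code, not the module's policy XML), here is the gateway-side decision those three checks make, written in Python so it can be run against constructed input: pin the thumbprint for self-signed partner certificates, and for CA-issued ones require a validated chain plus the expected issuer and subject. The ClientCert fields stand in for what an API Management inbound policy reads from context.Request.Certificate (Thumbprint, Issuer, SubjectName.Name, Verify()) and the uploaded list in context.Deployment.Certificates; chain validation itself is assumed done by the TLS layer and is represented by a boolean.

```python
import hashlib
import time
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class ClientCert:
    # What the gateway sees from the TLS handshake; constructed for this example.
    der: bytes             # DER bytes, the input to the thumbprint
    issuer: str            # issuer distinguished name
    subject: str           # subject distinguished name
    not_before: int        # validity window as Unix time
    not_after: int
    chain_verified: bool   # result of path validation against the CAs you trust


def thumbprint(der: bytes) -> str:
    # The thumbprint is not a field inside the certificate: it is SHA-1 over
    # the DER bytes, shown by Azure as uppercase hex without separators.
    return hashlib.sha1(der).hexdigest().upper()


def normalize(tp: str) -> str:
    # Accept the colon- or space-separated forms people paste from other tools.
    return tp.replace(":", "").replace(" ", "").upper()


def authorize_client_cert(cert: Optional[ClientCert],
                          pinned_thumbprints: Iterable[str],
                          trusted_issuers: Iterable[str],
                          expected_subjects: Iterable[str],
                          now: Optional[float] = None) -> Optional[str]:
    """Return None to admit the caller, else the reason for the 403."""
    now = time.time() if now is None else now
    if cert is None:
        return "no client certificate presented"
    if not (cert.not_before <= now <= cert.not_after):
        return "certificate outside its validity period"
    # Path 1: self-signed certificate received from the partner out of band.
    # There is no issuer to trust, so pin the thumbprint of that exact cert.
    if thumbprint(cert.der) in {normalize(t) for t in pinned_thumbprints}:
        return None
    # Path 2: CA-issued certificate. The chain must validate, and the issuer
    # alone is not enough: if the CA is public, any of its customers can
    # present a valid certificate, so also match the subject you expect.
    if (cert.chain_verified
            and cert.issuer in set(trusted_issuers)
            and cert.subject in set(expected_subjects)):
        return None
    return "certificate is neither pinned nor an expected issuer/subject pair"
```

Note that pinning a thumbprint pins one certificate: when the partner renews, the thumbprint changes and the call fails closed, so partner onboarding needs a documented rotation step (upload the new certificate before the old one expires) or the CA-issued path with a stable subject.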

Protect your APIs on Azure API Management
https://docs.microsoft.com/en-us/learn/modules/protect-apis-on-api-management/
"Create an Azure API gateway"
"Import a RESTful API into the gateway"
"Implement policies to secure and throttle the requests"
"Call an API to test the applied policies"

AZ-400: Develop a security and compliance plan
https://docs.microsoft.com/en-us/learn/paths/az-400-develop-security-compliance-plan/
"Build strategies around security and compliance that enable you to authenticate and authorize your users, handle sensitive information, and enforce proper governance."

Secure your identities by using Azure Active Directory
https://docs.microsoft.com/en-us/learn/modules/intro-to-azure-ad/

Microsoft Azure Well-Architected Framework - Security
https://docs.microsoft.com/en-us/learn/paths/secure-your-cloud-apps/


Encryption
https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/5-encryption
Encrypting secrets
"Azure Key Vault is a cloud service that works as a secure secrets store. Key Vault allows you to create multiple secure containers, called vaults."
***
"Azure Key Vault can handle requesting and renewing Transport Layer Security (TLS) certificates, providing the features required for a robust certificate lifecycle management solution."


Network security
https://docs.microsoft.com/en-us/learn/modules/azure-well-architected-security/6-network-security

Using API gateways in microservices
https://docs.microsoft.com/en-us/azure/architecture/microservices/design/gateway
"If you don't deploy a gateway, clients must send requests directly to front-end services. However, there are some potential problems with exposing services directly to clients:"

***
Gateway Routing pattern
"Route requests to multiple services using a single endpoint. This pattern is useful when you wish to expose multiple services on a single endpoint and route to the appropriate service based on the request."
https://docs.microsoft.com/en-us/azure/architecture/patterns/gateway-routing
Choosing a gateway technology:
"Reverse proxy server. Nginx and HAProxy are popular reverse proxy servers that support features such as load balancing, SSL, and layer 7 routing. "
"Service mesh ingress controller."
"Azure Application Gateway. Application Gateway is a managed load balancing service that can perform layer-7 routing and SSL termination. It also provides a web application firewall (WAF)"
"Azure API Management. API Management is a turnkey solution for publishing APIs to external and internal customers. It provides features that are useful for managing a public-facing API, including rate limiting, IP restrictions, and authentication using Azure Active Directory or other identity providers. API Management doesn't perform any load balancing, so it should be used in conjunction with a load balancer such as Application Gateway or a reverse proxy."
   
   
***
Integrate API Management in an internal VNET with Application Gateway
https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-integrate-internal-vnet-appgateway

***
"Azure Application Gateway and API Management are managed services."

***
Azure API Management and Application Gateway integration (2019)
https://medium.com/azure-architects/azure-api-management-and-application-gateway-integration-a31fde80f3db
"API Management deployed in “internal” VNET mode"
"Application Gateway (WAF) for exposing a subset of API’s externally"
   
Microsoft: API Management and App Gateway integration
https://miro.medium.com/max/955/1*1mBS7UOcQU2O8j3et9v7ig.png
***
"How are the API’s segregated so that only the ones deemed “external” are accessible via the Internet? Is it configured on API-M or the App Gateway?"
"It turns out the solution is a combination of both and is relatively simple -"

- "Within API-M, APIs are created with separate base URL’s i.e. /external and /internal"
- "Within Application Gateway, a path-based routing rule is created that redirects any API requests that contain /external to the API-M back-end"
"The same routing rule drops requests to any other API requests including /internal"


Publishing internal APIs to external consumers
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/apps/publish-internal-apis-externally
"In this scenario, an organization has hosted multiple APIs using Application Service Environments(ILB ASE) and would like to consolidate these APIs internally using Azure API Management (APIM) deployed inside a Virtual Network. The internal API Management instance could also be exposed to external users to allow for utilization of the full potential of the APIs. This external exposure could be achieved using an Application Gateways forwarding requests to the internal API Management service, which in turn consumes the APIs deployed in the ASE."

***
See diagram:        
https://docs.microsoft.com/en-us/azure/architecture/example-scenario/apps/media/architecture-publish-internal-apis-externally.png
The data flows as follows:
- Developers check in code to a GitHub repository connected to CI/CD pipeline Agent installed on an Azure VM
- The agent pushes the build to the API application hosted on ILB ASE
- API Management consumes the above APIs via HOST Headers specified in API Management policy
- API Management uses the App Service Environment's DNS name for all the APIs
- Application Gateway exposes API Management's developer and API portal
- Azure Private DNS is used to route the traffic internally between ASE, API Management, and Application Gateway
"External Users uses exposed Dev Portal to consume the APIs via Application Gateway's public IP"
"Azure Virtual Network enables Azure resources to securely communicate with each other, the internet, and on-premises networks."
"Azure Private DNS allows domain names to be resolved in a virtual network without needing to add a custom DNS solution."

"Azure API Management helps organizations publish APIs to external, partner, and internal developers to use their data and services."

"Application Gateway is a web traffic load balancer that enables you to manage traffic to your web applications."

"Internal Load Balancer App Service Environment is an Azure App Service feature that provides a fully isolated and dedicated environment for securely running App Service apps at high scale."

"Azure DevOps is a service for managing your development lifecycle and includes features for planning and project management, code management, build, and release."
"Application Insights is an extensible Application Performance Management (APM) service for web developers on multiple platforms."

"Azure Cosmos DB is Microsoft's globally distributed, multi-model database service."
KM Note: I submitted Issue #2245 - the documentation states "SSL", but it should be "TLS"
https://github.com/MicrosoftDocs/architecture-center/issues/2245
       
       
How to Expose Services with Azure API Management
https://spr.com/how-to-expose-services-with-azure-api-management/

Azure Tips and Tricks
https://microsoft.github.io/AzureTipsAndTricks/
Getting started with Azure API Management       
https://microsoft.github.io/AzureTipsAndTricks/blog/tip197.html

Azure REST APIs with Postman
https://microsoft.github.io/AzureTipsAndTricks/blog/tip223.html

Taking a peek at Azure Key Vault Part 1 of 2
https://microsoft.github.io/AzureTipsAndTricks/blog/tip180.html

Taking a peek at Azure Key Vault Part 2 of 2
https://microsoft.github.io/AzureTipsAndTricks/blog/tip181.html
   


Copyright

© 2001-2021 International Technology Ventures, Inc., All Rights Reserved.