Reputation: 1310
Technical stack
Now in this case, the subscription key will be visible through Browser -> Inspect -> Network tab.
We want to make sure that a user can't use the UI key to make API calls. Using a proxy will hide the key, but now anyone can call the proxy URL to get data.
How to make it secure?
Upvotes: 7
Views: 5113
Reputation: 1310
As mentioned by nmbrphi and garethb, we can't control what the end user sees in the browser network tab.
And as we do not have user authentication available in the system and only have IP authentication, we can't control usage of the UI key directly from the API.
To make sure we have a more secure UI call, we have implemented custom logic which can be used for any JavaScript application.
Reference: http://billpatrianakos.me/blog/2013/09/12/securing-api-keys-in-a-client-side-javascript-app/
This helped me to at least distinguish the UI calling the API from the API being called directly from other applications/tools like Postman.
Thanks all for your help.
Upvotes: -3
Reputation: 21
Did you find any solution? I used nginx as a proxy server and kept the subscription key there as proxy_set_header subscription-key abc-def when calling the microservice. This way the subscription key won't be exposed to the UI and will be forwarded to the API Management Service via nginx.
Upvotes: 1
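The nginx approach from the answer above, written out as a configuration. This is an added example, not the answerer's own config: the header name and value come from the answer, while the upstream host, port, path prefix and rate values are assumptions. Because the question points out that anyone can call the proxy URL, the sketch also bounds anonymous use with a per-IP rate limit and a method restriction.

```nginx
# Added example: minimal nginx.conf for the proxy approach described above.
events {}

http {
    # Per-client-IP request budget (assumed value) so the open proxy URL
    # cannot be used for unlimited calls with the hidden key.
    limit_req_zone $binary_remote_addr zone=ui_api:10m rate=5r/s;
    limit_req_status 429;

    server {
        listen 8080;  # assumed port; terminate TLS here or in front of it

        # Only the path the UI needs is proxied (assumed prefix).
        location /api/ {
            limit_req zone=ui_api burst=10 nodelay;

            # UI is assumed read-only: everything except GET/HEAD is refused.
            limit_except GET { deny all; }

            # Key is injected server-side and never sent to the browser.
            # This also overwrites any subscription-key header the client sends.
            proxy_set_header subscription-key "abc-def";

            # Placeholder upstream; replace with the API Management host.
            proxy_set_header Host apim.example.com;
            proxy_ssl_server_name on;
            proxy_pass https://apim.example.com/;
        }

        # Anything else is not forwarded upstream.
        location / { return 404; }
    }
}
```

This keeps the key out of the browser's network tab, but the proxy endpoint itself remains unauthenticated; the limits only cap what an anonymous caller can do with it.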
Reputation: 346
Store your keys in Azure Key Vault and access them from your front-end application: https://medium.com/@ayanfecrown/azure-key-vault-node-js-step-by-step-tutorial-af131a78e220
Upvotes: 0