How Credential Manager in API Management can help you manage, store, and control access to your API
Published Nov 15 2023 08:30 AM 4,029 Views
Microsoft

We're excited to introduce the rebranding and feature enhancements of Azure API Management's Credential Manager, previously known as Authorizations. In addition, Credential Manager now includes capabilities for user-delegated permissions.

 

OAuth 2.0 - A Secure and Standardized Protocol for Authorization:

Authentication and authorization are two critical processes that help ensure secure access to your APIs. Authentication is the process of verifying the identity of a user, while authorization is the process of granting or denying access to the resource based on the authenticated user’s identity and permissions. Implementation can be very complex, but it is essential for ensuring secure access to digital systems and resources. 
 
OAuth 2.0 is an industry-standard protocol for authorization that provides a secure and standardized way for users to grant third-party applications access to their resources without sharing their credentials. In the context of authentication and authorization, OAuth 2.0 can be used to provide secure access to digital systems and resources. It involves the use of access tokens, which are pieces of data that represent the authorization to access resources on behalf of the end-user.
oauthflow.png


The Challenge We Address with Credential Manager:

Developers aim to build client applications, such as static web apps, that enable users to log in and authenticate themselves. These applications should tailor the displayed data based on the authenticated user. In many scenarios, users are required to reauthorize and reauthenticate every time they log in, leading to a cumbersome user experience. This complexity intensifies when dealing with multiple calls to different endpoints, each supporting distinct authentication providers (e.g. GitHub or Twitter or LinkedIn).
 
With Credential Manager, we offer a solution where users only need to log in and provide consent only once, and after that, connecting to a (third-party) API will just seamlessly function. Under the hood, Credential Manager facilitates the creation of connections on behalf of these logged-in users on the client side. These connections empower us to present user-specific context, and users are spared the need to log in repeatedly. You don't have to burden yourself with the storage and management of users' access tokens or credentials. Users will simply login and grant consent one time, and then API Management takes over the responsibility of handling, securely storing and refreshing their access tokens. With Credential Manager, when API Management receives an incoming call to be forwarded to an external service, it effortlessly appends the necessary access token/credential to the request (using policies). Think of it as a feature of a reverse proxy – an API Management server positioned in front of one or more servers, intercepting client requests and seamlessly attaching access tokens to your API calls.
 
Here's how the flow looks like for the first time:
Note: Pre-requisite for this flow is that a Credential Store has been created and configured.
credentialmanagerfirst.png

After creating a Credential Connections for a user for the first time, moving forward this step won't be necessary. Developers can use the already created Credential Connection when making API calls on-behalf of the users:

credentialmanagerfinal.png

 

Credential Manager - Step-By-Step explanation:

This central repository within API Management is dedicated to managing, storing, and controlling access to your API access tokens. It plays a role in creating secure and seamless connections among your services which can then be used during API runtime using the <get-authorization-context> policy. With Credential Manager, teams will be able to provide a more seamless experience for handling API access tokens. Here is a short description of steps involved:

 

  1. User Consent and Authentication:
    • Users log in to the client application.
    • As part of the initial steps, users provide consent to access (third-party) SaaS APIs.
  2. Credential Manager:
    • APIM acts as a centralized token manager.
    • Once users provide consent, APIM stores, manages and refreshes their access tokens securely.
  3. Incoming API Call:
    • When the client application initiates an API call to a third-party service, it sends the request to APIM.
  4. API Management Intercept:
    • API Management, acting as a reverse proxy, intercepts the incoming call to be forwarded to the external service.
  5. Token Attachment:
    • API Management, equipped with the user's previously stored and consented access token/credentials, automatically attaches (via policy) the necessary token to the API call.
  6. Forwarding to External Service:
    • APIM forwards the request to the external service with the attached access token/credentials.
  7. API Response:
    • The external service processes the request and sends back a response to API Management.
  8. Response to Client:
    • APIM receives the response and relays it to the client application - displaying information relevant to the user's access token from the API.

 

Be a Part of the Journey: Test Credential Manager and Share Your Feedback!

Get Involved!
We believe that user feedback is the cornerstone of progress, and we invite you to actively participate in our journey.
Try It Out!
Give Credential Manager a test drive - Your hands-on experience matters!
Share Your Thoughts!
Your insights are invaluable to us. We're eager to hear what you think about Credential Manager and to understand your needs. Is there something specific that would make you and your organization even more successful? Your feedback is the key to our continuous improvement. Feel free to fill out this Microsoft Form to share your thoughts or requirements!
Co-Authors
Version history
Last update:
‎Nov 14 2023 06:33 PM
Updated by: