RBAC with API Management
Extending our setup with API Management and Auth0 to create RBAC control over our operations in our API’s. The idea is to make sure that consumers can be granted access to specific operations in an API and not only to the whole API. This can be achieved in a number of ways and in this topic we will use Auth0 as the Identity Provider to help out with this, but you could use any other of your choice.
An Identity provider is a service that a user/application is signing in to (just like Azure AD) and this provider has functionality to provide needed information and grant access to requested resources that the IDP is handling. Just like the fact that you have access to a resource or resource group inside your subscription in Azure.
In API Management we have a trust setup as of the previus post Setup Auth0 with API Management. Then we add permissions to our representation of the Api Management instance in Auth0 and grant the conusmer only the permissions that we want to give. After the permissions is setup and granted we willenforce these permissions in our API Management instance via the validate-jwt policy.
The end scenario will look like the illustration bellow where we can grant access to some or all operations in our API.
I’ve created a video that will go thru all of this a link is provided bellow.
Links used in the video:
Summary:
There is alot of times where extra granularity is needed in the API’s exposed. It helps out with creating easier to use and more natural API’s. I can be a good selpoint if used to show that there are more features for premium customers. Regardless adding RBAC to your API’s will increase seurity and eas of use. It will also give you a possibility to move the approving of new customer out of the API Managament instance and become more of a business thing to increas new consumer adoption. The setup used in Auth0 is very powerfull and can be reflected on end users aswell and that can be very helpfull when adding more lightweight consumers with single purposes.
Posted in: •API Management | Tagged: | API Management | Integration | Serverless | Auth0 | IDP | OAuth
CATEGORIES
- Thinking
- OMS
- LogicApps
- API Management
- Azure Functions
- Key Vault
- Innovation
- Power Apps
- Flow
- ARM
- Application Insights
- Development
ARCHIVES
- March 2022
- January 2022
- November 2021
- October 2021
- January 2021
- June 2020
- August 2019
- February 2019
- January 2019
- December 2018
- August 2018
- May 2018
- March 2018
- February 2018
- January 2018
- December 2017
- November 2017
- October 2017
- September 2017
- August 2017
SUBSCRIBE TO MY FEED
Click here to subscribe to my RSS-feed →