Azure / azure-saas

The Azure SaaS Development Kit (ASDK) provides a reference architecture, deployable reference implementation and tools to help developers, startups, ISVs and Enterprises deliver their applications as a SaaS service. A platform for platform creators.
https://aka.ms/azuresaasdevkit

Add support for Permissions API Key Authentication and remove Certificate Authentication #197

Closed landonpierce closed 2 years ago

landonpierce commented 2 years ago

This PR replaces mTLS Certificate authentication with API key authentication in the permissions API and updates all of its consumers to allow for that. Resolves issue #196. Changes made:

Also (not related to issue #196):

ghost commented 1 year ago

This PR replaces mTLS Certificate authentication with API key authentication in the permissions API and updates all of its consumers to allow for that. Resolves issue #196.

Changes made:

  • Added middleware in permissions API to check for and validate the presence of an API key on the x-api-key header

  • Reconfigured the HTTP Client in the Admin API to add the Permissions API key to the header of every request sent to it and remove the configuration of the client certificate

  • Updated the B2C XML policies to load in the API key from the policy keys and send it on the x-api-key header when making requests to the Permissions API

  • Updated the B2C-Create PowerShell script to:

    • Generate a new API key

    • Generate a new API Key policy key container

    • No longer generate a self-signed certificate and upload it to a policy key container

    • Output the new API key values into the parameters.json

  • Updated and regenerated the Bicep IaC scripts to:

    • Turn off requiring a certificate on the Permissions API app service

    • Add a new key vault secret for the Permissions API Key in both the identity and main application key vaults

    • No longer create secrets for the certificate thumbprint and value

  • Updated all documentation to remove the reference of a self-signed certificate and added in documentation explaining the use of an API key.

Also (not related to issue #196):

  • Updated build scripts to tag the latest container upon a new version tag being pushed
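
One way the `x-api-key` check from the first bullet could look as ASP.NET Core middleware. This is an added example, not the code from this PR or the ASDK repository; the class name, the configuration key `PermissionsApi:ApiKey` and the choice of a 401 response are assumptions.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;
using System.Threading.Tasks;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;

// Added example: hypothetical middleware, not the ASDK implementation.
// Register early in the pipeline with: app.UseMiddleware<ApiKeyMiddleware>();
public sealed class ApiKeyMiddleware
{
    private const string HeaderName = "x-api-key";            // header named in the PR
    private const string ConfigKey = "PermissionsApi:ApiKey"; // assumed configuration key

    private readonly RequestDelegate _next;
    private readonly byte[] _expectedHash;

    public ApiKeyMiddleware(RequestDelegate next, IConfiguration config)
    {
        _next = next;
        string? expected = config[ConfigKey];
        // Fail closed at startup: a missing or empty key must never mean "accept anything".
        if (string.IsNullOrWhiteSpace(expected))
            throw new InvalidOperationException($"{ConfigKey} is not configured.");
        _expectedHash = SHA256.HashData(Encoding.UTF8.GetBytes(expected));
    }

    public async Task InvokeAsync(HttpContext context)
    {
        // Require exactly one non-empty header value; absent or repeated headers are rejected.
        if (!context.Request.Headers.TryGetValue(HeaderName, out var values)
            || values.Count != 1 || string.IsNullOrEmpty(values[0]))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        // Hash both sides to a fixed length, then compare in constant time so that
        // response timing does not reveal how much of a guessed key was correct.
        byte[] presented = SHA256.HashData(Encoding.UTF8.GetBytes(values[0]!));
        if (!CryptographicOperations.FixedTimeEquals(presented, _expectedHash))
        {
            context.Response.StatusCode = StatusCodes.Status401Unauthorized;
            return;
        }

        await _next(context);
    }
}
```

The key value itself would come from the Key Vault secret the PR adds, surfaced through configuration, and should never be written to request logs.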