Open MassimoC opened 5 years ago
I'm trying to put my 2 cents here, don't shoot if I get it wrong :)
I would see the protection of an API with an API key and with IP filtering in combination with APIM, where you secure the API via IP filtering so that it can only be called via APIM.
How far do you want to go for the Certificate security (I suppose you're talking about mutual authentication here)? I think this is something that will eventually end up in Arcus, so are you going to refer to Arcus here?
I think it is a good idea to set up a sample on how to protect the API using IdentityServer. Have a client application that consumes the client; allow the user to log in and maybe have different roles so that certain operations are allowed by role X and others not?
Those sound like good suggestions if you ask me, but personally I would split this item into an issue per type of security and take it piece by piece and determine the maturity level per approach.
Agree on all of the above where api key and identity server would be most important to me
Following the proposal of Frederik, can the guideline be something like this?
If you need to limit the access to the API
If you need to give access to one or more applications on behalf of users
This assumes that you have an API gateway, which is not always the case. I personally find IP filtering a more advanced scenario as this is not always possible.
In terms of Shared Access Key & X509 client authentication, I would start with Shared Access Key and, if there is a strong requirement and/or a gateway present, use X509 client authentication instead.
Tagging Arcus Security issues for observability:
Attributes are now available btw
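The two mechanisms discussed in this thread (a shared access key, and IP filtering so that the backend only accepts calls coming through the API gateway) can be combined in a single ASP.NET Core middleware. The code below is an example added by the editor; it is not Arcus code and not the attributes mentioned above. The gateway source range `10.0.0.0/24`, the header name `x-api-key` and the configuration key `Api:SharedAccessKey` are placeholders chosen for the example; in a real deployment the range is the outbound address of your APIM instance and the key comes from a secret store such as Key Vault.

```csharp
// Added example (not Arcus's own implementation): ASP.NET Core minimal hosting app
// that (1) only accepts requests from the API gateway's IP range and (2) validates a
// shared access key from a request header with a constant-time comparison.
using System;
using System.Net;
using System.Security.Cryptography;
using System.Text;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;

var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Hypothetical gateway range: in practice, the outbound address(es) of your APIM instance.
var gatewayNetwork = IPAddress.Parse("10.0.0.0");
const int gatewayPrefixLength = 24;

// Hypothetical configuration key; an absent/empty value fails closed (every request is rejected).
string expectedKey = app.Configuration["Api:SharedAccessKey"] ?? string.Empty;

app.Use(async (context, next) =>
{
    // 1. IP filtering on the transport-level peer address. Do not read X-Forwarded-For
    //    here: any caller can set that header unless ForwardedHeaders middleware has been
    //    configured with the gateway as a known proxy.
    IPAddress? remote = context.Connection.RemoteIpAddress;
    if (remote is not null && remote.IsIPv4MappedToIPv6)
    {
        remote = remote.MapToIPv4();
    }
    if (remote is null || !IsInNetwork(remote, gatewayNetwork, gatewayPrefixLength))
    {
        context.Response.StatusCode = StatusCodes.Status403Forbidden;
        return;
    }

    // 2. Shared access key. Compared in constant time so response latency does not
    //    leak how many leading bytes of a guessed key were correct.
    if (expectedKey.Length == 0
        || !context.Request.Headers.TryGetValue("x-api-key", out var presented)
        || !FixedTimeEquals(presented.ToString(), expectedKey))
    {
        context.Response.StatusCode = StatusCodes.Status401Unauthorized;
        return;
    }

    await next(context);
});

app.MapGet("/orders", () => Results.Ok(new[] { "order-1", "order-2" }));
app.Run();

// True when 'address' lies inside 'network'/'prefixLength' (IPv4 or IPv6, same family only).
static bool IsInNetwork(IPAddress address, IPAddress network, int prefixLength)
{
    byte[] a = address.GetAddressBytes();
    byte[] n = network.GetAddressBytes();
    if (a.Length != n.Length) return false;
    for (int i = 0; i < a.Length; i++)
    {
        int bits = Math.Clamp(prefixLength - i * 8, 0, 8);
        if (bits == 0) break;
        byte mask = (byte)(0xFF << (8 - bits));
        if ((a[i] & mask) != (n[i] & mask)) return false;
    }
    return true;
}

// Length mismatch is rejected up front; FixedTimeEquals requires equal-length inputs.
static bool FixedTimeEquals(string presented, string expected)
{
    byte[] p = Encoding.UTF8.GetBytes(presented);
    byte[] e = Encoding.UTF8.GetBytes(expected);
    return p.Length == e.Length && CryptographicOperations.FixedTimeEquals(p, e);
}
```

Two points to keep in mind when adapting this: the IP check is only as strong as the network path, so if anything other than the gateway can reach the backend (for example a public endpoint without a service endpoint or private link in front of it), the check is a hint rather than a boundary, which is the "not always possible" caveat raised above; and the order matters, since rejecting on IP before touching the key keeps unauthenticated callers from probing the key check at all.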
Secure the API access