Those who now want to offer an API or a service themselves face some challenges. The usual difficulties that services already cause within projects are intensified once again, since end customers are expected to work with them for a long time. They must be reasonably maintained and documented, as well as protected against unauthorized access, published, further developed and also billed.
It is recommended to enrich your service with existing services ("Services as a Service") and thus to separate the domain logic from the organizational concerns around it. In our specific case, the service should only fulfill its (technical) task and do so as well as possible. We do not want to deal with user administration, the generation of subscription keys or the construction of a gateway. For this purpose, I combine two Microsoft products: Azure API Management as a platform for publishing my APIs and Azure Active Directory B2C for managing API users.
Azure Active Directory B2C (Azure AD B2C)
Azure Active Directory B2C is a cloud-based, fully-managed system and is used for identity and access management for end customers - in our case, customers of our API. The idea behind this is that the end customers of a product or SaaS solution can manage themselves and are maintained separately from the company's own Active Directory.
Azure AD B2C therefore supports various identity providers from social networks - such as Facebook, Google, Microsoft, Amazon and Twitter - but also registration with the user's own e-mail address. New users can also be created manually, or a connection to the company's own Active Directory can be established.
The administrator of Azure AD B2C decides whether end users can use customizable pages for sign-up, sign-in or even profile editing.
Various tokens can now be generated for authorization via Azure AD B2C. The tokens are sent with the web requests as JSON Web Tokens (bearer tokens), and the application checks their validity. The .NET Framework and other providers offer various libraries for this purpose. With .NET Core, the AddAzureADB2CBearer extension is shipped and added directly for this purpose. It contacts Azure AD B2C and checks the validity of the tokens. Nothing more than the [Authorize] annotation on the class or method is needed.
However, authentication can also be more complex. Instead of an access token, an ID token can be issued that represents the specific user, or custom claims can be included in the tokens and used for the check.
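As an added example (not code from the article), the following ASP.NET Core 3.1 Startup shows the two things described above: bearer-token validation with the AddAzureADB2CBearer extension and an authorization policy that checks a custom claim in the token. The package name and the option properties are the real ones from Microsoft.AspNetCore.Authentication.AzureADB2C.UI; the tenant name "contoso", the policy name, the client id and the claim name "extension_ApiTier" are assumed placeholders.

```csharp
// Startup.cs for an ASP.NET Core 3.1 Web API protected by Azure AD B2C bearer tokens.
// Requires the NuGet package Microsoft.AspNetCore.Authentication.AzureADB2C.UI.
//
// Assumed appsettings.json section (tenant, client id and policy name are placeholders):
// "AzureAdB2C": {
//   "Instance": "https://contoso.b2clogin.com/tfp/",
//   "ClientId": "00000000-0000-0000-0000-000000000000",
//   "Domain": "contoso.onmicrosoft.com",
//   "SignUpSignInPolicyId": "B2C_1_signupsignin"
// }
using Microsoft.AspNetCore.Authentication.AzureADB2C.UI;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;

public class Startup
{
    public Startup(IConfiguration configuration) => Configuration = configuration;

    public IConfiguration Configuration { get; }

    public void ConfigureServices(IServiceCollection services)
    {
        // The bearer handler fetches the tenant's OpenID Connect metadata and signing keys
        // and validates signature, issuer, audience (the ClientId) and expiry of every token.
        services.AddAuthentication(AzureADB2CDefaults.BearerAuthenticationScheme)
                .AddAzureADB2CBearer(options => Configuration.Bind("AzureAdB2C", options));

        // Authorization policy built on a custom claim carried in the token.
        // "extension_ApiTier" is an assumed B2C custom attribute, not one the article names.
        services.AddAuthorization(options =>
        {
            options.AddPolicy("PremiumApi", policy =>
                policy.RequireAuthenticatedUser()
                      .RequireClaim("extension_ApiTier", "premium"));
        });

        services.AddControllers();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseAuthentication();   // must run before UseAuthorization
        app.UseAuthorization();
        app.UseEndpoints(endpoints => endpoints.MapControllers());
    }
}

[ApiController]
[Route("api/[controller]")]
public class OrdersController : ControllerBase
{
    // Any valid B2C bearer token is enough; a missing, expired or wrongly signed token yields 401.
    [HttpGet]
    [Authorize]
    public IActionResult Get() => Ok(new[] { "order-1", "order-2" });

    // Additionally requires the custom claim; a valid token without it yields 403.
    [HttpGet("report")]
    [Authorize(Policy = "PremiumApi")]
    public IActionResult Report() => Ok(new { tier = "premium" });
}
```

The order of the middleware matters: UseAuthentication must precede UseAuthorization, otherwise every [Authorize] endpoint rejects the caller even with a valid token. The two endpoints illustrate the difference between the plain [Authorize] check described above (token validity only) and a claim-based check, which is where custom claims from Azure AD B2C come into play.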
Who may do what?
Authentication is usually not the end of the story: which user is allowed to call which parts of the API? How many calls do I allow? Or am I perhaps aiming for usage-based billing? I would have to develop all of that myself. Or, more simply, I don't: I save myself the authorization code and use ready-made services to secure my API and log accesses. This is the moment when API management enters the stage...