Use API Management Policy for Authentication | Best Practices

Preventing Anonymous Usage with API Management Policy

Question

You are a developer for a SaaS company that offers many web services.

All web services for the company must meet the following requirements:

- Use API Management to access the services
- Use OpenID Connect for authentication
- Prevent anonymous usage

A recent security audit found that several web services can be called without any authentication.

Which API Management policy should you implement?

Answers

Explanations


D.

Add the validate-jwt policy to validate the OAuth token for every incoming request.

Incorrect Answers: A: The jsonp policy adds JSON with padding (JSONP) support to an operation or an API to allow cross-domain calls from JavaScript browser-based clients.

JSONP is a method used in JavaScript programs to request data from a server in a different domain.

JSONP bypasses the limitation enforced by most web browsers where access to web pages must be in the same domain.


https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad

The correct API Management policy to implement in this scenario is "validate-jwt".

Explanation:

The scenario states that several web services can be called without any authentication. This means anonymous usage is currently allowed, which violates the requirements. To address this, an authentication check must be enforced at the API Management layer, in front of the backend services.

The requirement also states that OpenID Connect should be used for authentication. OpenID Connect is a widely used authentication protocol that is built on top of OAuth 2.0. It provides a way for users to authenticate with a service and obtain an access token that can be used to access protected resources.

API Management is a service provided by Microsoft Azure that allows developers to publish, manage, and secure APIs. One of the key features of API Management is the ability to apply policies to APIs. Policies are a set of rules that can be used to control how an API is accessed and used.

The "validate-jwt" policy is used to validate a JSON Web Token (JWT) that is used for authentication. In this case, the JWT would be issued by an identity provider that supports OpenID Connect. The policy can be configured to check various aspects of the JWT, such as the issuer, audience, and expiration time.

By applying the "validate-jwt" policy to the APIs that need to be secured, anonymous usage is prevented and authentication is enforced. Requests that carry no token, or a token that fails validation, are rejected by the gateway before they reach the backend; only requests with a valid JWT are allowed to access the API.