Tags: azure, asp.net-web-api, oauth-2.0, azure-active-directory, azure-api-management

Azure API Management and Backend Web API


I have a Web API deployed in Azure App Service. The Web API is protected using Azure AD. I am planning to use API Management for exposing the API to various users.

Right now, I have enabled basic authentication to the developer portal in API Management. Also, I have enabled OAuth 2.0 authentication for the back end server (user authorization). So, if I log in to the developer portal, I can see two fields: Subscription Key and Authorization. The Subscription Key will be the developer's subscription to the portal and the Authorization will be the OAuth authorization which is required for the back end server.

Also, if the API Management URL needs to be accessed by any user, the user needs to pass the subscription key in the query string and the token in the Authorization header (e.g. a desktop client).

Is there any way to call the API Management URL by just using the JWT token and not using the subscription key (but I would still need to know which developer/user had accessed the service)? What I am looking for is a single token that can be used to authenticate the user to the developer portal and that can be used to authenticate to the back end API (either by translation to the back end server token or by any other means).

Thanks,

John


Solution

  • Subscription keys in APIM are tied to a user and product, thus if you change a product (or create a new one) to not require a subscription (an option available at creation time or in the product settings), no subscription key would be needed to call any API included in such products.

    The downside is that all such calls would be treated by APIM as anonymous and shown in analytics as such.
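As an added illustration (not part of John's question or the answer above), the following inbound policy shows how a product that no longer requires a subscription can still refuse calls that do not carry the Azure AD JWT the question describes, and how the token's subject can be captured so the caller is not entirely anonymous to the backend. The tenant ID, audience, scope name and header name are placeholders and assumptions, not values from the page.

```xml
<!-- Added example policy, not from the question or the answer.
     Attach it to the API or product whose "Requires subscription" setting is off.
     TENANT_ID_PLACEHOLDER, BACKEND_APP_ID_PLACEHOLDER, the "scp" value and the
     X-Caller-Subject header name are assumptions to replace with your own. -->
<policies>
  <inbound>
    <base />
    <!-- Reject any request without a valid Bearer token issued by the tenant. -->
    <validate-jwt header-name="Authorization" require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="A valid Azure AD access token is required">
      <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/.well-known/openid-configuration" />
      <audiences>
        <!-- Application ID URI of the backend Web API registration (placeholder). -->
        <audience>api://BACKEND_APP_ID_PLACEHOLDER</audience>
      </audiences>
      <required-claims>
        <!-- Assumed delegated scope exposed by the backend registration. -->
        <claim name="scp" match="any">
          <value>access_as_user</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- Forward the token subject to the backend so the call stays attributable
         even though APIM analytics will record it as anonymous. -->
    <set-header name="X-Caller-Subject" exists-action="override">
      <value>@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "unknown")</value>
    </set-header>
    <!-- Record the same subject in the gateway trace for troubleshooting. -->
    <trace source="caller-identity" severity="information">
      <message>@("caller subject: " + (context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "unknown"))</message>
    </trace>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The validate-jwt step runs before the request reaches App Service, so a missing or expired token is stopped at the gateway rather than relying only on the backend's Azure AD check; the backend should keep validating the token itself, since the forwarded X-Caller-Subject header is informational and only trustworthy if the backend accepts traffic solely from APIM.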