Challenges in Managing Client Secrets for High-Scale API Integrations in Azure API Management

Mithila Lishan 71 Reputation points
2024-11-04T20:55:35.15+00:00

Currently, we are using an open-source API management application to manage APIs. This product primarily consists of two components: the Publisher, which is used to publish APIs, and the Store, which allows applications to subscribe to APIs. Once an application subscribes, the generated client ID and secret remain valid until the application is deleted.

However, when comparing this setup to Azure API Management, I observed some limitations in implementing these mechanisms. In Azure API Management, after creating a client application, the secret generated has a maximum validity of 2 years under the custom date range option. After this period, new secrets need to be generated and distributed to all customers. Is this practical when dealing with API integrations involving a high number of customers?


1 answer

  1. Khadeer Ali 570 Reputation points Microsoft Vendor
    2024-11-05T07:57:48.23+00:00

    Hi @Mithila Lishan,

    Welcome to the Microsoft Q&A Platform! Thank you for asking your question here.

    Managing client secrets for high-scale API integrations in Azure API Management (APIM) can indeed present some challenges, especially when compared to open-source solutions where secrets can remain valid indefinitely.

    To mitigate that challenge, we can implement automated workflows using Azure Key Vault and Azure Functions to handle secret rotation.

    Please refer to the link below for the documentation on the same.

    https://video2.skills-academy.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients

    If you find this answer helpful, please click "Accept Answer" and kindly upvote it.

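As an added illustration of the rotation workflow the answer sketches (this is example code, not from the original thread, the Azure documentation, or any Microsoft SDK), the scheduler below models what a timer-triggered Azure Function would do for each client application: issue a replacement secret ahead of the 2-year cap, keep old and new valid during an overlap window so customers have time to switch, then retire the old one. The Key Vault and Entra calls are an assumption here and are replaced by an in-memory stand-in (`FakeVault`); in a real function the `set_secret` call would go to Key Vault's `SecretClient` and the issue/retire steps to the application's credential management API. The day counts (`MAX_VALIDITY`, `ROTATE_BEFORE`, `OVERLAP`) are constructed values chosen for the example.

```python
"""Client-secret rotation scheduler with an overlap window (added example).

Each run of rotate_if_needed() answers one question per client app:
  - no live secret        -> issue one
  - one live secret       -> issue a replacement if it expires within ROTATE_BEFORE
  - two live secrets      -> retire the older once OVERLAP has elapsed since the newer was issued
Customers are expected to pick up the newest secret during the overlap window.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
import secrets

MAX_VALIDITY = timedelta(days=730)   # constructed: mirrors the 2-year cap from the question
ROTATE_BEFORE = timedelta(days=30)   # constructed: issue the replacement this far before expiry
OVERLAP = timedelta(days=14)         # constructed: both secrets stay valid while customers migrate


@dataclass
class ClientSecret:
    secret_id: str
    value: str
    issued_at: datetime
    not_after: datetime


@dataclass
class ClientApp:
    client_id: str
    secrets: list = field(default_factory=list)  # at most two live: current and next


class FakeVault:
    """In-memory stand-in for Key Vault (assumption: real code uses SecretClient.set_secret)."""

    def __init__(self):
        self.store = {}

    def set_secret(self, name, value, expires_on):
        self.store[name] = (value, expires_on)

    def get_secret(self, name):
        return self.store[name]


def issue_secret(app, vault, now):
    """Generate a fresh secret, attach it to the app, and publish it to the vault."""
    new = ClientSecret(
        secret_id=secrets.token_hex(8),
        value=secrets.token_urlsafe(32),
        issued_at=now,
        not_after=now + MAX_VALIDITY,
    )
    app.secrets.append(new)
    # Customers fetch the current value by a stable name; the vault keeps version history.
    vault.set_secret(f"{app.client_id}-client-secret", new.value, new.not_after)
    return new


def rotate_if_needed(app, vault, now):
    """Advance one app through the rotation state machine; returns the action taken."""
    # Drop anything already expired; an expired secret is never 'live'.
    app.secrets = [s for s in app.secrets if s.not_after > now]
    if not app.secrets:
        issue_secret(app, vault, now)
        return "issued"

    newest = max(app.secrets, key=lambda s: s.issued_at)
    if len(app.secrets) == 1:
        if newest.not_after - now <= ROTATE_BEFORE:
            issue_secret(app, vault, now)
            return "issued"
        return "none"

    # Two live secrets: retire the older one once the overlap window has elapsed.
    if now - newest.issued_at >= OVERLAP:
        app.secrets = [newest]
        return "retired"
    return "none"


def run_rotation_job(apps, vault, now):
    """What a timer-triggered function would do over the whole fleet of client apps."""
    return {app.client_id: rotate_if_needed(app, vault, now) for app in apps}


if __name__ == "__main__":
    vault = FakeVault()
    app = ClientApp("app-1")
    t0 = datetime(2024, 11, 5, tzinfo=timezone.utc)
    for day in (0, 100, 700, 701, 714):
        print(day, run_rotation_job([app], vault, t0 + timedelta(days=day)))
```

The point of keeping two live secrets rather than swapping in place is that the operator never has to coordinate a cut-over with every customer at once: each customer re-reads the named vault entry at its own pace inside the overlap window, and only after that window does the old value stop working.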
