2

I've been recently struggling to use Microsoft's Azure platform (which has been an unfathomable pain in the ass). One early thing I noted was how the authentication was unexpectedly more difficult than I expected. Most web APIs I've used simply send some API key either in the URL or as an HTTP header.

I was under the impression that as long as you used HTTPS (or a similar form of encrypted communication), this would be plenty sufficient (and that was the gist I got from somewhat similar questions, like this one).

Yet, Microsoft seems to want me to use some very complicated Active Directory approach. What advantage does this have over a simple API key?

Community
  • 1
Kat
  • 411
  • 3
  • 12

1 Answers1

1

It's perfectly fine to send api keys as a header in the HTTPS request, since first SSL/TLS negotiation happens, and then the packet with the header is sent. The first packet to negotiate the SSL doesn't contain headers other than browser specific generic ones. This is secure and safe. AD however does have some power behind it, and in an all windows environment is actually a nifty tool to use.

As for specific advantages? See here for a good round up.

Some highlights:

Managing trusts: Access to multiple domains(forests too) from a single AD

Managing children: Changes to AD carry to all children of the AD

Managing users: Users in the AD are logged, kept track of, and kept secure across the AD, their domains, and anything else that is in the AD.

Robert Mennell
  • 6,978
  • 1
  • 14
  • 38