What are the main differences between Subscription Key and OAuth 2.0 in Azure API Management?

I'm looking for a way to protect my APIs in APIM, and I really don't understand the difference between Subscription Key and OAuth 2.0 using Access Token. Can we use OAuth 2.0 instead of Subscription Key, or use both?



Solution 1:[1]

As per my understanding, in simple terms:

Subscription keys are the common way to access the Azure APIs in an APIM instance.

If the API requires a subscription key for the user to access it, then we call it a secured API. Otherwise, it is an unsecured API, mostly used by the public.

But for unsecured access to certain APIs, configuring another mechanism to secure client access is recommended.

Those other mechanisms to secure access to APIs in APIM are OAuth 2.0, client certificates, and restricting caller IPs.

As DeepDave recommended, this SO thread states that:

It is not possible to use OAuth token to identify client, but you can use it for rate-limiting and logging (of sorts).

You can identify the users and their level of access (to how many products/APIs they have access) easily by using subscription keys, because they are associated with 3 scopes: Product level, All APIs level, or an individual level.

OAuth 2.0 provides an extra layer of security in both authentication and authorization.

To implement the other mechanisms, like OAuth 2.0 or others, these references are useful:

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 HariKrishnaRajoli-MT
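
An added example (not part of the original answer) of using both mechanisms on one API: the subscription key requirement stays enabled in the API's settings, and an inbound `validate-jwt` policy adds the OAuth 2.0 access token check. The tenant ID, audience and scope value below are placeholders chosen for illustration.

```xml
<!-- Constructed example: API-scope policy for an API that has
     "Subscription required" enabled in its settings.
     APIM checks the subscription key (default header:
     Ocp-Apim-Subscription-Key) before this policy runs, so the key
     identifies the subscriber and its product/API scope, while the
     token below proves who the caller is and what it may do. -->
<policies>
    <inbound>
        <base />
        <!-- Reject the request unless it carries a valid bearer token. -->
        <validate-jwt header-name="Authorization"
                      require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Access token is missing or invalid.">
            <!-- Placeholder tenant: signing keys and issuer are read
                 from the identity provider's OpenID metadata. -->
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <!-- Placeholder audience: only tokens issued for this API
                 are accepted, not tokens minted for another resource. -->
            <audiences>
                <audience>api://API-APP-ID-PLACEHOLDER</audience>
            </audiences>
            <!-- Placeholder scope: authorization check on the token's
                 space-separated "scp" claim. -->
            <required-claims>
                <claim name="scp" match="any" separator=" ">
                    <value>Orders.Read</value>
                </claim>
            </required-claims>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With this in place a client sends both the `Ocp-Apim-Subscription-Key` header and `Authorization: Bearer <token>`; turning off "Subscription required" on the API leaves the token as the only check.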