API key authentication

[Benjiiim]

Following the question in the last community standup with @JerryNixon, @yorek and @seantleonard, I'm creating the discussion here. Please let me know if I should create an Issue or something instead. :-)

What about implementing a simple API key authentication (based on a API key such as x-api-key in the header) in DAB?

The simplicity of API Key Authentication make it very popular out there. I'm aware that API key authentication is not the most secure authentication mechanism but its simplicity can help in various scenarios: server to server communication, read-only APIs, public facing APIs, non critical APIs, ...

One workaround is to have Azure API Management in front of DAB to handle the API key authentication thanks to the subscription key feature. The communication between APIM and DAB can be secured through Azure AD/Entra ID authentication thanks to APIM Managed Identity.

[JerryNixon]

This is a good example of a good feature that isn't really right for DAB because APIM and other similar tools already do this. Like API key, Data API builder could implement a load balancer across Data API endpoints, but that - too - is more than what DAB should do. It is tempting to make DAB the answer to every question, but we need to reign in scope where we can.