Exam AZ-204 topic 4 question 6 discussion

A, C https://www.examtopics.com/exams/microsoft/az-203/view/15/ https://docs.microsoft.com/en-us/azure/api-management/api-management-authentication-policies

A, D The question states that the solution MUST use the HTTP authorization header. The only two options that do are Basic Authentication (where the header would be "Authorization: Basic <auth-base64-encoded-string> or "Bearer <bearer-token-string>).

From Chatgpt: A. Basic Authentication APIM can add a Basic Authorization header by encoding a username and password. D. OAuth Client Credential Grant APIM can be configured to obtain a token using client credentials flow and include a Bearer token in the Authorization header. B. Digest Authentication Not supported by Azure API Management. C. Certificate Authentication While APIM supports client certificate authentication, this is not implemented as an Authorization header, but at the TLS layer. Does not meet the requirement of adding an HTTP Authorization header.

Basic has security issues

A. Basic Authentication D. OAuth Client Credential Grant Basic Authentication and OAuth Client Credential Grant are two policies that can be used to include a valid HTTP authorization header in every request to the backend service. Basic Authentication sends a Base64-encoded string that contains a username and password for authentication. OAuth Client Credential Grant is used when the client is requesting access to the protected resources under its control (i.e., it's own credentials), or those of another resource owner which have been previously arranged with the authorization server (the client is not impersonating the resource owner). Digest Authentication and Certificate Authentication are not typically used for sending an HTTP authorization header.

The certificate doesn't use an authorization header, it is mutual TLS(Transport Layer Security)

A and D are correct , about C Certificate Authentication is a valid form of authentication, it is not typically supported by Azure API Management for backend services

A. Basic Authentication: You can use this policy to add the Authorization header with Basic credentials. D. OAuth Client Credential Grant: You can use this policy to acquire an OAuth token and add it to the Authorization header. While Certificate Authentication (C) does indeed provide a method of authentication, it does not directly involve setting an HTTP Authorization header in the way Basic Authentication and OAuth Client Credential Grant do.

It is A and C A, Basic Authentication: the Base064 encoded username and password are in the authentication header C, Certificate base authentication: the client certificate is in the authentication header

....................

OAuth Client Credentials Grant (D), when used, will use an Authorization header being sent containing a bearer token. Basic Authentication (A) will send an Authorization header. -- Client Certificate (C) could be passed through an HTTP header but not necessarily the Authorization header.

AD. The solution must use Authorization header Basic auth and OAUTH user Bearer token auth header.

I would go with A and D. A: allows you to require clients to include a valid username and password in the HTTP authorization header. While it's a simple method, it might not be the most secure option for modern applications, as the credentials are sent with each request in base64-encoded format. D: OAuth Client Credential Grant is a flow where a client (in this case, your API Management instance) uses its own credentials (client ID and client secret) to obtain an access token from an OAuth authorization server. This access token can be included in the authorization header of requests to the backend service. This method is more secure than Basic Authentication and provides better control over authentication and authorization. B: is a challenge-response mechanism that involves a server-provided nonce. It doesn't directly match the requirement for sending an HTTP authorization header with each request. C: Certificate Authentication involves using client certificates to authenticate the client to the server. While this can be secure, it's not the same as sending an HTTP authorization header.

got this question today, answer C,D without confidence - 7/30/2023, score 895/1000

I believe it is: A - Sets the HTTP Authorization header to a corresponding value in the policy request D - Authenticates to the backend with a valid HTTP authorization header https://learn.microsoft.com/en-us/azure/api-management/authentication-managed-identity-policy

This question was in today's exam on 10-June-2023

AD is correct. https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad#configure-a-jwt-validation-policy-to-pre-authorize-requests The following example policy, when added to the <inbound> policy section, checks the value of the audience claim in an access token obtained from Azure AD that is presented in the Authorization header. Straight from the documentation