Disable an Azure API Management policy in the operation scope which is set in the product scope - azure-api-management

I am currently working with Azure API Management where I am stuck at a weird junction. My client wants product level authentication, so I have created one product and added a policy there. But now, for a particular API, it is not required.
I tried a lot of things, like deleting the Authorization header, but it is not working. Can you please suggest a solution for this?

You can remove the base tag in the inbound section of the policy for that operation. By doing that, the policy applied at product level will not be executed for that particular operation.
reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies
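As an added illustration of the answer above (constructed example, not from the original post): a product-scope policy that enforces a JWT, and the operation-scope policy that opts one operation out by omitting `<base />` from its inbound section. The OpenID configuration URL and audience are placeholders. Note that leaving out `<base />` drops every inherited inbound policy for that operation (global and API scope too, not only the product one), so anything still needed there has to be restated in the operation policy.

```xml
<!-- Product-scope policy (constructed): every operation of every API in this product must present a valid JWT -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- placeholder issuer metadata URL and audience -->
            <openid-config url="https://login.example.invalid/.well-known/openid-configuration" />
            <audiences>
                <audience>api://example-product</audience>
            </audiences>
        </validate-jwt>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>

<!-- Operation-scope policy (constructed) for the one operation that must be reachable without a token.
     There is deliberately no <base /> in <inbound>, so the product's validate-jwt (and any global/API
     inbound policies) are not evaluated for this operation. The other sections keep <base /> so
     inherited backend/outbound/on-error behaviour still applies. -->
<policies>
    <inbound>
        <!-- an unauthenticated operation still deserves a throttle; keyed per caller IP -->
        <rate-limit-by-key calls="60" renewal-period="60"
                           counter-key="@(context.Request.IpAddress)" />
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```

After saving, use the operation's "Calculate effective policy" view to confirm that the product's validate-jwt no longer appears in the effective inbound section for that operation only.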

Related

Stale Outbound Policy "<find-and-replace from="lightblue" to="orange" />"

I deleted an API that had an outbound policy to replace the string ""
I subsequently recreated the API using the same API instance with definition "https://markcolorapi.azurewebsites.net/swagger/v1/swagger.json" which created a base definition without any policy statements.
For some reason, it still applies the outbound policy. I've checked the API as well as "All Operations" but I can't seem to find where it may be getting this rule from unless it's a remnant of the one I deleted.
In Azure APIM you can apply policy at 4 levels:
Operation level
API level
Product level
Global level
If you want to verify the effective policy scope, you can select the operation and at the bottom you can see the 'calculate effective Policy' button. The effective policy will give you details about all the policies applied and from which scope they are applied.

Azure API Management - apply policy only if tag is set

I managed to configure in APIM a set of policies that do what I need (authentication). The config XML is long and dirty, but the rules should be applied to all APIs that require authentication, so I can just set them at the 'All APIs' level. But of course not all APIs require authentication. The idea is to configure them using some kind of flow control policy so that they are applied only if the API is tagged. But I didn't find a way to get the API's metadata.
So is there a way to read API metadata using APIM expressions? Or any other way to achieve the main goal?
Checking https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables again I see no way to query tag meta information while in a policy. Of course you could query tags for an API over API Management REST API itself on the way but I guess this would increase latency substantially.
For cases like this I would create an API product, put the authentication part into the product's policy and then only assign relevant APIs to this product.

In Azure API Management How are product level policies resolved for APIs when subscriptions are not required?

I have the following setup in Azure API Management:
Two products: Internal and Starter.
One api: Finance, that is included in both the above products. The Finance api also has the Subscription required checkbox cleared, so a subscription is not required.
The Internal product has a policy that does JWT validation. The Starter product does not.
In the test tab of APIs, I can choose a product scope via the Apply Product Scope dropdown. Presumably this decides which product policies are applied.
When calling the API, if I don't supply a valid token, the JWT validation kicks in and rejects my request. However, since I have no subscription key to identify the product, it could be either the Internal or Starter product - how does the system determine it should apply the Internal policy containing the jwt-validation rule rather than the Starter policy which doesn't?
When a request comes in, first the API and operation are identified. Then APIM tries to identify the subscription. If a product subscription key is provided, it's used to identify the product and its policies are executed. If an API subscription key is provided, it's checked to match the identified API and no product policies would be executed at all.
If no subscription key is present in the request, APIM checks if there is a product with Subscription required set to false, and if such a product includes the identified API. If there is such a match, the product will be used and its policies executed. If no such match is found, APIM will check if the API has Subscription required set to false, and if so then the call will proceed without a product.
The Test tab uses a special key - master key, among other things this key allows you to force a certain product to be used for a call even if API is not included into one. This is mostly useful for testing purposes, and master key should not really be used in production.
The answer is that the Starter product, whilst testable in the API screens, was marked as "Requires Subscription" at the product level, which overrides the API level setting. Because of this it was not an eligible policy.
Trying to change this setting fails with the error Product cannot be made open since it has APIs that are already part of an open product. which makes sense and removes any ambiguity.

How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?

This is a follow up to the following question:
How to prevent Ocp-Apim-Trace: true and ocp-apim-trace-location in production?
My API consumers must have a subscription key to be able to use my API.
However, I do not want them to see the detail traces provided in ocp-apim-trace-location. The detail trace provides them visibility to my internal service URLs and details that can be a potential security risk.
How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?
There is no way to disable tracing functionality; not sending this header will disable tracing collection for one request only. But do know that only admin users are capable of collecting traces: if this header is supplied along with a subscription key that does not belong to an admin account (or no subscription key at all), no traces will be collected. The idea here is that traces may expose information the service owner may not be willing to share with developers.
Actually, you could design APIs belonging to an open product to be callable anonymously.
Create a new product and uncheck Require subscription in its settings. Any API added to such a product will be callable without a key anonymously.
So that way you could let your consumer anonymously call your API without a subscription key and then eliminate tracing.
For more details, you could refer to this article.

How to set up Azure API Management for a multi-tenant API

I have multi-tenant application, which exposes some API for our customers to use. I would like to expose it using Azure API Management. Mostly to provide Development Portal to our customers, which I find very useful, and maybe use some other features.
If I understand correctly, our customers will set up their own subscription keys for authentication, which API Management proxy will validate.
Question: How can I link and identify user/subscription to the tenant of my application, to ensure that only data from this tenant are returned.
One direction I can see to explore is to use delegated sign up, which I guess will help me to link subscription to the tenant. But then still the question is how to get user id in my backend API?
Any direction to documentation or samples is very appreciated
You could create separate groups in APIM to represent your tenants and then put users into those groups using delegation hookups. Within APIM policy expressions you can reference context.User.Groups to list the groups the user making the call belongs to and forward that information to the backend.
Alternatively you could use the Note field to store the tenant name and access it as context.User.Note. Or if you're willing to store the mapping on your side, then just take an id: context.User.Id.
All of the above could be passed as a header using the set-header policy like:
<set-header name="userId" exists-action="override">
<value>@(context.User.Id)</value>
</set-header>
All scenarios would require you to have delegation setup to fill this information automatically for every new user created.
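As an added, fuller illustration of the answer above (constructed example, not from the original post): an API-scope inbound policy that refuses calls with no identified user and then forwards the user id, the Note field and the group names to the backend. The header names are arbitrary choices; `exists-action="override"` is what stops a caller from supplying these headers themselves, and the backend should still only trust them if it is reachable through APIM alone.

```xml
<policies>
    <inbound>
        <base />
        <!-- context.User is null when no subscription identified a user (e.g. an open product);
             refuse rather than forward empty tenant headers to the backend -->
        <choose>
            <when condition="@(context.User == null)">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                </return-response>
            </when>
        </choose>
        <!-- override replaces any value the caller sent, so the backend never sees a spoofed tenant -->
        <set-header name="X-User-Id" exists-action="override">
            <value>@(context.User.Id)</value>
        </set-header>
        <!-- Note field used as the tenant name, as suggested in the answer -->
        <set-header name="X-Tenant" exists-action="override">
            <value>@(context.User.Note ?? "")</value>
        </set-header>
        <!-- all group names the user belongs to, comma separated (System.Linq is available in expressions) -->
        <set-header name="X-User-Groups" exists-action="override">
            <value>@(string.Join(",", context.User.Groups.Select(g => g.Name)))</value>
        </set-header>
    </inbound>
    <backend><base /></backend>
    <outbound><base /></outbound>
    <on-error><base /></on-error>
</policies>
```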