Can we use OAuth 2 (access token) instead of Subscription Key in APIM and does it have any effect? - azure-api-management

I want to use an access token to manage users who want to access my API on APIM and remove the subscription key. Can we do that?

Both of them are header-based authentication, but in OAuth the platform will provide the access token instead of you going to the portal and getting the subscription key.
Refer to the following documentation for a more in-depth explanation.

On the settings tab there is a setting to disable the API key, called "Subscription required":
JWT token validation can be added through a policy. There are examples in the documentation:
https://learn.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT

Related

EWS OAuth using a personal Outlook account meets error: The provided resource value for the input parameter 'scope' is not valid

These are the app API permissions:
This is the OAuth 2.0 authorize URL:
https://login.microsoftonline.com/common/oauth2/v2.0/authorize?response_type=code&client_id=6cd61515-b6d8-486e-b729-8b2243f85e6d&scope=https%3A%2F%2Foutlook.office365.com%2FEWS.AccessAsUser.All&redirect_uri=https%3A%2F%2Foauth.pstmn.io%2Fv1%2Fbrowser-callback
I can get token using my work account.
I can not get token using my personal account.
Anybody know why?
According to the answer in Microsoft Q&A, personal accounts are no longer supported by EWS, so the scope is invalid.

What are the main differences between Subscription Key and OAuth 2.0 in Azure API Management?

I'm looking for a way to protect my APIs in APIM. I really don't understand the difference between Subscription Key and OAuth 2.0 using Access Token. Can we use OAuth 2.0 instead of Subscription Key, or use both?
As per my understanding,
In simple terms:
Subscription keys are the common way to access the Azure APIs in an APIM instance.
If the API requires a subscription key for the user to access it, then we call it a secured API. Otherwise, it is an unsecured API, mostly used by the public.
But for unsecured access to certain APIs, configuring another mechanism to secure client access is recommended.
The other mechanisms to secure access to APIs in APIM are OAuth 2.0, Client Certificates, and Restricting caller IPs.
As DeepDave recommended, this SO thread states that:
It is not possible to use an OAuth token to identify the client, but you can use it for rate-limiting and logging (of sorts).
You can identify the users and their level of access (to how many products/APIs they have access) easily by using subscription keys, because they are associated with 3 scopes: Product level, All APIs level, or an individual level.
OAuth 2.0 provides an extra layer of security in both Authentication and Authorization.
To implement the other mechanisms like OAuth 2.0, these references are useful:
Protect APIM using OAuth2.0
API Protecting Mechanisms in Azure
A Workaround of Protecting APIs in Azure API Management using OAuth 2.0 Client Credential Flow & test using Postman
Extra layer of security to avoid unauthorized access to APIs using OAuth 2.0
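The policy below is an added example (not code from any of the answers above, nor from Microsoft's documentation) that shows the "use both" setup discussed in the first question and in this answer: the product keeps "Requires subscription" enabled, so APIM still demands the Ocp-Apim-Subscription-Key header and identifies the registered client by it, while a validate-jwt policy enforces an OAuth 2.0 bearer token on top and the token's subject is used for per-user rate limiting and logging, which is what the quoted thread says the token is good for. The tenant id, the audience api://{api-client-id}, the scope value Files.Read, the 100 calls per 60 seconds limit and the X-Caller-Subject header name are placeholders I chose, not values from the page.

```xml
<!-- Added example policy at API scope. Subscription key enforcement is not in
     this XML: it is the product's "Requires subscription" setting, which runs
     before any inbound policy. Placeholders ({tenant-id}, {api-client-id},
     Files.Read, limits, header name) are assumptions to be replaced. -->
<policies>
  <inbound>
    <base />
    <!-- Reject requests that carry no valid bearer token. Signing keys and the
         issuer are discovered from the tenant's OpenID Connect metadata. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized. Access token is missing or invalid.">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
      <audiences>
        <!-- Only tokens minted for this API are accepted, not any token from the tenant. -->
        <audience>api://{api-client-id}</audience>
      </audiences>
      <issuers>
        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
      </issuers>
      <!-- Authorization: the delegated scope granted to the client must include
           the placeholder scope Files.Read (scp is space separated). -->
      <required-claims>
        <claim name="scp" match="any" separator=" ">
          <value>Files.Read</value>
        </claim>
      </required-claims>
    </validate-jwt>
    <!-- The token identifies the end user, the subscription key identifies the
         client application. Throttle per user by keying on the token subject;
         "anonymous" can only occur if validate-jwt is removed later, so the
         limit still applies rather than silently disappearing. -->
    <rate-limit-by-key calls="100"
                       renewal-period="60"
                       counter-key='@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "anonymous")' />
    <!-- Surface the subject to the backend for logging and correlation. -->
    <set-header name="X-Caller-Subject" exists-action="override">
      <value>@(context.Request.Headers.GetValueOrDefault("Authorization", "").AsJwt()?.Subject ?? "")</value>
    </set-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Policy expressions are written with single-quoted XML attributes here so the C# string literals inside `@(...)` keep the document well-formed. If the API is meant to be called with the token alone, as in the first question, untick "Requires subscription" on the product or API and keep the validate-jwt block; the rate-limit-by-key counter then becomes the only per-caller control, so do not remove it at the same time.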

How to bypass Subscription Key for a single endpoint in the API in Azure API Management

I would like to avoid providing a Subscription Key for a single endpoint in my API. So far I found that I can disable Subscription for the whole Product or API, which is not what I want. Is this even possible?
The only way which comes to my mind is another API and Product exposing only this single endpoint (obviously without subscription).
To summarize from the comments: currently we can't implement your requirement of disabling "subscription" for one endpoint of an API in APIM.
The workaround is what you mentioned: create another API or product for the endpoint and disable the "subscription".
Another workaround is to disable the "subscription" for all endpoints in the API, and add a query parameter (or header parameter) for the endpoints (except the only one endpoint) as a "subscription key". Then check the subscription key in the "inbound" policy of those endpoints.
For this feature, you can also create a ticket on the Azure feedback page to suggest the Azure development team add it.
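The second workaround in this answer, written out as an added example policy (mine, not the answerer's): "Requires subscription" is turned off on the API, and an API-scope inbound policy demands a header on every operation except the one that must stay public. The operation id health, the header name X-Api-Key and the named value api-shared-key are placeholders I chose.

```xml
<!-- Added example, API scope. Assumes "Requires subscription" is disabled on
     this API, that the public operation has the id "health", and that a
     secret named value "api-shared-key" holds the key (placeholders). -->
<policies>
  <inbound>
    <base />
    <choose>
      <!-- Every operation except the public one must present the shared key.
           Comparing by operation id keeps the exception in one place instead
           of repeating the check in each operation's policy. -->
      <when condition='@(context.Operation.Id != "health")'>
        <!-- The key is read from a named value, never pasted into the policy
             XML, so it can be rotated without editing the policy. -->
        <check-header name="X-Api-Key"
                      failed-check-httpcode="401"
                      failed-check-error-message="Missing or invalid API key."
                      ignore-case="false">
          <value>{{api-shared-key}}</value>
        </check-header>
      </when>
    </choose>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

The caveat a practitioner should weigh before choosing this over the separate-product workaround: a check-header key is one shared secret for all callers, so the per-subscriber identification, quota and revocation that subscription keys give you are lost, and rotating the named value cuts off every caller at once. The separate API or product for the single endpoint keeps real subscriptions for everything else.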

Azure API Management - How to change default error message for invalid subscription key

We have configured APIM and pointed it to API endpoints deployed in a WebApp.
We have configured products, subscription keys, APIs, and operations for the same.
For APIM endpoints, it is necessary for the developer to pass a subscription key; if it is not passed, APIM will return HTTP 401 with the below error message:
Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.
Is there any way we can change this to a custom message as required by the business team?
Use the choose policy inside the on-error section to identify the scenario (you can inspect context.LastError.Reason), and the return-response policy to provide a custom response.
There is currently no way to do this. Please vote for this request on Azure's feedback forum:
Customize error schema messages
Edit: @Vitaliy Kurokhtin's answer is a workaround, although you need to keep in mind that where you define the error policy (All APIs level, API level, Operation level) will impact whether or not the on-error policy you defined gets invoked.
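The approach from the first answer, as an added example policy (mine, not the answerers'): the on-error section inspects context.LastError and replaces the built-in subscription key message with a business-friendly JSON body. The reason values SubscriptionKeyNotFound and SubscriptionKeyInvalid are the ones APIM documents for missing and invalid keys; the response body text is a placeholder.

```xml
<!-- Added example, defined at the All APIs (global) scope. The error is raised
     before APIM has matched a product or API, so an on-error section at a
     narrower scope may never run for it (this is the caveat in the edit above). -->
<policies>
  <inbound>
    <base />
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
    <choose>
      <!-- Both subscription-key failures share the "SubscriptionKey" prefix:
           SubscriptionKeyNotFound (header absent) and SubscriptionKeyInvalid
           (header present but not an active key). -->
      <when condition='@(context.LastError.Reason.StartsWith("SubscriptionKey"))'>
        <return-response>
          <set-status code="401" reason="Unauthorized" />
          <set-header name="Content-Type" exists-action="override">
            <value>application/json</value>
          </set-header>
          <!-- Keep the message generic (do not echo the key or reveal which
               check failed); the request id lets support correlate the call
               with the gateway logs. -->
          <set-body>@("{\"error\":\"Your request could not be authorized. Contact the API support team and quote request id " + context.RequestId + ".\"}")</set-body>
        </return-response>
      </when>
    </choose>
  </on-error>
</policies>
```

Any error whose reason does not start with SubscriptionKey falls through the choose and is still handled by the inherited base policy, so backend and JWT failures keep their existing responses.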

Azure API Management: Is it possible to disable Subscription Key?

Is it a must that the Subscription Key is sent as part of the request when calling through API Management? Is there a way to disable this option?
Create a new product and uncheck "Require subscription" in its settings. Any API added to such product will be callable without a key, i.e. anonymously.