Is there a way to have an Inbound policy working at ALL APIs level, even for APIs and operations that are not directly defined within APIs?
For now it looks like a call to a non-existing API/operation causes an error, which jumps into the on-error part, ignoring all other steps...
I am currently working with Azure API Management where I am stuck at a weird junction. My client wants product-level authentication, so I have created one product and added a policy there. But now, for a particular API, it is not required.
I tried a lot of things, like deleting the Authorization header, but it is not working. Can you please suggest a solution for this?
You can remove the base tag in the inbound section of the policy for that operation. By doing that, the policy applied at product level will not be executed for that particular operation.
Reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies
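The approach above, written out as an added example (not taken from the answer or from Microsoft's documentation): a product-level policy that validates a JWT on every inbound call, and an operation-level policy for the single anonymous operation that omits the base tag so the product's inbound section is never inherited. Product name, tenant id and audience are placeholders.

```xml
<!-- Product-level policy (example; "secured-product" is an assumed name).
     Every API in this product inherits this inbound section via <base />
     in the API- and operation-level policies. -->
<policies>
    <inbound>
        <base />
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized">
            <!-- {tenant-id} is a placeholder for the real tenant -->
            <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- placeholder audience; use the API's registered app id -->
                <audience>api://placeholder-app-id</audience>
            </audiences>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Operation-level policy for the one operation that must stay anonymous.
     <base /> is deliberately omitted from <inbound>, so neither the
     product-level validate-jwt nor the API- or global-level inbound
     policies run for this operation. The other sections keep <base />
     so outbound/error handling from the parent scopes still applies. -->
<policies>
    <inbound>
        <!-- no <base /> here: parent inbound policies are skipped -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Dropping the base tag skips every inherited inbound policy for that operation, not only the authentication one, so any rate limits, IP filters or CORS rules set at the product, API or global scope have to be restated in the operation policy if they are still wanted; the "Calculate effective policy" view on the operation shows what actually remains in force.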
I'm using Open Source FHIR Server on Azure. I have an Azure API Manager and all access to the FHIR server has to go through this. I want some users only to do GETs but others to do GET, PUT, POST etc. I expected to apply a Product to each call within the API but it seems this level of fine grained control is not possible, Product applies across the whole API. What am I missing?
I deleted an API that had an outbound policy to replace the string ""
I subsequently recreated the API using the same API instance with definition "https://markcolorapi.azurewebsites.net/swagger/v1/swagger.json" which created a base definition without any policy statements.
For some reason, it still applies the outbound policy. I've checked the API as well as "All Operations", but I can't seem to find where it may be getting this rule from, unless it's a remnant of the one I deleted.
In Azure APIM you can apply policy at 4 levels:
Operation level
API level
Product level
Global level
If you want to verify the effective policy scope, you can select the operation, and at the bottom you can see the 'Calculate effective policy' button. The effective policy will give you details about all the policies applied and from which scope they are applied.
I managed to configure in APIM a set of policies that do what I need (authentication). The config XML is long and dirty, but the rules should be applied to all APIs that require authentication, so I can just set them at the 'All APIs' level. But of course not all APIs require authentication. The idea is to configure them using some kind of flow-control policy so that they are applied only if the API is tagged. But I didn't find a way to get the APIs' metadata.
So is there a way to read the APIs' metadata using APIM expressions? Or any other way to achieve the main goal?
Checking https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables again I see no way to query tag meta information while in a policy. Of course you could query tags for an API over API Management REST API itself on the way but I guess this would increase latency substantially.
For cases like this I would create an API product, put the authentication part into the product's policy and then only assign relevant APIs to this product.
Our application uses the drive.file scope to make sure we only can see files of our users that have been created by our application.
However, a 'list' call returns files that have been shared with the user even though they are not created by our application.
That can be easily verified in the "Try it!" section of files/list API documentation.
Authorize with drive.file scope and run a simple list query without any parameters. That should return an empty list but in my case returns dozens of files that have been shared with me.
There was the same issue before (a slight variation only affecting queries with q parameter set): Listing files with search query returns out-of-scope results (drive.files.list call, using drive.files scope)
It has been fixed in the meantime but now it seems to be back for all list queries. It's problematic not mainly because it breaks our app that expects nothing but its own files. There is the privacy problem because I can suddenly see the file names of our users' private data, which they have never agreed to.
I believe this issue is due to the behavior of API Explorer, not the Drive API itself. If API Explorer already has a token with OAuth scopes capable of making the call, it will use that, so if you previously gave API Explorer a scope that can see all user files, you'll get them all back. Try revoking ALL Explorer tokens for your account at:
https://accounts.google.com/b/0/IssuedAuthSubTokens?hl=en
then, after clearing all cookies/sessions for developers.google.com, try creating a new token with only the drive.file scope and attempt your API call again.
You should also note that files that are publicly shared will be returned.