I deleted an API that had an outbound policy to replace the string ""
I subsequently recreated the API using the same API instance with definition "https://markcolorapi.azurewebsites.net/swagger/v1/swagger.json" which created a base definition without any policy statements.
For some reason, it still applies the outbound policy. I've checked the API as well as "All Operations" but I can't seem to find where it may be getting this rule from unless its a remnant of the one I deleted.
In Azure APIM you can apply policy at 4 levels:
Operation level
API level
Product level
Global level
If you want to verify the effective policy scope, you can select the operation and at the bottom you can see the 'calculate effective Policy' button. The effective policy will give you details about all the policies applied and from which scope they are applied.
Related
I am currently working with Azure API managemnet where I am stuck at a wired junction. My client wants Product level authentication, so I have created one product and added a policy there. But, now for an particular api the it is not required.
I tried a lot of thing like, deleteing the authorization header but it is not working. can you please suggest a solution for this.
you can remove the base tag in the inbound section of the policy for that operation by doing that the policy applied at product level will not be executed for the particular operation.
reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies
I managed to configure in APIM a set of policies that do what I need (authentication). The config XML is long and dirty, but the rules should be applied to all APIs that require authentication, so I can just set them on 'All APIs' level. But of course not all APIs require authentication. The idea is to configure them using some kind of flow control policy so that they are applied only if API is tagged. But I didn't found a way how to get the APIs metadata.
So is there a way the read APIs metadata using APIM expressions? Or any other way to achieve the main goal?
Checking https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables again I see no way to query tag meta information while in a policy. Of course you could query tags for an API over API Management REST API itself on the way but I guess this would increase latency substantially.
For cases like this I would create an API product, put the authentication part into the product's policy and then only assign relevant APIs to this product.
We have configured APIM and point it to API endpoints which is deployed in WebApp.
We have configured products, subscription keys, APIS, Operations for the same.
For APIM endpoints, it is necessary for developer to pass subscription key, if not passed, APIM will return HTTP 401 with below error message
Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.
Is there any way, we can change this with custom message as required by business team?
Use choose policy inside on-error section to identify the scenario (you can inspect context.LastError.Reason), and return-response policy to provide custom response.
There is currently no way to do this. Please vote for this request on Azure's feedback forum:
Customize error schema messages
Edit: #Vitaliy Kurokhtin answer is a work-around, although you need to keep in mind where you define the error policy (All APIs level, API level, Operation level) will impact whether or not the On Error policy you defined will get invoked
I have the following setup in Azure API Management:
Two products: Internal and Starter.
One api: Finance, that is included in both the above products. The Finance api also has the Subscription required checkbox cleared, so a subscription is not required.
The Internal product has a policy that does JWT validation. The Starter product does not.
In the test tab of APIs, I can choose a product scope via the Apply Product Scope dropdown. Presumably this decides which product policies are applied.
When calling the API, if I don't supply a valid token, the JWT validation kicks in and rejects my request. However, since I have no subscription key to identify the product, it could be either the Internal or Starter product - how does the system determine it should apply the Internal policy containing the jwt-validation rule rather than the Starter policy which doesn't?
When request comes in, first API and operation are identified. Then APIM tries to identify subscription. If product subscription key is provided, it's used to identify product and it's policies are executed. If API subscription key is provided, it's checked to match identified API and no product policies would be executed at all.
If no subscription key is present in request, APIM checks if there is a product with Subscription required set to false, and if such product includes identified API. If there is such match, product will be used and it's policies executed. If no such match found, APIM will check if API has Subscription required set to false, and if so then call will proceed without product.
The Test tab uses a special key - master key, among other things this key allows you to force a certain product to be used for a call even if API is not included into one. This is mostly useful for testing purposes, and master key should not really be used in production.
The answer is that the Starter product, whilst testable in the API screens, was marked as "Requires Subscription" at the product level, which overrides the API level setting. Because of this it was not an eligible policy.
Trying to change this setting fails with the error Product cannot be made open since it has APIs that are already part of an open product. which makes sense and removes any ambiguity.
This is a follow up to the following question:
How to prevent Ocp-Apim-Trace: true and ocp-apim-trace-location in production?
My API consumers must have a subscription key to be able to use my API.
However, I do not want them to see the detail traces provided in ocp-apim-trace-location. The detail trace provides them visibility to my internal service URLs and details that can be a potential security risk.
How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?
There is no way to disable tracing funtionality, not sending this header will disable tracing collection for one request only. But do know, that only admin users are capable of collecting traces, if this header is supplied along with subscription key that does not belong to admin account (or no subscription key at all) no traces will be collected. The idea here is that traces may expose information service owner may not be willing to share with developers.
Actually, you could design APIs belong to an open product to be callable anonymously.
Create a new product and uncheck Require subscription in its settings. Any API added to such product will be callable without a key anonymously.
So that you could let your consumer anoymously call your API without subscription key and then eliminate tracing.
For more details, you could refer to this article.