How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key? - azure-api-management

This is a follow up to the following question:
How to prevent Ocp-Apim-Trace: true and ocp-apim-trace-location in production?
My API consumers must have a subscription key to be able to use my API.
However, I do not want them to see the detail traces provided in ocp-apim-trace-location. The detail trace provides them visibility to my internal service URLs and details that can be a potential security risk.
How to eliminate tracing (prevent Ocp-Apim-Trace) when the call includes a subscription key?

There is no way to disable tracing functionality; not sending this header will disable tracing collection for one request only. But do know that only admin users are capable of collecting traces: if this header is supplied along with a subscription key that does not belong to an admin account (or with no subscription key at all), no traces will be collected. The idea here is that traces may expose information the service owner may not be willing to share with developers.
Actually, you could design APIs belonging to an open product to be callable anonymously.
Create a new product and uncheck Require subscription in its settings. Any API added to such a product will be callable without a key anonymously.
So you could let your consumer anonymously call your API without a subscription key and then eliminate tracing.
For more details, you could refer to this article.

Related

Disable an Azure API Management policy in the operation scope which is set in the product scope

I am currently working with Azure API Management where I am stuck at a weird junction. My client wants product-level authentication, so I have created one product and added a policy there. But now, for a particular API, it is not required.
I tried a lot of things, like deleting the authorization header, but it is not working. Can you please suggest a solution for this?
You can remove the base tag in the inbound section of the policy for that operation. By doing that, the policy applied at product level will not be executed for that particular operation.
reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies

How to bypass Subscription Key for single endpoint in the API in Azure API Management

I would like to avoid providing a Subscription Key for a single endpoint in my API. So far I found that I can disable Subscription for the whole Product or API, which is not what I want. Is this even possible?
The only way which comes to my mind is another API and Product exposing only this single endpoint (obviously without subscription).
To summarize from the comments, currently we can't implement your requirement of disabling "subscription" for one endpoint of an API in APIM.
The workaround is what you mentioned: create another API or product for the endpoint and disable the "subscription".
Another workaround is to disable the "subscription" for all endpoints in the API and add a query parameter (or header parameter) for the endpoints (except the one open endpoint) as a "subscription key". Then check the subscription key in the "inbound" policy of those endpoints.
For this feature, you can also create a ticket on the Azure feedback page to suggest that the Azure development team add it.
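The two answers above (dropping `<base />` at operation scope, and replacing the built-in subscription check with a header check in an inbound policy) fit together as one configuration. The following is an added example, not code from either answer: two separate policy documents, the first at API scope and the second at operation scope for the single open endpoint. The header name `X-Api-Key` and the named value `internal-api-key` are assumptions; store the key as a secret named value rather than pasting it into the policy. Quotes inside attribute values are written as `&quot;` so the document stays well-formed XML.

```xml
<!-- Policy document 1: API scope. Every operation of the API inherits this
     check through its own <base /> unless it deliberately omits it. -->
<policies>
    <inbound>
        <base />
        <!-- Subscription required is cleared on the API, so APIM no longer validates
             a key. Re-create a minimal check against a single shared secret held in
             the named value {{internal-api-key}} (assumed name; mark it as secret). -->
        <choose>
            <when condition="@(context.Request.Headers.GetValueOrDefault(&quot;X-Api-Key&quot;, &quot;&quot;) != &quot;{{internal-api-key}}&quot;)">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"unauthorized","message":"Missing or invalid API key."}</set-body>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Policy document 2: operation scope for the one endpoint that must stay open.
     The inbound section has no <base />, so the API-level key check above does not
     run for this operation. Note that this also skips the product-level and global
     inbound policies (rate limits, CORS, IP filters) for this operation, because
     <base /> is the only thing that pulls parent scopes in. -->
<policies>
    <inbound>
        <!-- intentionally no <base /> -->
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Two trade-offs are worth stating before choosing this over the separate-product approach: the shared header is one secret for all callers, so APIM can no longer attribute traffic to an individual subscription in analytics or revoke one consumer without rotating the key for everyone; and anything the global or product scope enforces must be re-added by hand in the open operation's inbound section.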

Azure API Management - How to change default error message for invalid subscription key

We have configured APIM and pointed it to API endpoints which are deployed in a WebApp.
We have configured products, subscription keys, APIs, and operations for the same.
For APIM endpoints, it is necessary for the developer to pass a subscription key; if it is not passed, APIM will return HTTP 401 with the below error message:
Access denied due to invalid subscription key. Make sure to provide a valid key for an active subscription.
Is there any way, we can change this with custom message as required by business team?
Use choose policy inside on-error section to identify the scenario (you can inspect context.LastError.Reason), and return-response policy to provide custom response.
There is currently no way to do this. Please vote for this request on Azure's feedback forum:
Customize error schema messages
Edit: @Vitaliy Kurokhtin's answer is a work-around, although you need to keep in mind that where you define the error policy (All APIs level, API level, Operation level) will impact whether or not the On Error policy you defined will get invoked.
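The work-around described in the answers above (a `choose` inside `on-error` that inspects `context.LastError.Reason` and answers with `return-response`), written out as an added example that is not part of either answer. The reason string `SubscriptionKeyInvalid` is an assumption: before relying on it, put a temporary `<when>` that returns `context.LastError.Reason` in the body, trigger the failure with a bad key, and confirm the exact value. Because the answer above notes that the scope determines whether the section runs at all, start at the All APIs (global) scope for a subscription-key failure and only narrow it once you have seen it fire.

```xml
<policies>
    <inbound>
        <base />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
        <!-- Only the subscription-key failure is rewritten; every other error falls
             through and keeps the gateway's default response. -->
        <choose>
            <when condition="@(context.LastError != null &amp;&amp; context.LastError.Reason == &quot;SubscriptionKeyInvalid&quot;)">
                <return-response>
                    <!-- Keep 401 so clients and monitoring still see an auth failure. -->
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <!-- One message for every key problem (unknown key, suspended
                         subscription, expired key): do not tell a caller which one it was. -->
                    <set-body>{"error":"unauthorized","message":"A valid API key is required for this service."}</set-body>
                </return-response>
            </when>
        </choose>
    </on-error>
</policies>
```

The `&amp;&amp;` is the XML escaping of `&&`; the gateway decodes it before compiling the expression. Leaving out an `<otherwise>` branch is deliberate: when no `<when>` matches and nothing returns a response, APIM emits its standard error body, so the custom text only ever replaces the one case you intended.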

In Azure API Management How are product level policies resolved for APIs when subscriptions are not required?

I have the following setup in Azure API Management:
Two products: Internal and Starter.
One api: Finance, that is included in both the above products. The Finance api also has the Subscription required checkbox cleared, so a subscription is not required.
The Internal product has a policy that does JWT validation. The Starter product does not.
In the test tab of APIs, I can choose a product scope via the Apply Product Scope dropdown. Presumably this decides which product policies are applied.
When calling the API, if I don't supply a valid token, the JWT validation kicks in and rejects my request. However, since I have no subscription key to identify the product, it could be either the Internal or Starter product - how does the system determine it should apply the Internal policy containing the jwt-validation rule rather than the Starter policy which doesn't?
When a request comes in, first the API and operation are identified. Then APIM tries to identify the subscription. If a product subscription key is provided, it's used to identify the product and its policies are executed. If an API subscription key is provided, it's checked to match the identified API and no product policies would be executed at all.
If no subscription key is present in the request, APIM checks if there is a product with Subscription required set to false, and if such a product includes the identified API. If there is such a match, the product will be used and its policies executed. If no such match is found, APIM will check if the API has Subscription required set to false, and if so then the call will proceed without a product.
The Test tab uses a special key, the master key; among other things this key allows you to force a certain product to be used for a call even if the API is not included in one. This is mostly useful for testing purposes, and the master key should not really be used in production.
The answer is that the Starter product, whilst testable in the API screens, was marked as "Requires Subscription" at the product level, which overrides the API level setting. Because of this it was not an eligible policy.
Trying to change this setting fails with the error Product cannot be made open since it has APIs that are already part of an open product. which makes sense and removes any ambiguity.

How to set up Azure API Management for multi-tenant API

I have multi-tenant application, which exposes some API for our customers to use. I would like to expose it using Azure API Management. Mostly to provide Development Portal to our customers, which I find very useful, and maybe use some other features.
If I understand correctly, our customers will set up their own subscription keys for authentication, which API Management proxy will validate.
Question: How can I link and identify a user/subscription to the tenant of my application, to ensure that only data from this tenant is returned?
One direction I can see to explore is to use delegated sign up, which I guess will help me to link subscription to the tenant. But then still the question is how to get user id in my backend API?
Any direction to documentation or samples is very appreciated
You could create separate groups in APIM to represent your tenants and then put users into those groups using delegation hookups. Within APIM policy expressions you can reference context.User.Groups to list the groups the user making the call belongs to and forward that information to the backend.
Alternatively you could use the Note field to store the tenant name and access it as context.User.Note. Or, if you're willing to store the mapping on your side, then just take an id: context.User.Id.
All of the above could be passed as a header using the set-header policy like:
<set-header name="userId">
<value>@(context.User.Id)</value>
</set-header>
All scenarios would require you to have delegation setup to fill this information automatically for every new user created.
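The group-based variant of the answer above, as an added example that is not part of the original answer. It assumes each tenant is represented by an APIM group named `tenant-<name>` and that delegation places every developer in exactly one such group; the header names `X-Tenant` and `X-User-Id` are also assumptions. The part the short snippet above does not show is the hardening a practitioner needs: `exists-action="override"` so a caller cannot smuggle in their own `X-Tenant` header, a null check for anonymous calls, and a refusal when the user is in zero or more than one tenant group instead of silently picking one.

```xml
<policies>
    <inbound>
        <base />
        <!-- Collect the tenant names from the caller's APIM groups. context.User is
             null for anonymous calls, so default to an empty array in that case.
             Assumption: groups are named "tenant-<name>". -->
        <set-variable name="tenantNames" value="@(context.User == null ? new string[0] : context.User.Groups.Where(g => g.Name.StartsWith(&quot;tenant-&quot;)).Select(g => g.Name.Substring(7)).ToArray())" />
        <!-- Exactly one tenant or the request is refused. Zero means delegation never
             placed the user; more than one means an ambiguous mapping that the backend
             must not be asked to guess at. -->
        <choose>
            <when condition="@(((string[])context.Variables[&quot;tenantNames&quot;]).Length != 1)">
                <return-response>
                    <set-status code="403" reason="Forbidden" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"forbidden","message":"Caller is not mapped to a single tenant."}</set-body>
                </return-response>
            </when>
        </choose>
        <!-- override replaces any X-Tenant / X-User-Id the client sent, so the backend
             only ever sees values the gateway derived from the subscription. -->
        <set-header name="X-Tenant" exists-action="override">
            <value>@(((string[])context.Variables["tenantNames"])[0])</value>
        </set-header>
        <set-header name="X-User-Id" exists-action="override">
            <value>@(context.User.Id)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

These headers are only trustworthy if the backend accepts them from the gateway alone; if the WebApp is reachable directly, the same headers can be forged by anyone, so restrict the backend to gateway traffic (network rules, a gateway client certificate, or a backend-only secret header) before relying on `X-Tenant` for data isolation.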