In Azure API Management How are product level policies resolved for APIs when subscriptions are not required?
I have the following setup in Azure API Management:

Two products: Internal and Starter.

One API: Finance, that is included in both the above products. The Finance API also has the Subscription required checkbox cleared, so a subscription is not required.

The Internal product has a policy that does JWT validation. The Starter product does not.

In the test tab of APIs, I can choose a product scope via the Apply Product Scope dropdown. Presumably this decides which product policies are applied.

When calling the API, if I don't supply a valid token, the JWT validation kicks in and rejects my request. However, since I have no subscription key to identify the product, it could be either the Internal or Starter product - how does the system determine it should apply the Internal policy containing the jwt-validation rule rather than the Starter policy which doesn't?

Angelicangelica answered 15/8, 2019 at 15:36 Comment(0)
When a request comes in, first the API and operation are identified. Then APIM tries to identify the subscription. If a product subscription key is provided, it's used to identify the product and its policies are executed. If an API subscription key is provided, it's checked to match the identified API and no product policies are executed at all.

If no subscription key is present in the request, APIM checks if there is a product with Subscription required set to false, and if such a product includes the identified API. If there is such a match, that product will be used and its policies executed. If no such match is found, APIM will check if the API has Subscription required set to false, and if so the call will proceed without a product.

The Test tab uses a special key, the master key. Among other things this key allows you to force a certain product to be used for a call even if the API is not included in one. This is mostly useful for testing purposes, and the master key should not really be used in production.

Weightless answered 19/8, 2019 at 0:2 Comment(3)
Thanks for the comprehensive explanation. - Angelicangelica
Are you able to specify where this is documented? - Selestina
I don't believe this is documented anywhere explicitly. - Weightless
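The resolution order described in this answer, written out as a small simulation (an added example, not APIM's own code or anything from Microsoft's documentation). Product, API and key names are constructed to mirror the question's setup; the rule that a product key must name a product that includes the API is an assumption, not something the answer states.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Product:
    name: str
    subscription_required: bool
    apis: frozenset            # names of the APIs included in this product
    policies: tuple = ()       # product-scope policies, e.g. ("validate-jwt",)

@dataclass
class Api:
    name: str
    subscription_required: bool

@dataclass
class Resolution:
    accepted: bool
    product: Optional[str]     # product whose policies run, if any
    policies: tuple            # product-scope policies that would execute
    reason: str

def resolve(api, products, keys, key=None):
    """Simulate APIM product selection. `keys` maps a subscription key to
    ("product", name) or ("api", name); `key` is the key on the request."""
    by_name = {p.name: p for p in products}
    if key is not None:
        scope, name = keys.get(key, (None, None))
        if scope == "product":
            product = by_name[name]
            if api.name not in product.apis:   # assumption: product must contain the API
                return Resolution(False, None, (), "product does not include API")
            return Resolution(True, product.name, product.policies, "product key")
        if scope == "api" and name == api.name:
            return Resolution(True, None, (), "api key: no product policies")
        return Resolution(False, None, (), "unknown or mismatched key")
    # No key: first look for an open product that includes this API.
    open_products = [p for p in products if not p.subscription_required and api.name in p.apis]
    if open_products:
        p = open_products[0]
        return Resolution(True, p.name, p.policies, "open product")
    if not api.subscription_required:          # open API, no product at all
        return Resolution(True, None, (), "open API, no product")
    return Resolution(False, None, (), "subscription required")

# Constructed setup from the question: Internal is open and validates JWTs,
# Starter requires a subscription, Finance is an open API in both products.
FINANCE = Api("Finance", subscription_required=False)
PRODUCTS = (Product("Internal", False, frozenset({"Finance"}), ("validate-jwt",)),
            Product("Starter", True, frozenset({"Finance"})))
KEYS = {"starter-key": ("product", "Starter"), "finance-key": ("api", "Finance")}
```

With no key on the request the simulation lands on Internal, so `validate-jwt` runs; a Starter product key or a Finance API key bypasses it.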
The answer is that the Starter product, whilst testable in the API screens, was marked as "Requires Subscription" at the product level, which overrides the API level setting. Because of this it was not an eligible policy.

Trying to change this setting fails with the error "Product cannot be made open since it has APIs that are already part of an open product.", which makes sense and removes any ambiguity.

Angelicangelica answered 15/8, 2019 at 15:52 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.