Can we expose API Management endpoints in Azure without the opim-subscription keys?

5

13

Can we have an API Management endpoint exposed without the subscription key sent as a part of the headers?

Stutman answered 15/12, 2016 at 5:40 Comment(1)
Do you want API management, but let the API be completely open for all, or what is your intention? – Musgrove
11

It is possible to achieve this; you can do so via the product the API is associated with.

In the Publisher Portal go to the products menu and select the product the API is associated with (or even set up a new product just for the usage without the subscription key). Then select the settings tab and uncheck the Require Subscription checkbox and then save the settings.

Updated following comment by @sdementen: Please be aware that in doing so, you will lose all metrics associated with the different users and any other functions that you may wish to apply differently to different consumers.

Clothes answered 15/12, 2016 at 11:14 Comment(2)
This somehow doesn't work for me. I created an API with one mocked operation in API Management, created a product which doesn't require a subscription and added the API to this product. Now when I call this operation without the Ocp-Apim-Subscription-Key header, I get an HTTP 500 internal service error, and if I just add this header, it works. If I go to the product settings and check the "Requires subscription" checkbox again, I get HTTP 401 "Access denied..." as expected. – Melissiamelita
The last sentence may be a bit misleading. If you use an Open Product (i.e. a product without API key), but you require some other way to authenticate (basic auth, JWT, etc.), you can still benefit from "rate limiting", "quotas", "metrics", etc. For instance, for logs, you can create via policies a header with the user identification (username, sub claim, etc.) and send this header to logs. For rate limiting, you can use the username, etc. as the key. – Pleasantry
10

There is a very simple way to do this via the API Management interface.

On the APIs page, select your API, then click on the "Settings" tab. Scroll down to the "Subscription" section and uncheck the "Subscription required" option.

You will now be able to call your API without providing the subscription key either in the headers or as part of the query string.

API Management screenshot

Endoenzyme answered 12/5, 2020 at 7:49 Comment(1)
But this is for the entire API? How can we achieve this for just one endpoint? – Negotiant
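An added example, not part of any answer above: a small audit that reads an exported ARM template and lists the APIs that can be called without a subscription key, either because they sit in an open product (the product-level checkbox) or because the API's own "Subscription required" setting is off. The template below is constructed, all resource names are placeholders, and the property name `subscriptionRequired` is taken from the ARM schema for API Management products and APIs.

```python
import json

# Constructed ARM-template excerpt for illustration; all names are placeholders.
SAMPLE_TEMPLATE = json.loads("""
{"resources": [
 {"type": "Microsoft.ApiManagement/service/products", "name": "apim-demo/open-product",
  "properties": {"subscriptionRequired": false}},
 {"type": "Microsoft.ApiManagement/service/products", "name": "apim-demo/starter",
  "properties": {"subscriptionRequired": true}},
 {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-demo/echo-api",
  "properties": {"path": "echo", "subscriptionRequired": true}},
 {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-demo/orders-api",
  "properties": {"path": "orders", "subscriptionRequired": true}},
 {"type": "Microsoft.ApiManagement/service/apis", "name": "apim-demo/health-api",
  "properties": {"path": "health", "subscriptionRequired": false}},
 {"type": "Microsoft.ApiManagement/service/products/apis",
  "name": "[concat(parameters('service_name'), '/open-product/echo-api')]"},
 {"type": "Microsoft.ApiManagement/service/products/apis",
  "name": "apim-demo/starter/orders-api"},
 {"type": "Microsoft.ApiManagement/service/products/apis",
  "name": "apim-demo/starter/health-api"}
]}
""")

PREFIX = "Microsoft.ApiManagement/service/"

def keyless_apis(template):
    """Return {api_name: reason} for APIs callable without a subscription key."""
    open_products, api_required, links = set(), {}, []
    for res in template.get("resources", []):
        rtype = res.get("type", "")
        # Exported names are often concat(...) expressions; drop the trailing "')]".
        parts = res.get("name", "").rstrip("')]").split("/")
        props = res.get("properties", {})
        if rtype == PREFIX + "products":
            # A missing flag is treated as "subscription required" (closed product).
            if props.get("subscriptionRequired", True) is False:
                open_products.add(parts[-1])
        elif rtype == PREFIX + "apis":
            # Assumption: a missing flag on an API also means a key is required.
            api_required[parts[-1]] = props.get("subscriptionRequired", True)
        elif rtype == PREFIX + "products/apis":
            links.append((parts[-2], parts[-1]))  # (product, api)
    findings = {}
    for api, required in api_required.items():
        via = sorted(p for p, a in links if a == api and p in open_products)
        if via:
            findings[api] = "open product: " + ", ".join(via)
        elif required is False:
            findings[api] = "API setting 'Subscription required' is off"
    return findings
```

Every API it reports needs another control (JWT validation, IP filtering, rate limiting by caller identity) if it is not meant to be public.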
6

Another option is to send the subscription key in the URL. If you go to the developer portal and download the Swagger document of your API, you will see this:

    {
        "name": "subscription-key",
        "in": "query",
        "description": "subscription key in url",
        "type": "string"
    },
    {
        "name": "Ocp-Apim-Subscription-Key",
        "in": "header",
        "description": "subscription key in header",
        "type": "string"
    }

API Management also accepts a subscription key in the query string.

Melanesian answered 4/1, 2017 at 15:27 Comment(1)
Thank you!!! PS: for anyone else reading, if passing the subscription key via the URL, use Subscription-Key={yourkey} instead of Ocp-Apim-Subscription-Key={yourkey} – Goosefish
1

I tried creating a new product that does not require a subscription. I updated one of my APIs such that it was only associated with this new product. When I tested it, I got a 400-level error (I think a 401) that complained about the request not having a subscription ID.

I contacted Azure support about this, and found out that it is a known bug. Copy/pasting the response here:

While investigating your issue, it seems that your APIM service has encountered a known bug. Due to this bug, turning a product from closed (requiring a subscription) to open (does not require a subscription) does not always properly take effect. However, this can easily be fixed by rebooting the VM the APIM service is hosted on. You can do this by going to the VNET blade on the left side navigation menu under the APIM and pressing the "Apply network configuration" button at the top. This reboots the Dev SKU VM and should put you in the proper position to not need subscription keys.

Upon rebooting, the APIM should be down for about 5 minutes, with 15 minutes being the maximum it should take to reset the VNET. When the APIM comes back up, it may need an additional, small amount of time to settle itself (maybe 5-10 minutes), then it should be good to go as desired.

Astatine answered 19/2, 2019 at 13:47 Comment(0)
0

Microsoft has added a new scope for ocip-subscription-key in Azure APIM which bypasses the product scope. We can use this key in the test console.

https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions

Now the problem is that there is no way I can remove this key. If I send a request from Postman with this key in the header, my API bypasses the Authorization header which is set at product level and calls my API.

I have restricted this header in my API with the code below:

    <!-- Require an Authorization header; respond 401 if it is missing -->
    <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false" />
    <!-- Reject any request that carries an Ocp-Apim-Subscription-Key header -->
    <choose>
        <when condition="@{
            string[] value;
            if (context.Request.Headers.TryGetValue("Ocp-Apim-Subscription-Key", out value))
            {
                if (value != null && value.Length > 0)
                {
                    return true;
                }
            }
            return false;
            }">
            <return-response response-variable-name="response">
                <set-status code="401" reason="Unauthorized" />
                <set-body>
                    {"statusCode": 401,"message": "Subscription key not allowed"}
                </set-body>
            </return-response>
        </when>
    </choose>

Here I first check that the request contains an Authorization header. After that I send an error if the request contains ocip-subscription-key.

Is there any better way I can stop my request sending the global ocip-subscription-key?

Thanks

Reedy answered 12/11, 2019 at 21:59 Comment(1)
You can create a new question; you are typing in the answer area. – Valdavaldas