2
votes

I have a Web API deployed in an Azure App Service. The Web API is protected using Azure AD. I am planning to use API Management for exposing the API to various users.

Right now, I have enabled basic authentication to the developer portal in API Management. Also, I have enabled OAuth 2.0 authentication for the back end server (user authorization). So, if I log in to the developer portal, I can see two fields - Subscription Key and Authorization. The Subscription Key will be the developer's subscription to the portal and the Authorization will be the OAuth authorization which is required for the back end server.

Also, if the API Management URL needs to be accessed by any users, the user needs to pass the subscription key in the query string and the token in the Authorization header (e.g. a desktop client).

Is there any way to call the API Management URL by just using the JWT token and not using the subscription key (but I would still need to know which developer/user had accessed the service)? What I am looking for is a single token that can be used to authenticate the user to the developer portal and that can be used to authenticate to the back end API (either by translation to the back end server token or by any other means).

Thanks,

John

2
Hey @John, did you find any solution for this? - Sachin

Nope. We ended up using two headers - subscription key and OAuth token. - Silly John

2 Answers

0
votes

Subscription keys in APIM are tied to a user and a product, thus if you change a product (or create a new one) to not require a subscription (an option available at creation time or in the product settings), no subscription key would be needed to call any API included in such products.

The downside is that all such calls would be treated by APIM as anonymous and shown in analytics as such.

1
votes

Yeah, you can do that (a bit of a hack). You have to use the REST API for that, specifically this call. For me it didn't work to edit the existing API (the key was still there), but when I created a new API, the key wasn't there:

No 'Ocp-Apim-Subscription-Key'

I had to blur out all my stuff, sorry about that. So to achieve that, you would want to issue the following query:

Path:

PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}?api-version=2016-07-07&import=true&path={APIpostfix}

Headers:

Authorization: Bearer TOKEN_GOES_HERE
    (the space after 'Bearer' is mandatory)
Content-Type: application/vnd.swagger.link+json
    (look for the proper "Content-Type" on the page I've linked; this is the example to import the API definition directly from the "swagger.json" generated by your running API)

Body:

{
    "name": "Name",
    "description": "Desc",
    "link": "http://url.to/your/swagger.json",
    "serviceUrl": "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}/backends/{APIpostfix}",
    "protocols": [
        "https"
    ],
    "authenticationSettings": {
        "oAuth2": null,
        "openid": null
    },
    "subscriptionKeyParameterNames": {
        "header": null,
        "query": null
    }
}

Notes on the body:

"link" is only needed if you import directly from the running API.
"serviceUrl" declares your API Management backend.
"subscriptionKeyParameterNames" is where the magic happens: both names set to null.

PS. I've never bothered to figure out PUT + sending over the swagger file, but I'm sure it's pretty straightforward when you know this.
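The PUT described in this answer, as an added example in Python (not code from the answer or from any Azure SDK): it builds the ARM request with both subscription-key parameter names set to null and includes a check of the returned definition, since the answer notes that editing an existing API left the key in place. Function names and the sample values in the test are my own; the check assumes ARM may return the definition either flat or wrapped in "properties".

```python
import json
import urllib.request

ARM = "https://management.azure.com"
API_VERSION = "2016-07-07"  # the api-version used in the PUT above


def api_resource_url(subscription_id, resource_group, service_name, api_id):
    """ARM resource URL of an APIM API (same path as the PUT in the answer)."""
    return (f"{ARM}/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.ApiManagement/service/{service_name}/apis/{api_id}")


def build_import_request(subscription_id, resource_group, service_name, api_id,
                         api_path, name, description, swagger_link, service_url, token):
    """Build (url, headers, body) for the Swagger-link import with both
    subscription-key parameter names set to null."""
    url = (api_resource_url(subscription_id, resource_group, service_name, api_id)
           + f"?api-version={API_VERSION}&import=true&path={api_path}")
    headers = {
        "Authorization": f"Bearer {token}",  # the space after 'Bearer' is mandatory
        "Content-Type": "application/vnd.swagger.link+json",
    }
    body = {
        "name": name,
        "description": description,
        "link": swagger_link,          # swagger.json served by the running API
        "serviceUrl": service_url,     # the backend APIM should forward to
        "protocols": ["https"],
        "authenticationSettings": {"oAuth2": None, "openid": None},
        "subscriptionKeyParameterNames": {"header": None, "query": None},
    }
    return url, headers, body


def key_required(api_definition):
    """True if the definition (PUT response or a later GET) still names a
    subscription-key header or query parameter. Assumption: flat or
    "properties"-wrapped shape; a missing field means APIM's defaults apply."""
    props = api_definition.get("properties", api_definition)
    names = props.get("subscriptionKeyParameterNames")
    if names is None:
        return True
    return bool(names.get("header") or names.get("query"))


def send(url, headers, body, method="PUT"):
    # Issue the request with the standard library and return the parsed JSON.
    req = urllib.request.Request(url, data=json.dumps(body).encode("utf-8"),
                                 headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")
```

After `send(*build_import_request(...))`, run `key_required` on the response (or on a GET of the same resource URL) to confirm the key parameter names really came back null.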