
I'm attempting to delegate product subscription from Azure API Management using the sample provided here. My prototype has a functioning user authentication delegation; however, the product subscription delegation is befuddling.

During user login delegation I receive a request from APIM to my delegation page and handle it according to the sample link above without issue. During delegation of product subscription, a call is made to my login page first, not the delegation page. This leads me to my first series of questions:

  1. Can someone explain why delegation of product subscription would fundamentally flow differently than delegation of user authentication?
  2. If the login delegation page (as per the sample referenced above) handles user authentication by checking User.Identity.IsAuthenticated, why can't product delegation do the same, and why would it be sent to the login page and not the delegation page?

I've handled the above issue by using the login page to evaluate whether or not the user is authenticated first, and then redirect them to the returnUrl as follows:

if (User.Identity.IsAuthenticated)
{
    return LocalRedirect(returnUrl);
}

The value of returnUrl, as provided by APIM, contains the following variables:

  • Path = /Identity/Account/Manage/Delegate
  • productId = [productId]
  • userId = [userId]
  • operation = Subscribe
  • salt = [salt]
  • sig = [sig]

Since these are ALL the variables provided in the returnUrl from APIM, I have the following questions:

  1. Following the documentation on creating a subscription with the APIM REST API, how do you determine the following required properties:

    • subscriptionId
    • resourceGroupName
    • serviceName
    • sid
  2. Additionally, for the request body, how do you determine properties.scope, as per this reference?

As a test, I set a breakpoint in code just before the following line of code, which calls the PUT method on the endpoint. I used Postman to test creating a subscription by copying out the Authorization header from VS2017 along with all relevant header/body data. I was able to get back a 201 response indicating a subscription was created; however, it doesn't show up in the APIM portal anywhere, and I certainly didn't have many of the "required" properties as defined in the docs article:

response = await client.PutAsync("/subscriptions/" + subscriptionId + "?api-version=" + apiVersion, new StringContent(ApimSubscriptionJson, Encoding.UTF8, "text/json"));

[Image: APIM PUT response]

Here is the body of my test call to the API:

{
    "userId" : "/users/c22afea6-3e9c-4b85-87a6-2d5e97e259cf",
    "scope" : "/products/ring-0-beta-access"
}

Based on this oddity, I have the following additional questions:

  1. If the subscription to the product was indeed created, where would it be if not in the Azure APIM portal? It also doesn't show up in the user's profile.
  2. How am I able to get a 201 response on the PUT method if I haven't given the APIM REST API all the 'required' parameters?
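Before acting on any delegation request, the Delegate page should check that the salt/sig pair really came from APIM; the question shows the returnUrl carrying salt and sig but not what the page does with them. The following is an added example (C#, not code from the original post or from Microsoft's sample) that computes and verifies the signature for the Subscribe and SignIn operations. It assumes the signing scheme from the APIM delegation documentation: HMAC-SHA512 keyed with the base64-decoded delegation validation key, over salt + "\n" + productId + "\n" + userId for Subscribe and salt + "\n" + returnUrl for SignIn. The key, ids and salt used in Main are constructed placeholders.

```csharp
// Added example: verifying the salt/sig that APIM puts on a delegation request
// before acting on it. Not code from the original post or from Microsoft's sample.
using System;
using System.Security.Cryptography;
using System.Text;

public static class ApimDelegationSignature
{
    // Per the APIM delegation docs, the string APIM signs is, by operation:
    //   SignIn:              salt + "\n" + returnUrl
    //   Subscribe:           salt + "\n" + productId + "\n" + userId
    //   Unsubscribe / Renew: salt + "\n" + subscriptionId
    // sig = base64(HMAC-SHA512(base64decode(validationKey), UTF8(signedString))),
    // where validationKey is the delegation validation key shown in the APIM portal.
    public static string Compute(string base64Key, params string[] parts)
    {
        string signed = string.Join("\n", parts);
        using var hmac = new HMACSHA512(Convert.FromBase64String(base64Key));
        return Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(signed)));
    }

    // True only if the supplied sig matches the expected signature. Missing parts
    // are rejected outright, and the comparison is constant-time so a caller cannot
    // learn the expected value byte by byte from response timing.
    public static bool Verify(string base64Key, string sig, params string[] parts)
    {
        if (string.IsNullOrEmpty(sig) || parts.Length == 0 || Array.Exists(parts, string.IsNullOrEmpty))
            return false;

        byte[] provided;
        try { provided = Convert.FromBase64String(sig); }
        catch (FormatException) { return false; }   // not base64: not a signature APIM produced

        byte[] expected = Convert.FromBase64String(Compute(base64Key, parts));
        return CryptographicOperations.FixedTimeEquals(expected, provided);
    }

    // operation=Subscribe: the query string carries productId, userId, salt and sig.
    public static bool VerifySubscribe(string base64Key, string salt, string productId, string userId, string sig)
        => Verify(base64Key, sig, salt, productId, userId);

    // operation=SignIn: the query string carries returnUrl, salt and sig.
    public static bool VerifySignIn(string base64Key, string salt, string returnUrl, string sig)
        => Verify(base64Key, sig, salt, returnUrl);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed key for the demo only; a real one is random and comes from
        // configuration (never all zeros, never checked into source).
        string key = Convert.ToBase64String(new byte[64]);

        // Values shaped like the ones in the question's returnUrl (constructed, not real).
        string salt = "123456";
        string productId = "ring-0-beta-access";
        string userId = "c22afea6-3e9c-4b85-87a6-2d5e97e259cf";

        // What APIM would send for this request, then a tampered productId with the same sig.
        string sig = ApimDelegationSignature.Compute(key, salt, productId, userId);
        Console.WriteLine(ApimDelegationSignature.VerifySubscribe(key, salt, productId, userId, sig));
        Console.WriteLine(ApimDelegationSignature.VerifySubscribe(key, salt, "some-other-product", userId, sig));
    }
}
```

In the Delegate page handler, call VerifySubscribe with the model-bound query values (ASP.NET Core has already URL-decoded sig, so do not decode it again) and refuse the request before any call to the management API when it returns false. The userId in the request is APIM's identifier for the developer, not your identity provider's, so map it to the signed-in user before subscribing on their behalf.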

1 Answer


I found a solution and wanted to share.

I was fine using the method explained in the Channel 9 video. I was simply using the wrong property. Instead of userId it should be ownerId. I noticed after running a GET on my subscriptions that I could see them all. They have no association with a user, so they don't show up in the Azure APIM portal.

Another key miss was notifications. If you leave out the &notify=true query string parameter, you won't get notified when someone subscribes to your API. This is particularly troublesome when your API requires approval.

This seems like a potential product bug as you shouldn't be able to create an 'owner-less' subscription. It makes it nearly impossible to find if you don't know where to look.
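As a worked form of the answer (an added example in C#, not the answerer's or the asker's code): build the subscription PUT with ownerId rather than userId and notify=true on the query string, and scan a GET /subscriptions listing for the owner-less subscriptions the answer describes. Assumptions not in the thread: the api-version string, that the request goes through an HttpClient whose BaseAddress and Authorization header (the one the question copied into Postman) are already set, that sid is an identifier the caller chooses, and the listing shape (a value array whose items carry id and ownerId). The listing in Main is constructed.

```csharp
// Added example: the subscription PUT as the answer describes it (ownerId instead of
// userId, notify=true in the query string), plus a check over a GET /subscriptions
// listing for owner-less subscriptions. Not code from the original post or answer.
using System;
using System.Collections.Generic;
using System.Net.Http;
using System.Text;
using System.Text.Json;

public static class ApimSubscriptions
{
    // Assumption: use whatever api-version your management endpoint accepts.
    public const string ApiVersion = "2018-06-01-preview";

    // Builds PUT /subscriptions/{sid}?api-version=...&notify=true. The caller sends it
    // with an HttpClient whose BaseAddress and Authorization header are already set.
    // sid is chosen by the caller (assumption) and must be unique in the service.
    public static HttpRequestMessage CreateSubscriptionRequest(string sid, string userId, string productId, bool notify = true)
    {
        if (string.IsNullOrEmpty(sid) || string.IsNullOrEmpty(userId) || string.IsNullOrEmpty(productId))
            throw new ArgumentException("sid, userId and productId are all required");

        // ownerId, not userId: a body with userId is accepted (201) but yields a
        // subscription with no owner, which the portal and the user's profile never show.
        var body = new Dictionary<string, string>
        {
            ["ownerId"] = "/users/" + userId,
            ["scope"] = "/products/" + productId,
        };

        // Without notify=true nobody is told about the new subscription, which matters
        // most when the product requires approval.
        string url = "/subscriptions/" + Uri.EscapeDataString(sid) + "?api-version=" + ApiVersion
                     + (notify ? "&notify=true" : "");

        return new HttpRequestMessage(HttpMethod.Put, url)
        {
            Content = new StringContent(JsonSerializer.Serialize(body), Encoding.UTF8, "application/json"),
        };
    }

    // Returns the ids of subscriptions in a GET /subscriptions listing that have no ownerId,
    // i.e. the ones created with the wrong property. Listing shape assumed:
    // {"value":[{"id":"...","ownerId":"...","scope":"..."}, ...]}.
    public static List<string> FindOwnerless(string listingJson)
    {
        var ownerless = new List<string>();
        using JsonDocument doc = JsonDocument.Parse(listingJson);
        foreach (JsonElement sub in doc.RootElement.GetProperty("value").EnumerateArray())
        {
            bool hasOwner = sub.TryGetProperty("ownerId", out JsonElement owner)
                            && owner.ValueKind == JsonValueKind.String
                            && !string.IsNullOrEmpty(owner.GetString());
            if (!hasOwner)
                ownerless.Add(sub.GetProperty("id").GetString());
        }
        return ownerless;
    }

    public static void Main()
    {
        // Ids here are constructed; the user and product ids mirror the question's shape.
        var req = CreateSubscriptionRequest("sub-demo-001", "c22afea6-3e9c-4b85-87a6-2d5e97e259cf", "ring-0-beta-access");
        Console.WriteLine(req.Method + " " + req.RequestUri);
        Console.WriteLine(req.Content.ReadAsStringAsync().Result);

        // Constructed listing: one subscription created with ownerId, one created with userId.
        const string listing = @"{""value"":[
          {""id"":""/subscriptions/sub-ok"",""ownerId"":""/users/c22afea6-3e9c-4b85-87a6-2d5e97e259cf"",""scope"":""/products/ring-0-beta-access""},
          {""id"":""/subscriptions/sub-orphan"",""ownerId"":null,""scope"":""/products/ring-0-beta-access""}
        ]}";
        foreach (string id in FindOwnerless(listing))
            Console.WriteLine("owner-less subscription: " + id);
    }
}
```

Run FindOwnerless over the real GET /subscriptions response to locate any subscriptions your earlier userId-based calls created; they can then be deleted or re-created with an owner. The example also uses application/json rather than the text/json media type in the question's PutAsync call, since application/json is the registered media type for JSON.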