0
votes

I'd like to set up an open API, i.e. one that doesn't require a subscription key.

I have created the API and associated it with a new product which has "requires subscription" unchecked and is published. However, any call to this API results in the dreaded 401 "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."

What am I missing?

Before marking this as duplicate: I have searched similar issues:

and they all seem to indicate that it's sufficient that the API is part of a published product where "requires subscription" is unchecked. Obviously there must be something else since I'm in this case and I still get the 401...

1
You seem to be doing everything right. Could you add more info? Screenshot of product properties, API settings page and call you're making. - Vitaliy Kurokhtin
@VitaliyKurokhtin for confidentiality reasons I didn't want to publish screenshots of the actual API so I tried to create a new one from scratch and guess what: it works... So now I "only" have to spot the difference. - Olivier Gérardin
OK so now without changing anything I suddenly don't get the 401 on my original API. Is there some caching or delayed update somewhere?? - Olivier Gérardin
@JoeyCai sorry but as I said, I didn't change anything and suddenly next day it worked, so I can't mark any answer as accepted. I have no explanation on why it didn't work. It's also not impossible that I wasn't testing correctly, although I had double- and triple-checked. - Olivier Gérardin
I'm running into this problem now and have an open ticket with Azure support. The support engineer I'm working with did a screenshare before escalating the issue to another engineer. There's likely a bug. I'll update once they diagnose the issue. - BobbyA

1 Answer

1
votes

You can use a <choose> policy to detect if the token is invalid and if so, return a 401 response.

As per RFC 6750 which describes how bearer tokens should be used, API Management also returns a WWW-Authenticate header with the 401 response. The WWW-Authenticate is intended to instruct a client on how to construct a properly authorized request.

For more details, you could refer to this article.
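The policy shape this answer describes, as an added example that is not part of the original answer or of Microsoft's documentation: an inbound `<choose>` that returns a 401 with an RFC 6750 `WWW-Authenticate` header. The variable name `hasBearer` and the realm `example-api` are hypothetical, and the header-format check is an assumption that only stands in for real token validation.

```xml
<policies>
    <inbound>
        <base />
        <!-- Assumption: a request counts as "carrying a token" only if it has an
             Authorization header using the Bearer scheme. This checks the format,
             not the signature, issuer, audience or expiry of the token. -->
        <set-variable name="hasBearer"
                      value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").StartsWith("Bearer "))" />
        <choose>
            <when condition="@(!context.Variables.GetValueOrDefault<bool>("hasBearer"))">
                <!-- Stop processing here and answer the caller directly. -->
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <!-- RFC 6750 section 3: tell the client which scheme to use and
                         why the request was refused. The realm is a placeholder. -->
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer realm="example-api", error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A 401 produced this way carries the `Bearer` challenge, which distinguishes it from the gateway's own "missing subscription key" 401 quoted in the question.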