
I have a Web API deployed in Azure App Service. The Web API is protected using Azure AD. I am planning to use API Management for exposing the API to various users.

Right now, I have enabled basic authentication to the developer portal in API Management. Also, I have enabled OAuth 2.0 authentication for the back end server (user authorization). So, if I log in to the developer portal, I can see two fields - Subscription Key and Authorization. The Subscription Key will be the developer's subscription to the portal and the Authorization will be the OAuth authorization which is required for the back end server.

Also, if the API Management URL needs to be accessed by any users, the user needs to pass the subscription key in the query string and the token in the Authorization header (e.g. a desktop client).

Is there any way to call the API Management URL by just using the JWT token and not using the subscription key (but I would still need to know which developer/user had accessed the service)? What I am looking for is a single token that can be used to authenticate the user to the developer portal and that can be used to authenticate to the back end API (either by translation to the back end server token or by any other means).

Thanks,

John

  • Hey @John, did you find any solution for this? Commented Mar 3, 2021 at 15:23
  • Nope. We ended up using two headers - subscription key and OAuth token. Commented Mar 15, 2021 at 6:33

2 Answers


Yeah, you can do that (a bit of a hack). You have to use the REST API for that, specifically this call. For me it didn't work to edit the existing API (the key was still there), but when I created a new API, the key wasn't there:

[screenshot: no 'Ocp-Apim-Subscription-Key' field shown for the new API]

I had to blur out all my stuff, sorry about that. So to achieve that, you would want to issue the following query:

Path:

```http
PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}?api-version=2016-07-07&import=true&path={APIpostfix}
```

Headers:

```http
Authorization: Bearer TOKEN_GOES_HERE
Content-Type: application/vnd.swagger.link+json
```

The space after 'Bearer' is mandatory. Look for the proper "Content-Type" on the page I've linked; this is the example to import the API definition directly from the "swagger.json" generated by your running API.

Body:

```jsonc
{
  "name": "Name",
  "description": "Desc",
  // "link" is only needed if you import directly from the running API
  "link": "http://url.to/your/swagger.json",
  // declare your API Management backend
  "serviceUrl": "https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/apis/{apiId}/backends/{APIpostfix}",
  "protocols": [ "https" ],
  "authenticationSettings": {
    "oAuth2": null,
    "openid": null
  },
  // magic happens here: null for both means no subscription key parameter is expected
  "subscriptionKeyParameterNames": {
    "header": null,
    "query": null
  }
}
```

PS. I've never bothered to figure out PUT + sending over the swagger file, but I'm sure it's pretty straightforward when you know this.


6 Comments

  • I did not clearly understand what you have told me to do. But, doing this, how will I identify which user had called the API Management service?
  • I need to get rid of the subscription key, but I still need to know the user stats (i.e. which users are calling what applications). As I mentioned in the initial post - "What I am looking for is a single token that can be used to authenticate the user to the developer portal and that can be used to authenticate to the back end API (either by translation to the back end server token or by any other means)"
  • So use JWT for that, what's the problem?
  • But JWT will authenticate the user to the back end API. But how will I know which user uses the API Management service URL without having the subscription key? The reason why I am asking is I don't want the user to use two authentication keys - subscription key and the JWT token - to access the API Management URL. Can I somehow figure out a way to use just JWT to call the API Management service? I would still need to know the user stats from API Management (like the event hub logs etc.)
  • The answer to that is yes, you can do that, but that's a completely different question.

Subscription keys in APIM are tied to a user and product, thus if you change a product (or create a new one) to not require a subscription (option available at creation time or in product settings), no subscription key would be needed to call any API included in such products.

The downside is that all such calls would be treated by APIM as anonymous and shown in analytics as such.
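Both answers drop the subscription key but leave the caller unidentified in APIM. As an added example (not from either answer and not Microsoft's own sample), this inbound policy validates the Azure AD bearer token with `validate-jwt` and records the token's identity on every call, so a subscription-less product is no longer anonymous. The tenant ID, the Web API's application ID URI and the `X-Caller-Id` header name are assumed placeholders.

```xml
<policies>
  <inbound>
    <base />
    <!-- Validate the Azure AD JWT before anything reaches the backend.
         {tenant-id} and api://{app-id-uri} are placeholders (assumed, not from the question). -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="jwt">
      <openid-config url="https://login.microsoftonline.com/{tenant-id}/.well-known/openid-configuration" />
      <audiences>
        <audience>api://{app-id-uri}</audience>
      </audiences>
      <issuers>
        <issuer>https://sts.windows.net/{tenant-id}/</issuer>
      </issuers>
    </validate-jwt>
    <!-- Take the caller identity from the validated token: the Azure AD object ID ('oid')
         when present, otherwise the token subject. -->
    <set-variable name="callerId"
                  value="@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("oid", ((Jwt)context.Variables["jwt"]).Subject))" />
    <!-- Forward the identity to the backend (header name is an assumption) ... -->
    <set-header name="X-Caller-Id" exists-action="override">
      <value>@((string)context.Variables["callerId"])</value>
    </set-header>
    <!-- ... and write it to the APIM trace so the call is attributable in the gateway logs. -->
    <trace source="caller-audit" severity="information">
      <message>@("caller=" + (string)context.Variables["callerId"] + " operation=" + context.Operation.Id)</message>
    </trace>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Whether the trace reaches Application Insights or diagnostic logs depends on the service's diagnostic settings; the identity header is what the backend and any downstream logger can key on.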
