Can we have an API Management endpoint exposed without the subscription key sent as part of the headers?
Can we expose API Management endpoints in Azure without Ocp-Apim-Subscription-Key keys?
7.6k views. Asked by Vinodh. There are 5 answers.
There is a very simple way to do this via the API Management interface.
On the APIs page, select your API, then click on the "Settings" tab. Scroll down to the "Subscription" section and uncheck the "Subscription required" option.
You will now be able to call your API without providing the subscription key either in the headers or as part of the query string.
I tried creating a new product that does not require a subscription. I updated one of my APIs so that it was only associated with this new product. When I tested it, I got a 400-level error (I think a 401) that complained about the request not having a subscription id.
I contacted Azure support about this, and found out that it is a known bug. Copy/pasting the response here:
While investigating your issue, it seems that your APIM service has encountered a known bug. Due to this bug, turning a product from closed (requiring a subscription) to open (does not require a subscription) does not always properly take effect. However, this can easily be fixed by rebooting the VM the APIM service is hosted on. You can do this by going to the VNET blade on the left side navigation menu under the APIM and pressing the "Apply network configuration" button at the top. This reboots the Dev SKU VM and should put you in the proper position to not need subscription keys.
Upon rebooting, the APIM should be down for about 5 minutes, with 15 minutes being the maximum it should take to reset the VNET. When the APIM comes back up, it may need an additional, small amount of time to settle itself (maybe 5-10 minutes); then it should be good to go as desired.
Microsoft has added a new scope for Ocp-Apim-Subscription-Key in Azure APIM which bypasses the product scope. We can use this key in the test console.
https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions
Now the problem is that there is no way I can remove this key. If I send a request from Postman with this key in the header, my API bypasses the Authorization header which is set at product level and calls my API.
I have restricted this header in my API with the code below:
    <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false" />
    <choose>
        <when condition="@{
            string[] value;
            if (context.Request.Headers.TryGetValue("Ocp-Apim-Subscription-Key", out value))
            {
                if (value != null && value.Length > 0)
                {
                    return true;
                }
            }
            return false;
        }">
            <return-response response-variable-name="response">
                <set-status code="401" reason="Unauthorized" />
                <set-body>
                    {"statusCode": 401, "message": "Subscription key not allowed"}
                </set-body>
            </return-response>
        </when>
    </choose>
Here, first I am checking that the request contains an Authorization header, and after that I am sending an error if the request contains Ocp-Apim-Subscription-Key.
Is there any better way I can stop my request from sending the global Ocp-Apim-Subscription-Key?
Thanks
It is possible to achieve this, you can do so via the product the API is associated with.
In the Publisher Portal go to the products menu and select the product the API is associated with (or even set up a new product just for the usage without the subscription key). Then select the settings tab and uncheck the Require Subscription checkbox and then save the settings.
Updated following comment by @sdementen
Please be aware that in doing so, you will lose all metrics associated with the different users and any other functions that you may wish to apply differently to different consumers.
Another option is to send the subscription key in the URL. If you go to the developer portal and download the Swagger document of your API, you will see this:
{ "name": "subscription-key", "in": "query", "description": "subscription key in url", "type": "string" }, { "name": "Ocp-Apim-Subscription-Key", "in": "header", "description": "subscription key in header", "type": "string" }
API management also accepts a subscription key in the querystring.
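To make the behaviour described across these answers concrete, here is a small model of the gateway's decision logic. It is an added example written for this page, not code from the thread or from Azure: it mirrors only what the answers state (the key is read from the Ocp-Apim-Subscription-Key header or the subscription-key query parameter, a product or API can be marked as not requiring a subscription, and the policy in the third answer refuses requests that carry a key and lack an Authorization header). The function names, the sample key table, the sample requests and the exact wording of the 401 messages are assumptions; real APIM messages differ in detail. The reject_query_key option goes beyond the thread: it models the hardening a practitioner usually wants when the query-string form is allowed, because a key in the URL ends up in proxy and web-server access logs.

```python
"""Model of how an API Management gateway resolves a subscription key.

Added example for this page; not the thread's code and not Azure's
implementation. Names, messages and sample data are constructed.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

KEY_HEADER = "Ocp-Apim-Subscription-Key"   # header form (from the Swagger in answer 5)
KEY_QUERY = "subscription-key"             # query-string form (same source)

# Constructed sample key table: key -> subscription name.
VALID_KEYS = {"11112222333344445555666677778888": "contoso-dev"}


@dataclass
class Request:
    url: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup, as HTTP requires."""
        for k, v in self.headers.items():
            if k.lower() == name.lower():
                return v
        return None

    def query(self, name):
        values = parse_qs(urlsplit(self.url).query).get(name)
        return values[0] if values else None


def find_subscription_key(req):
    """Return (key, where); where is "header", "query" or None.

    The header wins when both forms are present, which is the order a
    client would expect; real gateways may differ, so treat as an assumption.
    """
    key = req.header(KEY_HEADER)
    if key:
        return key, "header"
    key = req.query(KEY_QUERY)
    if key:
        return key, "query"
    return None, None


def gateway(req, subscription_required=True, require_authorization=False,
            reject_any_key=False, reject_query_key=False):
    """Decide what the gateway answers before the backend sees the request.

    Returns (status, message); 200 means the request is forwarded.
    """
    key, where = find_subscription_key(req)

    # Policy from the third answer: Authorization must be present, and a
    # subscription key (which would otherwise satisfy the gateway) is refused.
    if require_authorization and not req.header("Authorization"):
        return 401, "Not authorized"
    if reject_any_key and key:
        return 401, "Subscription key not allowed"

    # Hardening for the query-string form: refuse keys that would be logged in URLs.
    if reject_query_key and where == "query":
        return 401, "Subscription key must be sent in the header"

    # Open product/API (answers 1 and 4): no key needed at all.
    if not subscription_required:
        return 200, "forwarded (open product/API)"
    if key is None:
        return 401, "Access denied due to missing subscription key."
    if key not in VALID_KEYS:
        return 401, "Access denied due to invalid subscription key."
    return 200, "forwarded (subscription %s)" % VALID_KEYS[key]


if __name__ == "__main__":
    good = "11112222333344445555666677778888"
    cases = [
        ("no key, closed product", Request("https://x.azure-api.net/echo/ping"), {}),
        ("no key, open product", Request("https://x.azure-api.net/echo/ping"),
         {"subscription_required": False}),
        ("key in header", Request("https://x.azure-api.net/echo/ping", {KEY_HEADER: good}), {}),
        ("key in query, rejected",
         Request("https://x.azure-api.net/echo/ping?subscription-key=" + good),
         {"reject_query_key": True}),
    ]
    for label, req, opts in cases:
        print(label, "->", gateway(req, **opts))
```

Run it directly to see the four decisions printed; the policy check from the third answer is exercised by passing require_authorization=True and reject_any_key=True together, which is exactly the pair of conditions that policy encodes.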