Stop POSTMAN from Accessing API in Azure API Management Service

Question

Stop POSTMAN from Accessing API in Azure API Management Service

Ziggy Zulueta 495 MVP

I have been going over the Azure API Management Service and I have one basic question: How do we stop POSTMAN from accessing it?

I have an application created via Azure Static Web App that accesses a front-end API (via Azure API Management) with a back-end API (via Azure Functions). The back-end API has the credentials of a service so it is imperative it is not seen by the public. The Static Web App needs an Ocp-Apim-Subscription-Key to access the API and it also need a Functions Key to access the back-end API. Those are not hard-coded in the front-end and are setup in the Azure Static Web App Configuration. The Static Web App has a back-end API to access the two keys to access the API. The API then calls the back-end API (Azure functions). While this solution may look great, the issue here is that POSTMAN can all access these. So a normal person may not be able to see it but can still use POSTMAN to access. So how do we stop this?

krishna572 886 Reputation points

2023-04-10T02:38:29.6866667+00:00
Not Sure, this is an big approach. Give it a try:

Get the IPs used by Postman from your Internal Network Admin.

Then use IP Filter Policy in your APIM Service to block the requests coming from the Postman IPs.

More details about Postman IPs: https://support.postman.com/hc/en-us/articles/10667371814679-What-IP-ranges-does-Postman-use-to-send-requests-
Ziggy Zulueta 495 Reputation points MVP

2023-04-10T12:51:30.3166667+00:00

Well no it does not bec they dont have a fixed IP address: The Postman web app used with a cloud agent When you send requests from the Postman web app with a cloud agent, the requests are sent from the Postman cloud. Note: We don't support static IPs on cloud agents. As our infrastructure runs on data centers provided by Amazon Web Services (AWS), there isn't a fixed IP range we can provide. Refer to the AWS IP address ranges to find the IP address ranges used by AWS.
Ziggy Zulueta 495 Reputation points MVP

2023-04-10T12:52:08.4+00:00

No It does not bec they dont have a fixed IP Address:

The Postman web app used with a cloud agent When you send requests from the Postman web app with a cloud agent, the requests are sent from the Postman cloud. Note: We don't support static IPs on cloud agents. As our infrastructure runs on data centers provided by Amazon Web Services (AWS), there isn't a fixed IP range we can provide. Refer to the AWS IP address ranges to find the IP address ranges used by AWS.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-13T13:30:30.6166667+00:00

Ziggy Zulueta We noticed your feedback that the below answer was not helpful. Thank you for taking time to share your feedback.

I hope the follow up comments provide more clarity to the initial answer. However, let us know what we could have better to improve the answer and make your experience good. If you have any feedback related to the product, please submit it directly to our product team via https://feedback.azure.com/d365community/forum/b09330d1-c625-ec11-b6e6-000d3a4f0f1c or https://aka.ms/apimwish.

Looking forward to your reply. If you wish, you may consider re-surveying/rating for the engagement you received on the thread.

Accepted answer

0 additional answers

Your answer

krishna572 886 Reputation points

2023-04-10T02:38:29.6866667+00:00

Not Sure, this is an big approach. Give it a try:

Get the IPs used by Postman from your Internal Network Admin.

Then use IP Filter Policy in your APIM Service to block the requests coming from the Postman IPs.

More details about Postman IPs: https://support.postman.com/hc/en-us/articles/10667371814679-What-IP-ranges-does-Postman-use-to-send-requests-
Ziggy Zulueta 495 Reputation points MVP

2023-04-10T12:51:30.3166667+00:00

Well no it does not bec they dont have a fixed IP address: The Postman web app used with a cloud agent When you send requests from the Postman web app with a cloud agent, the requests are sent from the Postman cloud. Note: We don't support static IPs on cloud agents. As our infrastructure runs on data centers provided by Amazon Web Services (AWS), there isn't a fixed IP range we can provide. Refer to the AWS IP address ranges to find the IP address ranges used by AWS.
Ziggy Zulueta 495 Reputation points MVP

2023-04-10T12:52:08.4+00:00

No It does not bec they dont have a fixed IP Address:

The Postman web app used with a cloud agent When you send requests from the Postman web app with a cloud agent, the requests are sent from the Postman cloud. Note: We don't support static IPs on cloud agents. As our infrastructure runs on data centers provided by Amazon Web Services (AWS), there isn't a fixed IP range we can provide. Refer to the AWS IP address ranges to find the IP address ranges used by AWS.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-13T13:30:30.6166667+00:00

Ziggy Zulueta We noticed your feedback that the below answer was not helpful. Thank you for taking time to share your feedback.

I hope the follow up comments provide more clarity to the initial answer. However, let us know what we could have better to improve the answer and make your experience good. If you have any feedback related to the product, please submit it directly to our product team via https://feedback.azure.com/d365community/forum/b09330d1-c625-ec11-b6e6-000d3a4f0f1c or https://aka.ms/apimwish.

Looking forward to your reply. If you wish, you may consider re-surveying/rating for the engagement you received on the thread.

Answer 1

MuthuKumaranMurugaachari-MSFT 22,441 Moderator

Ziggy Zulueta Thanks for posting your question in Microsoft Q&A. Unfortunately, you cannot reject requests from a specific client such as Postman since user-agent is editable in the app and there is no static IP or IP ranges as you mentioned.

However, in addition to Ocp-Apim-Subscription-Key you can protect APIs in APIM with client certification authentication or using OAuth 2.0 authorization with Azure AD, Azure AD B2C and validate the access token using validate-jwt policy. This provides secure access to APIs and the clients need to have either certificate or access token for accessing it. Refer docs for reference: https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-protect-backend-with-aad, https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c, https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-mutual-certificates-for-clients.

For specifically Static Web Apps as a client, we have API support with APIM and refer to docs: https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management for more info. (Similar discussion in your other thread). I hope this helps with your question and let me know if you have any other.

If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and would be happy to answer your questions.

Ziggy Zulueta 495 Reputation points MVP

2023-04-11T02:09:04.9966667+00:00

Hi, the Ocp-Apim-Subscription-Key is NOT OK bec the issue is that even if I do not hardcode it in my html and hide it via application configuration, POSTMAN will still be able to access the Ocp-Apim-Subscription-Key by calling the link (Azure Function) that gets the Ocp-Apim-Subscription-Key. Developer can merely look at the html and look for the link that gets the Subscription key. Using OAuth2.0 does not work either because the website is accessible by the public. Client cannot afford to have so many Azure AD consumer accounts
Ziggy Zulueta 495 Reputation points MVP

2023-04-11T02:19:35.0166667+00:00

hi, as mentioned earlier, the Ocp-Apim-Subscription-Key can easily be seen by POSTMAN as there is no way to restrict it from accessing the link. Postman can access the self-managed Azure HTTP trigger of Azure Static Web Apps. In addition, I can create my own Azure Function (instead of self managed) but I would need an API for that and that brings me back to my initial issue: that Postman can access APIs of Azure easily.

I cannot use Azure AD B2C bec the website is a public website. If i am not mistaken, with AD B2C every consumer that logs in will have an account in Azure AD B2C yes? and there is a limit based on the number of accounts of the customer.
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-11T15:30:36.0366667+00:00

Ziggy Zulueta I would like to clarify about the flow: user (client) -> Azure Static Web Apps (public) -> APIM -> Function App. Is that correct?

If so, basically direct APIs exposed by static web apps (SWA) (https://<static-apps-name>.azurestaticapps.net/api/) must be accessible from client browsers (public in your case). You can follow backend integration https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management (no need to have separate account for each user) and this means when accessing SWA API, it generates access token (which expires in 5 mins) and send it via x-ms-auth-token HTTP header to APIM and then APIM can validate it via validate-jwtpolicy.

You are absolutely correct, that anyone can view HTTP headers sent via browser and use any clients such as Postman, curl to send requests to APIM with that access token. APIM can validate Ocp-Apim-Subscription-Key and access token and since there is no outbound IP available for SWA, unfortunately it is not possible to restrict in APIM to accept requests only from SWA or specific client. See similar discussion: https://security.stackexchange.com/questions/246434/how-can-i-ensure-my-api-is-only-called-by-my-client and I saw you have opened https://stackoverflow.com/questions/75956476/azure-api-management-postman-can-still-access-my-api-how-to-restrict-postman thread for the same discussion.

You can consider alternate options instead of SWA or there is an article describing alternate solutions for integration network-isolated backends. I hope this helps and if you still have any questions, let me know.
Ziggy Zulueta 495 Reputation points MVP

2023-04-12T16:15:09.3266667+00:00

user (client) -> Azure Static Web Apps (public) -> APIM -> Function App. Is that correct? - Yes Correct If so, basically direct APIs exposed by static web apps (SWA) (https://<static-apps-name>.azurestaticapps.net/api/) must be accessible from client browsers (public in your case). You can follow backend integration https://learn.microsoft.com/en-us/azure/static-web-apps/apis-api-management (no need to have separate account for each user) and this means when accessing SWA API, it generates access token (which expires in 5 mins) and send it via x-ms-auth-token HTTP header to APIM and then APIM can validate it via validate-jwtpolicy.
--> With this solution are you saying the SWA must have an auth token unique to the SWA and that the APIM will only allow those with auth tokens?
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-04-12T17:23:45.66+00:00
Ziggy Zulueta When you call SWA API with backend integration above, it generates an access token (JWT) and if you decode it (https://jwt.io/), you will see the issuer as azurestaticapps.net and aud as apim-name like below:

APIM validates those details in the token via validate-jwt policy it added in the generated product in APIM like below:

<validate-jwt header-name="X-MS-AUTH-TOKEN" failed-validation-httpcode="401" failed-validation-error-message="X-MS-AUTH-TOKEN invalid" require-expiration-time="true"> <openid-config url="https://identity.3.azurestaticapps.net/.auth/.well-known/openid-configuration" /> <audiences> <audience>https://<apim-name>.azure-api.net</audience> </audiences> </validate-jwt>

For full description about access token, refer Payload claims doc. However, please note the access token is valid for 5 mins, and still be visible in the browser when accessing SWA API (can be used to access APIM API via any client within expiry time).

Share via

Stop POSTMAN from Accessing API in Azure API Management Service

0 additional answers

Your answer