Background:
This is a follow on question to https://learn.microsoft.com/en-us/answers/questions/1381782/how-to-add-subscription-to-consumption-mode-azure. I see that when I use the portal to create an APIM & API I get an all-access-subscription (as described here: https://learn.microsoft.com/en-us/azure/api-management/api-management-subscriptions#all-access-subscription ) and when I use az apim create --name $serviceName --resource-group $rg --publisher-name $pub --publisher-email $email
I don't get such a subscription and either way my javascript (authenticated with MSAL.js) AJAX call can call to my azure function works.
In addition to having customers call my Azure Functions via my APIM, I would like to give them the option to use an existing client that I provide such as a browser resident javascript client.
How to implement Vendor (where I am the vendor) Supplied Javascript Clients?
If I am supplying a browser resident javascript client for my customers to call my Azure Functions via my APIM and I'm using an Azure Static Web Site with my javascript source code stored in a Github repo, how do I store the api subscription key?
- I suppose I could store it (the subscription key) in a key vault but regardless of where I store it, it still has go into the javascript source code, correct?
- How do I get the subscripiton key into the github resident source code? Do I just hard code it and commit & push to github? I thought this approach to pushing secrets to github repos was highly discouraged! And what if the subscription key changes? How do I write a github action that inserts the new subscription key into the deployed javascript code?
- If this subscription key is embedded in the browser resident source code, is it possible to securely post the client on a public web site? I'm thinking no because anyone could extract the subscription key from the javascript!
- Since I'm already using <validate-jwt> in the APIM policies as per https://learn.microsoft.com/en-us/azure/api-management/howto-protect-backend-frontend-azure-ad-b2c, how could I add an APIM policy that would expand the claims and determine if current REST call is coming from a paying customer? I could create and store a GUID in an AzureAD extension claim or use a standard claim (mabye the [http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier] claim -- is this unqiue?) and have the APIM policy search a list of paid customers in a cosmos db for his/her unique claim and reject non-paying customers? Is there an example of how to do this somewhere? I think this would solve the problem and give me the benefit of the APIM's ability to shield my azure functions from DOS attacks (for example).
Thanks again for your help!
Siegfried
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(310.4, 23%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ESH%3C/text%3E%3C/svg%3E)
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 63%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETM%3C/text%3E%3C/svg%3E)