APIM invalid subscription key returns 500 error instead of 401

Question

APIM invalid subscription key returns 500 error instead of 401

Nikolaj LARSEN 20

We have an API Management Service configured, using Subscriptions for authentication. We're playing around with creating a policy to perform some action when the authentication fails for a consumer. So we created the following policy:

<on-error>
    <base />
    <choose>
        <when condition="@(context.Response.StatusCode == 401)">
            <return-response>
                <set-status code="200" />
                <set-body>Something went wrong.</set-body>
            </return-response>
        </when>
    </choose>
</on-error>

The issue is that the condition is never met. Apparently, the Status Code being used for invalid or missing subscription key, is the status code "500 Internal Server Error", rather than the expected "401 Unauthorized".

This behavior is rater weird. Can someone explain, why a failed authentication, doesn't produce an "401 Unauthorized" response? It makes it difficult to specifically target authentication errors.

JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-11-22T14:55:07.19+00:00
@Nikolaj LARSEN Thanks for reaching out. Please share the below details over an email at AzCommunity@microsoft.com ( with subject "Attn: Janani") and include the below details:

You Azure APIM resource URI in below format: /subscriptions/XXXXXX/resourceGroups/XXXX/providers/Microsoft.ApiManagement/service/XXXX

Most recent UTC time of the actual issue where you received HTTP 500 error.

I will look at the backend logs to identify the root cause.
JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-12-01T12:23:38.2566667+00:00

@Nikolaj LARSEN Just a follow up to my previous comment and see if you can share the requested info. That would help in assisting you better
Nikolaj LARSEN 20 Reputation points

2023-12-05T12:54:40.8466667+00:00

I got a delivery error from "postmaster@microsoft.com" when I tried sending the requested info to the given e-mail address.

Something akin to:
SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

Answer accepted by question author

0 additional answers

Your answer

JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-11-22T14:55:07.19+00:00

@Nikolaj LARSEN Thanks for reaching out. Please share the below details over an email at AzCommunity@microsoft.com ( with subject "Attn: Janani") and include the below details:

You Azure APIM resource URI in below format: /subscriptions/XXXXXX/resourceGroups/XXXX/providers/Microsoft.ApiManagement/service/XXXX

Most recent UTC time of the actual issue where you received HTTP 500 error.

I will look at the backend logs to identify the root cause.
JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-12-01T12:23:38.2566667+00:00

@Nikolaj LARSEN Just a follow up to my previous comment and see if you can share the requested info. That would help in assisting you better
Nikolaj LARSEN 20 Reputation points

2023-12-05T12:54:40.8466667+00:00

I got a delivery error from "postmaster@microsoft.com" when I tried sending the requested info to the given e-mail address.

Something akin to:
SenderNotAuthenticatedForGroup; authentication required; Delivery restriction check failed because the sender was not authenticated when sending to this group

Answer 1

JananiRamesh-MSFT 29,436 Moderator

@Nikolaj LARSEN Thanks for reaching out. I had tried this at my end and below are my observations.

We have this option "Subscription required" for an API in the settings tab.

If you don't pass the subscription key in the request, and your API is configured to require a subscription key, Azure API Management will return a 401 Unauthorized response with an error message indicating that a subscription key is required before even the policies are executed.

If the "Subscription required" option is unchecked, Azure API Management will not look for the subscription key in the request for authentication. In this case, the context.Subscription.Id expression will evaluate to null. Thats the reason you get 500 response code. User's image

Please verify and do let me know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

Nikolaj LARSEN 20 Reputation points

2023-12-08T07:42:05.7433333+00:00

We have the "Subscription required" option checked, but we're still getting an 500 error, instead of a 403 error, when the subscription key is either missing or incorrect. The API is assigned a Product though, where the "Subscription required" option is unchecked, but I'd assume that the "Subscription required" setting on the API config, takes precedence.
JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-12-08T08:51:11.62+00:00

Nikolaj LARSEN Thanks for getting back, I understand that you have an API with Subscription required enabled and you have associated that api to an open product (An API Product which doesn’t require a subscription key is considered as an open product in APIM.)

If API is only associated with Open products, then requests with no subscription key or invalid subscription will be included in open product and the "require subscription key" setting will override the setting at API level.

please refer Scenario 4 in this blog https://techcommunity.microsoft.com/t5/azure-paas-blog/using-api-management-open-product-to-manage-access-control-with/ba-p/2898754

do let me know if you have any queries.

Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.
JananiRamesh-MSFT 29,436 Reputation points Moderator

2023-12-11T12:35:37.26+00:00

Nikolaj LARSEN Just a follow up to my previous comment and see if you have any other questions. Feel free to add a comment and if the below answer helped with your question, please Accept as answer. That would really help others in the community with similar interests. Thanks again for posting it in Q&A

Share via

APIM invalid subscription key returns 500 error instead of 401

0 additional answers

Your answer