Hi @Sumit Gaur
Short answer: yes, it is possible to use both OAuth and API keys on your APIM, but with some caveats.
As you've already determined, when you configure a product to require a subscription key and the key is missing, you'll receive a 404. The only way I know of to get around this is by using two separate products for your different customer types.
- Create Separate Products:
  - In the APIM portal, create two separate products: one for external clients and one for internal clients.
  - Configure the external product to use OAuth 2.0 by setting up the OAuth 2.0 server settings, including the authorization endpoint, token endpoint, client ID, and client secret.
  - Configure the internal product to require a subscription key.
- Assign APIs to Products:
  - Assign the same API to both products. This way, the API can be accessed using either OAuth tokens or subscription keys, depending on the product.
- Configure Policies:
  - In the APIM portal, navigate to the "APIs" section and select the API you want to configure.
  - Go to the "Design" tab and select the "Inbound processing" section.
  - Add a policy to validate the OAuth token using the `validate-jwt` policy for the external product. This policy will check the validity of the OAuth token.
  - Add a policy to validate the subscription key using the `check-header` policy for the internal product. This policy will ensure that the API key is present in the request headers.
However, it isn't recommended to protect your API with just a subscription key. You should have another authentication scheme unless the data being returned to internal customers is something low-level like product info or usage information.
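One way to wire up the two policies described above in a single API-scope inbound policy, added here as an illustration and not taken from the answer or from Microsoft's documentation. It assumes the two products are named `External` and `Internal`, that the external tokens are issued by a Microsoft Entra ID tenant, and uses the placeholders `{tenant-id}` and `api://{client-id}`, all of which are assumptions to be replaced with your own values:

```xml
<!-- Added example: API-scope inbound policy that branches on the product the
     caller's subscription belongs to. Product names "External"/"Internal" and
     the {tenant-id} / api://{client-id} placeholders are assumptions. -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- External product: the request must carry a valid OAuth 2.0 bearer token.
                 validate-jwt fetches the signing keys from the OpenID configuration,
                 checks the signature, expiry, audience and issuer. -->
            <when condition="@(context.Product != null &amp;&amp; context.Product.Name == &quot;External&quot;)">
                <validate-jwt header-name="Authorization"
                              require-scheme="Bearer"
                              require-expiration-time="true"
                              require-signed-tokens="true"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Access token is missing or invalid.">
                    <openid-config url="https://login.microsoftonline.com/{tenant-id}/v2.0/.well-known/openid-configuration" />
                    <audiences>
                        <!-- Reject tokens minted for some other API, even if they are otherwise valid -->
                        <audience>api://{client-id}</audience>
                    </audiences>
                    <issuers>
                        <issuer>https://login.microsoftonline.com/{tenant-id}/v2.0</issuer>
                    </issuers>
                </validate-jwt>
            </when>
            <!-- Internal product: the subscription key header must be present.
                 check-header only asserts presence; the key itself is validated by
                 the product's subscription requirement before this policy runs. -->
            <otherwise>
                <check-header name="Ocp-Apim-Subscription-Key"
                              failed-check-httpcode="401"
                              failed-check-error-message="Subscription key is missing."
                              ignore-case="true" />
            </otherwise>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

The `&amp;&amp;` and `&quot;` escapes are required because the policy expression lives inside an XML attribute. The `<audiences>` and `<issuers>` elements are the part worth keeping: without them `validate-jwt` will accept any correctly signed, unexpired token from the tenant, including tokens issued for a different application.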