API Management removes existing security schemes from OpenAPI spec

Eugene O'Brien 20 Reputation points
2024-11-24T21:56:50.57+00:00

When importing an OpenAPI specification into API Management, the existing securitySchemes is replaced, removing existing keys.

For example, given the following securitySchemes definition...

"securitySchemes": {
  "ApiKey": {
    "type": "apiKey",
    "description": "The API key to access the API",
    "name": "Authorization",
    "in": "header"
  }
}

If the spec is imported into API Management, and then exported, the securitySchemes is changed to...

"securitySchemes": {
    "apiKeyHeader": {
        "type": "apiKey",
        "name": "Ocp-Apim-Subscription-Key",
        "in": "header"
    },
    "apiKeyQuery": {
        "type": "apiKey",
        "name": "subscription-key",
        "in": "query"
    }
}

"ApiKey" is removed.

Is there some way to change the original spec, to indicate to API Management that "ApiKey" should be retained, in addition to the new keys?

This is confusing for developers who want to consume the API, as looking at the spec alone, there is no way to know that they need to provide that additional Authorization header to authenticate to the back-end service.


Accepted answer
  1. JananiRamesh-MSFT 29,261 Reputation points
    2024-11-25T08:56:14.53+00:00

    @Eugene O'Brien Thanks for your patience! When importing an OpenAPI specification into APIM, the securitySchemes section is replaced with APIM's default settings. This behavior is a known limitation and is documented in the official API Management documentation.

    Please refer to: https://learn.microsoft.com/en-us/azure/api-management/api-management-api-import-restrictions

    Currently, the product does not support editing the components part for securitySchemes during import or export operations. As a result, any custom securitySchemes defined in the original OpenAPI specification may be overwritten.

    Please feel free to leave your feedback at aka.ms/apimwish.

    Do let me know in case of further queries; I would be happy to assist you.

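Since the import replaces securitySchemes, one way to keep the published spec accurate for consumers is to post-process the exported document and merge the dropped schemes back in. This is an added example, not part of the answer above and not Microsoft's code. The function names are hypothetical, and the two sample documents (including their top-level `security` lists) are constructed around the schemes shown in the question.

```python
import copy
import json

# Constructed sample: the question's original scheme plus a global requirement.
ORIGINAL = json.loads("""
{"openapi": "3.0.1",
 "components": {"securitySchemes": {"ApiKey": {
     "type": "apiKey", "description": "The API key to access the API",
     "name": "Authorization", "in": "header"}}},
 "security": [{"ApiKey": []}]}
""")

# Constructed sample: the schemes the question shows after export from APIM.
EXPORTED = json.loads("""
{"openapi": "3.0.1",
 "components": {"securitySchemes": {
     "apiKeyHeader": {"type": "apiKey", "name": "Ocp-Apim-Subscription-Key", "in": "header"},
     "apiKeyQuery": {"type": "apiKey", "name": "subscription-key", "in": "query"}}},
 "security": [{"apiKeyHeader": []}, {"apiKeyQuery": []}]}
""")


def _schemes(spec):
    return spec.get("components", {}).get("securitySchemes", {})


def dropped_schemes(original, exported):
    """Schemes defined in the original spec that are absent from the export."""
    return {n: s for n, s in _schemes(original).items() if n not in _schemes(exported)}


def restore_schemes(original, exported):
    """Return a copy of the export with the dropped schemes merged back in.

    Entries of a `security` list are alternatives; names inside one entry are
    all required. Each dropped scheme the original required globally is added
    to every entry, so it is required alongside either subscription key.
    """
    merged = copy.deepcopy(exported)
    dropped = dropped_schemes(original, exported)
    merged.setdefault("components", {}).setdefault("securitySchemes", {}).update(
        copy.deepcopy(dropped))
    # Scopes the original attached to each dropped scheme (empty for apiKey).
    required = {n: scopes for req in original.get("security", [])
                for n, scopes in req.items() if n in dropped}
    if required:
        merged["security"] = [{**req, **required}
                              for req in (merged.get("security") or [{}])]
    return merged
```

Running `dropped_schemes` as a check in the publishing pipeline also flags any future import that silently drops a backend authentication requirement from the consumer-facing spec.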
