Azure API sub-domain name to header

Marco 6 Reputation points
2022-02-05T18:32:01.837+00:00

Hello,

I have developed a number of APIs which are protected by a subscription key.

The problem I have is that I cannot change client application to add the subscription key header (only the target url).

I have thus developed a simple proxy application that paying customers can deploy internally and that adds the necessary authorization header. That part works fine.

I would like however to offer prospects a simpler way to evaluate the product. The idea was to provide them with a subdomain like tenant.mydomain.com and then convert somehow the tenant name into the authorization header. Can this be done with Azure API Management and a custom domain? If not, what alternatives do I have? As mentioned, I cannot change the client application code.

Thanks,

Marco

PS: as far as I know, subdomains cannot easily be enumerated as long as I use a hard-to-guess subdomain name.

Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.

1 answer

  1. MayankBargali-MSFT 70,016 Reputation points
    2022-02-11T08:37:14.757+00:00

    @Marco Thanks for reaching out. Please correct me if my understanding is not right. You already have the setup as below:
    Client --> Proxy (you are adding the subscription key) --> APIM

    Now you want that your client should not be able to access all the APIs in the different products, as you may be using a subscription key which is subscribed to all the products. They should only access one or more products based on which ones they have subscribed to, and you are thinking of using the subdomain for this approach.

    As you should already have the mapping of which products each client should be subscribed to, the best approach would be to verify this in your proxy application, validating whether your client is authorized or not based on your subdomain name. This will help in overcoming the overhead, as it is like passing the request to your backend service to validate it.

    If you don't want this to be implemented at the proxy level, then your proxy should add a custom header that carries the subdomain details along with the subscription key (as you have already implemented) before calling APIM. At the APIM end, you then need to write an inbound policy that reads the value of your custom header and validates it against the mapping (of which products each client should be subscribed to) to decide whether the request should be authorized or not.
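The proxy-side check the answer recommends, as an added example that is not part of the original post or of any Microsoft sample: the proxy derives the tenant slug from the Host header of a request to tenant.mydomain.com, looks it up in its own allow-list of tenants and subscribed products, and only then attaches the subscription key plus a custom tenant header for APIM. The base domain, the tenant slugs, the keys, the product path prefixes and the X-Tenant header name are assumptions; Ocp-Apim-Subscription-Key is APIM's default subscription-key header. The same tenant-to-products lookup is what an APIM inbound policy would evaluate on the X-Tenant value in the second option the answer describes.

```python
"""Evaluation proxy for tenant.mydomain.com: derive the tenant from the Host
header, look it up in an allow-list, and only then attach the APIM
subscription key. Added example; mapping, header names and domain are
assumptions, not the poster's code."""
import posixpath
from dataclasses import dataclass
from typing import Dict, Mapping, Optional, Tuple

BASE_DOMAIN = "mydomain.com"                   # assumption from the question
APIM_KEY_HEADER = "Ocp-Apim-Subscription-Key"  # APIM's default key header name
TENANT_HEADER = "X-Tenant"                     # assumed custom header for the APIM policy
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


@dataclass(frozen=True)
class Tenant:
    subscription_key: str
    products: Tuple[str, ...]   # API path prefixes this subscription covers


# Constructed sample mapping: hard-to-guess tenant slug -> key and products.
TENANTS: Dict[str, Tenant] = {
    "x7q9k2-acme": Tenant("00000000000000000000000000000001", ("/weather", "/geo")),
    "p3m8v1-globex": Tenant("00000000000000000000000000000002", ("/weather",)),
}


class Rejected(Exception):
    """Request refused before it reaches APIM."""


def tenant_from_host(host: str) -> Optional[str]:
    """Return the tenant slug from 'slug.mydomain.com[:port]', or None.

    Only a single lowercase DNS label directly under BASE_DOMAIN is accepted,
    so 'a.slug.mydomain.com', 'mydomain.com' and 'slug.mydomain.com.evil.net'
    all yield None.  The Host header is client-controlled input.
    """
    name = host.strip().lower()
    head, sep, tail = name.rpartition(":")
    if sep and tail.isdigit():      # strip an explicit port only
        name = head
    suffix = "." + BASE_DOMAIN
    if not name.endswith(suffix):
        return None
    label = name[:-len(suffix)]
    if not label or not set(label) <= LABEL_CHARS:
        return None
    return label


def normalize_path(path: str) -> str:
    """Collapse '..' and '//' so '/weather/../geo/x' is judged as '/geo/x'."""
    return posixpath.normpath("/" + path.lstrip("/"))


def build_upstream_headers(headers: Mapping[str, str], path: str) -> Dict[str, str]:
    """Validate the tenant and return the headers to forward to APIM.

    Raises Rejected for an unknown tenant or a path outside its products.
    Any client-supplied subscription-key or tenant header is discarded so a
    prospect cannot smuggle a key or impersonate another tenant.
    """
    host = next((v for k, v in headers.items() if k.lower() == "host"), "")
    slug = tenant_from_host(host)
    tenant = TENANTS.get(slug) if slug else None
    if tenant is None:
        raise Rejected("unknown tenant")
    norm = normalize_path(path)
    if not any(norm == p or norm.startswith(p + "/") for p in tenant.products):
        raise Rejected("tenant is not subscribed to this product")
    drop = {"host", APIM_KEY_HEADER.lower(), TENANT_HEADER.lower()}
    out = {k: v for k, v in headers.items() if k.lower() not in drop}
    out[APIM_KEY_HEADER] = tenant.subscription_key
    out[TENANT_HEADER] = slug
    return out


def is_allowed(headers: Mapping[str, str], path: str) -> bool:
    """Boolean view of build_upstream_headers for quick checks."""
    try:
        build_upstream_headers(headers, path)
        return True
    except Rejected:
        return False


if __name__ == "__main__":
    # Constructed sample requests for the example.
    samples = [
        ({"Host": "X7Q9K2-ACME.mydomain.com:443", "Accept": "application/json"}, "/geo/lookup"),
        ({"Host": "p3m8v1-globex.mydomain.com", "Ocp-Apim-Subscription-Key": "bogus"}, "/weather/today"),
        ({"Host": "p3m8v1-globex.mydomain.com"}, "/weather/../geo/lookup"),
        ({"Host": "guess.mydomain.com.evil.net"}, "/weather/today"),
    ]
    for hdrs, p in samples:
        try:
            print(p, "->", build_upstream_headers(hdrs, p))
        except Rejected as e:
            print(p, "-> rejected:", e)
```

Because the hostname is the only credential in this scheme, the proxy treats Host as untrusted input: it accepts exactly one label directly under the base domain, discards any client-supplied key or tenant header before forwarding, and normalises the path so a tenant subscribed only to /weather cannot reach /geo via /weather/../geo. One further check worth making: if each tenant gets its own TLS certificate, the tenant hostnames are published in Certificate Transparency logs, so a wildcard certificate for the base domain keeps a hard-to-guess subdomain from being listed there.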