Verify Subscription inside the policy

Vijay Akula 66 Reputation points
2022-08-03T00:06:32.017+00:00

We have an API with operations protected by OAuth. This API at the moment does not require a subscription but just OAuth. However, we would like to expose one of its operations for API key based authentication. We will move the jwt validation policy to the OAuth based operation, and I am wondering if there is any option to check if the client subscription has been added to the product. Enabling the Subscription required option will force OAuth clients to supply an API key, which is not necessary. Please let me know if there is any option. Thank you

Azure API Management

Accepted answer
  1. JananiRamesh-MSFT 21,966 Reputation points
    2022-08-08T13:53:45.053+00:00

    Hi @Vijay Akula Thanks for reaching out. You can't do that, because the narrower subscription level(scope) is the API/User level.

    There are two solutions. One is to add a policy on the operation level to check against the subscription, but that is inefficient and dirty for the following reasons:

    • You will need to keep track of all the subscription key values (removed, added, regenerated, etc.).
    • All the other policies that precede the checking policy will be executed before the request is denied.
    • If you decide to change the subscription key header name, you will have to go through all the checking policies and modify them.

    The other solution, which is cleaner, is to put those operations that require subscriptions in a separate API that requires a subscription.

    Please let me know in case of further queries, I would be glad to help.

    Please 'Accept as answer' and ‘Upvote’ if it helped so that it can help others in the community looking for help on similar topics.

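As an added illustration of the first (operation-scoped) option described in the accepted answer, not code from the original thread or from Microsoft: two operation-level policy fragments for the same API, one that keeps `validate-jwt` on the OAuth operation and one that checks the subscription key header on the API-key operation. The named values `{{partner-subscription-key}}` and `{{tenant-id}}`, the audience `api://example-api` and the error messages are placeholders assumed for the example; the key values the policy compares against are exactly the thing the answer warns you will have to maintain by hand.

```xml
<!-- Operation: GET /req-with-auth (OAuth only; no subscription key needed) -->
<policies>
    <inbound>
        <base />
        <!-- validate-jwt moved to operation scope so it no longer applies to the API-key operation -->
        <validate-jwt header-name="Authorization"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized"
                      require-scheme="Bearer">
            <!-- placeholder tenant and audience; replace with your own -->
            <openid-config url="https://login.microsoftonline.com/{{tenant-id}}/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>api://example-api</audience>
            </audiences>
        </validate-jwt>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Operation: GET /req-with-sub (API key only; API itself has "Subscription required" off) -->
<policies>
    <inbound>
        <base />
        <!-- Manual key check. The accepted value comes from a secret named value
             ({{partner-subscription-key}}, a placeholder) so the policy text never
             holds the key itself, but every key rotation still means updating it. -->
        <check-header name="Ocp-Apim-Subscription-Key"
                      failed-check-httpcode="401"
                      failed-check-error-message="Missing or invalid subscription key"
                      ignore-case="true">
            <value>{{partner-subscription-key}}</value>
        </check-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

Because `check-header` runs only at the point it appears in the inbound section, anything earlier in the chain (the `<base />` inheriting product and global policies) still executes for a request that is about to be rejected, which is the second drawback the answer lists.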

  1. James Longworth 326 Reputation points
    2022-08-03T15:39:48.117+00:00

    A possible approach may be to use an additional APIM API as a 'shim' between your frontend APIM API and your backend API, with the 'shim' API configured to require a subscription key.

    So, as an example:
    You have an existing APIM frontend API defined as /api99
    You need to implement 2x GET operations (Note, these could be any operations)

    • /api99/req-with-auth, which has the jwt validation policy applied
    • /api99/req-with-sub, which has no jwt validation policy, but should have a subscription key.

    The first is pretty straightforward:

    GET /api99/req-with-auth --> backend-API

    The second has the frontend API's backend set to direct to the shim API (on the same APIM instance).
    The shim API is configured to pass through to the original backend API but has 'require subscription' enabled.

    GET /api99/req-with-sub --> shim --> backend-API

    You may need to include a URL rewrite policy to ensure the backend API gets the expected path in the case the shim appends further elements.

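An added example of the routing described in this answer, not code from the original post: the frontend operation's policy redirects to the shim API on the same gateway, and the shim API's policy rewrites the path back to what the original backend expects. The subscription check itself is not policy at all; it comes from the shim API's "Subscription required" setting. The hostnames `{{apim-gateway-host}}` and `https://backend.example.com`, the shim path `/shim`, and the named value `{{shim-subscription-key}}` are placeholders assumed for the example.

```xml
<!-- Frontend API /api99, operation: GET /req-with-sub -->
<policies>
    <inbound>
        <base />
        <!-- Send this operation to the shim API hosted on the same APIM instance
             (placeholder host); the shim enforces the subscription key. -->
        <set-backend-service base-url="https://{{apim-gateway-host}}/shim" />
        <!-- Forward the caller's key so the shim can check it. If the key should
             instead be held by the gateway rather than the caller, use a named value. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="skip">
            <value>{{shim-subscription-key}}</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

<!-- Shim API /shim ("Subscription required" enabled), all operations -->
<policies>
    <inbound>
        <base />
        <!-- Pass through to the real backend (placeholder URL) ... -->
        <set-backend-service base-url="https://backend.example.com" />
        <!-- ... and strip the /shim prefix so the backend sees the original path.
             copy-unmatched-params keeps the caller's query string intact. -->
        <rewrite-uri template="/api99/req-with-sub" copy-unmatched-params="true" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

With `exists-action="skip"` the gateway only supplies a key when the caller sent none; if the intent is that every caller must present their own key, remove the `set-header` block so the shim rejects requests without one.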