How to delegate user registration and product subscription
Delegation enables your website to own the user data and perform custom validation. With delegation, you can handle developer sign-in/sign-up and product subscription using your existing website, instead of the developer portal's built-in functionality.
Availability
Important
This feature is available in the Premium, Standard, Basic, and Developer tiers of API Management.
Delegating developer sign-in and sign-up
To delegate developer sign-in and sign-up to your existing website, create a special delegation endpoint on your site. This special delegation acts as the entry-point for any sign-in/sign-up request initiated from the API Management developer portal.
The final workflow will be:
- Developer clicks on the sign-in or sign-up link at the API Management developer portal.
- Browser redirects to the delegation endpoint.
- Delegation endpoint in return redirects user to or presents user with sign-in/sign-up.
- Upon successful sign-in/sign-up, user is redirected back to the API Management developer portal at the location they left.
Set up API Management to route requests via delegation endpoint
- In the Azure portal, search for Developer portal in your API Management resource.
- Click the Delegation item.
- Click the checkbox to enable Delegate sign-in & sign-up.
- Decide your special delegation endpoint's URL and enter it in the Delegation endpoint URL field.
- Within the Delegation Validation Key field, either:
- Enter a secret used to compute a signature provided for verification that the request originates from API Management.
- Click the Generate button for API Management to generate a random key for you.
- Click Save.
Create your delegation endpoint
Note
While the following procedure provides examples of the SignIn operation, you can perform account management using any of the available operations with the steps below.
Recommended steps for creating a new delegation endpoint to implement on your site:
Receive a request in the following form:
http://www.yourwebsite.com/apimdelegation?operation=SignIn&returnUrl={URL of source page}&salt={string}&sig={string}
Query parameters for the sign-in/sign-up case:
Parameter Description operation Identifies the delegation request type. Available operations: SignIn, ChangePassword, ChangeProfile, CloseAccount, and SignOut. returnUrl The URL of where the user clicked on a sign-in or sign-up link. salt A special salt string used for computing a security hash. sig A computed security hash used for comparison to your own computed hash. Verify the request comes from Azure API Management (optional, but highly recommended for security).
Compute an HMAC-SHA512 hash of a string based on the returnUrl and salt query parameters. For more details, check our example code.
HMAC(salt + '\n' + returnUrl)
Compare the above-computed hash to the value of the sig query parameter. If the two hashes match, move on to the next step. Otherwise, deny the request.
Verify you receive a request for sign-in/sign-up.
- The operation query parameter will be set to "SignIn".
Present the user with sign-in/sign-up UI.
- If the user signs up, create a corresponding account for them in API Management.
- Create a user with the API Management REST API.
- Set the user ID to either the same value in your user store or a new, easily tracked ID.
- If the user signs up, create a corresponding account for them in API Management.
When the user is successfully authenticated:
Request a shared access token via the API Management REST API.
Append a returnUrl query parameter to the SSO URL you received from the API call above. For example:
https://contoso.developer.azure-api.net/signin-sso?token=<URL-encoded token>&returnUrl=%2Freturn%2Furl
Redirect the user to the above-produced URL.
Note
For account management operations (ChangePassword, ChangeProfile, and CloseAccount), pass the following query parameters:
Parameter | Description |
---|---|
operation | Identifies the delegation request type. |
userId | The user ID of the account you wish to manage. |
salt | A special salt string used for computing a security hash. |
sig | A computed security hash used for comparison to your own computed hash. |
Delegating product subscription
Delegating product subscriptions works similarly to delegating user sign-in/sign-up. The final workflow would be as follows:
- Developer selects a product in the API Management developer portal and clicks on the Subscribe button.
- Browser redirects to the delegation endpoint.
- Delegation endpoint performs required product subscription steps, which you design. They may include:
- Redirecting to another page to request billing information.
- Asking additional questions.
- Storing the information and not requiring any user action.
Enable the API Management functionality
On the Delegation page, click Delegate product subscription.
Create your delegation endpoint
Recommended steps for creating a new delegation endpoint to implement on your site:
Receive a request in the following form.
http://www.yourwebsite.com/apimdelegation?operation={operation}&productId={product to subscribe to}&userId={user making request}&salt={string}&sig={string}
Query parameters for the product subscription case:
Parameter Description operation Identifies the delegation request type. Valid product subscription requests options are: - Subscribe: a request to subscribe the user to a given product with provided ID (see below).
- Unsubscribe: a request to unsubscribe a user from a product.
- Renew: a request to renew a subscription (for example, that may be expiring)
productId On Subscribe, the product ID that the user requested subscription. subscriptionId On Unsubscribe and Renew, the product subscription. userId On Subscribe, the requesting user's ID. salt A special salt string used for computing a security hash. sig A computed security hash used for comparison to your own computed hash. Verify that the request is coming from Azure API Management (optional, but highly recommended for security)
- Compute an HMAC-SHA512 of a string based on the productId, userId, and salt query parameters:
HMAC(**salt** + '\n' + **productId** + '\n' + **userId**)
- Compare the above-computed hash to the value of the sig query parameter. If the two hashes match, move on to the next step. Otherwise, deny the request.
- Compute an HMAC-SHA512 of a string based on the productId, userId, and salt query parameters:
Process the product subscription based on the operation type requested in operation (for example: billing, further questions, etc.).
Upon successful user subscription to the product on your side, subscribe the user to the API Management product by calling the REST API for subscriptions.
Example code
These code samples show how to:
- Take the delegation validation key, which is set in the Delegation screen of the Azure portal.
- Create an HMAC, which validates the signature, proving the validity of the passed returnUrl.
With slight modification, you can use the same code for the productId and userId.
C# code to generate hash of returnUrl
using System.Security.Cryptography;
string key = "delegation validation key";
string returnUrl = "returnUrl query parameter";
string salt = "salt query parameter";
string signature;
using (var encoder = new HMACSHA512(Convert.FromBase64String(key)))
{
signature = Convert.ToBase64String(encoder.ComputeHash(Encoding.UTF8.GetBytes(salt + "\n" + returnUrl)));
// change to (salt + "\n" + productId + "\n" + userId) when delegating product subscription
// compare signature to sig query parameter
}
NodeJS code to generate hash of returnUrl
var crypto = require('crypto');
var key = 'delegation validation key';
var returnUrl = 'returnUrl query parameter';
var salt = 'salt query parameter';
var hmac = crypto.createHmac('sha512', new Buffer(key, 'base64'));
var digest = hmac.update(salt + '\n' + returnUrl).digest();
// change to (salt + "\n" + productId + "\n" + userId) when delegating product subscription
// compare signature to sig query parameter
var signature = digest.toString('base64');
Important
You need to republish the developer portal for the delegation changes to take effect.
Next steps
- Learn more about the developer portal.
- Authenticate using Azure AD or with Azure AD B2C.
- More developer portal questions? Find answers in our FAQ.
Feedback
Submit and view feedback for