Azure API Management limitation workaround: Return 404 instead of 405 when the HTTP method not match

This article provides a workaround for the limitation on API Management for returning 404 Operation Not Found instead of 405 Method Not Allowed. There is a Azure feedback and the Stack overflow about this limitation.

Current Status for API Management

Defining API in APIM including creating the resources and allowed methods for each resource.

1. Define a POST API:

2. Test the API with POST method via Postman:

3. Change the HTTP Method to GET or other methods, it returns with 404 operation not found:

The error returned by APIM in this scenario does not follow the definition of HTTP status code strictly. There was feedback that this is still a limitation for APIM and product team updated that there is still no plan on it.

Workaround:

1. Handle the error

When APIM failed to identify an API or operation for the request, it will raise a configuration error which Responses the caller with 404 Resource Not Found. We need to handle this kind of configuration error by referring the Error Handling for APIM, this kind of error can be specified with configuration Error source and OperationNotFound Error reason.  We can define a policy to single API or all of our APIs to capture the error, and set the status code to HTTP 405.

2. Define the policy to all APIs:

Policy Code:

      <choose>
            <when condition="@(context.LastError.Source == "configuration" && context.LastError.Reason == "OperationNotFound")">
                <return-response>
                    <set-status code="405" reason="Method not allowed" />
                    <set-body>@{
                    return new JObject(
                        new JProperty("status", "HTTP 405"),
                        new JProperty("message", "Method not allowed"),
                        new JProperty("text", context.Response.StatusCode.ToString()),
                        new JProperty("errorReason", context.LastError.Message.ToString())
                    ).ToString();
                }</set-body>
                </return-response>
            </when>
            <otherwise />
        </choose>

You may wonder how the condition context.LastError.Source == "configuration" && context.LastError.Reason == "OperationNotFound" will specify this type of error, from the error OCP trace, we can see the an error is thrown with message in Configuration section “OperationNotFound”:

when this type error occurred during the evaluation, the error source will be captured as configuration. It will not forward request further. To exclude other configuration error, we need specify the error reason as “OperationNotFound”.

3. Test the API with wrong HTTP method:

Tested on all APIs and with all wrong methods, it will get 405 Method Not Allowed.

Related links:

Error Handling for APIM

Hope this can be useful!