Using API Management Open Product to Manage Access Control with subscription

Published Oct 28 2021 11:02 PM 1,014 Views
Microsoft

 

Background Information:

 

For Azure API Management (APIM) users, APIs are the core component of the service. In many scenarios the APIs need to be grouped into different products that are then exposed to different consumer groups, which makes it easier for the APIM owner to design an access control pattern for each group of API consumers.

APIM uses subscription keys to validate an API consumer's privilege to call an API. Normally the consumer must include the "Ocp-Apim-Subscription-Key" header with the key as its value; APIM validates it, and if the header is missing or the key is invalid or incorrect, the call to the target API is denied and a 401 error is returned.

 

However, APIM lets you check or uncheck the "Subscription required" box to decide whether calls to an API must include a subscription key. This setting exists at two levels: product level and API level.

[Picture1, Picture2: the "Subscription required" checkbox at product level and at API level]

Open Product:

An API product that does not require a subscription key is considered an open product in APIM.

 

There are some points that should be noted:

  • Each API can only be associated with one open product.

  • If an API is associated with an open product, API consumers can still call the API without a subscription key, even when "Subscription required" is checked at the API level.

  • If API consumers call the API with no subscription key, an Ocp-Apim-Trace cannot be generated, because request tracing requires a subscription key in the request.

MS official document on Ocp-Apim-Trace: Tutorial - Debug APIs in Azure API Management using request tracing | Microsoft Docs

  • If an API is associated with no open product, so that all of its products require a subscription key, but at the API level it does not require a subscription key, consumers can still call the API without any subscription key, because the API-level setting overrides the product-level setting.

 

Scenario 1:

An API associated with both an open product and a normal product, with the API level requiring a subscription key:

I have an API "test-api-1" that requires a subscription key at the API level and is associated with two products, "Unlimited" and "Test-Product". In this case "Unlimited" requires a subscription key and "Test-Product" does not.

 

[Picture3: API-level settings of test-api-1]

[Picture4, Picture5: product-level settings of Unlimited and Test-Product]

 

If we call this API without any subscription key, we get a 200 OK response even though the API level requires a subscription key:

[Picture6: 200 OK response to a call without a subscription key]

 

If we call this API with a subscription key, we also get 200 OK back.

[Picture7: 200 OK response to a call with a subscription key]

Underlying Mechanism of Scenario 1:

 

In this scenario APIM treats the open product as the API's default product, so the product-level policy is executed and the response comes back successfully. The request is attributed to "Test-Product" in the APIM logs.

When we include a subscription key, APIM instead finds the associated product from the key it received, and in the APIM logs the request is attributed to the product "Unlimited".

 

Scenario 2:

An API associated with no open product, only a normal product, with the API level not requiring a subscription key:

I have an API "test-api-2" that is associated only with the product "Unlimited", which requires a subscription key as mentioned in Scenario 1, but the API level does not require a subscription key:

[Picture8: API-level and product settings of test-api-2]

When we call this API with no subscription key, 200 OK is returned:

[Picture9: 200 OK response to a call without a subscription key]

But if we change the API-level configuration so that it requires a subscription key and then call the API with no subscription key, 401 is returned:

[Picture10: 401 response after enabling "Subscription required" at the API level]

 

Underlying Mechanism of Scenario 2:

 

If there is no open product associated with the API, APIM gives the API-level policy priority over the product-level policy. In other words, the API-level "does not require a subscription key" setting overrides the product-level "requires a subscription key" setting.

 

Hence the overall logic of how APIM evaluates "Subscription required" is:

  • If an API is associated with an open product, APIM treats the open product as the API's default product, and the API-level setting cannot override the open product's setting.
  • If the API is not associated with any open product, APIM gives priority to the setting at the API level.

In practice this means an API is reachable without any key whenever it belongs to an open product, or whenever it has no open product and the API-level box is unchecked, regardless of what its other products require. Both settings therefore need to be reviewed when checking who can call an API.
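The two "Underlying Mechanism" sections and the summary above can be turned into a small decision model. The following Python is an added illustration written for this post, not APIM's own implementation: the class and function names, the sample configuration (built to reproduce Scenario 1 and Scenario 2), the key value and the handling of an invalid key are all assumptions, and only product-scoped subscriptions are modelled. Its audit helper lists every API a caller with no key can reach, which is the check a reviewer of an APIM instance would want to run over the real configuration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

OCP_HEADER = "Ocp-Apim-Subscription-Key"


@dataclass
class Product:
    name: str
    subscription_required: bool   # the product-level "Subscription required" box


@dataclass
class Api:
    name: str
    subscription_required: bool   # the API-level "Subscription required" box
    products: List[Product]       # products this API is associated with

    def open_product(self) -> Optional[Product]:
        """Return the open product this API belongs to, if any."""
        open_products = [p for p in self.products if not p.subscription_required]
        if len(open_products) > 1:
            # The post states an API can only be associated with one open product.
            raise ValueError(f"{self.name} is in more than one open product")
        return open_products[0] if open_products else None


@dataclass
class Decision:
    status: int               # HTTP status the gateway would return (200 or 401)
    product: Optional[str]    # product attributed to the request in the gateway log
    reason: str


def _get_header(headers: Dict[str, str], name: str) -> Optional[str]:
    """HTTP header names are case-insensitive; match accordingly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def evaluate(api: Api, headers: Dict[str, str],
             subscriptions: Dict[str, Product]) -> Decision:
    """Decide whether a request reaches the API, following the post's rules.

    subscriptions maps a valid key to the product it was issued for
    (product-scoped keys only; API- and all-APIs-scoped keys are not modelled).
    """
    key = _get_header(headers, OCP_HEADER)
    if key is not None:
        product = subscriptions.get(key)
        if product is None or product not in api.products:
            # Assumption of this model: a key that is unknown, or not issued for a
            # product containing this API, is rejected like any invalid key.
            return Decision(401, None, "invalid subscription key")
        # Scenario 1 with a key: the product is found from the key received.
        return Decision(200, product.name, "valid key for product")
    open_product = api.open_product()
    if open_product is not None:
        # Scenario 1 without a key: the open product acts as the default product
        # and the API-level checkbox cannot override it.
        return Decision(200, open_product.name, "open product is default product")
    if not api.subscription_required:
        # Scenario 2: with no open product, the API-level setting wins.
        return Decision(200, None, "API-level setting does not require a key")
    return Decision(401, None, "missing subscription key")


def anonymous_reachable(apis: List[Api]) -> Dict[str, str]:
    """Audit helper: which APIs answer a request carrying no key, and why."""
    findings = {}
    for api in apis:
        decision = evaluate(api, {}, {})
        if decision.status == 200:
            findings[api.name] = decision.reason
    return findings


def sample_config():
    """Constructed configuration reproducing Scenario 1 and Scenario 2."""
    unlimited = Product("Unlimited", subscription_required=True)
    test_product = Product("Test-Product", subscription_required=False)
    apis = {
        "test-api-1": Api("test-api-1", True, [unlimited, test_product]),
        "test-api-2": Api("test-api-2", False, [unlimited]),
    }
    # Constructed key value for illustration; real keys are issued by APIM.
    subscriptions = {"0123456789abcdef0123456789abcdef": unlimited}
    return apis, subscriptions


if __name__ == "__main__":
    apis, subs = sample_config()
    print(evaluate(apis["test-api-1"], {}, subs))
    print(evaluate(apis["test-api-1"],
                   {OCP_HEADER: "0123456789abcdef0123456789abcdef"}, subs))
    print(evaluate(apis["test-api-2"], {}, subs))
    print(anonymous_reachable(list(apis.values())))
```

To apply the audit to a real instance, populate Product and Api from the subscriptionRequired property of each product and API returned by the APIM management API, together with the product-to-API associations; the decision logic itself does not change.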