Using API Management Open Product to Manage Access Control with subscription
Published Oct 28 2021 11:02 PM 4,363 Views
Microsoft

Background Information:

For Azure API Management (APIM) users, the APIs are the core component of the service. In many scenarios, the APIs need to be grouped into different products that are then accessed by different user groups, which makes it easier for the APIM owner to design an access control pattern targeting each API consumer group.

APIM uses subscription keys to validate an API consumer’s privilege to access the APIs. Normally, the API consumer needs to include the “Ocp-Apim-Subscription-Key” header and its value in the request sent to APIM, where it is validated; if this header is missing or the subscription key is invalid/incorrect, the request to the target API will be denied by APIM and a 401 error will be returned.

However, in APIM we have the option to check/uncheck the “Subscription required” box to choose whether calling the API(s) needs to include the subscription key, and we can set it at two levels: Product level and API level.


Open Product:

An API product that doesn’t require a subscription key is considered an open product in APIM.

Scenario 1:

An API is associated with both an Open Product and a normal product, and the API level requires the subscription key:

I have an API named “test-api-1” which requires a subscription key at API level, and it is associated with 2 products called “Unlimited (subscription key required)” and “Test-Product (no subscription key required)” respectively.

If we visit this API without any subscription key, we get a 200 OK response even though the API level requires a subscription key.

If we visit this API with a subscription key, we get 200 OK back as well.

Underlying Mechanism of Scenario 1:

In this scenario, if users send requests with no subscription key, APIM treats the Open Product as a default product, and the product-level setting is applied. Therefore, we get the response back successfully. In this case, the “Test-Product” will be associated with this visit record shown in the APIM log.

However, when we include a subscription key, APIM will find the associated product based on the subscription key received, and in the APIM logs we can see this visit record is associated with the product “Unlimited”.

Scenario 2:

An API is associated with no Open Product but with a normal product, and the API level does not require a subscription key:

I have an API “test-api-2” which is only associated with the product called “Unlimited”, which requires a subscription key as mentioned in Scenario 1. But the API level does not require any subscription key.

When we call this API with no subscription key, a 200 OK will be returned.

However, if we change the configuration at API level so that it requires a subscription key, then when we call the API with no subscription key, a 401 will be returned.

Underlying Mechanism of Scenario 2:

If there is no Open Product associated with an API, APIM will take the API-level "subscription key required" setting in priority over the product level. In other words, the API-level “does not require a subscription key” setting will override the product-level “requires a subscription key” setting.

Scenario 3:

An API is associated with both an open product (Test-Open-Product-1) and a normal product (Test Product, which requires the subscription key).

Consumers can consume this API:

  • With a valid subscription key.
  • Without any subscription key.
  • With an invalid subscription key.

Underlying Mechanism of Scenario 3:

If the request has a valid subscription key that matches a product associated with the target API, APIM will apply the corresponding product based on the subscription key value.

If the request has no subscription key or an invalid subscription key, and the API is included in an Open Product, APIM will apply the Open Product as the default product.

Scenario 4:

An API has only 1 Open Product associated, without any other products, and a subscription key is required at API level:

  • Requests with an invalid subscription key get 200 back.
  • Requests with no subscription key also get 200 back.

Underlying Mechanism of Scenario 4:

If an API is only associated with Open Products, then requests with no subscription key or an invalid subscription key are included in the Open Product, and the Open Product’s "require subscription key" setting will override the setting at API level.

Scenario 5:

An API has an Open Product associated, and other products are associated as well:

  • Meanwhile, I have another product which is not associated with this API.
  • If I call this API with no subscription key, a 200 OK will be returned.
  • If I call this API with an invalid subscription key, 200 will be returned.
  • However, if I use the subscription key of another product which is not associated with this API, a 401 error will be returned.

Underlying Mechanism of Scenario 5:

If an API is associated with an Open Product, then requests with no subscription key or an invalid subscription key (one that does not belong to any other existing product not associated with this API) are treated as calls via the Open Product. However, any request with a subscription key that belongs to an existing product not associated with this API will be denied, because the subscription of another product has no access to APIs that are not included in that product, even when an Open Product is configured.

Hence the overall logic of how APIM evaluates “subscription required” is:

  • If an API has an Open Product associated, all calls with no subscription key or an invalid subscription key are evaluated under the Open Product’s "require subscription key" setting, regardless of whether the API level requires a subscription key.
  • If an API is associated with any Open Product, APIM treats the Open Product as the API’s default product, so the API-level setting cannot override the Open Product level "require subscription key" setting.
  • If traffic to the API has a valid subscription key and APIM can find a match among the associated products of this API, the corresponding product will be applied, whether or not an Open Product is associated.
  • If the API is not associated with any Open Product, APIM will give priority to the "require subscription" setting at API level.
  • If the API is associated with an Open Product, any request that contains the subscription key of another product (a product not associated with this API) will be denied with a 401 error.
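
To make the five rules concrete, the following Python model replays the evaluation order over the scenarios above. It is an added example for this post, not APIM’s implementation; the product and API names partly follow the post and the subscription keys, the "Open-Only" and "Other-Product" products and "test-api-4" are constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Product:
    name: str
    requires_subscription: bool              # product-level "Subscription required" box
    keys: set = field(default_factory=set)   # constructed sample keys belonging to this product
    apis: set = field(default_factory=set)   # names of the APIs included in this product

@dataclass
class Api:
    name: str
    requires_subscription: bool              # API-level "Subscription required" box

def evaluate(api, products, key):
    """Return (HTTP status, product applied) for a call whose Ocp-Apim-Subscription-Key
    header has value `key` (None = header absent). Product is None when none is attributed."""
    associated = [p for p in products if api.name in p.apis]
    # A valid key that matches an associated product wins, open product or not.
    for p in associated:
        if key is not None and key in p.keys:
            return 200, p.name
    # A key that belongs to an existing product NOT associated with this API is denied.
    if any(key is not None and key in p.keys for p in products):
        return 401, None
    # Missing or unknown key: an associated open product becomes the default product,
    # and its "not required" setting overrides the API-level setting.
    for p in associated:
        if not p.requires_subscription:
            return 200, p.name
    # No open product: the API-level setting takes priority over the product level.
    return (401, None) if api.requires_subscription else (200, None)

# Constructed sample configuration mirroring the scenarios in the post
# (some names follow the post, others are invented; all keys are placeholders).
PRODUCTS = [
    Product("Unlimited", True, {"key-unlimited"}, {"test-api-1", "test-api-2"}),
    Product("Test-Product", False, set(), {"test-api-1"}),   # open product
    Product("Open-Only", False, set(), {"test-api-4"}),      # open product
    Product("Other-Product", True, {"key-other"}, set()),    # not associated with any API here
]
API1 = Api("test-api-1", True)   # Scenarios 1, 3, 5: open + normal product, key required at API level
API2 = Api("test-api-2", False)  # Scenario 2: normal product only, key not required at API level
API4 = Api("test-api-4", True)   # Scenario 4: open product only, key required at API level

if __name__ == "__main__":
    for api, key in [(API1, None), (API1, "key-unlimited"), (API1, "bogus"),
                     (API2, None), (API4, "bogus"), (API1, "key-other")]:
        print(f"{api.name} key={key!r} -> {evaluate(api, PRODUCTS, key)}")
```

The product name returned alongside the status is the one the post says APIM attributes the call to in its logs, which is the field to check when auditing whether a call reached an API through an open product rather than through a subscription.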

Version history
Last update: Jun 22 2022 12:18 AM