Reputation: 4406
Specific API is added to multiple Products in API Management, want to set 'Subscription required' on API level
I have a couple of Products in my API Management instance, let's call them Product 1 and Product 2.
Both of these products have an API added called Inventory.
For Product 1 I have set Subscription required to true.
For Product 2 I have set Subscription required to false.
So far, this works great.
Now, I have set the Subscription required flag to true on my Inventory API also. I want to enforce people specify a valid subscription key when calling this API.
What I'm noticing though, this flag on API-level isn't enforced (properly?).
I'm still able to invoke the Inventory API without a subscription key.
My guess is, the Product 2 policy is overruling the Subscription required setting which is set on the API level. Is this correct?
And my actual question is, how to enforce a specific API that always requires a valid subscription key while still having an 'open' Product?
Upvotes: 2
Views: 1146
Answers (2)
Reputation: 4251
As long as the API is attached to an open product you can always call it without a subscription, this is by design. If you want to enforce a subscription key to be sent, you have either to remove it from that open product or mark it as a subscription required.
Adding a policy is really inefficient and dirty for the following reasons
You will need to keep track all the subscription keys values (removed, added, regenerated...etc).
All the other polices precedes the checking policy will be executed before the request is denied.
if you decide to change the subscription key header name, you will have to go through all the checking policies and modify them.
Upvotes: 3
Reputation: 15734
I test it in my side and also same feature as yours. When I use two products(one enable Requires subscription and the other disable Requires subscription) and both of them has one api in it. The api will not check subscription key even though I have enabled its Subscription required.
As a workaround, you can add a policy in your api <outbound> like below. The added policy is used to check the subscription key manually.
Upvotes: 1
Related Questions
- How to bypass Subscription Key for single endpoint in the API in Azure API Managment
- Azure Api management Is it possible to disable Subscription Key
- Azure API Management, single API accept AAD or subscription key
- Is There a Way to Restrict Azure API Management Endpoint By Subscription?
- Azure API Management - How to execute product policy when product does not require subscription?
- How to disable subscription key in Azure API Managment with Powershell
- Change scope of Azure API Mgmt Subscription
- Controlling when the subscription check happens in azure API management
- Azure apimanagement with subscriptions on a subset of operations, is it possible?
- In Azure API Management How are product level policies resolved for APIs when subscriptions are not required?