
Azure APIM subscription-key policy not working


I am trying to figure out Azure APIM. I am primarily using it to map Azure Functions to a domain name; all the endpoints are public facing and all use OAuth for authentication.

However, I am having a problem with the subscription key. My main question is: are they needed? My APIs work if I go into the settings and set "Subscription key required" to false, but I can't get it to work by adding a policy to the inbound section to add it:

<inbound>
    <base />
    <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
        <value>{{subscription-key}}</value>
    </set-header>
</inbound>

So do I need them? (I would like to get the policy to work regardless, just because.) Any suggestions would be appreciated.


Solution

  • If you have disabled the subscription key required option in settings, then you don't need to pass Ocp-Apim-Subscription-Key while invoking any request.

    The {{subscription-key}} format is used when you want to fetch the value of a named value called subscription-key.

    In APIM, the header name Ocp-Apim-Subscription-Key is used for the master subscription key.

    • After disabling the subscription key required option in settings, Ocp-Apim-Subscription-Key is still passed in the request header by default while testing the API operations in the portal. You can validate this using the policy below and check the trace.
    <policies>
        <inbound>
            <base />
            <check-header name="Ocp-Apim-Subscription-Key" failed-check-httpcode="200" failed-check-error-message="Ignore subscription key" />
        </inbound>
    </policies>
    
    • But you don't need to pass the Ocp-Apim-Subscription-Key header explicitly if you are testing outside of the portal (for example in Postman) when "Subscription key required" is set to false. If it is enabled, then you need to provide the key in the request header.

    • You can use the policy below to pass on the Ocp-Apim-Subscription-Key header value when "Subscription key required" is set to false.
    <policies>
        <inbound>
            <base />
            <set-header name="hasSubscriptionKey" exists-action="override">
                <value>@(context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key", ""))</value>
            </set-header>
        </inbound>
    </policies>
    

    Trace (screenshot not included)

    Or you can also use the policy below.

    <policies>
        <inbound>
            <base />
            <set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
                <value>@(context.Subscription.Key)</value>
            </set-header>
        </inbound>
    </policies>
    

    If "Subscription key required" is set to true, then you need to pass the Ocp-Apim-Subscription-Key header explicitly while invoking the request URL. It provides an extra layer of security so that only a user with a key can access the API.
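Since the APIs in the question are protected with OAuth, here is an added example (not code from the question or the answer) of an inbound policy for the "Subscription key required = false" case: it enforces the bearer token with validate-jwt so the subscription key is genuinely optional, guards against context.Subscription being null when no key was sent, and strips the key before the request reaches the function. The OpenID configuration URL, audience and scope value are placeholders to be replaced with your own.

```xml
<policies>
    <inbound>
        <base />
        <!-- The bearer token, not the subscription key, authenticates the caller.
             Reject the call with 401 if the token is missing, expired or not issued for this API. -->
        <validate-jwt header-name="Authorization" require-scheme="Bearer"
                      failed-validation-httpcode="401"
                      failed-validation-error-message="Unauthorized: missing or invalid bearer token">
            <!-- Placeholder: your tenant's OpenID configuration document -->
            <openid-config url="https://login.microsoftonline.com/TENANT-ID-PLACEHOLDER/v2.0/.well-known/openid-configuration" />
            <audiences>
                <!-- Placeholder: the application ID URI registered for this API -->
                <audience>api://example-api-placeholder</audience>
            </audiences>
            <required-claims>
                <!-- Placeholder scope; scp is space separated, so split on " " -->
                <claim name="scp" match="any" separator=" ">
                    <value>access_as_user</value>
                </claim>
            </required-claims>
        </validate-jwt>
        <!-- With "Subscription key required" off, the request may carry no subscription at all,
             so check for null instead of reading context.Subscription.Key directly. -->
        <set-header name="X-Subscription-Present" exists-action="override">
            <value>@(context.Subscription != null ? "true" : "false")</value>
        </set-header>
        <!-- Do not forward the caller's key to the backend function; it has no use there -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```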