API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Support UrlEncoding for the C# implementation.

    I have had several elements when integrating with backend service APIs where the authentication token and other properties need to be UrlEncoded (i.e. SAS tokens, or a redirect URL on query strings).

    Normally in C# I would use the HttpUtility class (UrlEncode methods), but these are not available / supported classes in the custom policy section of the site.

    Would be nice to have the HttpUtility class and some more of the Encoding classes available.

    18 votes
    under review  ·  0 comments  ·  Policies
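An added example (editor's code, not the poster's): System.Net.WebUtility is on the list of types API Management allows inside policy expressions, so its UrlEncode can do the job HttpUtility.UrlEncode would do in ordinary C#. The backend path, the named value {{sas-token}} and the redirect query parameter are assumptions for illustration.

```xml
<inbound>
    <base />
    <!-- Assumed: a named value holding the SAS token; {{sas-token}} is substituted before the expression runs -->
    <set-variable name="sasToken" value="{{sas-token}}" />
    <!-- Assumed: the caller supplies the redirect target as a query parameter on the inbound request -->
    <set-variable name="redirect" value="@(context.Request.Url.Query.GetValueOrDefault("redirect", ""))" />
    <!-- WebUtility.UrlEncode percent-encodes '+', '/', '=' and spaces, so the SAS signature and the full
         redirect URL each survive as a single query value on the backend call.
         '&amp;' is the XML escape for '&' inside the template; the gateway sees a plain '&' after parsing. -->
    <rewrite-uri copy-unmatched-params="false" template="@("/api/resource?sig="
        + System.Net.WebUtility.UrlEncode((string)context.Variables["sasToken"])
        + "&amp;redirect="
        + System.Net.WebUtility.UrlEncode((string)context.Variables["redirect"]))" />
</inbound>
```

Because the token ends up on the backend query string, it will appear in any backend or gateway request logging; prefer a header for the token where the backend allows it, and keep the query-string form for services such as Azure Storage that only accept SAS signatures that way.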
  2. Adding AAD Application authentication policy

    Add a policy for Azure AD Application Authentication, to make it easy to protect the backend API Apps with a requirement of Azure AD authentication.

    13 votes
    0 comments  ·  Policies
  3. validate-jwt openid-config url attribute should support expressions

    I see this was declined a year ago but the alternative is not a good solution. ref: https://feedback.azure.com/forums/248703-api-management/suggestions/31936303-support-expressions-in-openid-config-url-of-valida

    Say I have 2 API developer accounts, and for each one I have a document in Cosmos DB with extra data about each developer. In here I have an OpenID configuration URL so that these developers can use their own authentication tokens to connect to my API. As a first step in all policies, after I have retrieved the developer data, I use the validate-jwt policy, passing in the URL. Ideal scenario. Doesn't work.

    Now looking at the alternative:
    I duplicate…

    13 votes
    0 comments  ·  Policies
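An added example of the static alternative the post alludes to (editor's code, not the poster's): because openid-config url has to be a literal, the policy branches on a caller-supplied selector and each branch carries its own fixed openid-config, issuer and audience. The selector header name, the two identity-provider URLs and the audience value are assumptions.

```xml
<inbound>
    <base />
    <!-- Assumed: the caller states which developer tenant it belongs to. This value only picks a
         pre-configured branch; it never feeds the openid-config URL itself. -->
    <set-variable name="tenant" value="@(context.Request.Headers.GetValueOrDefault("X-Developer-Tenant", ""))" />
    <choose>
        <when condition="@((string)context.Variables["tenant"] == "dev-a")">
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer"
                          require-expiration-time="true" require-signed-tokens="true">
                <openid-config url="https://idp-a.example.com/.well-known/openid-configuration" />
                <!-- Pin issuer and audience per branch so a token minted for one tenant is not accepted for another -->
                <issuers><issuer>https://idp-a.example.com/</issuer></issuers>
                <audiences><audience>api://orders-api</audience></audiences>
            </validate-jwt>
        </when>
        <when condition="@((string)context.Variables["tenant"] == "dev-b")">
            <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer"
                          require-expiration-time="true" require-signed-tokens="true">
                <openid-config url="https://idp-b.example.com/.well-known/openid-configuration" />
                <issuers><issuer>https://idp-b.example.com/</issuer></issuers>
                <audiences><audience>api://orders-api</audience></audiences>
            </validate-jwt>
        </when>
        <otherwise>
            <!-- Unknown or missing selector: reject here rather than fall through to an unauthenticated backend call -->
            <return-response>
                <set-status code="401" reason="Unauthorized" />
            </return-response>
        </otherwise>
    </choose>
</inbound>
```

The cost is exactly the duplication the post complains about: every new developer tenant means another when branch. The security property that makes the static form acceptable is that a caller can only choose among issuers the API owner has already vetted, which an expression-driven openid-config url would have to re-establish some other way.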
  4. API versioning with header doesn't work for APIs with CORS policies.

    We have enabled versioning of APIs using a header 'api-version'.
    We also have enabled CORS policies on the API.

    The problem that we have is when a CORS pre-flight request (OPTIONS) is sent to the API by the browser, the required api-version header is not present and thus a 404 is returned from API-M and we receive a CORS failure in the browser.

    11 votes
    2 comments  ·  Policies
  5. Support Newtonsoft.Json.JsonSerializerSettings in policies

    APIs that get re-written in policy to a JSON object output often end up with several properties that are null. To save bandwidth we'd like to exclude those null properties when calling the ToString method, passing the serializer settings (NullValueHandling) that remove null properties from the output.

    11 votes
    2 comments  ·  Policies
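An added example (editor's code, not the poster's) of stripping null properties without JsonSerializerSettings: the Newtonsoft.Json.Linq types and System.Linq are available in policy expressions, so the policy walks the parsed tree and removes every property whose value is null before serialising. The Content-Type guard is an assumption so that non-JSON responses pass through untouched.

```xml
<outbound>
    <base />
    <choose>
        <when condition="@(context.Response.Headers.GetValueOrDefault("Content-Type", "").StartsWith("application/json"))">
            <set-body>@{
                var body = context.Response.Body.As<JObject>();
                // Descendants() visits nested objects and arrays; ToList() materialises the matches before mutating the tree
                foreach (var prop in body.Descendants().OfType<JProperty>().Where(p => p.Value.Type == JTokenType.Null).ToList())
                {
                    prop.Remove();
                }
                // Formatting.None drops the pretty-printing whitespace as well
                return body.ToString(Newtonsoft.Json.Formatting.None);
            }</set-body>
        </when>
    </choose>
</outbound>
```

Two things to keep in mind: the response is buffered in full so the tree can be edited, and null elements inside arrays are left alone on purpose, since removing them would shift positions and change the meaning of the payload.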
  6. API management policy

    In Apigee there is a policy which lets you create a custom JavaScript policy, so I wish to add this kind of custom policy in Azure.

    10 votes
    under review  ·  0 comments  ·  Policies
  7. Define Policy with Product and API and Operation scope

    Currently it is not possible to define policies for a specific product and API and operation, so that the policy is in effect only when the 3 (product/API/operation) are in play. This is a common use case.

    10 votes
    under review  ·  0 comments  ·  Policies
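An added example (editor's code, not the poster's) of approximating a product + API + operation scope today: the policy is attached at API scope, which fixes the API, and the expression checks the product and the operation from the request context. The product name "Partner Premium" and the operation id "bulk-export" are assumptions.

```xml
<!-- API-scope policy: the API is fixed by placement, product and operation are checked in the expression -->
<inbound>
    <base />
    <choose>
        <!-- context.Product is null when the request carries no subscription, hence the null check before reading Name -->
        <when condition="@(context.Operation.Id == "bulk-export" && (context.Product == null || context.Product.Name != "Partner Premium"))">
            <!-- Only subscribers of the assumed product may call this one operation; everyone else is refused here -->
            <return-response>
                <set-status code="403" reason="Forbidden" />
            </return-response>
        </when>
    </choose>
</inbound>
```

Putting the check in inbound, before any send-request or forward-request, means a caller on the wrong product never reaches the backend; the same condition can guard a rate-limit-by-key or quota-by-key instead of a return-response when the goal is differentiated limits rather than a hard deny.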
  8. Add a "go to on-error" policy

    The policy should transition control flow to the "on-error" section and be customizable with error details.

    9 votes
    0 comments  ·  Policies
  9. Add support for custom user attributes

    It would be nice to add support for extending the user attributes beyond the basics in place now of name, email, etc. In cases where the user is associated to a downstream (back-end) entity that is identified differently from any of the existing fields, there isn't a way to do this without corrupting the "Notes" field. It would be nice if Administrators could extend the user schema to contain custom attributes that can be fetched from within policies.

    8 votes
    2 comments  ·  Policies
  10. Policies in YAML

    YAML is fairly popular and easier to produce than XML, having support for YAML in policies would lower the policy sizes by reducing amount of text required to define a policy. It would also align with OpenAPI v3 specs in YAML.

    7 votes
    under review  ·  0 comments  ·  Policies
  11. Providing policy to control when the subscription check happens

    We are providing the client with an API key. The subscription key is a part of the API key. We enabled the subscription required flag from settings. However, doing that executed the subscription check before any part of the policy is invoked. We were hoping to have more control over when the subscription check happens. We have inbound policies written that obtain the subscription key from the API key and then we set the Ocp-Apim-Subscription-Key. We want the subscription check to happen after this point. Currently, it's forcing us to provide the clients with 2 keys, our API key, and…

    6 votes
    0 comments  ·  Policies
  12. Support DateTime.TryParse & TryParseExact in Policy Expressions

    I have an API endpoint that receives and validates a block of JSON in the request body, and then forwards that JSON on to our backend.

    One of the validation requirements is for datetime values to comport with the format defined in section 5.6 of RFC3339:
    https://tools.ietf.org/html/rfc3339#section-5.6

    This wouldn't be too difficult if we had access to DateTime.TryParseExact(). The code would look like this:

    string[] validDateTimeFormats = new string[] {/*FORMAT STRINGS*/ };
    
    DateTime temp = new DateTime();
    bool correctFormat = DateTime.TryParseExact(dateTimeString, validDateTimeFormats, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out temp);

    But since I don't have access to those methods, I need to rely on…

    6 votes
    0 comments  ·  Policies
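An added example (editor's code, not the poster's) of checking the RFC 3339 date-time format without TryParseExact: System.Text.RegularExpressions.Regex is allowed in policy expressions, so the policy extracts the value and matches it against a pattern that encodes the section 5.6 grammar, rejecting the request before it reaches the backend. The field name "timestamp" and the 400 response body are assumptions.

```xml
<inbound>
    <base />
    <!-- Assumed: the body is a JSON object with a top-level "timestamp" field.
         preserveContent keeps the buffered body available for forwarding afterwards. -->
    <set-variable name="timestamp" value="@(context.Request.Body.As<JObject>(preserveContent: true).Value<string>("timestamp") ?? "")" />
    <!-- RFC 3339 section 5.6: full-date "T" partial-time [fraction] time-offset, with T and Z allowed in either case -->
    <set-variable name="timestampValid" value="@(System.Text.RegularExpressions.Regex.IsMatch(
        (string)context.Variables["timestamp"],
        "^\\d{4}-\\d{2}-\\d{2}[Tt]\\d{2}:\\d{2}:\\d{2}(\\.\\d+)?([Zz]|[+-]\\d{2}:\\d{2})$"))" />
    <choose>
        <when condition="@(!(bool)context.Variables["timestampValid"])">
            <return-response>
                <set-status code="400" reason="Bad Request" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{"error": "timestamp must be an RFC 3339 date-time"}</set-body>
            </return-response>
        </when>
    </choose>
</inbound>
```

The pattern checks shape, not calendar validity (it accepts month 13), which is the part TryParseExact would add; for a strict check the matched value can then be handed to DateTime.Parse, which is on the allowed list, with the parse failure surfacing in the on-error section.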
  13. Policy to Log to Trace

    It would be nice to have a policy that lets me write a log entry to the trace log so if something is going wrong more detail can be seen similar to context.Trace but without needing to use some other policy to make it happen.

    Example:

    <log-to-trace message="@(string.Format("Request Body: {0}", context.Request.Body.As<string>()))" />

    5 votes
    0 comments  ·  Policies
  14. cors

    Currently if the default CORS policy is used in <inbound>, the outbound policy is not executed. This doesn't allow HSTS headers to be attached to the response to an OPTIONS method call. That forces us to implement a custom CORS policy in order to comply with our security requirement. Would be nice to have the design changed.

    4 votes
    0 comments  ·  Policies
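An added example (editor's code, not the poster's) of the custom CORS handling the post describes: because the built-in cors policy answers the preflight itself and skips outbound, the custom version answers OPTIONS with a return-response in inbound and sets Strict-Transport-Security there, while ordinary responses pick the headers up in outbound. The allowed origin, methods and headers are assumptions.

```xml
<policies>
    <inbound>
        <base />
        <choose>
            <!-- A preflight is an OPTIONS request that carries an Origin header; answer it here -->
            <when condition="@(context.Request.Method == "OPTIONS" && context.Request.Headers.ContainsKey("Origin"))">
                <return-response>
                    <set-status code="200" reason="OK" />
                    <!-- Assumed allowed origin. Echoing the request's Origin back unconditionally would disable the check entirely. -->
                    <set-header name="Access-Control-Allow-Origin" exists-action="override"><value>https://app.example.com</value></set-header>
                    <set-header name="Access-Control-Allow-Methods" exists-action="override"><value>GET, POST, OPTIONS</value></set-header>
                    <set-header name="Access-Control-Allow-Headers" exists-action="override"><value>Authorization, Content-Type</value></set-header>
                    <set-header name="Access-Control-Max-Age" exists-action="override"><value>600</value></set-header>
                    <!-- return-response skips outbound, so HSTS has to be attached to the preflight right here -->
                    <set-header name="Strict-Transport-Security" exists-action="override"><value>max-age=31536000; includeSubDomains</value></set-header>
                </return-response>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
        <!-- Actual API responses still flow through outbound and get the same headers there -->
        <set-header name="Access-Control-Allow-Origin" exists-action="override"><value>https://app.example.com</value></set-header>
        <set-header name="Strict-Transport-Security" exists-action="override"><value>max-age=31536000; includeSubDomains</value></set-header>
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

A check worth running after deploying this: send an OPTIONS with an Origin that is not on the allow list and confirm the response carries the fixed origin rather than the caller's, and send a plain GET and confirm both headers are present on the real response too.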
  15. Policy to remove header

    Cannot remove the headers below with the "Consumption (Preview)" price tier:
    X-Powered-By
    X-AspNet-Version
    Set-Cookie

    Below are the detailed steps I took to replicate the issue:
    I'm trying to remove some headers in the response but they are still there.

    I did follow http://www.ithero.nl/post/2018/03/31/Using-policies-in-API-Management-to-remove-response-headers-from-the-backend-Web-API-that-leak-information.aspx

    to remove 'Set-Cookie' and 'X-Powered-By' by adding these lines to the policy:
    <set-header name='X-Powered-By' exists-action='delete' />
    <set-header name='Set-Cookie' exists-action='delete' />
    but it's no use.

    Currently I still get this info in the headers:
    Cache-Control: private
    Transfer-Encoding: chunked
    Content-Type: text/plain; charset=utf-8
    Content-Encoding: gzip
    Vary: Accept-Encoding
    Server: Kestrel
    X-AspNet-Version: 4.0.30319
    X-Powered-By: ASP.NET
    Date: Thu, 18 Apr 2019 05:01:14 GMT

    4 votes
    0 comments  ·  Policies
  16. Allow a conditional cors policy in the <inbound> policy section rather than restricting it to a single use in the <inbound> section.

    Allow a conditional cors policy in the <inbound> policy section rather than restricting it to a single use in the <inbound> section. The desired state is in the attachment.

    4 votes
    1 comment  ·  Policies
  17. Block IP's after N incorrect subscription keys

    Currently, subscription key validation takes place before policies take effect. This limits being able to manage subscription key access via policies.

    It is not currently possible to develop a policy that would block an IP or IPs after too many invalid subscription keys. In an environment where a rate limit policy would not otherwise be appropriate, this could potentially allow APIM to be flooded with a bunch of requests with invalid keys.

    To be able to enforce this at the moment requires some sort of relay middleware, or building out manual subscriptions (not via APIM's) and enforcing those via policy.

    4 votes
    0 comments  ·  Policies
  18. Increase renewal period limit of 'rate-limit-by-key'

    Increase the upper limit on the 'renewal-period' attribute of the 'rate-limit-by-key' policy. Currently it accepts a maximum of 300 seconds.

    4 votes
    0 comments  ·  Policies
  19. Improve the authoring experience for policy expressions

    There are several other requests for e.g. improving the reusability of policy expressions. And that is all good. But if you think about the experience of working with policies - especially from a devops perspective, it is rather clunky as a whole. Here's what building a policy expression essentially is now: author code by trial-and-error using a web-only interface by injecting pseudo-C# code inside an XML document.

    I would much prefer a way to construct testable policy expressions using proper developer tools (also outside the admin portal) with full code completion and deploy them as reusable artefacts into the API…

    4 votes
    0 comments  ·  Policies
  20. allow group

    Allow restricting groups to specific operations vs per api. Maybe a policy editor entry?

    4 votes
    1 comment  ·  Policies
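An added example (editor's code, not the poster's) of restricting a single operation to a group today, using a policy at operation scope: context.User.Groups lists the groups of the subscription owner making the call, so the expression refuses the request unless the caller belongs to the required group. The group name "Order Admins" is an assumption.

```xml
<!-- Operation-scope policy, e.g. attached to DELETE /orders/{id}; other operations on the same API are unaffected -->
<inbound>
    <base />
    <choose>
        <!-- context.User is null when no subscription identifies a caller, so deny in that case as well -->
        <when condition="@(context.User == null || !context.User.Groups.Any(g => g.Name == "Order Admins"))">
            <return-response>
                <set-status code="403" reason="Forbidden" />
            </return-response>
        </when>
    </choose>
</inbound>
```

Matching on group name keeps the policy readable, but a renamed group silently opens or closes the operation; comparing g.Id against the group's identifier instead is the more robust choice once the policy is stable.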