API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Caching OPTIONS response should be for url rather than dependent on parameters/headers.

    We need a facility in policies for caching the response of the OPTIONS method type, so that the browser does not send OPTIONS calls. Also, caching should be done on the URL only and not on different sessionid/request headers/parameters.

    1 vote
    0 comments  ·  Policies
  2. Support dynamic policy

    For example, in the CORS policy, it's better to add allowed-origins dynamically by retrieving values from a named value.

    Another example is in JWT validation. In the required claims, it would be great if I could add claims from the named values. So when there are more claims, I just need to modify the named value without changing the policies.

    1 vote
    0 comments  ·  Policies
  3. Fix on-error + set-body policy bug

    There is a doc bug and potentially a behavior bug in the global on-error policy definition.

    The doc states that set-body is not supported in the on-error policy but it appears to work. Setting the template type to "liquid", however, does not work.

    https://docs.microsoft.com/en-us/azure/api-management/api-management-error-handling-policies

    1 vote
    0 comments  ·  Policies
  4. Deploy policy as xml file

    If we keep policies as XML (instead of allowing policy definition in JSON for instance) can we deploy the policy as a separate XML file so we don't have to have escaped XML within JSON templates? This is similar to B2C IEF custom policies which are uploaded as XML files.

    1 vote
    0 comments  ·  Policies
  5. XSD for policies

    Is there a published XSD version for the policies syntax?

    1 vote
    0 comments  ·  Policies
  6. Log http request with policy execution

    By current design, Application Insights collects the request log after the policy execution.

    For example, the request table can't record x-user-ids values correctly in the request table, but it can record them in the dependencies table.

    But in some cases, when the request hits the cache, there will be no request record in the dependencies table.

    <set-header name="x-user-ids" exists-action="override">
        <value>@(context.Subscription.Name)</value>
    </set-header>

    Is it possible to adjust it to collect the APIM request log into the requests table after policy execution?

    1 vote
    0 comments  ·  Policies
  7. return-response policy

    The <return-response> policy enforces the order of any contained policies. They must be in the following order <set-status>,<set-header>,<set-body>.
    This means you cannot perform xml->json or json to xml mapping using a liquid map. This is because liquid uses the incoming Content-Type header to establish incoming message type. But we are forced to set the Content-Type to the outgoing message type before calling <set-body> and liquid cannot parse the incoming message.
    This only occurs in the <return-response> policy. In the <outgoing> policy there is no order restriction on contained policies.

    1 vote
    0 comments  ·  Policies
  8. Support System.Net.WebUtility in policies

    I have APIs that are returning JSON with properties that have HTML-encoded values. Returning HTML-encoded strings in JSON isn't needed, as the original service was based on XML and didn't use the CDATA tag. To be able to properly compose this API, usage of an HtmlDecode function is needed, which is readily available in System.Net.WebUtility.

    1 vote
    0 comments  ·  Policies
  9. Ignore scheme differences in <redirect-content-urls />

    By default APIM matches on the scheme when using this policy. It would be nice to have an optional flag on this policy to ignore the scheme when redirecting backend URLs to the proxy.

    Via the backend, we may build a URL as "http://mybackend..." - when this is surfaced via the API we'd want it redirected to the APIM proxy as "https://api.mycompany...". Currently, APIM won't fix up this response because the scheme on the link emitted from the backend doesn't match the scheme on the backend API base URL.

    1 vote
    under review  ·  0 comments  ·  Policies
  10. Enhance Json Serialization support in Policy Expressions for Legacy Backend APIs

    Provide access to JsonConverter types, e.g. JavaScriptDateTimeConverter so that a JObject can be formatted as needed for a legacy system.

    Currently, if a Json object needs to be translated to a different format for a DateTime property it is not easily possible to convert the APIM body JObject to what the backend service expected for Json serialization.

    1 vote
    under review  ·  0 comments  ·  Policies
  11. Url Helper Policy Expressions for Route Building

    As a developer I want to include hypermedia links to other operations in the same and other API sets so that I have easy navigation for clients between APIs.

    Today, these link URL paths must be hard-coded based on what is known. To provide flexibility while developing APIs and to ensure routes are actually valid, provide a URL helper method to generate these routes.

    Example:

    context.RouteFor("API-ID", "Version", "Operation-ID", new {param1=1,param2="hello"})

    Today:

    <set-body>{
    return JObject.FromObject(new {
        _links = new[] {
            new { href = $"/api/operation?query={context.Request.MatchedParameters.GetValueOrDefault("query", string.Empty)}&api-version=2018-10-31", rel = "other-api", type = "GET" }
        }
    });
    }</set-body>

    With a helper:

    <set-body>{ …

    1 vote
    0 comments  ·  Policies
  12. Support for token bucket - enable burst quota

    The current quota/call rate limit is +1 per call. In practice this means we create SKUs based on the maximum expected spike rather than average usage. By supporting a token bucket model (https://en.wikipedia.org/wiki/Token_bucket) we could define a SKU more aligned with our actual usage.

    For example: on average we have 50 calls per second, but need to be able to spike to 250 calls per second.

    Today we'd create a 250 calls per second throttle policy for this key/product which is not optimal.

    1 vote
    under review  ·  0 comments  ·  Policies
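
The difference this request describes, as an added example (not part of the original post and not APIM's implementation): a fixed limit of 250 calls per second beside a token bucket refilled at 50 tokens per second with room for 250, both run over constructed traffic. The class and function names are hypothetical.

```python
# Added example: constructed traffic, hypothetical class and function names.
class FixedLimit:
    """N calls per one-second window: every call costs +1 until the window resets."""
    def __init__(self, per_second):
        self.per_second, self.window, self.used = per_second, -1, 0

    def allow(self, now_ms):
        window = now_ms // 1000
        if window != self.window:
            self.window, self.used = window, 0
        self.used += 1
        return self.used <= self.per_second


class TokenBucket:
    """Refills at `rate` tokens/s up to `burst` tokens; integer milli-tokens keep it exact."""
    def __init__(self, rate, burst):
        self.rate = rate                # milli-tokens gained per millisecond
        self.capacity = burst * 1000
        self.tokens = self.capacity     # a quiet client starts with a full bucket
        self.last_ms = 0

    def allow(self, now_ms):
        gained = (now_ms - self.last_ms) * self.rate
        self.tokens = min(self.capacity, self.tokens + gained)
        self.last_ms = now_ms
        if self.tokens < 1000:
            return False
        self.tokens -= 1000
        return True


def admitted_per_second(limiter, calls_per_second, seconds):
    """Offer evenly spaced calls and count how many the limiter admits in each second."""
    step_ms = 1000 // calls_per_second
    admitted = [0] * seconds
    for now_ms in range(0, seconds * 1000, step_ms):
        if limiter.allow(now_ms):
            admitted[now_ms // 1000] += 1
    return admitted


if __name__ == "__main__":
    print("fixed 250/s  :", admitted_per_second(FixedLimit(250), 250, 10))
    print("bucket 50/250:", admitted_per_second(TokenBucket(50, 250), 250, 10))
```

When a client sustains 250 calls per second for 10 seconds, the fixed limit admits every call, while the bucket admits the first burst and then settles at 50 per second.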
  13. Policy tag directory

    Have a comprehensive directory that has all of the tags that can be used in the policy XML.

    An example is to have documentation of the <when> tag regarding which tags can be nested within it and which attributes it accepts.

    I seem to be unable to find any resource that has detailed documentation on these multi-use tags.

    Thank you

    1 vote
    0 comments  ·  Policies
  14. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    <set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    0 comments  ·  Policies
  15. Add support for evaluating jsonpath expressions against request bodies within a policy and conditionally invoking an external request

    I'd like the ability to use a jsonpath expression to query a JSON request body and send the results to an external endpoint for validation. This is intended to implement a form of request spoofing prevention.

    1 vote
    under review  ·  1 comment  ·  Policies
  16. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    <set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    1 comment  ·  Policies
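
The validation problem raised in the two "Use valid xml to configure policies" posts, as an added example (not part of the original posts and not APIM tooling): a strict XML parser rejects the quoted line, and entity-escaping the expression inside the attribute makes it parse while preserving the expression. The function names are hypothetical, and the input is assumed to be in the unescaped form the posts quote.

```python
import re
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

# Constructed input: the line quoted in the posts, as raw policy text.
RAW = ('<set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"]'
       '.Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />')
EXPR_ATTR = re.compile(r'="(?=@[({])')   # an attribute value that starts a policy expression

def parse_error(policy):
    """Return None if a strict XML parser accepts the text, else the parser's message."""
    try:
        ET.fromstring(policy)
        return None
    except ET.ParseError as exc:
        return str(exc)

def expression_end(text, start):
    """Index just past the bracket that closes the expression opened at text[start]."""
    opener, closer = text[start], {"(": ")", "{": "}"}[text[start]]
    depth, in_string, i = 0, False, start
    while i < len(text):
        ch = text[i]
        if in_string:
            if ch == "\\":
                i += 1                    # skip the escaped character
            elif ch == '"':
                in_string = False
        elif ch == '"':
            in_string = True              # brackets inside string literals do not count
        elif ch == opener:
            depth += 1
        elif ch == closer:
            depth -= 1
            if depth == 0:
                return i + 1
        i += 1
    raise ValueError("unterminated policy expression")

def escape_expressions(policy):
    """Entity-escape each ="@(...)" or ="@{...}" attribute value so the text is valid XML."""
    out, pos = [], 0
    while (match := EXPR_ATTR.search(policy, pos)):
        value_start = match.end()                          # index of '@'
        value_end = expression_end(policy, value_start + 1)
        out.append(policy[pos:value_start])
        out.append(escape(policy[value_start:value_end], {'"': "&quot;"}))
        pos = value_end
    return "".join(out) + policy[pos:]
```

Run as a pre-deployment check, `parse_error` flags policy files that generic XML tooling will reject, and `escape_expressions` produces a form that schema validators, diff tools and signing pipelines can process.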