API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Use DDoS Protection Standard with VNET integrated API Management gateway

    We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public ip's for the public endpoint.

    P.S. We cannot put a Application Gateway v2 in front of API gateway because of the requirement of Client Certificate Authentication.

    38 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. A process for manually approving new users

    Today, you have the possibility to force a manual process for approving a user access to a product. However, if you need to enable simple username-password you have no possibility to have a manual process for approving a user access to the portal.

    It would be good for a user to see all products and APIs available in the portal, being able to browse and discover APIs. This means that anyone can create a user and browse APIs, basically spying on a company thru the names of APIs and products.

    The other way is to hide all APIs behind Products…

    19 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. Reader roles should not be able to see subscription keys

    Currently, users assigned the "Reader" or "Monitoring Reader" role are able to reveal subscription keys in the API Management portal. As is the case with other Azure products, secrets should not be accessible to members of these roles.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. Add metadata to subscription

    I would like the ability to add metadata to a subscription. A key-value that could describe the subscription.

    Values should be accessible in policies - to be added as inbound headers for example.

    The actual API could then use the values to return different values depending on the subscription.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Increase password strength for basic user accounts

    Basic user accounts can be created via;
    1. Admin portal (minimum password length=6)
    2. Self registration page (minimum password length=8).
    No other rule applies i.e. very poor password strength.

    When possible, we definitely use AAD.
    For cases where we can not use AAD the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts...

    Please, provide UI page where Admin can design password policy by choosing;
    - Minimum password length. [Default=8?].
    - English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
    - English lower case letters (e.g., a, b, c, ...z). [Checkbox…

    33 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    need-feedback  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    49 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. XSS Protection on Developer Portal

    During *********** testing, it was found that certain screens in the developer portal are vulnerable to XSS.

    eg IE, Firefox or Edge, if you browse to the change user details page, from the profile screen, you can enter

    bob"onfocus="alert(1)"autofocus="@example.com for a email
    or
    Bob"onfocus="alert(2) as the first name
    or
    the Builder"onfocus="alert(3) as the last name.

    After you press Update profile, while the information isn't sent to the DB, the popups occur when you click on any of the fields.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. Ability to use certificate as secret for OAuth 2.o

    OAuth 2.0 configuration has only option to provide secret. There is no option to provide certificate as secret. This is limiting our ability to use as our client id support only certificate secrete.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. Provide means to restrict TLS cipher suites or means to access cipher suite information

    Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.

    Background:

    We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).

    Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…

    9 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. Validate the client certificate against the custom CA certs uploaded in the CA trust store

    Currently the CA certificates in the store are used to validate against the server certificates in the backend. But it would be better if we get an option to validate the client certificates from client to api manager against the certs in CA store instead of just checking the issuer in the policy.

    11 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Configure security also on operation level

    Today, the security is set on API level.
    I can see a need for defining security on operation level also.
    To be able to set that only a subset of the operations in an API is protected by e.g. OAuth.

    9 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Support/force TLS 1.3

    As the new TLS 1.3 will be released soon, it would be great to support and possibly force TLS 1.3 on all connection on the front and back-end.

    67 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. Support Basic Authentication in Front-end API

    We are currently consuming our APIs via various clients, including Microsoft Excel and various integration tools. These tools do NOT support the current front-end API authentication methods.
    One solution is to enable Basic Auth support in the front-end API.
    The existing username and subscription key could be used as the credentials, but the API Management would accept them in the standard base64-encoded Authorization header.

    25 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. Improved RBAC roles for API Management

    Right now, Azure RBAC only has 3 API Management specific roles defined: API Management Service Contributor, API Management Service Operator and API Management Service Reader.

    These are OK, but they are not enough for many customers. In particular, many customers require giving developers or architects permissions to define and manage APIs without touching anything else (i.e no product, security, or similar configurations).

    While this is potentially possible to do using custom RBAC roles, doing so in a way that keeps everything working correctly and that does not break when the PG changes the way the portal works is non-trivial.

    So…

    16 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. Authentication with HMAC

    Currently, my project is using Hmac-SHA256 to do the authorization. We are struggle with how to generate, transmit and store the secret key between client side and ours. is there any secure way to do this?

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Support for Let's Encrypt

    Allow publishers to easily use Let's Encrypt with the API management. https://letsencrypt.org/

    417 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    7 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add OAuth 2.0 as a proxy authentication

    Currently Proxy Authentication supports HTTP Basic and Client Certificates. In an effort to make a unified OAuth 2.0 Gateway, we have some services using other OAuth 2.0 providers for the security in the backend and would like to use something like Client Credentials flow or the On Behalf Of flow to call the existing service keeping the front with only one OAuth implementation.

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Log x-forwarded-for header in API Management Gateway log

    If API Management is fronted by a WAF or Proxy the IP logged in the API Management Gateway log is not the original IP.

    WAF's like the Application Gateway Web Application Firewall do add an x-forwarded-for header however the current API Management Gateway log does not include it.

    64 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    planned  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. API keys to be owned by AAD group as opposed to user

    Instead of have a subscription be tied to a user, have it be tied to a (AAD) group. This is useful when a team is sharing the keys.

    125 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. Restrict Portal Access by IP Address

    In some cases, Management Portal and Developer Portal should not be published into the Internet so that anonymous abusive users cannot attack the Portal, such as DDoS.
    If we can set a rule with IP address filtering like a firewall service, it would be very helpful to protect our API Management service.

    136 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base