API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  1. Export variables reporting throttling information from rate-limit policy

    There is an ongoing RFC to give clients the capability to throttle their call rate to avoid hitting the cap imposed by rate-limit policies.

    A possible way to implement this is to return 4 values in the response headers, containing:

    • The current limit set by the policy
    • Amount of remaining calls before hitting the limit
    • Number of seconds to wait before getting the limit reset to the maximum
    • Number of seconds to wait before retrying (only when calls are blocked)

    119 votes
    3 comments  ·  Policies
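A client-side consumer of the four values proposed above, as an added example (not from the original post and not part of Azure API Management); the header names X-RateLimit-Limit, X-RateLimit-Remaining, X-RateLimit-Reset and Retry-After are an assumption, since the idea only lists the quantities:

```python
from dataclasses import dataclass
from typing import Mapping, Optional

@dataclass(frozen=True)
class Throttle:
    limit: int                    # current limit set by the policy
    remaining: int                # calls left before the gateway blocks
    reset_in: float               # seconds until the limit resets
    retry_after: Optional[float]  # seconds to wait; only sent when blocked

def parse_throttle(headers: Mapping[str, str]) -> Optional[Throttle]:
    """Read the four values from a response; None if the gateway sent none.

    Header names are an assumption (the idea only lists the quantities).
    """
    h = {k.lower(): v for k, v in headers.items()}
    if "x-ratelimit-limit" not in h:
        return None
    retry = h.get("retry-after")
    return Throttle(
        limit=int(h["x-ratelimit-limit"]),
        remaining=max(0, int(h.get("x-ratelimit-remaining", "0"))),
        reset_in=max(0.0, float(h.get("x-ratelimit-reset", "0"))),
        retry_after=float(retry) if retry is not None else None,
    )

def delay_before_next_call(t: Throttle) -> float:
    """Seconds to wait so the client stays under the cap instead of being blocked.

    Blocked: honour the retry-after value. Otherwise pace the remaining
    calls evenly over the rest of the window; with none left, wait for reset.
    """
    if t.retry_after is not None:
        return t.retry_after
    if t.remaining == 0:
        return t.reset_in
    return t.reset_in / t.remaining

# Constructed sample responses, not captured from a real gateway.
HEALTHY = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "20",
           "X-RateLimit-Reset": "10"}
EXHAUSTED = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0",
             "X-RateLimit-Reset": "3"}
BLOCKED = {"X-RateLimit-Limit": "100", "X-RateLimit-Remaining": "0",
           "X-RateLimit-Reset": "7", "Retry-After": "7"}
```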
  2. Allow conditional cors policy in the <inbound> policy section rather than restricting it to use only once in the <inbound> section.

    Allow conditional cors policy in the <inbound> policy section rather than restricting it to use only once in the <inbound> section. The desired state is in the attachment.

    4 votes
    1 comment  ·  Policies
  3. cors

    Currently, if the default CORS policy is used in , the outbound policy is not executed. This doesn't allow us to attach HSTS headers to the response from an OPTIONS method call. That forces us to implement a custom CORS policy in order to comply with our security requirements. It would be nice to have the design changed.

    4 votes
    0 comments  ·  Policies
  4. Set proxy configuration for “send-request” policy

    I can find the “Set HTTP proxy” policy, and I tried this policy on APIM. But this HTTP proxy setting affected only <forward-request>. Requests made by <send-request> were not routed via the proxy.

    Set HTTP proxy
    https://docs.microsoft.com/en-us/azure/api-management/api-management-advanced-policies#SetHttpProxy

    I hope you will add a new proxy configuration for the “send-request” policy.

    3 votes
    0 comments  ·  Policies
  5. Log http request with policy execution

    By current design, Application Insights collects the request log after the policy execution.

    For example, the requests table can't record the x-user-ids values correctly, but they can be recorded in the dependencies table.

    But in some cases, when the request hits the cache, there will be no request record in the dependencies table.

    <set-header name="x-user-ids" exists-action="override">
        <value>@(context.Subscription.Name)</value>
    </set-header>

    Is it possible to adjust it, so that the APIM request log is collected into the requests table after policy execution?

    1 vote
    0 comments  ·  Policies
  6. Use NamedValues within C# expression

    In the existing implementation it is not possible to directly access data from the NamedValue table within C# policy expressions; for example, code like "var x = {{dataStoredInNamedValue}}" will not work. The only way to access the namedValue, it appears, is to use XML policy templates, for example '<set-variable value="{{some-value}}"/>'. So to use the data stored in a namedValue, it must first be fetched using <set-variable/> and later this variable needs to be accessed in the C# expression. This is roundabout, and there should be a direct way to access these values.

    3 votes
    0 comments  ·  Policies
  7. Policy aliases required

    We require some policy aliases:


    1. Resource: Microsoft.DataMigration
      Aliases:
      sourceConnectionInfo.type
      sourceConnectionInfo.encryptConnection


    2. Resource: Microsoft.ApiManagement
      Aliases:
      tenantAccess.enabled
      identity
      securityProtocolsTls


    3. Resource: Microsoft.Web
      Aliases:
      kind
      identity


    1 vote
    0 comments  ·  Policies
  8. XSD for policies

    Is there a published XSD version for the policies syntax?

    1 vote
    0 comments  ·  Policies
  9. return-response policy

    The <return-response> policy enforces the order of any contained policies. They must be in the following order: <set-status>, <set-header>, <set-body>.
    This means you cannot perform XML->JSON or JSON->XML mapping using a Liquid map, because Liquid uses the incoming Content-Type header to establish the incoming message type. But we are forced to set the Content-Type to the outgoing message type before calling <set-body>, and so Liquid cannot parse the incoming message.
    This only occurs in the <return-response> policy. In the <outgoing> policy there is no order restriction on contained policies.

    1 vote
    0 comments  ·  Policies
  10. Providing policy to control when the subscription check happens

    We are providing the client with an API key. The subscription key is a part of the API key. We enabled the subscription required flag from settings. However, doing that executed the subscription check before any part of the policy is invoked. We were hoping to have more control over when the subscription check happens. We have inbound policies written that obtain the subscription key from the API key and then we set the Ocp-Apim-Subscription-Key. We want the subscription check to happen after this point. Currently, it's forcing us to provide the clients with 2 keys, our API key, and…

    6 votes
    0 comments  ·  Policies
  11. Support DateTime.TryParse & TryParseExact in Policy Expressions

    I have an API endpoint that receives and validates a block of json in the request body, and then forwards that json on to our backend.

    One of the validation requirements is for datetime values to comport with the format defined in section 5.6 of RFC3339:
    https://tools.ietf.org/html/rfc3339#section-5.6

    This wouldn't be too difficult if we had access to DateTime.TryParseExact(). The code would look like this:

    using System;
    using System.Globalization;

    // Accepted layouts (the RFC 3339 patterns are elided here)
    string[] validDateTimeFormats = new string[] { /*FORMAT STRINGS*/ };
    DateTime temp;
    // dateTimeString is the value taken from the request body
    bool correctFormat = DateTime.TryParseExact(dateTimeString, validDateTimeFormats, CultureInfo.InvariantCulture, DateTimeStyles.RoundtripKind, out temp);

    But since I don't have access to those methods, I need to rely on…

    6 votes
    0 comments  ·  Policies
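The same RFC 3339 section 5.6 check, as an added example that is not from the original post: the grammar is enforced with a regular expression and the calendar ranges with datetime, then the value is normalised to UTC so the backend receives one canonical form (the leap-second and fractional-second cases are handled as the RFC describes).

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Optional

# RFC 3339 5.6: full-date "T" partial-time time-offset (lowercase t/z allowed)
_RFC3339 = re.compile(
    r"^(?P<date>\d{4}-\d{2}-\d{2})[Tt]"
    r"(?P<h>\d{2}):(?P<m>\d{2}):(?P<s>\d{2})(?P<frac>\.\d+)?"
    r"(?P<off>[Zz]|[+-]\d{2}:\d{2})$"
)

def parse_rfc3339(text: str) -> Optional[datetime]:
    """Aware datetime for a valid RFC 3339 date-time, else None."""
    m = _RFC3339.match(text)
    if not m:
        return None
    h, mi, s = int(m["h"]), int(m["m"]), int(m["s"])
    if h > 23 or mi > 59 or s > 60:        # 60 = leap second
        return None
    off = m["off"]
    if off in ("Z", "z"):
        tz = timezone.utc
    else:
        oh, om = int(off[1:3]), int(off[4:6])
        if oh > 23 or om > 59:
            return None
        delta = timedelta(hours=oh, minutes=om)
        tz = timezone(delta if off[0] == "+" else -delta)
    try:
        day = datetime.strptime(m["date"], "%Y-%m-%d")   # rejects e.g. 02-30
    except ValueError:
        return None
    micro = int((m["frac"] or ".0")[1:7].ljust(6, "0"))  # keep 6 digits max
    dt = day.replace(hour=h, minute=mi, second=min(s, 59),
                     microsecond=micro, tzinfo=tz)
    return dt + timedelta(seconds=1) if s == 60 else dt   # 23:59:60 rolls over

def normalize_utc(text: str) -> Optional[str]:
    """Canonical UTC form to forward to the backend, or None if invalid."""
    dt = parse_rfc3339(text)
    if dt is None:
        return None
    u = dt.astimezone(timezone.utc)
    frac = f".{u.microsecond:06d}".rstrip("0") if u.microsecond else ""
    return u.strftime("%Y-%m-%dT%H:%M:%S") + frac + "Z"
```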
  12. client cert with public key

    We have a scenario where we would like to use Azure APIM to replace another vendor's API GW in use today. However, there is a serious flaw in APIM that prevents us from doing so. Many of our web services (this is healthcare, so a bit more old school) are secured by client cert auth. If the public cert isn't in our API GW store and authorized for the web service, then the authentication/authorization is rejected.

    Azure APIM currently (as far as I can tell) only allows certs with private keys to be loaded for validation using the cert store…

    3 votes
    0 comments  ·  Policies
  13. Deploy policy as xml file

    If we keep policies as XML (instead of allowing policy definition in JSON for instance) can we deploy the policy as a separate XML file so we don't have to have escaped XML within JSON templates? This is similar to B2C IEF custom policies which are uploaded as XML files.

    1 vote
    0 comments  ·  Policies
  14. New policy: "update-context-variables" to add multiple context variables at once

    We should have a new policy: "update-context-variables" whose policy expression allows us to directly update the IReadOnlyDictionary<string, object> context.Variables, such that we can add multiple variables in a single policy expression.

    Use case:
    I have an application that receives requests with json in the body, validates the shape of the json and its various fields, before passing that json forward to an eventhub service.

    My policy XML is overly verbose, because I have to iterate through that json multiple times in multiple set-variable policies. I would like a single policy that would allow me to iterate through that…

    3 votes
    0 comments  ·  Policies
  15. Allow asymmetric key validation with validate-jwt policy

    Currently the Validate-JWT policy does not support asymmetric key validation.
    The JWT token is encrypted for various reasons with an asymmetric key, especially in B2B scenarios.

    We need a way to specify the IssuerSigningKey to validate-jwt policy.

    https://devblogs.microsoft.com/aspnet/jwt-validation-and-authorization-in-asp-net-core/

    1 vote
    0 comments  ·  Policies
  16. Log custom traces to Application Insights

    Provide a policy to log custom traces to Azure Application Insights, similar to the log-to-eventhub policy.

    130 votes
    planned  ·  4 comments  ·  Policies
  17. Add support for custom user attributes

    It would be nice to add support for extending the user attributes beyond the basics in place now (name, email, etc.). In cases where the user is associated with a downstream (back-end) entity that is identified differently from any of the existing fields, there isn't a way to do this without corrupting the "Notes" field. It would be nice if administrators could extend the user schema to contain custom attributes that can be fetched from within policies.

    8 votes
    2 comments  ·  Policies
  18. Add a "go to on-error" policy

    The policy should transition control flow to the "on-error" section and be customizable with error details.

    9 votes
    0 comments  ·  Policies
  19. Allow the creation of custom API templates with predefined policies

    Allow custom templates to be created, and made available for selection via the API creation page (see attached), with predefined policies. This will improve the user experience where the requirement is to have several APIs based on the same boilerplate policies. Product policies could be used, but they require all APIs to be assigned to the same product, which does not give flexibility in restricting access to the APIs.

    22 votes
    3 comments  ·  Policies
  20. Block IP's after N incorrect subscription keys

    Currently, subscription key validation takes place before policies take effect. This limits being able to manage subscription key access via policies.

    It is not currently possible to develop a policy that would block an IP or IPs after too many invalid subscription keys. In an environment where a rate limit policy would not otherwise be appropriate, this could potentially allow APIM to be flooded with a bunch of requests with invalid keys.

    To be able to enforce this at the moment requires some sort of relay middleware, or building out manual subscriptions (not via APIM's) and enforcing those via policy.

    4 votes
    0 comments  ·  Policies
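What the requested per-IP block would decide, as an added example that is not from the original post and not an APIM policy: a sliding-window count of invalid-subscription-key 401 responses per client IP, run offline over constructed gateway log lines, flagging an IP once it reaches the threshold inside the window.

```python
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List, Set, Tuple

INVALID_KEY = "invalid subscription key"   # substring of the gateway's 401 reason

def parse_line(line: str) -> Tuple[datetime, str, int, str]:
    # Constructed line format: "<iso8601 utc> <client ip> <status> <message>"
    ts, ip, status, msg = line.split(" ", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, int(status), msg

def offenders(lines: Iterable[str], threshold: int, window_s: int) -> Set[str]:
    """IPs that produced >= threshold invalid-key 401s within window_s seconds."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    blocked: Set[str] = set()
    for line in lines:
        ts, ip, status, msg = parse_line(line)
        if status != 401 or INVALID_KEY not in msg.lower():
            continue                      # only count rejected keys
        q = recent[ip]
        q.append(ts)
        while q and (ts - q[0]).total_seconds() > window_s:
            q.popleft()                   # drop hits outside the window
        if len(q) >= threshold:
            blocked.add(ip)
    return blocked

SAMPLE_LOG: List[str] = [  # constructed, not real traffic
    "2024-05-01T10:00:00Z 203.0.113.5 401 Access denied due to invalid subscription key.",
    "2024-05-01T10:00:01Z 203.0.113.5 401 Access denied due to invalid subscription key.",
    "2024-05-01T10:00:02Z 198.51.100.7 200 OK",
    "2024-05-01T10:00:02Z 203.0.113.5 401 Access denied due to invalid subscription key.",
    "2024-05-01T10:00:03Z 198.51.100.7 401 Access denied due to invalid subscription key.",
    "2024-05-01T10:05:00Z 198.51.100.7 401 Access denied due to invalid subscription key.",
    "2024-05-01T10:05:01Z 198.51.100.7 401 Access denied due to invalid subscription key.",
]
```

With a 60-second window only the first IP is flagged; widening the window to 600 seconds also catches the second, slower one.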