API Management
Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.
-
add access policy that supports managed identity validation
similar to how azure key vault is secured with access policies tied back to the system-managed identities of azure resources accessing the key vault, create a similar mechanisim in APIM that allows an API to be secured. For example, if I want an API to be accessed only by a specific azure app service(s), create a way to set access policies to allow that resource's managed identity when the specific API is called.
3 votes -
Support renewal of certificates for API Management custom domain endpoint through ./well-known
This applies to API Management instances with custom domain configured:
https://docs.microsoft.com/bs-latn-ba/azure/api-management/configure-custom-domainWe would like to use automatic renewal of the SSL certificate for the endpoint, but there currently is no acceptable method to support the proof of ownership required the certificate renewal provider of Azure: GoDaddy.
Domain verification through DNS TXT record is not possible as it needs to be on root level of azure-api.net (which is owned by Microsoft and not the customer)
HTML web page method is not possible as not possible to publish a page to .well-known/pki-validation/godaddy.html on the API Management endpoint.
Email verification is a poor…
15 votes -
Remove TLS_RSA_WITH_AES_256_GCM_SHA384 from available TLS 1.2 ciphers
Api Management is REQUIRING a WEAK CIPHER be enabled: TLSRSAWITHAES256GCMSHA384
The documentation to remove ciphers excludes TLSRSAWITHAES256GCMSHA384 with no mention as to WHY: https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/apimanagementservice/update#request-body
Further, running command specifying this cipher as False is having no change on the API management gateway:
Name: TLSRSAWITHAES256GCMSHA384
Value: FalseSSLLABS is identifying cipher suites using TLS_RSA as weak: https://discussions.qualys.com/thread/17971-tlsrsawithaes256cbcsha-comes-to-be-weak-cipher
3 votes -
Automatically provision AD app registration for an API Management instance
When we expose APIs through API Management, we often want to secure them using JWT validation. For fine-grained control, we would want to validate claims in the JWT to verify that the caller is allowed access to that particular API. Setting up and keeping in sync the app registration to allow this is tedious for the directory administrator particularly when the development environment is highly active.
I suggest that you enable a way to automatically provision and keep in sync an app registration in the AD tenant whose app roles mirror the APIs offered in the API Management instance
1 vote -
Add policy to prevent brute force attacks in the API Management Consumption Tier
Currently in Consumption Tier, there is no way to prevent abuse of unauthenticated endpoints. This allows attackers to be able to keep hitting these endpoints with random inputs until they succeed.
Examples of such endpoints could be account activation, registration, password reset where an attacker can keep calling these endpoints with random values, since there is no throttling or check of any kind per API method to limit calls from the same IP in a given time frame.
23 votes -
Remove or extend "Maximum number of CA certificates per service instance"
Currently there is a hard limit of 10 Certificate Authorities for the API Management Service. We need at least 50 Certificate Authorities / Intermediates for our customer.
24 votes -
Having the ability to
Having the ability to see which ciphers are active within the APIM. At the moment you can disable 3DES in the Portal and 9 other ciphers using a PATCH/PUT command but you cannot see which ciphers are actually active anywhere.
1 voteThank you for the feedback!
-
Reader roles should not be able to see subscription keys
Currently, users assigned the "Reader" or "Monitoring Reader" role are able to reveal subscription keys in the API Management portal. As is the case with other Azure products, secrets should not be accessible to members of these roles.
6 votesWe will introduce a new version of the management API that would “hide” secrets from “reader” users. We will also introduce an explicit gesture to disable older versions of the API on a per API Management service instance basis.
-
Add metadata to subscription
I would like the ability to add metadata to a subscription. A key-value that could describe the subscription.
Values should be accessible in policies - to be added as inbound headers for example.
The actual API could then use the values to return different values depending on the subscription.
16 votes -
Use DDoS Protection Standard with VNET integrated API Management gateway
We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public ip's for the public endpoint.
P.S. We cannot put a Application Gateway v2 in front of API gateway because of the requirement of Client Certificate Authentication.
52 votes -
XSS Protection on Developer Portal
During *********** testing, it was found that certain screens in the developer portal are vulnerable to XSS.
eg IE, Firefox or Edge, if you browse to the change user details page, from the profile screen, you can enter
bob"onfocus="alert(1)"autofocus="@example.com for a email
or
Bob"onfocus="alert(2) as the first name
or
the Builder"onfocus="alert(3) as the last name.After you press Update profile, while the information isn't sent to the DB, the popups occur when you click on any of the fields.
6 votes -
A process for manually approving new users
Today, you have the possibility to force a manual process for approving a user access to a product. However, if you need to enable simple username-password you have no possibility to have a manual process for approving a user access to the portal.
It would be good for a user to see all products and APIs available in the portal, being able to browse and discover APIs. This means that anyone can create a user and browse APIs, basically spying on a company thru the names of APIs and products.
The other way is to hide all APIs behind Products…
26 votesThank you for the feedback! We added this suggestion to the backlog and will update the item when we prioritize it for implementation.
-
Ability to use certificate as secret for OAuth 2.o
OAuth 2.0 configuration has only option to provide secret. There is no option to provide certificate as secret. This is limiting our ability to use as our client id support only certificate secrete.
3 votesThank you for the feedback! We added this suggestion to the backlog and will update the item when we prioritize it for implementation.
-
Increase password strength for basic user accounts
Basic user accounts can be created via;
1. Admin portal (minimum password length=6)
2. Self registration page (minimum password length=8).
No other rule applies i.e. very poor password strength.When possible, we definitely use AAD.
For cases where we can not use AAD the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts...Please, provide UI page where Admin can design password policy by choosing;
- Minimum password length. [Default=8?].
- English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
- English lower case letters (e.g., a, b, c, ...z). [Checkbox…33 votes -
Portal Permissions Management - Remove Limit of 30 from preview
On the preview UI in the portal we can no longer assign permissions on some apps as the UI states the following: 'A maximum of 30 total permissions may be added to an application.'.
I cannot find documentation around this limitation.
This limit is extremely restrictive and will break a lot of applications registered as the total permissions limit is on all API's. If you have an app that uses a lot of API's it will not work. Graph on it's own has more than 30.This is limiting our development at the moment for future planning as this limit…
5 votes -
Provide means to restrict TLS cipher suites or means to access cipher suite information
Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.
Background:
We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).
Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…
26 votes -
Configure security also on operation level
Today, the security is set on API level.
I can see a need for defining security on operation level also.
To be able to set that only a subset of the operations in an API is protected by e.g. OAuth.9 votes -
Validate the client certificate against the custom CA certs uploaded in the CA trust store
Currently the CA certificates in the store are used to validate against the server certificates in the backend. But it would be better if we get an option to validate the client certificates from client to api manager against the certs in CA store instead of just checking the issuer in the policy.
11 votes -
We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.
We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.
111 votes -
Allow to use Subscription key OR other authentication method on API
Currently if you chose to use subscription key as authentication method even if you add Oauth it will always require the subscription key. We have scenarios where we need to be able to use either one of these, need to allow OR option in policy definition currently it is always AND.
Also since all subscription keys are user bound and not "application bound" long term use in an production system this may be problematic.
6 votes
- Don't see your idea?