API Management
Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.
Encrypt request / response payload in ApplicationInsights
As of now, Azure APIM doesn't have the capability to encrypt the payload and display it in Application Insights (all data is in plain text).
Need to have a policy to encrypt the full payload or part of it so that sensitive / personal data is not exposed.
1 vote
RBAC security on add API to a Product
Add RBAC to prevent users from adding any API to a product when they are not the owner of that API. This is a security risk.
6 votes
Add Secure Azure AD Application Proxy Support to API Management
Steps to reproduce:
Expose an on-premise REST API to Azure through Azure AD App Proxy and ensure security is activated for the API endpoint.
Define/front the API in the API Management instance with a validate-jwt policy attached to authenticate callers.
Result:
Despite successfully authenticating against Azure AD and getting a token, the calls to the API through the developer portal or the Azure API test console fail by returning an HTML page which asks the user to sign in again and says that JS is disabled. Looking at Fiddler traces shows that the call is indeed being redirected to the App…
3 votes
Developer portal users to be able to input Client ID and Client Secret to generate OAuth2 token
OAuth 2.0 - Update the developer portal UI so that portal users can enter their own Client ID and Client Secret to generate a token.
233 votes
Update documentation of required ports
Please update the list of outbound security policies to include the following: TCP, 443, VirtualNetwork -> AzureCloud, because it is needed for logging.
1 vote
Add access policy that supports managed identity validation
Similar to how Azure Key Vault is secured with access policies tied back to the system-managed identities of the Azure resources accessing the key vault, create a similar mechanism in APIM that allows an API to be secured. For example, if I want an API to be accessed only by a specific Azure App Service (or services), create a way to set access policies that allow that resource's managed identity when the specific API is called.
3 votes
Support renewal of certificates for API Management custom domain endpoint through ./well-known
This applies to API Management instances with custom domain configured:
https://docs.microsoft.com/bs-latn-ba/azure/api-management/configure-custom-domain
We would like to use automatic renewal of the SSL certificate for the endpoint, but there currently is no acceptable method to support the proof of ownership required by the certificate renewal provider of Azure: GoDaddy.
Domain verification through a DNS TXT record is not possible as it needs to be at the root level of azure-api.net (which is owned by Microsoft and not the customer).
The HTML web page method is not possible as it is not possible to publish a page to .well-known/pki-validation/godaddy.html on the API Management endpoint.
Email verification is a poor…
15 votes
Remove TLS_RSA_WITH_AES_256_GCM_SHA384 from available TLS 1.2 ciphers
API Management is REQUIRING a WEAK CIPHER be enabled: TLS_RSA_WITH_AES_256_GCM_SHA384
The documentation to remove ciphers excludes TLS_RSA_WITH_AES_256_GCM_SHA384 with no mention as to WHY: https://docs.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/apimanagementservice/update#request-body
Further, running a command that specifies this cipher as False makes no change on the API Management gateway:
Name: TLS_RSA_WITH_AES_256_GCM_SHA384
Value: False
SSL Labs is identifying cipher suites using TLS_RSA as weak: https://discussions.qualys.com/thread/17971-tlsrsawithaes256cbcsha-comes-to-be-weak-cipher
3 votes
Automatically provision AD app registration for an API Management instance
When we expose APIs through API Management, we often want to secure them using JWT validation. For fine-grained control, we would want to validate claims in the JWT to verify that the caller is allowed access to that particular API. Setting up and keeping in sync the app registration to allow this is tedious for the directory administrator particularly when the development environment is highly active.
I suggest that you enable a way to automatically provision and keep in sync an app registration in the AD tenant whose app roles mirror the APIs offered in the API Management instance.
4 votes
Add policy to prevent brute force attacks in the API Management Consumption Tier
Currently in Consumption Tier, there is no way to prevent abuse of unauthenticated endpoints. This allows attackers to be able to keep hitting these endpoints with random inputs until they succeed.
Examples of such endpoints could be account activation, registration and password reset, where an attacker can keep calling these endpoints with random values, since there is no throttling or check of any kind per API method to limit calls from the same IP in a given time frame.
29 votes
Remove or extend "Maximum number of CA certificates per service instance"
Currently there is a hard limit of 10 Certificate Authorities for the API Management Service. We need at least 50 Certificate Authorities / Intermediates for our customer.
24 votes
Having the ability to
Having the ability to see which ciphers are active within the APIM. At the moment you can disable 3DES in the Portal and 9 other ciphers using a PATCH/PUT command but you cannot see which ciphers are actually active anywhere.
4 votes
Thank you for the feedback!
Reader roles should not be able to see subscription keys
Currently, users assigned the "Reader" or "Monitoring Reader" role are able to reveal subscription keys in the API Management portal. As is the case with other Azure products, secrets should not be accessible to members of these roles.
9 votes
We will introduce a new version of the management API that would “hide” secrets from “reader” users. We will also introduce an explicit gesture to disable older versions of the API on a per API Management service instance basis.
Add metadata to subscription
I would like the ability to add metadata to a subscription. A key-value that could describe the subscription.
Values should be accessible in policies, to be added as inbound headers, for example.
The actual API could then use the values to return different values depending on the subscription.
16 votes
Use DDoS Protection Standard with VNET integrated API Management gateway
We would like to use DDoS Protection Standard for our VNET-integrated API Management Service. A possible solution could be to have self-signed public IPs for the public endpoint.
P.S. We cannot put an Application Gateway v2 in front of the API gateway because of the requirement of Client Certificate Authentication.
55 votes
XSS Protection on Developer Portal
During *********** testing, it was found that certain screens in the developer portal are vulnerable to XSS.
E.g. in IE, Firefox or Edge, if you browse to the change user details page from the profile screen, you can enter
bob"onfocus="alert(1)"autofocus="@example.com for an email
or
Bob"onfocus="alert(2) as the first name
or
the Builder"onfocus="alert(3) as the last name. After you press Update profile, while the information isn't sent to the DB, the popups occur when you click on any of the fields.
6 votes
A process for manually approving new users
Today, you have the possibility to force a manual process for approving a user's access to a product. However, if you need to enable simple username-password sign-in, you have no possibility to have a manual process for approving a user's access to the portal.
It would be good for a user to see all products and APIs available in the portal, being able to browse and discover APIs. This means that anyone can create a user and browse APIs, basically spying on a company through the names of APIs and products.
The other way is to hide all APIs behind Products…
26 votes
Thank you for the feedback! We added this suggestion to the backlog and will update the item when we prioritize it for implementation.
Ability to use certificate as secret for OAuth 2.0
The OAuth 2.0 configuration has only the option to provide a secret. There is no option to provide a certificate as the secret. This is limiting our ability to use it, as our client ID supports only a certificate secret.
3 votes
Thank you for the feedback! We added this suggestion to the backlog and will update the item when we prioritize it for implementation.
Increase password strength for basic user accounts
Basic user accounts can be created via:
1. Admin portal (minimum password length = 6)
2. Self-registration page (minimum password length = 8).
No other rule applies, i.e. very poor password strength. When possible, we definitely use AAD.
For cases where we cannot use AAD, the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts... Please provide a UI page where the Admin can design the password policy by choosing:
- Minimum password length. [Default=8?].
- English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
- English lower case letters (e.g., a, b, c, ...z). [Checkbox…
41 votes