API Management
Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.
-
Support for Let's Encrypt
Allow publishers to easily use Let's Encrypt with the API management. https://letsencrypt.org/
635 votes
Please tell us a bit more about the scenarios you are trying to enable and how you see this feature working.
-
Developer portal users to be able to input Client ID and Client Secret to generate OAuth2 token
OAuth2.0 - Update to the developer portal UI so that portal users can enter their own ClientId and Client Secret to generate token.
233 votes -
Restrict Portal Access by IP Address
In some cases, Management Portal and Developer Portal should not be published into the Internet so that anonymous abusive users cannot attack the Portal, such as DDoS.
If we can set a rule with IP address filtering like a firewall service, it would be very helpful to protect our API Management service.
183 votes -
API keys to be owned by AAD group as opposed to user
Instead of having a subscription tied to a user, have it tied to an (AAD) group. This is useful when a team is sharing the keys.
157 votes -
We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.
We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.
132 votes -
Support/force TLS 1.3
As the new TLS 1.3 will be released soon, it would be great to support and possibly force TLS 1.3 on all connections on the front end and back end.
124 votes -
OAuth 2.0 implementation support/Securing APIs using OAuth
A major bonus when using an API management system should be that it helps you secure your backend APIs using standard techniques. Other API management systems (such as Kong, see https://getkong.org/plugins/oauth2-authentication/) have support for this, where the APIm acts as a Bearer token store and validates the tokens for you.
Obviously, this will only work for the Client Credentials and possibly also Resource Owner Password Flows, as the others require additional UI, but still this would be a very nice add-on, which enables you to leverage OAuth for backends which are actually OAuth-agnostic.
Azure APIm would then also need…
110 votes -
Log x-forwarded-for header in API Management Gateway log
If API Management is fronted by a WAF or Proxy the IP logged in the API Management Gateway log is not the original IP.
WAFs like the Application Gateway Web Application Firewall do add an x-forwarded-for header; however, the current API Management Gateway log does not include it.
83 votes -
Add support for key vault stored SSL certificates in API Management service
Add ability to use SSL certificates bought through Azure and stored in key vault with API Management instance.
61 votes
Thanks for the feedback – be great to get continued input on this. Keep the votes coming!
-
Use DDoS Protection Standard with VNET integrated API Management gateway
We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public ip's for the public endpoint.
P.S. We cannot put an Application Gateway v2 in front of the API gateway because of the requirement of Client Certificate Authentication.
55 votes -
Developer Portal displays IIS Yellow Page
https://****.portal.azure-api.net/
A security team observes that the developer portal application reveals the server information in terms of IIS error page (Yellow Page).
System should have ability to configure "Default IIS error page".
Try accessing any developer portal URL by expanding "/C:/test" to the actual URL.
51 votes -
Provide means to restrict TLS cipher suites or means to access cipher suite information
Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.
Background:
We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).
Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…
45 votes -
Improved RBAC roles for API Management
Right now, Azure RBAC only has 3 API Management specific roles defined: API Management Service Contributor, API Management Service Operator and API Management Service Reader.
These are OK, but they are not enough for many customers. In particular, many customers require giving developers or architects permissions to define and manage APIs without touching anything else (i.e. no product, security, or similar configurations).
While this is potentially possible to do using custom RBAC roles, doing so in a way that keeps everything working correctly and that does not break when the PG changes the way the portal works is non-trivial.
So…
41 votes -
Increase password strength for basic user accounts
Basic user accounts can be created via:
1. Admin portal (minimum password length=6)
2. Self registration page (minimum password length=8).
No other rule applies, i.e. very poor password strength.
When possible, we definitely use AAD.
For cases where we cannot use AAD, the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts...
Please provide a UI page where an Admin can design a password policy by choosing:
- Minimum password length. [Default=8?].
- English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
- English lower case letters (e.g., a, b, c, ...z). [Checkbox…
41 votes -
Add policy to prevent brute force attacks in the API Management Consumption Tier
Currently in Consumption Tier, there is no way to prevent abuse of unauthenticated endpoints. This allows attackers to be able to keep hitting these endpoints with random inputs until they succeed.
Examples of such endpoints could be account activation, registration, password reset where an attacker can keep calling these endpoints with random values, since there is no throttling or check of any kind per API method to limit calls from the same IP in a given time frame.
29 votes -
Support Basic Authentication in Front-end API
We are currently consuming our APIs via various clients, including Microsoft Excel and various integration tools. These tools do NOT support the current front-end API authentication methods.
One solution is to enable Basic Auth support in the front-end API.
The existing username and subscription key could be used as the credentials, but the API Management would accept them in the standard base64-encoded Authorization header.
28 votes
Basic credentials can already be validated using a combination of the check-header policy and an expression (use a named value for storing the username and password).
We could simplify this use case by implementing a “validate basic credentials” policy, hence I am keeping this under review.
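The check-header approach the reply above describes, written out as an added example (not code from the original page or from Microsoft). It assumes a named value called `basic-auth-credential`, marked as secret, that holds the base64 encoding of `username:subscription-key`; the named value name and the realm string are placeholders chosen for this example.

```xml
<policies>
  <inbound>
    <base />
    <!-- Reject the call unless the Authorization header carries exactly the expected
         Basic credential. {{basic-auth-credential}} is a (hypothetical) secret named value
         containing base64("username:subscription-key"); the comparison is an exact string
         match, so ignore-case stays false to avoid accepting case-mangled credentials. -->
    <check-header name="Authorization" failed-check-httpcode="401"
                  failed-check-error-message="Unauthorized" ignore-case="false">
      <value>Basic {{basic-auth-credential}}</value>
    </check-header>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Each additional credential needs its own `<value>` entry, and rotating the subscription key means updating the named value, so this fits a small, fixed set of integration clients rather than per-user authentication.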
-
Origin API oauth support
Ability to create an API in Azure API Management that will OAuth to the origin api. I don't want my users to oauth, the Azure API key is enough security for that. I just want my Azure API to access the origin API through OAuth.
26 votes
Thanks for the feedback!
-
A process for manually approving new users
Today, you have the possibility to force a manual process for approving a user access to a product. However, if you need to enable simple username-password you have no possibility to have a manual process for approving a user access to the portal.
It would be good for a user to see all products and APIs available in the portal, being able to browse and discover APIs. This means that anyone can create a user and browse APIs, basically spying on a company thru the names of APIs and products.
The other way is to hide all APIs behind Products…
26 votes
Thank you for the feedback! We added this suggestion to the backlog and will update the item when we prioritize it for implementation.
-
25 votes
Thanks for the feedback – be great to get additional input on this. Keep the votes coming!
-
Remove or extend "Maximum number of CA certificates per service instance"
Currently there is a hard limit of 10 Certificate Authorities for the API Management Service. We need at least 50 Certificate Authorities / Intermediates for our customer.
24 votes