API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Support for Let's Encrypt

    Allow publishers to easily use Let's Encrypt with the API management. https://letsencrypt.org/

    427 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    7 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. Restrict Portal Access by IP Address

    In some cases, Management Portal and Developer Portal should not be published into the Internet so that anonymous abusive users cannot attack the Portal, such as DDoS.
    If we can set a rule with IP address filtering like a firewall service, it would be very helpful to protect our API Management service.

    137 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. API keys to be owned by AAD group as opposed to user

    Instead of have a subscription be tied to a user, have it be tied to a (AAD) group. This is useful when a team is sharing the keys.

    125 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. OAuth 2.0 implementation support/Securing APIs using OAuth

    A major bonus when using an API management system should be that it helps you secure your backend APIs using standard techniques. Other API management systems (such as Kong, see https://getkong.org/plugins/oauth2-authentication/) have support for this, where the APIm acts as a Bearer token store and validates the tokens for you.

    Obviously, this will only work for the Client Credentials and possibly also Resource Owner Password Flows, as the others require additional UI, but still this would be a very nice add-on, which enables you to leverage OAuth for backends which are actually OAuth-agnostic.

    Azure APIm would then also need…

    91 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  5 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Support/force TLS 1.3

    As the new TLS 1.3 will be released soon, it would be great to support and possibly force TLS 1.3 on all connection on the front and back-end.

    70 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. Log x-forwarded-for header in API Management Gateway log

    If API Management is fronted by a WAF or Proxy the IP logged in the API Management Gateway log is not the original IP.

    WAF's like the Application Gateway Web Application Firewall do add an x-forwarded-for header however the current API Management Gateway log does not include it.

    68 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    planned  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. Add support for key vault stored SSL certificates in API Management service

    Add ability to use SSL certificates bought through Azure and stored in key vault with API Management instance.

    54 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. Developer Portal displays IIS Yellow Page

    https://****.portal.azure-api.net/

    A security team observes that the developer portal application reveals the server information in terms of IIS error page (Yellow Page).

    System should have ability to configure "Default IIS error page".

    Try accesing any developer portal URL by expanding "/C:/test" to actual URL.

    51 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    We would like to have OWASP security features as part of API Management rather than using API gateway/WAF.

    49 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    triaged  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. Use DDoS Protection Standard with VNET integrated API Management gateway

    We would like to use DDoS Protection Standard for our VNET integrated API Management Service. A possible solution could be to have self-signed public ip's for the public endpoint.

    P.S. We cannot put a Application Gateway v2 in front of API gateway because of the requirement of Client Certificate Authentication.

    42 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Increase password strength for basic user accounts

    Basic user accounts can be created via;
    1. Admin portal (minimum password length=6)
    2. Self registration page (minimum password length=8).
    No other rule applies i.e. very poor password strength.

    When possible, we definitely use AAD.
    For cases where we can not use AAD the Azure PaaS Developer Support Team has recommended us to use Facebook, Google, Microsoft or Twitter accounts...

    Please, provide UI page where Admin can design password policy by choosing;
    - Minimum password length. [Default=8?].
    - English upper case letters (e.g., A, B, C, ...Z). [Checkbox True|False].
    - English lower case letters (e.g., a, b, c, ...z). [Checkbox…

    33 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    need-feedback  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Origin API oauth support

    Ability to create an API in Azure API Management that will OAuth to the origin api. I don't want my users to oauth, the Azure API key is enough security for that. I just want my Azure API to access the origin API through OAuth.

    26 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. Support Basic Authentication in Front-end API

    We are currently consuming our APIs via various clients, including Microsoft Excel and various integration tools. These tools do NOT support the current front-end API authentication methods.
    One solution is to enable Basic Auth support in the front-end API.
    The existing username and subscription key could be used as the credentials, but the API Management would accept them in the standard base64-encoded Authorization header.

    25 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. 25 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    4 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. A process for manually approving new users

    Today, you have the possibility to force a manual process for approving a user access to a product. However, if you need to enable simple username-password you have no possibility to have a manual process for approving a user access to the portal.

    It would be good for a user to see all products and APIs available in the portal, being able to browse and discover APIs. This means that anyone can create a user and browse APIs, basically spying on a company thru the names of APIs and products.

    The other way is to hide all APIs behind Products…

    22 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Improved RBAC roles for API Management

    Right now, Azure RBAC only has 3 API Management specific roles defined: API Management Service Contributor, API Management Service Operator and API Management Service Reader.

    These are OK, but they are not enough for many customers. In particular, many customers require giving developers or architects permissions to define and manage APIs without touching anything else (i.e no product, security, or similar configurations).

    While this is potentially possible to do using custom RBAC roles, doing so in a way that keeps everything working correctly and that does not break when the PG changes the way the portal works is non-trivial.

    So…

    16 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. Add metadata to subscription

    I would like the ability to add metadata to a subscription. A key-value that could describe the subscription.

    Values should be accessible in policies - to be added as inbound headers for example.

    The actual API could then use the values to return different values depending on the subscription.

    16 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    triaged  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Provide means to restrict TLS cipher suites or means to access cipher suite information

    Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.

    Background:

    We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).

    Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…

    13 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  19. Add OAuth 2.0 as a proxy authentication

    Currently Proxy Authentication supports HTTP Basic and Client Certificates. In an effort to make a unified OAuth 2.0 Gateway, we have some services using other OAuth 2.0 providers for the security in the backend and would like to use something like Client Credentials flow or the On Behalf Of flow to call the existing service keeping the front with only one OAuth implementation.

    12 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    3 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. Validate the client certificate against the custom CA certs uploaded in the CA trust store

    Currently the CA certificates in the store are used to validate against the server certificates in the backend. But it would be better if we get an option to validate the client certificates from client to api manager against the certs in CA store instead of just checking the issuer in the policy.

    11 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
← Previous 1
  • Don't see your idea?

Feedback and Knowledge Base