API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Configure security also on operation level

    Today, the security is set on API level.
    I can see a need for defining security on operation level also.
    To be able to set that only a subset of the operations in an API is protected by e.g. OAuth.

    9 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. Signout issue - SSO URL is not expiring even after logout

    https://github.com/MicrosoftDocs/azure-docs/issues/8673
    As per the comments in above thread/issue, I am putting this idea on feedback website also.

    I did used the delegate option and am able to Sign User Programmatically by generating SSO URL (generateSsoUrl). Now I have problem in Signingout, once user try Sign-Out from Azure APIM Developer portal, microsoft delegate the call to our CUstom AUthentication server, and we end the users session, and redirect them back to base url of developer portal. Here User see the Sign-In option again.

    However If I paste the previous SSO URL (generateSsoUrl) into browser it allows the user to log-in, which…

    9 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. Security: OCSP Stapling support

    When using OCSP stapling, the web server will send its certificate combined with a signed proof from the OCSP responder about its certificate status.

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. Authentication with HMAC

    Currently, my project is using Hmac-SHA256 to do the authorization. We are struggle with how to generate, transmit and store the secret key between client side and ours. is there any secure way to do this?

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Add AzureAD users

    Allow the admin to add users from AzureAD so they can be configured before the user actually logs in.

    With having to wait for the user to login, then the admin to configure them with appropriate groups within APIM (not AzureAD groups) this increases the time before the user can actually make use of APIM depending on how long it takes the user to get around to logging in and the admin to add them to the right groups.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. Reader roles should not be able to see subscription keys

    Currently, users assigned the "Reader" or "Monitoring Reader" role are able to reveal subscription keys in the API Management portal. As is the case with other Azure products, secrets should not be accessible to members of these roles.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. Support for NVA with APIM in VNET Internal Mode

    Currently when deploying an APIM in VNET Internal Mode, the default rule for 0.0.0.0/0 must direct traffic to Internet. It would be great from a security perspective to be able to have that internet bound traffic be scanned by an NVA before reaching the internet and vice versa.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. Allow to use Subscription key OR other authentication method on API

    Currently if you chose to use subscription key as authentication method even if you add Oauth it will always require the subscription key. We have scenarios where we need to be able to use either one of these, need to allow OR option in policy definition currently it is always AND.

    Also since all subscription keys are user bound and not "application bound" long term use in an production system this may be problematic.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. Allow multiple OAuth provides for an API

    Currently each API can only be configured with one OAuth provider. It would be great if it can allow multiple.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. XSS Protection on Developer Portal

    During *********** testing, it was found that certain screens in the developer portal are vulnerable to XSS.

    eg IE, Firefox or Edge, if you browse to the change user details page, from the profile screen, you can enter

    bob"onfocus="alert(1)"autofocus="@example.com for a email
    or
    Bob"onfocus="alert(2) as the first name
    or
    the Builder"onfocus="alert(3) as the last name.

    After you press Update profile, while the information isn't sent to the DB, the popups occur when you click on any of the fields.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Portal Permissions Management - Remove Limit of 30 from preview

    On the preview UI in the portal we can no longer assign permissions on some apps as the UI states the following: 'A maximum of 30 total permissions may be added to an application.'.

    I cannot find documentation around this limitation.
    This limit is extremely restrictive and will break a lot of applications registered as the total permissions limit is on all API's. If you have an app that uses a lot of API's it will not work. Graph on it's own has more than 30.

    This is limiting our development at the moment for future planning as this limit…

    5 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Fix bugs around Azure AD Groups and Product Permissions

    The linking of a user to a Azure AD group doesn't not work well. When I create a new user in AD and put them in a group, they are not in that group after they sign into the portal. In order for them to be associated with the AD group, I must put them in the group AFTER they have signed in at least once. Then they must sign in AGAIN in order to be part of that group. After these rounds of singing in multiple times I can then go in and add them to a subscription, in…

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. Groups within Groups

    There seems to be no way to add groups to groups. This makes granular control of access difficult

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    need-feedback  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. Issue and retrieve secrets for signing and validating JWT tokens

    The Mashape Kong product issues secrets for signing JWT keys. Could this be added so API Management could then validate the token without another roundtrip request to a JWT validation service?

    Even if we could store these in cache (by exposing cache via REST) or by adding it as a property that could be reference by the policy would be a good first step. The problem with the latter approach is that I think the {{propertyName}} has to be a string literal and cannot be composed from a variable like {{context.Subscription.Id+"naming-convention"}|}.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. Ability to use certificate as secret for OAuth 2.o

    OAuth 2.0 configuration has only option to provide secret. There is no option to provide certificate as secret. This is limiting our ability to use as our client id support only certificate secrete.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Handle Signing requests

    Add a feature to manage customer keys, customer secret and signing validation of the requests.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  17. OAuth/OpenId Security Per Group

    Add the ability to selectively choose which groups can use which OAuth/OpenId server on the developer portal.

    Our use case is mainly around Client Credentials flows where one team (group) of users can use a certain client id and another team (group) can use a different client id.

    Once we can assign multiple OAuth/OpenId servers to an API, we then would be able to have one registered server for each group so they could test the functionality as if the system they are developing was accessing the API.

    Alternatively, the other option would be to allow explicit client id in…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  18. Store OAuth Token in SQL Server ( or somewhere else )

    There should be storage of oAuth token attched with API portal. It can have with Email address / Subscription Key of requester as ID.

    abc@abc.com / Subscription key as "Key" and OAuth Token as "Value".
    Now if someone requests backend call with specific ID / Email it attach oAuth token in header.

    This is very classic problem for any OAuth based backend services. That we need to handle is separately in other database.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Miao Jiang responded

    Thanks for the feedback. I’d like to hear more regarding how do you think the feature will work? How/Who should be responsible of getting the token and storing the key/value pair? How to handle token refresh etc. Thanks!

  19. Having the ability to

    Having the ability to see which ciphers are active within the APIM. At the moment you can disable 3DES in the Portal and 9 other ciphers using a PATCH/PUT command but you cannot see which ciphers are actually active anywhere.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  20. Pre-populate Azure AD accounts to users with ARM template should act the same as the manual process

    I am pre-populating the users with Azure AD accounts with the following ARM template snippet using a VSTS CI-CD pipeline.

    {
    "apiVersion": "2018-06-01-preview",
    "type": "Microsoft.ApiManagement/service/users",
    "name": "[concat(parameters('serviceName'), '/', 'apim-dev')]",
    "properties": {
    "state": "active",
    "note": "Application account for the SIAM application",
    "email": "apim-dev@contoso.onmicrosoft.com",
    "firstName": "Dev",
    "lastName": "User",
    "identities": [
    {
    "provider": "Aad",
    "id": "12ca3158-2a1b-4a00-87dc-454ebaa5d238"
    }
    ]
    }
    }

    When I run this template the user is added with authentication type Azure AD and Basic. I only want Azure AD as authentication type which should be the same behavior as if the user is sigin-in for the first time into…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
2 Next →
  • Don't see your idea?

Feedback and Knowledge Base