API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

How can we improve Azure API Management?

You've used all your votes and won't be able to post a new idea, but you can still search and comment on existing ideas.

There are two ways to get more votes:

  • When an admin closes an idea you've voted on, you'll get your votes back from that idea.
  • You can remove your votes from an open idea you support.
  • To see ideas you have already voted on, select the "My feedback" filter and select "My open ideas".
(thinking…)

Enter your idea and we'll search to see if someone has already suggested it.

If a similar idea already exists, you can support and comment on it.

If it doesn't exist, you can post your idea so others can support it.

Enter your idea and we'll search to see if someone has already suggested it.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. Security: OCSP Stapling support

    When using OCSP stapling, the web server will send its certificate combined with a signed proof from the OCSP responder about its certificate status.

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  2. Authentication with HMAC

    Currently, my project is using Hmac-SHA256 to do the authorization. We are struggle with how to generate, transmit and store the secret key between client side and ours. is there any secure way to do this?

    8 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  3. Add AzureAD users

    Allow the admin to add users from AzureAD so they can be configured before the user actually logs in.

    With having to wait for the user to login, then the admin to configure them with appropriate groups within APIM (not AzureAD groups) this increases the time before the user can actually make use of APIM depending on how long it takes the user to get around to logging in and the admin to add them to the right groups.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  4. Support for NVA with APIM in VNET Internal Mode

    Currently when deploying an APIM in VNET Internal Mode, the default rule for 0.0.0.0/0 must direct traffic to Internet. It would be great from a security perspective to be able to have that internet bound traffic be scanned by an NVA before reaching the internet and vice versa.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow to use Subscription key OR other authentication method on API

    Currently if you chose to use subscription key as authentication method even if you add Oauth it will always require the subscription key. We have scenarios where we need to be able to use either one of these, need to allow OR option in policy definition currently it is always AND.

    Also since all subscription keys are user bound and not "application bound" long term use in an production system this may be problematic.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  6. Allow multiple OAuth provides for an API

    Currently each API can only be configured with one OAuth provider. It would be great if it can allow multiple.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  7. Provide means to restrict TLS cipher suites or means to access cipher suite information

    Provide (1) means to restrict TLS cipher suites that are used in TLS communication between Azure API Management and API callers or (2) means for developers to access detailed information about the cipher suite used in the TLS connection from within API implementations.

    Background:

    We are investigating whether Azure API Management can be used for Financial-grade API (https://openid.net/wg/fapi/).

    Financial-grade API, also known as FAPI, is a set of standard specifications that are built on top of OAuth 2.0 and OpenID Connect. UK Open Banking (https://www.openbanking.org.uk/) has officially adopted FAPI and built Open Banking Profile (OBP) on…

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  8. XSS Protection on Developer Portal

    During *********** testing, it was found that certain screens in the developer portal are vulnerable to XSS.

    eg IE, Firefox or Edge, if you browse to the change user details page, from the profile screen, you can enter

    bob"onfocus="alert(1)"autofocus="@example.com for a email
    or
    Bob"onfocus="alert(2) as the first name
    or
    the Builder"onfocus="alert(3) as the last name.

    After you press Update profile, while the information isn't sent to the DB, the popups occur when you click on any of the fields.

    6 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  9. Portal Permissions Management - Remove Limit of 30 from preview

    On the preview UI in the portal we can no longer assign permissions on some apps as the UI states the following: 'A maximum of 30 total permissions may be added to an application.'.

    I cannot find documentation around this limitation.
    This limit is extremely restrictive and will break a lot of applications registered as the total permissions limit is on all API's. If you have an app that uses a lot of API's it will not work. Graph on it's own has more than 30.

    This is limiting our development at the moment for future planning as this limit…

    5 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  10. Fix bugs around Azure AD Groups and Product Permissions

    The linking of a user to a Azure AD group doesn't not work well. When I create a new user in AD and put them in a group, they are not in that group after they sign into the portal. In order for them to be associated with the AD group, I must put them in the group AFTER they have signed in at least once. Then they must sign in AGAIN in order to be part of that group. After these rounds of singing in multiple times I can then go in and add them to a subscription, in…

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  11. Groups within Groups

    There seems to be no way to add groups to groups. This makes granular control of access difficult

    4 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    need-feedback  ·  2 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  12. Issue and retrieve secrets for signing and validating JWT tokens

    The Mashape Kong product issues secrets for signing JWT keys. Could this be added so API Management could then validate the token without another roundtrip request to a JWT validation service?

    Even if we could store these in cache (by exposing cache via REST) or by adding it as a property that could be reference by the policy would be a good first step. The problem with the latter approach is that I think the {{propertyName}} has to be a string literal and cannot be composed from a variable like {{context.Subscription.Id+"naming-convention"}|}.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  13. Ability to use certificate as secret for OAuth 2.o

    OAuth 2.0 configuration has only option to provide secret. There is no option to provide certificate as secret. This is limiting our ability to use as our client id support only certificate secrete.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  14. Handle Signing requests

    Add a feature to manage customer keys, customer secret and signing validation of the requests.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  15. OAuth/OpenId Security Per Group

    Add the ability to selectively choose which groups can use which OAuth/OpenId server on the developer portal.

    Our use case is mainly around Client Credentials flows where one team (group) of users can use a certain client id and another team (group) can use a different client id.

    Once we can assign multiple OAuth/OpenId servers to an API, we then would be able to have one registered server for each group so they could test the functionality as if the system they are developing was accessing the API.

    Alternatively, the other option would be to allow explicit client id in…

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
  16. Store OAuth Token in SQL Server ( or somewhere else )

    There should be storage of oAuth token attched with API portal. It can have with Email address / Subscription Key of requester as ID.

    abc@abc.com / Subscription key as "Key" and OAuth Token as "Value".
    Now if someone requests backend call with specific ID / Email it attach oAuth token in header.

    This is very classic problem for any OAuth based backend services. That we need to handle is separately in other database.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
    under review  ·  Miao Jiang responded

    Thanks for the feedback. I’d like to hear more regarding how do you think the feature will work? How/Who should be responsible of getting the token and storing the key/value pair? How to handle token refresh etc. Thanks!

  17. Pre-populate Azure AD accounts to users with ARM template should act the same as the manual process

    I am pre-populating the users with Azure AD accounts with the following ARM template snippet using a VSTS CI-CD pipeline.

    {
    "apiVersion": "2018-06-01-preview",
    "type": "Microsoft.ApiManagement/service/users",
    "name": "[concat(parameters('serviceName'), '/', 'apim-dev')]",
    "properties": {
    "state": "active",
    "note": "Application account for the SIAM application",
    "email": "apim-dev@contoso.onmicrosoft.com",
    "firstName": "Dev",
    "lastName": "User",
    "identities": [
    {
    "provider": "Aad",
    "id": "12ca3158-2a1b-4a00-87dc-454ebaa5d238"
    }
    ]
    }
    }

    When I run this template the user is added with authentication type Azure AD and Basic. I only want Azure AD as authentication type which should be the same behavior as if the user is sigin-in for the first time into…

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Security  ·  Flag idea as inappropriate…  ·  Admin →
2 Next →
  • Don't see your idea?

API Management

Feedback and Knowledge Base