API Management

Microsoft Azure API Management is a turnkey solution for publishing APIs to external and internal consumers. Quickly create consistent and modern API gateways for existing backend services hosted anywhere, secure and protect them from abuse and overuse, and gain insights into usage and health. Plus, automate and scale developer onboarding to help get your API program up and running in no time.

  • Hot ideas
  • Top ideas
  • New ideas
  • My feedback
  1. API Mgmt. policy management PowerShell module

    The policies should be definable and manageable thru PowerShell. There should be a separate module for Azure API Mgmt. Policy Mgmt. An IT Pro shouldn't have to learn XML to manage these policies.

    3 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  2. Support for conversion to SWIFT messaging proticol and vice versa

    Customers in the banking industry are asking for this..

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  3. Support AAD JWT token validation more directly using AAD metadata

    There is currently a way to validate JWT tokens in the policies. This is great. However, it could be done better in the case the JWT tokens are issued by AAD. In that case one would like to give the tenant ID of AAD and the Application ID that is assigned to the API. This way the policy would automatically extract the valid certificate from AAD metadata (something like https://login.microsoftonline.com/38cda3b4-71fa-4748-a48e-e50ef1ebfe00/federationmetadata/2007-06/federationmetadata.xml).
    That would prevent us from having to do this manually each time the global AAD certificate changes (next one is before mar 2019). It would be more in the…

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  4. Policy to Log to Trace

    It would be nice to have a policy that lets me write a log entry to the trace log so if something is going wrong more detail can be seen similar to context.Trace but without needing to use some other policy to make it happen.

    Example:

    <log-to-trace message="@(string.Format("Request Body: {0}", context.Request.Body.As<string>()))" />

    2 votes
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  5. Allow backend call details in "context" interface

    It would be very usefull to have access to backend call details via a new context "backend" interface so we could have access to "status code", backend url, call duration...
    In fact all that could be usefull to analyse "backend calls" in outbound policies.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    2 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  6. Caching OPTIONS response should be for url rather than dependent on parameters/headers.

    we need facility in policies for caching response of OPTIONS method type. So that browser does not send OPTIONS calls. Also caching should be done on url only and not different sessionid/reuqest headers/parameters.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  7. Policy to remove header

    Cannot remove below headers with "Consumption (Preview)" price tier:
    X-Powered-By
    X-AspNet-Version
    Set-Cookie

    Below is the detail step I replicate the issue:
    I'm trying to remove some headers in the response but they are still there.

    I did follow http://www.ithero.nl/post/2018/03/31/Using-policies-in-API-Management-to-remove-response-headers-from-the-backend-Web-API-that-leak-information.aspx

    to remove 'Set-Cookie' and 'X-Powered-By' by adding these lines to policy:
    <set-header name='X-Powered-By' exists-action='delete' />
    <set-header name='Set-Cookie' exists-action='delete' />
    but it's no hope.

    Currenty I still got these info in the headers:
    Cache-Control →private
    Transfer-Encoding →chunked
    Content-Type →text/plain; charset=utf-8
    Content-Encoding →gzip
    Vary →Accept-Encoding
    Server →Kestrel
    X-AspNet-Version →4.0.30319
    X-Powered-By →ASP.NET
    Date →Thu, 18 Apr 2019 05:01:14 GMT

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  8. Support System.Net.WebUtility in policies

    I have APIs that are returning json with properties that have html-encoded values, returning html encoded string in json isn't needed as the original service was based on xml and didn't use the CDATA tag. To be able to properly compose this API usage of an HtmlDecode function is needed which is readily available in System.Net.WebUtility

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  9. Ignore scheme differences in <redirect-content-urls />

    By default APIM matches on the scheme when using this policy. It would be nice to have an optional flag on this policy to ignore the scheme when redirecting backend URLs to the proxy.

    Via the backend, we may build a URL as "http://mybackend...&quot; - when this is surfaced via the api we'd want it redirected to the APIM proxy as "https://api.mycompany...". Currently, APIM won't fixup this response because the scheme on the link emitted from the backend doesn't match the scheme on the backend API base URL.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  10. Enhance Json Serialization support in Policy Expressions for Legacy Backend APIs

    Provide access to JsonConverter types, e.g. JavaScriptDateTimeConverter so that a JObject can be formatted as needed for a legacy system.

    Currently, if a Json object needs to be translated to a different format for a DateTime property it is not easily possible to convert the APIM body JObject to what the backend service expected for Json serialization.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  11. Support Newtonsoft.Json.JsonSerializerSettings in policies

    APIs that get re-written in policy to a json object output often end up with several properties that are null, to save bandwidth we'd like to exclude those null properties when calling the ToString method and passing the serializer settings (NullValueHandling) that remove null properties from the output.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  12. Url Helper Policy Expressions for Route Building

    As a developer I want to include hypermedia links to other operations in the same and other API sets so that I have easy navigation for clients between APIs.

    Today, these link url paths must be hard coded based on what is know. To provide flexibility while developing APIs and to ensure routes are actually valid, provide a url helper method to generate these routes.

    Example:

    context.RouteFor("API-ID", "Version", "Operation-ID", new {param1=1,param2="hello"})

    Today:

    <set-body>{
    return JObject.FromObject(new {
    _links = new[] {
    new { href = $"/api/operation?query={context.Request.MatchedParameters.GetValueOrDefault("query", string.Empty)&api-version=2018-10-31", rel = "other-api", type = "GET" }
    }
    }
    }</set-body>

    With a helper:

    <set-body>{ …

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  13. Support for token bucket - enable burst quota

    The current quota/call rate limit is +1 per call. In practice this means we create SKUs based on the maximum expected spike rather than average usage. By supporting a token bucket model (https://en.wikipedia.org/wiki/Token_bucket) we could define a SKU more aligned with our actual usage.

    For example: on average we have 50 calls per second, but need to be able to spike to 250 calls per second.

    Today we'd create a 250 calls per second throttle policy for this key/product which is not optimal.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  14. Policy tag directory

    Have a comprehensive directory that has all of the tags that can be used in the policy XML.

    An example is have documentation of the <when> tag regarding which tags can be nested within and which attributes it accepts.

    I seem to be unable to find any resource that has detailed documentation on these multi-use tags.

    Thank you

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  15. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    `<set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />`

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    0 comments  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  16. Add support for evaluating jsonpath expressions against request bodies within a policy and conditionally invoking an external request

    I'd like the ability to use a jsonpath expression to query a json request body and send the results to an external endpoint for validation. This is intended to implement a form of request spoofing prevention

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    under review  ·  1 comment  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
  17. Use valid xml to configure policies.

    In your examples one can find lines like this one:

    `<set-variable name="isMobile" value="@(context.Request.Headers["User-Agent"].Contains("iPad") || context.Request.Headers["User-Agent"].Contains("iPhone"))" />`

    If you try to validate this xml, you will find out that those double quotes inside of the value attribute are not allowed.

    1 vote
    Vote
    Sign in
    (thinking…)
    Sign in with: Microsoft
    Signed in as (Sign out)
    You have left! (?) (thinking…)
    1 comment  ·  Policies  ·  Flag idea as inappropriate…  ·  Admin →
1 3 Next →
  • Don't see your idea?

Feedback and Knowledge Base