Azure API Management | Product Required Subscription Behaviours
Background | Functional Workings of APIM Subscriptions
Subscriptions are a nice and easy method of securing your APIs in APIM; however, as I bumped into a small detail around their use the other day, I thought it wise to note it down.
Azure API Management Subscriptions operate at three scope levels:
- All APIs
  - Applies to any API that requires a subscription.
  - Because a key at this scope grants access to ANY API, use it with caution.
- Specific APIs
  - These subscriptions are linked to specific APIs, and their keys can only be used for those APIs.
  - An API with a specific subscription can, as mentioned above, also be called with a generic All APIs subscription key.
- Products
  - Products are independent of APIs and therefore have their own ‘Subscription Required’ setting and behaviours. See Problem Space below.
Problem Space
As mentioned above, because Products are independent of APIs, the Product ‘Subscription Required’ setting interacts with the API’s own ‘Subscription Required’ setting, and the result can leave an API open if you are not aware of it.
The following behaviours can be observed. The setups marked "API Specific" are the ones where, in addition to the API requiring a subscription, an API-scoped subscription has been created for that API (the Specific APIs scope described above); in the other setups no such subscription exists, so only All APIs and Product keys are available.
1. API Subscription Required | Product Subscription NOT Required:
   - The API can now be accessed without a subscription.
   - If a subscription key is provided it can only be from:
     - All APIs scoped subscription keys
     - The Product’s subscription keys
2. API Specific Subscription Required | Product Subscription NOT Required:
   - The API can now be accessed without a subscription.
   - If a subscription key is provided it can be from:
     - Any of the three subscription scopes (All APIs, the specific API, or the Product).
3. API Subscription Required | Product Subscription Required:
   - The API requires a subscription key from either:
     - All APIs scoped subscription keys
     - The Product’s subscription keys
4. API Specific Subscription Required | Product Subscription Required:
   - The API requires a subscription key from any of the three subscription scopes.
5. API Subscription NOT Required | Product Subscription Required:
   - The API can be accessed without a subscription; the Product setting does not close it.
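Walking the table above by hand across every API/product pairing in an instance is error-prone, so the following audit script encodes the five setups and flags the pairings that leave an API callable without a key. This is an added example, not code from the original post or from Microsoft; it assumes input dictionaries shaped like the ARM contracts returned by `az apim api list`, `az apim product list` and `az apim product api list` (only the `name` and `subscriptionRequired` fields are used), and it assumes you know which APIs have an API-scoped subscription. The sample data is constructed. Because the post evaluates each API/product pairing on its own, the script treats an API as open when any one of its pairings is setup 1, 2 or 5: being in a second product that requires a subscription does not close the API.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    api: str
    product: str
    setup: int               # 1..5 as numbered in the post; 0 when neither side requires a key
    anonymous: bool          # True if the API can be called with no subscription key at all
    accepted_scopes: tuple   # key scopes honoured when a key *is* sent


def classify(api_requires: bool, api_scoped_sub_exists: bool, product_requires: bool):
    """Map one API/product pairing onto the post's five setups.

    api_requires          -> the API's own 'Subscription required' setting
    api_scoped_sub_exists -> an API-scoped subscription exists for this API
                             (the post's 'API Specific Subscription' case)
    product_requires      -> the product's 'Requires subscription' setting
    Returns (setup number, anonymous access allowed, accepted key scopes).
    """
    if not api_requires:
        # Setup 5: the API setting is off, so no key is demanded regardless of the
        # product. Setup 0 is the trivial both-off case, which the post does not list.
        return (5 if product_requires else 0), True, ()
    scopes = ("All APIs", "API", "Product") if api_scoped_sub_exists else ("All APIs", "Product")
    if product_requires:
        # Setups 3 and 4: the only configurations that actually demand a key.
        return (4 if api_scoped_sub_exists else 3), False, scopes
    # Setups 1 and 2: an open product lets the API be called anonymously; a key,
    # if one is sent, must still come from one of the listed scopes.
    return (2 if api_scoped_sub_exists else 1), True, scopes


def audit(apis, products, product_apis, api_scoped_subs):
    """Classify every API/product pairing.

    apis, products  : lists of dicts with 'name' and 'subscriptionRequired' (assumed ARM field names)
    product_apis    : {product name: [api names]} (the product membership list)
    api_scoped_subs : set of API names that have an API-scoped subscription
    """
    api_req = {a["name"]: bool(a["subscriptionRequired"]) for a in apis}
    prod_req = {p["name"]: bool(p["subscriptionRequired"]) for p in products}
    findings = []
    for product, members in product_apis.items():
        for api in members:
            setup, anon, scopes = classify(api_req[api], api in api_scoped_subs, prod_req[product])
            findings.append(Finding(api, product, setup, anon, scopes))
    return findings


def open_apis(findings):
    """APIs reachable without a key through at least one product (setup 1, 2 or 5).

    One open pairing is enough; membership in a product that requires a
    subscription elsewhere does not close the API, so aggregate with any().
    """
    return {f.api for f in findings if f.anonymous}


# Constructed sample, not taken from a real APIM instance.
SAMPLE_APIS = [
    {"name": "orders",  "subscriptionRequired": True},
    {"name": "catalog", "subscriptionRequired": True},
    {"name": "health",  "subscriptionRequired": False},
]
SAMPLE_PRODUCTS = [
    {"name": "starter", "subscriptionRequired": False},   # an open product
    {"name": "partner", "subscriptionRequired": True},
]
SAMPLE_PRODUCT_APIS = {
    "starter": ["orders", "health"],
    "partner": ["orders", "catalog", "health"],
}
SAMPLE_API_SCOPED_SUBS = {"catalog"}   # only 'catalog' has an API-scoped subscription


if __name__ == "__main__":
    results = audit(SAMPLE_APIS, SAMPLE_PRODUCTS, SAMPLE_PRODUCT_APIS, SAMPLE_API_SCOPED_SUBS)
    for f in results:
        state = "OPEN (no key needed)" if f.anonymous else "key required"
        print(f"setup {f.setup}: {f.api} via {f.product}: {state}; accepted scopes {f.accepted_scopes}")
    print("APIs callable without a subscription key:", sorted(open_apis(results)))
```

In the sample, `orders` requires a subscription and sits in the `partner` product (setup 3), yet it is still reported as open because it is also in the open `starter` product (setup 1). That is the trap the post describes: tightening one product does not help while another product that contains the same API has ‘Requires subscription’ switched off.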
Summary
Be very careful with the way you configure your subscription requirements. The only setups involving a Product subscription that actually force your API to require a subscription key are setups 3 and 4, where both the API and the Product are set to require a subscription.
All other setups (1, 2 and 5) leave your API callable without a subscription key, so check every Product an API belongs to, not just the API’s own setting.
For the original version of this post see Andrew Wilson's personal blog at Azure API Management | Product Required Subscription Behaviours