Azure Api Management Generate Subscription Key
  1. By default, there are two ways a consumer can specify the Subscription Key on a call to API Management: Using the Ocp-Apim-Subscription-Key HTTP header; Using the subscription-key query string value in the URL; These are just the default names for both.
  2. Nov 24, 2014  Introduction to API Management Microsoft acquired a company named Apiphany last year (read about the acquisition) and jumped to the API Management market. So what is API Management? Given below is the definition what Google gives for the question; indeed it’s a fairly well descriptive definition. Microsoft Azure API Management is backed by the.
  3. Oct 23, 2017  When virtualizing your APIs behind an Azure API Management (APIM) service, you always need to provide the subscription key in your calls. Typically, this is done via the header key Ocp-Apim-Subscription-Key. Your subscription key is always linked to.
How to delegate user registration and product subscription
Learn how to delegate user registration and product subscription to a third party in Azure API Management.

Delegation allows you to use your existing website for handling developer sign in/sign up and subscription to products, as opposed to using the built-in functionality in the developer portal. It enables your website to own the user data and perform the validation of these steps in a custom way.

Nov 14, 2018 Client applications that need to consume the published APIs must include a valid subscription key in HTTP requests when they make calls to those APIs. To get a subscription key for accessing APIs, a subscription is required. For more information about subscriptions, see Subscriptions in Azure API Management. Learn the Azure API Management terminology. Complete the following quickstart: Create an Azure API Management instance. Also, complete the following tutorial: Import and publish your first API. Create and publish a product. Click on Products in the menu on the left to display the Products page.


Delegating developer sign-in and sign-up

To delegate developer sign-in and sign-up to your existing website, you'll need to create a special delegation endpoint on your site. It needs to act as the entry point for any such request initiated from the API Management developer portal.

The final workflow will be as follows:

  1. Developer clicks on the sign in or sign up link at the API Management developer portal
  2. Browser is redirected to the delegation endpoint
  3. Delegation endpoint in return redirects to or presents UI asking user to sign in or sign up
  4. On success, the user is redirected back to the API Management developer portal page they started from

To begin, let's first set up API Management to route requests via your delegation endpoint. In the Azure portal, search for Security in your API Management resource and then click the Delegation item. Click the checkbox to enable 'Delegate sign in & sign up'.

  • Decide what the URL of your special delegation endpoint will be and enter it in the Delegation endpoint URL field.
  • Within the Delegation authentication key field, enter a secret that will be used to compute a signature provided to you for verification to ensure that the request is indeed coming from Azure API Management. You can click the generate button to have API Management randomly generate a key for you.


Now you need to create the delegation endpoint. It has to perform a number of actions:

  1. Receive a request in the following form:

    http://www.yourwebsite.com/apimdelegation?operation=SignIn&returnUrl={URL of source page}&salt={string}&sig={string}

    Query parameters for the sign in / sign up case:

    • operation: identifies what type of delegation request it is - it can only be SignIn in this case
    • returnUrl: the URL of the page where the user clicked on a sign in or sign up link
    • salt: a special salt string used for computing a security hash
    • sig: a computed security hash to be used for comparison to your own computed hash
  2. Verify that the request is coming from Azure API Management (optional, but highly recommended for security)

    • Compute an HMAC-SHA512 hash of a string based on the returnUrl and salt query parameters (example code provided below):

      HMAC(salt + '\n' + returnUrl)

    • Compare the above-computed hash to the value of the sig query parameter. If the two hashes match, move on to the next step, otherwise deny the request.

  3. Verify that you are receiving a request for sign in/sign up: the operation query parameter will be set to 'SignIn'.

  4. Present the user with UI to sign in or sign up

  5. If the user is signing up, you have to create a corresponding account for them in API Management. Create a user with the API Management REST API. When doing so, ensure that you set the user ID to the same value as in your user store or to an ID that you can keep track of.

  6. When the user is successfully authenticated:

    • request a single-sign-on (SSO) token via the API Management REST API

    • append a returnUrl query parameter to the SSO URL you have received from the API call above:

      for example, https://customer.portal.azure-api.net/signin-sso?token&returnUrl=/return/url

    • redirect the user to the above produced URL

In addition to the SignIn operation, you can also perform account management by following the previous steps and using one of the following operations:

  • ChangePassword
  • ChangeProfile
  • CloseAccount

You must pass the following query parameters for account management operations.

  • operation: identifies what type of delegation request it is (ChangePassword, ChangeProfile, or CloseAccount)
  • userId: the user ID of the account to manage
  • salt: a special salt string used for computing a security hash
  • sig: a computed security hash to be used for comparison to your own computed hash

Delegating product subscription

Delegating product subscription works similarly to delegating user sign-in/sign-up. The final workflow would be as follows:

  1. Developer selects a product in the API Management developer portal and clicks on the Subscribe button.
  2. Browser is redirected to the delegation endpoint.
  3. Delegation endpoint performs required product subscription steps. It's up to you to design the steps. They may include redirecting to another page to request billing information, asking additional questions, or simply storing the information and not requiring any user action.

To enable the functionality, on the Delegation page click Delegate product subscription.

Next, ensure the delegation endpoint does the following actions:

  1. Receive a request in the following form:

    http://www.yourwebsite.com/apimdelegation?operation={operation}&productId={product to subscribe to}&userId={user making request}&salt={string}&sig={string}

    Query parameters for the product subscription case:

    • operation: identifies what type of delegation request it is. For product subscription requests the valid options are:
      • 'Subscribe': a request to subscribe the user to a given product with provided ID (see below)
      • 'Unsubscribe': a request to unsubscribe a user from a product
      • 'Renew': a request to renew a subscription (for example, that may be expiring)
    • productId: the ID of the product the user requested to subscribe to
    • subscriptionId: on Unsubscribe and Renew - the ID of the product subscription
    • userId: the ID of the user the request is made for
    • salt: a special salt string used for computing a security hash
    • sig: a computed security hash to be used for comparison to your own computed hash
  2. Verify that the request is coming from Azure API Management (optional, but highly recommended for security)


    • Compute an HMAC-SHA512 of a string based on the productId, userId, and salt query parameters:

      HMAC(salt + '\n' + productId + '\n' + userId)

    • Compare the above-computed hash to the value of the sig query parameter. If the two hashes match, move on to the next step, otherwise deny the request.

  3. Process product subscription based on the type of operation requested in operation - for example, billing, further questions, etc.

  4. On successfully subscribing the user to the product on your side, subscribe the user to the API Management product by calling the REST API for subscriptions.

Example Code

These code samples show how to:

  • Take the delegation validation key, which is set in the Delegation screen of the publisher portal
  • Create an HMAC, which is then used to validate the signature, proving the validity of the passed returnUrl.

The same code works for the productId and userId with slight modification.

C# code to generate hash of returnUrl

NodeJS code to generate hash of returnUrl
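
A Node.js delegation-endpoint check covering both formulas above (sign-in and product subscription), added here as an example and not the original sample from this page. It assumes the delegation key is Base64 text and that sig carries a Base64-encoded digest; the key, salt and URLs in the sample are constructed, and operations whose signed string the page does not give are denied.

```javascript
const crypto = require('crypto');

// Signed fields per operation, in the order of the page's two HMAC formulas.
const SIGNED_FIELDS = new Map([
  ['SignIn', ['returnUrl']],
  ['Subscribe', ['productId', 'userId']],
]);

// Assumption: key is Base64 text; sig is the Base64 HMAC-SHA512 digest.
function expectedSig(keyB64, salt, values) {
  return crypto.createHmac('sha512', Buffer.from(keyB64, 'base64'))
    .update([salt, ...values].join('\n'), 'utf8')
    .digest();
}

// Returns the verified parameters, or null if the request must be denied.
function verifyDelegationRequest(keyB64, requestUrl) {
  const q = new URL(requestUrl).searchParams;
  const fields = SIGNED_FIELDS.get(q.get('operation'));
  const salt = q.get('salt');
  const sig = q.get('sig');
  if (!fields || !salt || !sig) return null; // fail closed
  const values = fields.map((f) => q.get(f));
  if (values.some((v) => v === null)) return null;
  const expected = expectedSig(keyB64, salt, values);
  const given = Buffer.from(sig, 'base64');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  if (given.length !== expected.length) return null;
  if (!crypto.timingSafeEqual(given, expected)) return null;
  const out = { operation: q.get('operation') };
  fields.forEach((f, i) => { out[f] = values[i]; });
  return out;
}

// Constructed sample input: the key below is made up for this example.
const SAMPLE_KEY = Buffer.from('constructed-demo-delegation-key').toString('base64');

// Builds a signed request URL the way the verifier expects to receive it.
function buildSampleUrl(params, keyB64 = SAMPLE_KEY) {
  const fields = SIGNED_FIELDS.get(params.operation);
  const sig = expectedSig(keyB64, params.salt, fields.map((f) => params[f]));
  const qs = new URLSearchParams({ ...params, sig: sig.toString('base64') });
  return 'https://www.yourwebsite.com/apimdelegation?' + qs.toString();
}
```

Use only the values returned by verifyDelegationRequest for the redirect or subscription step, so that nothing unsigned from the query string is acted on.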

Important: You need to republish the developer portal for the delegation changes to take effect.

Next steps

For more information on delegation, see the following video:

https://channel9.msdn.com/Blogs/AzureApiMgmt/Delegating-User-Authentication-and-Product-Subscription-to-a-3rd-Party-Site/player


This tutorial shows how to import an OpenAPI Specification backend API in JSON format into Azure API Management. Microsoft provides the backend API and hosts it on Azure at https://conferenceapi.azurewebsites.net?format=json.

Once you import the backend API into API Management, your API Management API becomes a facade for the backend API. You can customize the facade to your needs in API Management without touching the backend API. For more information, see Transform and protect your API.

In this tutorial, you learn how to:

  • Import an API into API Management
  • Test the API in the Azure portal

Prerequisites


  • Understand Azure API Management terminology.
  • Create an Azure API Management instance.

Go to your API Management instance

  1. In the Azure portal, search for and select API Management services.

  2. On the API Management screen, select your API Management instance.

Import and publish a backend API

This section shows how to import and publish an OpenAPI Specification backend API.

  1. In the left navigation of your API Management instance, select APIs from the API Management section.

  2. Select the OpenAPI tile, and then select Full on the pop-up screen.

  3. On the Create from OpenAPI specification screen, use the values from the following table to create your API.

    A red star next to a field on the form indicates that the field is required. You can set API values during creation or later by going to the Settings tab.

    | Setting | Value | Description |
    |---|---|---|
    | OpenAPI specification | https://conferenceapi.azurewebsites.net?format=json | The service implementing the API. API management forwards requests to this address. |
    | Display name | After you enter the preceding service URL, API Management fills out this field based on the JSON. | The name displayed in the developer portal. |
    | Name | After you enter the preceding service URL, API Management fills out this field based on the JSON. | A unique name for the API. |
    | Description | After you enter the preceding service URL, API Management fills out this field based on the JSON. | An optional description of the API. |
    | URL scheme | HTTPS | Which protocols can be used to access the API. |
    | API URL suffix | conference | The suffix appended to the base URL for the API Management service. API Management distinguishes APIs by their suffix, so the suffix must be unique for every API for a given publisher. |
    | Products | Unlimited | Association of one or more APIs. Each API Management instance comes with two sample products: Starter and Unlimited. You publish an API by associating the API with a product, Unlimited in this example. You can include several APIs in a product and offer them to developers through the developer portal. To add this API to another product, type or select the product name. Repeat this step to add the API to multiple products. You can also add APIs to products later from the Settings page. To get access to the API, developers must first subscribe to a product. When they subscribe, they get a subscription key that's good for any API in that product. If you created the API Management instance, you're an administrator already, so you're subscribed to every product in the instance. |
    | Tags | | Tags for organizing APIs for searching, grouping, or filtering. |
    | Version this API? | Select or deselect | For more information about versioning, see Publish multiple versions of your API. |

    Note

    To publish the API, you must associate it with a product. You can do that from the Settings page.

  4. Select Create.

If you have problems importing an API definition, see the list of known issues and restrictions.


Test the new API in the Azure portal

You can call API operations directly from the Azure portal, which provides a convenient way to view and test the operations.

  1. In the left navigation of your API Management instance, select APIs from the API Management section, and then select Demo Conference API.

  2. Select the Test tab, and then select GetSpeakers. The page shows Query parameters and Headers, if any. The Ocp-Apim-Subscription-Key is filled in automatically for the subscription key associated with this API.

  3. Select Send.

    The back end responds with 200 OK and some data.

Next steps

In this tutorial, you learned how to:

  • Import your first API
  • Test the API in the Azure portal

Advance to the next tutorial to learn how to create and publish a product: