2

We're developing SaaS APIs and we're using the Azure API Management service to manage them.

We have defined the API products as described below:

  • Organization (product): This product contains sets of APIs to manage organizations.
  • Inventory (product): This product contains the sets of APIs to manage the stock and inventory.
  • Employee (product): This product contains the set of APIs to manage the employees.

What I want to achieve with the Azure API Management service is:

  • I don't want to create a separate subscription for each product.
  • I want to add multiple products into one subscription.
  • So that I can access all the APIs of different products using a single subscription key.

Is this possible?

Thanks in advance.

PS: See image below for what I want to achieve.


nunu

2 Answers

3

No, as far as I know what you seek is not possible.

Azure API Management offers the following subscription scopes at this point in time:

1) All APIs: this scope provides access to all the APIs hosted by APIM
2) Single API: this scope provides access to a single API hosted by APIM
3) Product: this scope provides access to a group of APIs when they are grouped into products. The scope supports only a single product per subscription

So in theory when you want to give access to different APIs to different users, you will have to create individual products for the users and assign a subscription to a product.

  • I want to create a separate subscription key for separate APIs under a single instance of APIM. I have created 2 more subscriptions (whose scope is API: ApiName) other than the built-in one, but when I am testing the API, the new subscription key is not working. In fact it is still getting validated with the old (built-in all-access) subscription key. What other settings am I missing? – Rahul Mar 10 '21 at 18:53
0

API Management has support for Access Groups. A product can set an access group under access control. This will make it so only users that are members of this group can see it in API Management. Doing this, you can create just a single subscription for all APIs, and filter using access policies, to verify that you can only use the APIs that you are allowed to, due to the access groups.

I used the following policy on my APIs to make sure the user has access, together with an AllApis subscription:

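    <!-- Reject the call unless the caller belongs to a group whose Id equals the Id of the API being called. -->
    <choose>
        <!-- A missing user or a missing group list is treated as "no access" (fail closed). -->
        <when condition="@(context?.User?.Groups == null || !(context.User.Groups.Any(q => q.Id == context?.Api?.Id)))">
            <return-response>
                <set-status code="401" reason="Unauthorized" />
                <set-header name="WWW-Authenticate" exists-action="override">
                    <value>Unauthorized. Subscription key not valid for this API.</value>
                </set-header>
            </return-response>
        </when>
    </choose>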

All in all, this ends up with customizable access to APIs, using only a single subscription key. You can choose any permutation of users and API accesses.

Froziph
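
An added example, not part of the answer above and not Azure API Management code: a Python model of that policy's condition which computes each user's effective access and flags configuration drift that the policy would turn into silent 401 responses. It assumes the convention the policy implies (one group per API, with the group Id equal to the API Id) and an exact, case-sensitive Id comparison; every id and user below is constructed.

```python
# Added example: models the answer's policy condition. All data is constructed.

def is_denied(user_group_ids, api_id):
    """Mirror of the <when> condition: deny when the caller has no group list
    (no user on the request) or no group id equals the API id."""
    if user_group_ids is None:
        return True
    return not any(g == api_id for g in user_group_ids)  # exact, case-sensitive

def effective_access(users, api_ids):
    """Map each user to the sorted list of APIs the policy would let through."""
    return {
        name: sorted(a for a in api_ids if not is_denied(groups, a))
        for name, groups in users.items()
    }

def audit(users, api_ids, group_ids):
    """Find drift between groups and APIs that ends in unexpected denials."""
    apis, groups = set(api_ids), set(group_ids)
    return {
        # APIs nobody can call because no group carries their id
        "apis_without_group": sorted(apis - groups),
        # near misses: group id and API id differ only by letter case
        "case_mismatches": sorted(
            (g, a) for g in groups for a in apis
            if g != a and g.lower() == a.lower()
        ),
        # users who end up with no callable API at all
        "users_without_access": sorted(
            n for n, ok in effective_access(users, api_ids).items() if not ok
        ),
    }

# Constructed sample configuration (hypothetical ids, not from the page)
API_IDS = ["organization-api", "inventory-api", "employee-api"]
GROUP_IDS = ["organization-api", "Inventory-API", "developers"]
USERS = {
    "alice": ["organization-api", "developers"],
    "bob": ["Inventory-API"],   # id differs from the API id by case only
    "anonymous": None,          # request with no user attached
}

if __name__ == "__main__":
    print(effective_access(USERS, API_IDS))
    print(audit(USERS, API_IDS, GROUP_IDS))
```

Run against an export of the real group and API ids, the audit shows which denials come from naming drift rather than from an intended access decision.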