I have the following setup in Azure API Management:
Two products: Internal and Starter.
One API: Finance, that is included in both the above products. The Finance API also has the Subscription required checkbox cleared, so a subscription is not required.
The Internal product has a policy that does JWT validation. The Starter product does not.
In the test tab of APIs, I can choose a product scope via the Apply Product Scope dropdown. Presumably this decides which product policies are applied.
When calling the API, if I don't supply a valid token, the JWT validation kicks in and rejects my request. However, since I have no subscription key to identify the product, it could be either the Internal or Starter product - how does the system determine it should apply the Internal policy containing the jwt-validation rule rather than the Starter policy which doesn't?
When a request comes in, first the API and operation are identified. Then APIM tries to identify the subscription. If a product subscription key is provided, it's used to identify the product and its policies are executed. If an API subscription key is provided, it's checked to match the identified API and no product policies are executed at all.
If no subscription key is present in the request, APIM checks whether there is a product with Subscription required set to false, and whether such a product includes the identified API. If there is such a match, that product will be used and its policies executed. If no such match is found, APIM checks whether the API has Subscription required set to false, and if so the call proceeds without a product.
The Test tab uses a special key - the master key. Among other things, this key allows you to force a certain product to be used for a call even if the API is not included in one. This is mostly useful for testing purposes, and the master key should not really be used in production.
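The resolution order described in this answer, written out as a small Python model so the effect of each setting can be checked. This is an added example for this page, not Azure API Management code, and it calls no Azure API. The names `Api`, `Product`, `Resolution` and `resolve_scope` are invented here; the key lookup tables and the product settings in the sample setup (Internal open and carrying a validate-jwt policy, Starter requiring a subscription) are constructed assumptions, since the question does not state the products' own Subscription required settings. Where several open products include the same API, the answer does not say which wins, so the model raises instead of guessing.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Api:
    name: str
    requires_subscription: bool          # the "Subscription required" checkbox on the API
    policies: tuple = ()                 # API-scope policy names (constructed labels)


@dataclass(frozen=True)
class Product:
    name: str
    requires_subscription: bool          # the "Subscription required" setting on the product
    apis: frozenset                      # names of APIs included in the product
    policies: tuple = ()                 # product-scope policy names (constructed labels)


@dataclass(frozen=True)
class Resolution:
    status: int                          # HTTP status the gateway would answer with
    product: Optional[str]               # product whose policies run, or None
    policies: tuple                      # effective chain: product scope, then API scope
    reason: str


def resolve_scope(api, products, key, product_keys, api_keys):
    """Decide which product scope (if any) applies to a request for `api`.

    `product_keys` maps product subscription keys to product names and
    `api_keys` maps API-level subscription keys to API names; both are
    constructed stand-ins for APIM's subscription store.
    """
    by_name = {p.name: p for p in products}

    # 1. A product subscription key identifies the product; its policies run.
    if key in product_keys:
        product = by_name[product_keys[key]]
        # Assumption: the identified API has to be part of that product
        # (the answer says only the master key can force a product otherwise).
        if api.name not in product.apis:
            return Resolution(401, None, (), "product key does not cover this API")
        return Resolution(200, product.name, product.policies + api.policies,
                          "product identified from subscription key")

    # 2. An API subscription key must match the identified API; no product
    #    policies are executed at all.
    if key in api_keys:
        if api_keys[key] != api.name:
            return Resolution(401, None, (), "API key does not match this API")
        return Resolution(200, None, api.policies, "API-level subscription, no product scope")

    # 3. No key at all: look for an open product that includes the API.
    if key is None:
        open_products = sorted(p.name for p in products
                               if not p.requires_subscription and api.name in p.apis)
        if len(open_products) == 1:
            product = by_name[open_products[0]]
            return Resolution(200, product.name, product.policies + api.policies,
                              "open product includes the API")
        if len(open_products) > 1:
            # The answer gives no tie-break between several open products.
            raise ValueError(f"ambiguous: several open products include {api.name}: {open_products}")
        # 4. Otherwise the call proceeds without a product only if the API is open.
        if not api.requires_subscription:
            return Resolution(200, None, api.policies, "open API, no product scope")
        return Resolution(401, None, (), "subscription required")

    # Assumption: a key that is neither a product nor an API subscription is rejected.
    return Resolution(401, None, (), "unrecognised subscription key")


# Constructed setup mirroring the question: the Finance API has Subscription
# required cleared and sits in both products. Product settings are assumptions.
FINANCE = Api("Finance", requires_subscription=False)
INTERNAL = Product("Internal", requires_subscription=False,
                   apis=frozenset({"Finance"}), policies=("validate-jwt",))
STARTER = Product("Starter", requires_subscription=True, apis=frozenset({"Finance"}))
PRODUCTS = (INTERNAL, STARTER)
PRODUCT_KEYS = {"starter-key-EXAMPLE": "Starter", "internal-key-EXAMPLE": "Internal"}
API_KEYS = {"finance-api-key-EXAMPLE": "Finance"}


def anonymous_call():
    return resolve_scope(FINANCE, PRODUCTS, None, PRODUCT_KEYS, API_KEYS)


def starter_call():
    return resolve_scope(FINANCE, PRODUCTS, "starter-key-EXAMPLE", PRODUCT_KEYS, API_KEYS)


def api_key_call():
    return resolve_scope(FINANCE, PRODUCTS, "finance-api-key-EXAMPLE", PRODUCT_KEYS, API_KEYS)


def no_open_product_call():
    # Both products require a subscription: the open API is still reachable,
    # but no product policies (so no validate-jwt) run on the anonymous call.
    closed_internal = Product("Internal", True, frozenset({"Finance"}), ("validate-jwt",))
    return resolve_scope(FINANCE, (closed_internal, STARTER), None, PRODUCT_KEYS, API_KEYS)


if __name__ == "__main__":
    for fn in (anonymous_call, starter_call, api_key_call, no_open_product_call):
        print(f"{fn.__name__:22} -> {fn()}")
```

The `no_open_product_call` case is the one worth noticing from a defender's view: an API with Subscription required cleared stays reachable without any key, and whether a product-scope validate-jwt policy runs in that case depends entirely on whether some open product includes the API. If the JWT check is the control you rely on, put it at the API scope rather than only on a product.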