When using Azure APIM to add a inbound policy to verify a JWT, the config editor throws the following error:
One or more fields contain incorrect values: Error in element 'validate-jwt' on line 16, column 10: Certificate '' could not be resolved.
I can see it's the issuer-signing-keys node causing the problem as removing it allows it to save.
Here is the example of the policies file:
<policies>
<inbound>
<base />
<validate-jwt header-name="Authorization" require-scheme="Bearer">
<issuer-signing-keys>
<key>YmVlZg==</key>
</issuer-signing-keys>
</validate-jwt>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Thanks in advance for any help
Credit to #Mukesh Kumar
This is a bug we reported on Friday 19th Jun 2020. Recently Microsoft has rolled out a new release that applies to all new instances of APIM. So if you have previously created APIM instance then it would work. We are still awaiting MS to provide hotfix.
Related
I am wondering whether it is possible to specify something like Named value but for each API separately?
So if I have, say foo-API and bar-API I can specify for each a named value-like variable, eg my-url. So now when I create a global policy
<policies>
<inbound>
<base />
<send-request mode="new">
<set-url>{{my-url}}</set-url>
<set-method>POST</set-method>
<set-body>something</set-body>
</send-request>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
but send-request will send request to the API specific URL (eg. different URL for DEV, TEST, PROD)
Not possible. Named values are a global collection, the only workaround is to name them to be descriptive enough, i.e. prefix with API id.
An example of what I am looking for is as follows but the allow-access element does not exist. What can I replace with so that the subscription key is not checked. i.e. in this case it would allow all callers access to the controller as long as they are making GET requests.
<policies>
<inbound>
<base />
<choose>
<when condition="#(context.Request.Method.Equals("GET"))">
<allow-access />
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
Any help would be appreciated.
A workaround would be to turn off the Requires subscription setting on the product and check the subscription key in the inbound policy by yourself. Here is an example of how to do it.
Go to Settings of Starter product.
Uncheck Requires subscription and save.
Open the policies of the product and add the following policy to the inbound. The value of <check-header> policy is the subscription key of the Starter product.
<choose>
<when condition="#(!context.Request.Method.Equals("GET"))">
<check-header name="Ocp-Apim-Subscription-Key" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
<value>920b4e307f4f41ff9bd4a3bd6a5450ee</value>
</check-header>
</when>
</choose>
I'm trying to create a request with parameters in Azure API Management.
I have the following API(returns all invoices):
www.apibackend.com/invoice
This API can also handle parameters like this(returns invoice with ID 1):
www.apibackend.com/invoice/1
In my APIM service I've got the following code:
<policies>
<inbound>
<base />
<set-backend-service base-url="www.apibackend.com/" />
<rewrite-uri template="/invoice" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
With the APIM URL(for example: www.apim.com/test/GetInvoices) I can make the following request to my backend:
www.apibackend.com/invoice
This will return all the invoices, but how do I only retrieve the invoice with ID 1? If i make the request "www.apim.com/test/GetInvoices/1" I will get an error.
Hope someone can help!
In APIM change your Operation template to GetInvoices/{id} then in policies you'll be able to do:
<rewrite-uri template="/invoice/{id}" />
https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-policies
<policies>
<inbound>
<!-- statements to be applied to the request go here -->
</inbound>
<backend>
<!-- statements to be applied before the request is forwarded to
the backend service go here -->
</backend>
<outbound>
<!-- statements to be applied to the response go here -->
</outbound>
<on-error>
<!-- statements to be applied if there is an error condition go here -->
</on-error>
</policies>
When do we use backend sections in the policy?
Looks like setting the backend url using is also done on <inbound> node only.
Thanks for your time.
that part is used to do any transforms\checks on the request before forwarding it to the backend, for example I was adding headers to the request and validating oauth tokens.
I am trying to set the policy for service fabric but I get the following error
One or more fields contain incorrect values: Error in element
'set-backend-service' on line 16, column 10: Backend with id
'servicefabric' could not be found.
Where do i set the backend id
<policies>
<inbound>
<base />
<set-backend-service backend-id="servicefabric" sf-service-instance-name="fabric:/Medivet.MicroServices/Medivet.WebApi" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
There is still no UI to manage backends. Will have to use API: https://learn.microsoft.com/en-us/rest/api/apimanagement/2019-01-01/backend