azApim - klagan/learning GitHub Wiki

What is an APIM?

Azure API Management (APIM) is a service for publishing APIs and controlling access to them. It sits in front of the backends, controls the flow of traffic and orchestrates backend calls, and can enforce quota limits and throttle calls where required, which helps tune the service for each consumer.

Auth server vs Identity server


OAuth2

  • Utilises an authorisation server
  • Used for token acquisition by the developer console when running API calls

Identity

  • Utilises an authentication and authorisation server
  • Used for user login to the developer console


Event hub integration


Sample policy

<policies>
    <inbound>
        <base />
        <cors>
            <allowed-origins>
                <origin>*</origin>
            </allowed-origins>
            <allowed-methods>
                <method>*</method>
            </allowed-methods>
            <allowed-headers>
                <header>*</header>
            </allowed-headers>
            <expose-headers>
                <header>*</header>
            </expose-headers>
        </cors>
        <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized API Call" require-expiration-time="true" require-signed-tokens="true">
            <openid-config url="https://login.microsoftonline.com/aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc/v2.0/.well-known/openid-configuration" />
            <audiences>
                <audience>aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc</audience>
            </audiences>
            <issuers>
                <issuer>https://login.microsoftonline.com/aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc/v2.0</issuer>
            </issuers>
        </validate-jwt>
        <set-backend-service backend-id="coreapi-backend" />
    </inbound>
    <backend>
        <forward-request />
    </backend>
    <outbound />
    <on-error />
</policies>

Scopes vs Roles

Scopes
  • a user grants consent of permissions to access client resources to an application
  • an application asks consent of permissions to access user data

Roles
  • an application designates a user against a role
  • an application sets a user role


using System.Collections.Generic;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Mvc;
using Microsoft.Identity.Web.Resource;   // provides the VerifyUserHasAnyAcceptedScope extension

[Authorize]
public class TodoListController : Controller
{
    /// <summary>
    /// The web API will accept only tokens 1) for users, 2) that have the `access_as_user` scope for
    /// this API.
    /// </summary>
    static readonly string[] scopeRequiredByApi = new string[] { "access_as_user" };

    // GET: api/values
    [HttpGet]
    public IEnumerable<TodoItem> Get()
    {
        // Throws (the response becomes 403) when the token's scp claim carries none of the accepted scopes.
        HttpContext.VerifyUserHasAnyAcceptedScope(scopeRequiredByApi);
        // Do the work and return the result.
        // ...
    }
    ...
}
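The checks that the validate-jwt policy above performs (signed token, expiry, issuer, audience) together with the scope check from the controller, carried out by hand as an added example; this is not code from the wiki or from Microsoft's sample. It uses only the standard library and assumes HS256 with a constructed shared secret in place of the RS256 keys that the policy fetches through the openid-config's jwks_uri. Issuer and audience are the placeholder values from the sample policy, and `scp` is the claim that holds delegated scopes in v2.0 access tokens.

```python
# Added example: the rules behind validate-jwt and VerifyUserHasAnyAcceptedScope, by hand.
# Assumption: HS256 with a constructed shared secret stands in for Entra ID's RS256 signing keys.
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Values taken from the sample policy (the tenant id is the page's placeholder).
EXPECTED_ISSUER = "https://login.microsoftonline.com/aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc/v2.0"
EXPECTED_AUDIENCE = "aaaaaaaa-bbbb-bbbb-bbbb-cccccccccccc"
REQUIRED_SCOPES = {"access_as_user"}   # same as scopeRequiredByApi in the controller
ACCEPTED_ALG = "HS256"                 # pinned; a real gateway pins RS256 and the tenant's keys


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, secret: bytes, alg: str = ACCEPTED_ALG) -> str:
    """Mint a compact JWT for the demo; alg="none" yields an unsigned token for the negative case."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header).encode()) + "."
                     + _b64url_encode(json.dumps(claims).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def validate_token(token: str, secret: bytes, now: Optional[float] = None,
                   required_scopes=REQUIRED_SCOPES) -> Tuple[bool, str]:
    """Return (accepted, reason). Order mirrors the policy: require-signed-tokens,
    require-expiration-time, <issuers>, <audiences>, then the scp scope check."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return False, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(_b64url_decode(header_b64))
        claims = json.loads(_b64url_decode(payload_b64))
        signature = _b64url_decode(sig_b64)
    except ValueError:  # binascii.Error, JSONDecodeError and UnicodeDecodeError all derive from it
        return False, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed token"
    # require-signed-tokens: the algorithm is pinned, so alg=none or a swapped alg is rejected
    if header.get("alg") != ACCEPTED_ALG:
        return False, "unsigned or unexpected algorithm"
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    # require-expiration-time: exp must be present and still in the future
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        return False, "missing exp"
    if now >= exp:
        return False, "token expired"
    if claims.get("iss") != EXPECTED_ISSUER:
        return False, "issuer mismatch"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if EXPECTED_AUDIENCE not in audiences:
        return False, "audience mismatch"
    # scp is a space-separated string in v2.0 access tokens; any one accepted scope suffices
    granted = set(str(claims.get("scp", "")).split())
    if not granted & set(required_scopes):
        return False, "missing required scope"
    return True, "ok"


if __name__ == "__main__":
    secret = b"constructed-demo-secret"   # constructed for the demo
    now = time.time()
    claims = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "exp": now + 600, "scp": "access_as_user"}
    print(validate_token(make_token(claims, secret), secret))                     # (True, 'ok')
    print(validate_token(make_token(dict(claims, scp="user.read"), secret), secret))
```

Each rejection reason corresponds to one policy attribute or element, which is useful when reading APIM's 401 responses: a token that reaches the scope check has already passed signature, expiry, issuer and audience validation, so "missing required scope" points at the app registration's exposed scopes rather than at the gateway configuration.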

Soft delete/purging apim

# retrieve an az cli token (az rest attaches the CLI's own token to management.azure.com URLs,
# so this is only needed if the same calls are made with curl)
TOKEN=$(az account get-access-token --query accessToken --output tsv)

# show a soft-deleted apim service by name
az rest --method GET --url 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/locations/{location}/deletedservices/{serviceName}?api-version=2020-06-01-preview'

# purge the deleted service
az rest --method DELETE --url 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/locations/{location}/deletedservices/{serviceName}?api-version=2020-06-01-preview'

# purge ALL the deleted services
az rest --method DELETE --url 'https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.ApiManagement/locations/{location}/deletedservices?api-version=2020-06-01-preview'