Access denied due to missing subscription key

To test a functionapp api which I put behind APIM, I copied the URL and tried to trigger a request using Postman, but got following error:
access denied due to missing subscription key

Why it happened


 It is one of the basic features APIM offers – security, only authorized users can send request to an API, unless explicitly allowed. Here the error returned by APIM engine is about missing Subscription Key, which is used to access the service (authorization).
Subscription Key - In APIM each set of APIs are part of a Product and users need to subscribe to that product before they can access the APIs within it. The subscription has a primary and secondary key and one of these needs to be passed in the header of the request to the APIM. Thus securing your API from being called by anyone without a subscription key
This happens in either of the scenario
  1. The API which is called is not part of any Product
  2. The request send to the APIM url does not have the subscription key in the header


For me it was the first case, where I missed to add the API to a product.

What to do
The very first step is to add the API to product, get the key and add it to header while making call. 
copy subscription key

Add key in header 

Request without a key are stopped at the APIM gateway, never reaching your API backend
What if you want to allow public access to it ? In that case you simply uncheck the Remove Subscription and can make call without key. 
Adding new product in APIM

Below is the result of calling APi in Test Product without subscription key through postman





Related Post


ServerLess360



Comments

Post a Comment

Popular posts from this blog

Getting Started with Logic Apps - XML to EDI X12

Image
Continuing from last post where I explained the basics of EDI and EDI X12 standards , let’s  see how we can enable EDI communication with Logic Apps Logic Apps and EDI together Earlier it was BizTalk from Microsoft which has all capabilities around Enterprise Application Integration(EAI) and Electronic Data Interchange (EDI)(which is server product) but with the cloud shift where everything is desired as service, Microsoft provided Logic Apps to cater the integration needs for cloud users and it is continuously getting matured (most of BizTalk capabilities already added). Read more about  Logic App Fundamentals To enable the logic apps to be leveraged in Business to Business EDI communication Microsoft introduced Enterprise Integration Pack,  which adds B2B capabilities like AS2 and X12, EDI standards support , XML capabilities like XML Validation, XSLT Transformation, Flat file to XML encode/decode etc.(Available as actions in Logic app e.g., AS2 De...
Read more

Getting Started with Logic Apps - AS2

Image
What is AS2? Every enterprise requires some kind of product, service or counselling from another enterprises thus there happens a B2B(business to business) communications, some of the communication is unique whereas most of the communications are common for most of the enterprises e.g., Purchase Order. But every enterprise has there own way(format) of sending the messages, leading to difficult management when number of partners increased.  Considering this the Enterprise leaders decided to have some standards/rules defined across the communication leading to B2B protocol standards which provide guidelines for trading partners to follow when conducting business between enterprises. EDI X12, EDIFACT, TRADACOM etc. AS2 stands for Applicability Statement 2 and is a B2B messaging protocol used to transmit Electronic Data Interchange (EDI)/Business documents from one organization to another. So EDI standards define how to format data and AS2 specifies how to securely transport...
Read more

The request has both SAS authentication scheme and 'Bearer' authorization scheme. Only one scheme should be used

Image
While doing testing after doing a POC on Securing Logic App with Azure Active Directory authentication , where I have put logic app behind APIM and before passing the request to logic app, apim does validation of the token.  I was encountered with an error "The request has both SAS authentication scheme and 'Bearer' authorization  scheme.  Only one scheme should be used." Why it happened After validating the token which is part of the header i.e. Authorization, APIM forwards the request as it is to backend. As  Logic app is configured as  back end , it's url already consist of SAS signature plus the request also has Authorization section and this is the problem. By default every request endpoint on a logic app has a Shared Access Signature (SAS) in the endpoint's URL, which follows this format: https://<request-endpoint-URI>sp=<permissions>sv...
Read more