Azure API Management is Microsoft’s turnkey solution for administering and publishing APIs to external and internal customers, and for many development teams it is part of the whole lifecycle of an API: specification, development, test, production, monetization, support, and so on. But exactly when are you ready to release a version of your new API to the public (or even to a limited set of users)?
I see many teams using Azure API Management quite early in the API lifecycle (specification, dev, test), but by default Azure API Management exposes the API specifications (Swagger/WSDL) and API documentation to everyone through the Developer Portal, and even lets visitors try the API from there. When crafting your API in its very early stages, you often don’t want to share specifications and documentation with anyone outside your team, mostly because the API will change rapidly during those phases and you don’t want your (potential) users to spend their valuable time on something that might change tomorrow. So, is there a good way to control this?
In this blog post, I will show you how to configure and control access to API specifications and API documentation in the Developer Portal.
By default, anonymous users can access your API documentation and API specifications (Swagger/WSDL) in the Developer Portal. That might not be what you want, and a straightforward way to solve this is simply to force all users to sign in before accessing the Developer Portal. Note that this setting governs only the Developer Portal: requests to the gateway itself are still controlled by subscription keys and your policies, not by portal sign-in.
The following steps will show you how:
Step 1: Sign in to the Azure Portal and open your Azure API Management instance
Step 2: Once you are inside the API Management blade in Azure Portal, click on ‘Identities’ in the left-side menu.
Step 3: Now click on ‘Settings.’
Step 4: Finally, put a checkmark in “Redirect anonymous users to sign-in page” and click “Save.”
Step 5: When you open the Developer Portal, you will instantly be redirected to the sign-in page.
Now that we can require that users are signed in, we can start to look at the types of users we want to permit access to the Developer Portal.
Requiring sign-in is not, on its own, an access control. With the default “Username and password” provider, any anonymous user can create a new account, complete e-mail verification and instantly gain access to your API documentation and specifications. So how do you control who exactly is accessing your Developer Portal?
The most effective thing you can do is to remove the possibility for users to sign in with username/password altogether.
This gives two advantages:
This is how it is done:
Step 1: Click on “Identities” in the left-side menu
Step 2: Click on the “…”-button under the provider type called “Username and password.”
Step 3: Click the “Delete”-button and click “Yes” to the confirmation pop-up.
Step 4: Finally, open the Developer Portal and see that sign-in is disabled for external users. If your own developers still need to sign in, add an identity provider you control (for example Azure AD) under “Identities” before removing username/password, so that only accounts in that directory can reach the portal:
Developer Portal is showing that sign-in is disabled.
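Both procedures above are clicked through in the Azure Portal. The following Python script is an added example, not code from the original post, that expresses the same two changes as ARM calls and audits the resulting state, so you can check an instance (or a whole estate) without opening the portal. It assumes that the “Redirect anonymous users to sign-in page” checkbox is the `portalsettings/signin` resource (`properties.enabled`) and that the “Username and password” provider maps to the `portalsettings/signup` resource (`properties.enabled`); both mappings are assumptions, as are the resource names and the sample settings document, which is constructed rather than captured. The audit runs offline; `apply_with_az()` needs an `az login` session.

```python
"""Audit and harden Developer Portal access for an Azure API Management instance.

Added example, not code from the original post. Assumptions it rests on:
  * "Redirect anonymous users to sign-in page" is the ARM resource
    .../portalsettings/signin (properties.enabled), and the "Username and
    password" provider in the Identities blade corresponds to
    .../portalsettings/signup (properties.enabled);
  * `az login` has been run if you call apply_with_az(); the audit is offline.
"""
import json
import subprocess
from dataclasses import dataclass

API_VERSION = "2021-08-01"  # assumption: an ApiManagement ARM API version that has portalsettings

# Constructed sample: the shape of GET .../portalsettings on a freshly created instance
# (anonymous read allowed, self-service sign-up allowed). Not real captured output.
DEFAULT_PORTALSETTINGS = {
    "value": [
        {"name": "signin", "properties": {"enabled": False}},
        {"name": "signup", "properties": {"enabled": True}},
        {"name": "delegation", "properties": {"subscriptions": False, "userRegistration": False}},
    ]
}


@dataclass(frozen=True)
class PortalExposure:
    anonymous_read: bool       # specs and docs readable without signing in
    self_service_signup: bool  # anyone can register with username/password and then read them
    level: str                 # "anonymous" | "self-service" | "restricted"


def classify(settings: dict) -> PortalExposure:
    """Map the portalsettings collection to the three states the post walks through."""
    props = {item["name"]: item.get("properties", {}) for item in settings.get("value", [])}
    # Defaults mirror a new instance: redirect off, sign-up on.
    redirect_anon = bool(props.get("signin", {}).get("enabled", False))
    signup = bool(props.get("signup", {}).get("enabled", True))
    if not redirect_anon:
        level = "anonymous"       # step 1 not done: everyone can read
    elif signup:
        level = "self-service"    # sign-in required, but anyone can create an account
    else:
        level = "restricted"      # only identities you provision can get in
    return PortalExposure(anonymous_read=not redirect_anon, self_service_signup=signup, level=level)


def settings_url(subscription_id: str, resource_group: str, service_name: str, setting: str) -> str:
    return (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/resourceGroups/{resource_group}/providers/Microsoft.ApiManagement"
        f"/service/{service_name}/portalsettings/{setting}?api-version={API_VERSION}"
    )


def hardening_requests(subscription_id: str, resource_group: str, service_name: str) -> list:
    """The two portal procedures as ARM PUTs: force sign-in, then drop username/password sign-up."""
    return [
        ("put", settings_url(subscription_id, resource_group, service_name, "signin"),
         {"properties": {"enabled": True}}),
        ("put", settings_url(subscription_id, resource_group, service_name, "signup"),
         {"properties": {"enabled": False}}),
    ]


def apply_locally(settings: dict, requests: list) -> dict:
    """Simulate the PUTs against a settings collection so their effect can be audited offline."""
    props = {item["name"]: dict(item.get("properties", {})) for item in settings.get("value", [])}
    for _method, url, body in requests:
        name = url.rsplit("/", 1)[1].split("?", 1)[0]  # ".../portalsettings/<name>?api-version=..."
        props.setdefault(name, {}).update(body["properties"])
    return {"value": [{"name": n, "properties": p} for n, p in props.items()]}


def apply_with_az(requests: list) -> None:
    """Send the PUTs through the Azure CLI (`az rest`), which reuses your az login token."""
    for method, url, body in requests:
        subprocess.run(
            ["az", "rest", "--method", method, "--url", url, "--body", json.dumps(body)],
            check=True,
        )


if __name__ == "__main__":
    before = classify(DEFAULT_PORTALSETTINGS)
    reqs = hardening_requests("<subscription-id>", "<resource-group>", "<apim-name>")
    after = classify(apply_locally(DEFAULT_PORTALSETTINGS, reqs))
    print(f"before: {before.level}, after: {after.level}")
    # With real names and an az login session, apply for real:
    # apply_with_az(reqs)
```

The middle state, “self-service”, is the one to look for in an audit: it is what you get after step 1 alone, and it looks safe in a screenshot while still letting anyone register and read the specifications.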
In this blog post, I have shown you how to handle anonymous access to your API documentation and specifications in Azure API Management via the Developer Portal. But are there ways to gain even more granular control over how content is presented in the Developer Portal? The answer is yes! In a future blog post I will show you how to restrict access to individual widgets and pages in the Developer Portal. So stay tuned…