问题
I have a composition API that is registered inside Azure API Management that is called by external clients, this composition service will call other APIs which are also registered inside API Management and also need a subscription key
Question Is there guidance or best practises for managing subscription keys in my type of composition scenario using Azure API Management
回答1:
Not sure what you mean by guidance. There are a few things to keep in mind:
- Make sure your subscription keys do not collide. I.e. if Composition APIM passes subscription key used to call it to backend APIM you're likely to get 401. So you need to make sure to either remove key at composition APIM during processing time, or overwrite it with another key intended to backend APIM.
- You can protect against it by using different header/query parameter names for subscription keys at composition and backend APIMs. See subscriptionKeyParameterNames here: https://docs.microsoft.com/en-us/rest/api/apimanagement/api/createorupdate
- Use Named values to manage secrets. You can create a named value, mark it as secret and use it inside policy without revealing it's value.
来源:https://stackoverflow.com/questions/51290489/managing-multiple-subscription-keys-inside-a-composition-service