I’ve recently started getting to grips with the API Management service in Azure which seems to be a good way of managing access to resources and to document their usage.

Part of this is the Developer Portal which acts as a centralized store of knowledge for using your APIs which also provides a UI for querying them and the ability to request access to resources. This is all very useful but one part of the Developer Portal that’s a staggeringly bad idea is that ANYONE can go to the portal page and signup to use your APIs once they’ve validated their email.

This may be fine if your APIs are just returning publicly available data such as train timetables but is a terrible idea if you’re using them to allow clients to access to APIs which return confidential data as after signing up anyone can access this.

After a lot of hunting around it seems that there is a way to prevent people being able to sign up to use your APIs on the Developer Portal but it’s certainly not obvious.

Redirect

The first part of fixing this is to remove the provider type of “Username and password” and to add something more secure such as “Azure Active Directory”. Once that’s done you should update the settings for your identities to redirect anonymous users to your sign-in page.

Once done you then need to disable the signup page completely, there doesn’t seem to be a setting in the portal for this so you need to use the REST API and set the enabled status to false. This can be done with the following request (though it’s probably easiest to do it using the “Try It” functionality in the above link).

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/portalsettings/signup?api-version=2019-12-01

  "properties": {
    "enabled": false

This disables the signup process and prevents it from being linked to in the developer portal but it is still possible to get there directly via URL. In order to remove the page as well you first need to list all page content items using the REST API.


Using the signup page IDs returned by this query you can then use the REST API to delete the “Sign up” and “Sign up with OAuth” pages.



Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *