I’ve recently started getting to grips with the API Management service in Azure which seems to be a good way of managing access to resources and to document their usage.

Part of this is the Developer Portal which acts as a centralized store of knowledge for using your APIs, which also provides a UI for querying them and the ability to request access to resources. This is all very useful, but one part of the Developer Portal that’s a staggeringly bad idea is that ANYONE can go to the portal page and sign up to use your APIs once they’ve validated their email.

This may be fine if your APIs are just returning publicly available data such as train timetables, but is a terrible idea if you’re using them to allow clients to access APIs which return confidential data, as after signing up anyone can access this.

After a lot of hunting around it seems that there is a way to prevent people being able to sign up to use your APIs on the Developer Portal but it’s certainly not obvious.

Sign-In Redirect

The first part of fixing this is to remove the provider type of “Username and password” and to add something more secure such as “Azure Active Directory”. Once that’s done you should update the settings for your identities to redirect anonymous users to your sign-in page.

Once that’s done you then need to disable the signup page completely. There doesn’t seem to be a setting in the portal for this, so you need to use the REST API and set the enabled status to false. This can be done with the following request (though it’s probably easiest to do it using the “Try It” functionality in the above link).

PATCH https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.ApiManagement/service/{serviceName}/portalsettings/signup?api-version=2019-01-01

{
  "properties": {
    "enabled": false
  }
}
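To script the same change and confirm it took effect, here is an added example (not code from the original post or from Microsoft) that sends the PATCH above, then reads the signup and sign-in settings back and reports anything that would still let anonymous users register. It assumes an ARM bearer token in the ARM_TOKEN environment variable (for example from `az account get-access-token --resource https://management.azure.com/`) and that the sign-in setting exposes the same `properties.enabled` flag as the signup one.

```python
import json
import os
import sys
import urllib.request

# Added example, not from the original post. Assumes a bearer token for the
# Azure Resource Manager API in the ARM_TOKEN environment variable.
API_VERSION = "2019-01-01"


def portal_setting_url(subscription_id, resource_group, service_name, setting):
    """Build the ARM URL for a developer-portal setting ('signup' or 'signin')."""
    return (
        "https://management.azure.com/subscriptions/%s/resourceGroups/%s"
        "/providers/Microsoft.ApiManagement/service/%s/portalsettings/%s"
        "?api-version=%s" % (subscription_id, resource_group, service_name, setting, API_VERSION)
    )


def audit_portal_settings(signup, signin):
    """Return findings for the JSON bodies of the signup and signin settings.
    An empty list is the state the post recommends: self-registration is off
    and anonymous users are redirected to the sign-in page. A missing flag is
    treated as the insecure default so it is never silently passed."""
    findings = []
    if signup.get("properties", {}).get("enabled", True):
        findings.append("signup is enabled: anyone with a mailbox can register")
    if not signin.get("properties", {}).get("enabled", False):
        findings.append("anonymous users are not redirected to the sign-in page")
    return findings


def arm_request(method, url, body=None):
    """Send an authenticated ARM request and return the parsed JSON response."""
    headers = {"Authorization": "Bearer " + os.environ["ARM_TOKEN"]}
    data = None
    if body is not None:
        headers["Content-Type"] = "application/json"
        data = json.dumps(body).encode()
    req = urllib.request.Request(url, data=data, headers=headers, method=method)
    with urllib.request.urlopen(req) as resp:
        return json.loads(resp.read() or b"{}")  # PATCH may return an empty body


def disable_signup_and_verify(subscription_id, resource_group, service_name):
    """PATCH signup to disabled, then read both settings back and audit them."""
    signup_url = portal_setting_url(subscription_id, resource_group, service_name, "signup")
    signin_url = portal_setting_url(subscription_id, resource_group, service_name, "signin")
    arm_request("PATCH", signup_url, {"properties": {"enabled": False}})
    return audit_portal_settings(arm_request("GET", signup_url), arm_request("GET", signin_url))


if __name__ == "__main__":  # usage: script.py <subscriptionId> <resourceGroup> <serviceName>
    print(disable_signup_and_verify(*sys.argv[1:4]) or ["ok: signup disabled, anonymous users redirected"])
```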

One caveat is that at the time of writing this the developer portal is being updated, and the above API call only seems to disable signup in the legacy version and not the new version. Azure AD authentication also doesn’t seem to work in the new version as the redirect URI is incorrect, but hopefully both these issues will be fixed when the migration is completed on 11/11/2019.
