'Policy to validate API Subscription Key received in Request Body from Google Ads Lead Form Extension using Webhook integration

Azure API Management checks for Subscription Key in either the Header or Query, but Google Ads Lead Form extension sends the key in the request body google_key

Sample body:

    {
  "lead_id": "TeSter-123-ABCDEFGHIJKLMNOPQRSTUVWXYZ-abcdefghijklmnopqrstuvwxyz-0123456789-AaBbCcDdEeFfGgHhIiJjKkLl",
  "api_version": "1.0",
  "form_id": 2,
  "campaign_id": 281492028602095,
  "google_key": "HERE IS THE KEY",
  "is_test": true,
  "gcl_id": "TeSter-123-ABCDEFGHIJKLMNOPQRSTUVWXYZ-abcdefghijklmnopqrstuvwxyz-0123456789-AaBbCcDdEeFfGgHhIiJjKkLl",
  "adgroup_id": 20000000000,
  "creative_id": 30000000000
}

How can we configure a custom policy in Azure API Management to validate the key in the request body?

azure-api-management


Solution 1:[1]

There is built-in architecture in Azure API Management to validate subscription keys that cannot be accessed outside of the built-in Subscription validation.

To use validate the subscription, I created two APIs in Azure API Management. 1 has no security, 2 is secured by Subscription Key and is rate limited.

  1. Restructure the request by Appending the Key to the Request Header and removing it from the Request Body

    <inbound>
<base />
<set-header name="google_key" exists-action="append">
    <value>@{
            var reqBody = context.Request.Body.As<JObject>(preserveContent: true);
            if(reqBody.ContainsKey("google_key"))
            {
                return reqBody.GetValue("google_key").ToString();
            }
            else
            {
                return "";
            }
        }</value>
</set-header>
<set-body template="none">@{
            var reqBody = context.Request.Body.As<JObject>(preserveContent: true);

            if(reqBody.ContainsKey("google_key"))
            {
                reqBody.Remove("google_key");
            }
            return JsonConvert.SerializeObject(reqBody);
}</set-body>

  2. Send the restructured request to the secured API which validates the subscription key. Screenshot of Azure API Management Backend definition

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 sbitaxi

Related Questions

API Management with GIT and Octopus - Git PUSH / Git PULL

Need to modify request payload in Azure APIM set body to send modified request body to BE

Azure api management returns status 500 after enabling "assignment required" on Azure function Enterprise application properties

Azure API Management - Versioning

What are main difference between Subscription Key and OAth 2.0 in Azure API Management?

how to check value passed in header is Guid or not in azure APIM policy if not throw bad request

Azure api works locally but not in Azure deployment, for the endpoint which need data from Azure sql db. Endpoint with hardcoded data is fine though

How can I disable gzip compression on requests going through APIM?

APIM liquid How to check that the coming request include specific header?

How to get Pull Requests associated with a Work Item via the Azure DevOps API

Getting authentication failed error when calling APIM API which has Product scope from postman

Getting error while accessing Azure API developer portal while using Azure Application Gateway with Azure API Management service

Access-Control-Allow-Origin is added to the header when request is made from Python(Google Colab), but not when the request is made from ReactJS

Update Azure APIM Name (Api.Id) after cloning using Azure Portal?

Azure api management ssl certificate must have a private key