Secure API

As noted, the API from your backend system is currently fully accessible without any restrictions. In a production scenario, the backend should always be protected by a standard authentication mechanism such as basic authentication, SAML, OAuth or JWT. API Management can act as a “security mediation” layer: it checks whatever kind of credential the consumer presents and then passes it on to the backend in the required format, using predefined policies. In our scenario, we will keep things simple: you will add an API key verification, which makes sure that the consumer is allowed to access the API. Note that this alone is not sufficient to properly secure your API, since API keys can be extracted from client applications (reverse engineering) or captured by network sniffers (SSL is not required when using an API key, unlike OAuth, for example).

  1. Find your _MSO_API under Configure -> APIs and select it to open the API viewer. Use the search facility if necessary.


Update the _MSO_API by adding the verify API Key Policy

  1. Select Policies to open the policy editor, then select Edit to make changes.

  2. Click on ProxyEndpoint and PreFlow in the “Flows” panel on the left and select the Verify API key security policy.

  3. Enter VerifyAPIkey as Policy Name and click Add.


    Note

    In the configuration pane under the policy, we will now define where the API key comes from.
  4. Replace the value of the ref property of the APIKey tag with the following value: request.queryparam.apikey

    Here is the complete XML configuration of the policy in case you need it:

    Code Snippet

    <VerifyAPIKey async='true' continueOnError='false' enabled='true' xmlns='http://www.sap.com/apimgmt'>
      <APIKey ref='request.queryparam.apikey'/>
    </VerifyAPIKey>


    Note

    This tells the proxy to look for the API key in the HTTP request query parameter called apikey.
  5. Click on Update in the policy editor, then on Save in the API proxy and finally on Deploy.

  6. Test your policy by using the link of the API Proxy, as you did previously. API Management now returns an error telling you that no parameter with the name “apikey” has been found.


    The error message reads:

    Code Snippet

    {
      "fault": {
        "faultstring": "Failed to resolve API Key variable request.queryparam.apikey",
        "detail": {
          "errorcode": "steps.oauth.v2.FailedToResolveAPIKey"
        }
      }
    }
  7. At the end of the URL of your API, add the following text: ?apikey=12345. This adds the apikey parameter with a dummy value to the request. Now execute your request again.

    Code Snippet

    {
      "fault": {
        "faultstring": "Invalid ApiKey",
        "detail": {
          "errorcode": "oauth.v2.InvalidApiKey"
        }
      }
    }

    Note

    As you can see, the error message is now different: API Management has found the API key, but its verification failed.
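The three outcomes you just observed (variable not resolved, key found but invalid, key accepted) can be reproduced offline with a small simulation of what the VerifyAPIKey policy does. The following Python script is an added example written for this tutorial; it is not SAP API Management code and does not talk to the platform. It assumes a constructed key store (a dict standing in for the applications registered to your API product), resolves only the `request.queryparam.*` variable namespace, and returns fault bodies shaped like the ones above. It also shows the caveat from the start of this lesson from the defender's side: a key carried in the query string lands in access logs, so the example includes a redaction helper for log lines.

```python
import hmac
import json
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# Constructed key store for this example: in API Management the valid keys are
# those of applications subscribed to the product; here a dict stands in for that.
VALID_API_KEYS = {"a1b2c3d4e5f6": "demo-app"}  # constructed key -> application name


def fault(faultstring, errorcode):
    """Build a fault body in the same shape as the responses shown in the tutorial."""
    return {"fault": {"faultstring": faultstring, "detail": {"errorcode": errorcode}}}


def resolve_variable(url, ref):
    """Resolve a policy variable reference such as 'request.queryparam.apikey'
    against the request URL. Only request.queryparam.* is modelled (assumption)."""
    prefix = "request.queryparam."
    if not ref.startswith(prefix):
        raise ValueError("only request.queryparam.* variables are modelled here")
    name = ref[len(prefix):]
    values = parse_qs(urlsplit(url).query).get(name)
    return values[0] if values else None  # None when the parameter is absent or empty


def verify_api_key(url, ref="request.queryparam.apikey"):
    """Simulate the VerifyAPIKey policy for one request.
    Returns (http_status, body): 200 with the application name on success,
    401 with a fault body otherwise."""
    key = resolve_variable(url, ref)
    if key is None:
        return 401, fault(f"Failed to resolve API Key variable {ref}",
                          "steps.oauth.v2.FailedToResolveAPIKey")
    # Constant-time comparison so response timing does not reveal how many
    # leading characters of a guessed key matched a real one.
    for known, app in VALID_API_KEYS.items():
        if hmac.compare_digest(known.encode(), key.encode()):
            return 200, {"application": app}
    return 401, fault("Invalid ApiKey", "oauth.v2.InvalidApiKey")


def redact_query_param(url, name):
    """Replace the value of one query parameter with REDACTED before the URL is
    written to an access log; a key in the query string is otherwise logged in clear."""
    parts = urlsplit(url)
    params = parse_qs(parts.query, keep_blank_values=True)
    if name in params:
        params[name] = ["REDACTED"]
    return urlunsplit(parts._replace(query=urlencode(params, doseq=True)))


if __name__ == "__main__":
    base = "https://apiportal.example.invalid/v1/MSO_API"  # constructed proxy URL
    for url in (base, base + "?apikey=12345", base + "?apikey=a1b2c3d4e5f6"):
        status, body = verify_api_key(url)
        print(f"{redact_query_param(url, 'apikey')} -> {status}")
        print(json.dumps(body, indent=2))
```

The first URL reproduces the "Failed to resolve API Key variable" fault from step 6, the second the "Invalid ApiKey" fault from step 7, and the third passes because the constructed key is in the store. Note that the redacted URL is what should reach your logs; the raw one is what a network sniffer sees when the proxy is called without TLS.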

Congratulations! You are now ready for the next lesson!