无法使用 Azure APIM 交互式门户向后端 API 发送测试请求
使用 Azure 门户,我无法向 Echo API(以及所有其他后端 API)发送测试请求。
发送请求时,我收到以下错误:
HTTP/1.1 401 Access Denied
cache-control: private, s-maxage=0
content-length: 152
content-type: application/json
date: Tue, 12 Apr 2022 05:13:28 GMT
vary: Origin
www-authenticate: AzureApiManagementKey realm="https://AAAA.azure-api.net/echo",name="Ocp-Apim-Subscription-Key",type="header"
{
"statusCode": 401,
"message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."
}
当我勾选“绕过 CORS 代理”复选框并通过 Postman 时,该请求工作正常。
我有以下全局入站 CORS 策略:
<policies>
<inbound>
<cors allow-credentials="true">
<allowed-origins>
<origin>https://AAAA.developer.azure-api.net</origin>
<origin>https://AAAA.azure-api.net</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="300">
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
</inbound>
<backend>
<forward-request />
</backend>
<outbound />
<on-error />
</policies>
以及在 Echo API 上设置的入站基本策略。
我以前没有遇到过这个问题。在 APIM 门户中提交测试请求时如何解决 CORS 错误有什么想法吗?
Using the Azure portal, I’m unable to send test requests to the Echo API (and all other backend APIs).
When sending a request, I’m getting the following error:
HTTP/1.1 401 Access Denied
cache-control: private, s-maxage=0
content-length: 152
content-type: application/json
date: Tue, 12 Apr 2022 05:13:28 GMT
vary: Origin
www-authenticate: AzureApiManagementKey realm="https://AAAA.azure-api.net/echo",name="Ocp-Apim-Subscription-Key",type="header"
{
"statusCode": 401,
"message": "Access denied due to missing subscription key. Make sure to include subscription key when making requests to an API."
}
The request works fine when I tick the “Bypass CORS proxy” checkbox and through Postman.
I have the following global inbound CORS policy:
<policies>
<inbound>
<cors allow-credentials="true">
<allowed-origins>
<origin>https://AAAA.developer.azure-api.net</origin>
<origin>https://AAAA.azure-api.net</origin>
</allowed-origins>
<allowed-methods preflight-result-max-age="300">
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
</inbound>
<backend>
<forward-request />
</backend>
<outbound />
<on-error />
</policies>
and the inbound base policy set on the Echo API.
I haven't expereinced this problem previously. Any ideas how I can bupass the CORS error while submitting test request in the APIM portal?
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(3)
在此未经授权错误的故障排除步骤(401)在调用API时在Azure中,清楚地提到了:
创建APIM时,ECHO API默认情况下将订阅内置订阅。
每个订阅都有两个可以使用的订阅密钥。
方案1 :
默认情况下,Echo API已注册到内置的API All-Actcess订阅,因此它将完美工作,直到订阅键匹配为止:
在创建APIM实例时默认情况下还有2个产品订阅是起动器和无限的。
当API订阅该产品订阅时,将订阅键的订阅密钥应与订阅菜单中可用的原始产品订阅密钥匹配。
在此处,回声API均订阅了产品启动器,并无限地订阅了第1张图像中所示。
该产品订阅已获得一些称为管理员,开发人员和客人的权限。其中任何一个都应该在用户访问API订阅这些产品的情况下。
在第三张图像中,您可以看到API订阅的启动产品,例如Echo API。
如果以上任何解决方案都无法解决问题,请参阅“故障排除步骤文件”文件,提供显示所有产生此特定错误的原因
401未经授权并缺少订阅键与分辨率一起。In this Troubleshooting Steps of Unauthorized errors (401) while invoking APIs in Azure, it is mentioned clearly:
Ocp-Apim-Subscription-Key, this error occurs.When you create the APIM, the Echo API is subscribed to built-in subscriptions by default.
Each subscription has two subscription keys that can be used.
Scenario 1:
By default, Echo API is registered to the Built-in all-access subscription so it will work perfectly until the subscription key is matched:
Scenario 2:
There are 2 more product subscriptions that come by default when an APIM instance is created which are Starter and Unlimited.
When the API is subscribed to that product subscriptions, then the subscription key passing in the header should match with the Original Product Subscription Keys available in the Subscriptions Menu.
Here, the Echo API is subscribed to both the products Starter and Unlimited as shown in 1st Image.
That Product Subscriptions has given with some permissions called Administrators, Developers and Guests. Any one among these should have on the user to access the APIs subscribed these products.
In the 3rd Image, you can see what APIs are subscribed to Starter Product like Echo API.
If any of the above workaround did not solve the issue, please refer the troubleshooting steps doc provided that shows all of the causes that produces this specific error
401 Unauthorized and Missing the Subscription Keyalong with the resolution.旁路CORS选项允许源自任何域的请求。有时,允许跨域访问也可以解决问题。尝试以下给出的Azure跨域策略,以允许从“任何”域访问(您也可以指定域)。
有关详细信息,请参考有关管理跨域访问的MS文档: https://learn.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies
ByPass CORS option allows the requests originating from any domain. Sometime, allowing the cross-domain access also fixes the issue. Try Azure Cross-domain policy as given below to allow access from 'any' domain (you can specify your domain too).
For details refer MS documentation on managing cross domain access : https://learn.microsoft.com/en-us/azure/api-management/api-management-cross-domain-policies
我已与 Microsoft 就此事进行了接触,他们正在调查该问题。根据 MS 的初步调查,“Microsoft Defender for Cloud Apps”创建了一个代理来拦截从 Azure 门户发出的所有请求,并且 MCAS 代理似乎正在删除或修改传出请求中的标头,从而导致此行为。微软已指出以下文档供参考:故障排除 - 内容是 cas.ms、mcas.ms 还是 mcas-gov.us? MS 表示他们没有任何修复的预计时间,并且他们的建议是检查绕过 CORS。代理选项作为暂时的解决方法。
I have engaged with Microsoft on this and they are investigating the issue. As per MS initial investigation “Microsoft Defender for Cloud Apps" creates a Proxy that intercepts all requests going out of Azure portal and it seem like MCAS proxy is either removing or modifying headers from the outgoing request thus causing this behaviour. Microsoft has pointed to the following document for reference: Troubleshooting - What is cas.ms, mcas.ms, or mcas-gov.us?. MS has advised that they don’t have any ETA for the fix and that they are investigating further. Their recommendation is to check the Bypass CORS proxy option as workaround for the time being.