I have an API for which some endpoints must be JWT protected while others must be API KEY protected (as the client is unable to send a JWT).
I have implemented this with a policy at API level that:
- checks if a given endpoint is API KEY protected and, in this case, verifies that context.Subscription != null (i.e. a valid API KEY has been given) and, if not, returns the 401 response with "Access denied due to missing subscription key..."
- otherwise, the endpoint is JWT protected and it therefore applies a validate-jwt policy

However, for this to work, the product that contains the API should have subscriptionRequired set to False (otherwise the API KEY is mandatory). But doing so apparently cancels the behavior of approvalRequired (defaulting to False), which is not wanted, as we want to keep approval of subscriptions (i.e. when the subscription is created, it should be created in a "submitted" state).
In the documentation of properties.approvalRequired on https://video2.skills-academy.com/en-us/rest/api/apimanagement/2019-12-01/product/get#productcontract, I read:

> whether subscription approval is required. If false, new subscriptions will be approved automatically enabling developers to call the product’s APIs immediately after subscribing. If true, administrators must manually approve the subscription before the developer can any of the product’s APIs. Can be present only if subscriptionRequired property is present and has a value of false.

Would there be a typo in the "has a value of false"?

Is it possible to have the behavior I describe (applying the effect of approvalRequired in all cases, not only when subscriptionRequired is True)? Is there a workaround?