Closed simonkurtz-MSFT closed 2 years ago
@ferantoMSFT, I am going to address this in a PR and will link to this issue.
The only reference to http is in the basePath property in the OpenAPI JSON. There is no reference to https since the backend does not implement https. I suspect the OpenAPI import in APIM makes some assertion on what scheme to use as, by contrast, importing the Petstore API sets the scheme to Both.
Using basePath for the backend URL makes sense to me, but I'm not sure we should do that on the APIM ingress as we want to encourage customers to use HTTPS throughout. Would it make more sense to at least set Both, if not HTTPS, when the import detects HTTP-only? This would also avoid CORS issues.
This may be a question for @mikebudzynski.
@simonkurtz-MSFT I don't have much context here, but the developer portal requires either:
Both options are covered here: https://docs.microsoft.com/en-us/azure/api-management/developer-portal-faq#cors
Hi @mikebudzynski, CORS is set up, but I don't see it as the root cause here. When the swagger.json import occurs, APIM appears to make a decision on what protocols to allow that has a detrimental effect here. If the API definition only has http, as is the case in the CalcAPI, APIM correctly sets the backend protocol to http, but I think it should set the frontend to Both as that would future-proof it, provided a cert is available for the APIM URL. azure-api.net would be on https, and APIM could check whether any and all custom domains that may be used to access the CalcAPI can also run https.
I mitigated this issue via our APIM Lab documentation, and I am comfortable closing it out at this time; however, the root cause continues to exist.
Describe the bug
The screenshot in the documentation on importing the Calculator API shows to set the URL scheme to HTTP. While testing from within APIM itself works and returns a proper 200, using the Developer Portal fails with a CORS issue. Specifically, it's failing due to a mixed-content violation. The Developer Portal itself runs on HTTPS and is attempting to make a call to APIM but fails due to APIM only accepting HTTP.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
The request should be allowed, and a 200 should be returned along with a response body showing the result.
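The mixed-content failure described in this issue can be caught before import. The following is an added example, not part of the original issue or of APIM: it checks a Swagger 2.0 definition against the scheme of the page that will call it. The sample definition, host names and function names are constructed, and it assumes the frontend scheme is taken from the definition's `schemes` field.

```python
import json
from urllib.parse import urlsplit

# Constructed Swagger 2.0 fragment (not the real Calculator API definition).
SAMPLE_SPEC = json.loads("""
{
  "swagger": "2.0",
  "host": "calc.example.test",
  "basePath": "/api",
  "schemes": ["http"]
}
""")


def offered_schemes(spec, fetched_from=None):
    """Schemes the definition offers.

    Swagger 2.0 falls back to the scheme used to fetch the definition
    when "schemes" is absent; fetched_from is that URL, if known.
    """
    schemes = [s.lower() for s in spec.get("schemes", [])]
    if not schemes and fetched_from:
        schemes = [urlsplit(fetched_from).scheme.lower()]
    return schemes


def mixed_content_findings(spec, page_origin, fetched_from=None):
    """Findings for browser calls made from page_origin to this API.

    Loopback hosts, which browsers treat as trustworthy, are not modelled.
    """
    page_scheme = urlsplit(page_origin).scheme.lower()
    schemes = offered_schemes(spec, fetched_from)
    findings = []
    if not schemes:
        findings.append("no scheme declared and source URL unknown")
    elif page_scheme == "https" and "https" not in schemes:
        findings.append("HTTPS page calling an HTTP-only API: blocked as mixed content")
    elif "http" in schemes:
        findings.append("plain HTTP is accepted")
    return findings


if __name__ == "__main__":
    for finding in mixed_content_findings(SAMPLE_SPEC, "https://portal.example.test"):
        print(finding)
```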