Azure / apim-lab

API Management - Hands-on Lab Workshop
https://azure.github.io/apim-lab/
MIT License

Calculator API CORS Issue in Developer Portal Due to Incorrect Protocol for APIM #41

Closed simonkurtz-MSFT closed 2 years ago

simonkurtz-MSFT commented 2 years ago

Describe the bug

The screenshot in the documentation on importing the Calculator API shows to set the URL scheme to HTTP. While testing from within APIM itself works and returns a proper 200, using the Developer Portal fails with a CORS issue. Specifically, it's failing due to a mixed-content violation. The Developer Portal itself runs on HTTPS and is attempting to make a call to APIM but fails due to APIM only accepting HTTP.

To Reproduce

Steps to reproduce the behavior:

  1. Set up the Calculator API as described here.
  2. Go to the Developer Portal and try to make a request to the Calculator API.
  3. Note the CORS error in the response.
  4. Open the browser's developer tools and observe the mixed-content error on the network tab.

Expected behavior

The request should be allowed, and a 200 should be returned along with a response body showing the result.

simonkurtz-MSFT commented 2 years ago

@ferantoMSFT, I am going to address this in a PR and will link to this issue.

simonkurtz-MSFT commented 2 years ago

The only reference to http is in the basePath property in the OpenAPI json. There is no reference to https since the backend does not implement https. I suspect the OpenAPI import in APIM makes some assertion on what scheme to use as, by contrast, importing the Petstore API sets the scheme to Both.

Using basePath for the backend URL makes sense to me, but I'm not sure we should do that on the APIM ingress as we want to encourage customers to use HTTPS throughout. Would it make more sense to at least set Both, if not HTTPS, when the import detects HTTP-only? This would also avoid CORS issues.

This may be a question for @mikebudzynski.

mikebudzynski commented 2 years ago

@simonkurtz-MSFT I don't have much context here, but the developer portal requires either:

  1. Configuring CORS policy on the APIs, or
  2. Enabling the CORS proxy feature

Both options are covered here: https://docs.microsoft.com/en-us/azure/api-management/developer-portal-faq#cors

simonkurtz-MSFT commented 2 years ago

Hi @mikebudzynski, CORS is set up, but I don't see it as the root cause here. When the swagger.json import occurs, APIM appears to make a decision on what protocols to allow that has a detrimental effect here. If the API definition only has http, as is the case in the CalcAPI, APIM correctly sets the backend protocol to http, but I think it should set the frontend to Both as that would future-proof it, provided a cert is available for the APIM URL. azure-api.net would be on https, and APIM could check whether any and all custom domains that may be used to access the CalcAPI can also run https.
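As an added illustration (not code from the apim-lab repository or from either commenter), the script below models the two things discussed in this thread: the backend/frontend protocol sets an OpenAPI 2.0 import yields, including the proposed widening of the frontend to Both when the definition is http-only, and the browser-side checks that produce the symptoms seen in the Developer Portal (the mixed-content block first, then the CORS origin check that mikebudzynski's note refers to). All hosts, origins, paths and both definition documents are constructed placeholders, and the fall-back to https when a definition declares no scheme at all is an assumption, not documented APIM behaviour.

```python
"""Model of the import-time protocol mapping and the browser checks behind
this issue. Added example, not APIM's code; sample documents are constructed
stand-ins, not the lab's actual swagger.json."""
from urllib.parse import urlparse, urlsplit

PORTAL_ORIGIN = "https://contoso.developer.azure-api.net"  # constructed
GATEWAY_HOST = "contoso.azure-api.net"                      # constructed

# Constructed stand-in for the CalcAPI definition: no `schemes` entry, and the
# only scheme hint is an absolute-URL basePath (as the issue observes).
CALC_API_DOC = {
    "swagger": "2.0",
    "info": {"title": "Calculator", "version": "1.0"},
    "host": "calcapi.example.invalid",
    "basePath": "http://calcapi.example.invalid/api",
    "paths": {"/add": {"get": {}}},
}

# Constructed stand-in for Petstore, which declares both schemes explicitly.
PETSTORE_DOC = {
    "swagger": "2.0",
    "info": {"title": "Petstore", "version": "1.0"},
    "host": "petstore.example.invalid",
    "basePath": "/v2",
    "schemes": ["https", "http"],
    "paths": {"/pet": {"get": {}}},
}


def declared_schemes(doc):
    """Schemes an OpenAPI 2.0 document declares: `schemes` if present,
    otherwise the scheme of an absolute-URL basePath, otherwise nothing."""
    if doc.get("schemes"):
        return {s.lower() for s in doc["schemes"]}
    parts = urlsplit(doc.get("basePath", ""))
    if parts.scheme and parts.netloc:  # only a real URL, not "/v2"
        return {parts.scheme.lower()}
    return set()


def import_protocols(doc, proposal=False):
    """Map declared schemes to APIM backend/frontend protocol sets.

    As observed in the issue, the frontend mirrors what the definition
    declares, so an http-only definition yields an http-only frontend.
    With proposal=True the frontend is widened to Both while the backend
    keeps the declared scheme. Defaulting to https when nothing is declared
    is an assumption made for this example.
    """
    schemes = declared_schemes(doc) or {"https"}
    frontend = {"http", "https"} if proposal else set(schemes)
    return {"backend": set(schemes), "frontend": frontend}


def frontend_url(frontend, path):
    """URL the portal's test console would call; prefers https when offered."""
    scheme = "https" if "https" in frontend else "http"
    return f"{scheme}://{GATEWAY_HOST}{path}"


def browser_allows(page_origin, request_url, cors_allowed_origins):
    """Emulate the browser's two gates, in the order they apply.

    1. Mixed content: an https page may not fetch a plaintext http resource.
    2. CORS: for a cross-origin call the gateway must allow the page origin
       (what APIM's <cors> policy or the portal CORS proxy provides).
    Returns (allowed, reason).
    """
    page, req = urlparse(page_origin), urlparse(request_url)
    if page.scheme == "https" and req.scheme == "http":
        return False, "mixed-content"
    if (page.scheme, page.netloc) == (req.scheme, req.netloc):
        return True, "same-origin"
    if page_origin in cors_allowed_origins or "*" in cors_allowed_origins:
        return True, "ok"
    return False, "cors"


def demo(path="/calc/add"):
    """Run the scenarios from the thread and return their outcomes by name."""
    cors_on, cors_off = [PORTAL_ORIGIN], []
    results = {}
    for name, doc, proposal, cors in [
        ("calc-as-imported", CALC_API_DOC, False, cors_on),
        ("calc-frontend-both", CALC_API_DOC, True, cors_on),
        ("calc-frontend-both-no-cors", CALC_API_DOC, True, cors_off),
        ("petstore-as-imported", PETSTORE_DOC, False, cors_on),
    ]:
        url = frontend_url(import_protocols(doc, proposal)["frontend"], path)
        results[name] = browser_allows(PORTAL_ORIGIN, url, cors)
    return results


if __name__ == "__main__":
    for name, (allowed, reason) in demo().items():
        print(f"{name:30s} allowed={allowed} reason={reason}")
```

Running it shows the thread's observation end to end: the http-only CalcAPI import is blocked by the mixed-content rule before CORS is even consulted, so a CORS policy alone cannot fix it, whereas widening the frontend to Both lets the portal use https and the request then succeeds or fails purely on the CORS configuration.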

simonkurtz-MSFT commented 2 years ago

I mitigated this issue via our APIM Lab documentation, and I am comfortable closing it out at this time; however, the root cause continues to exist.