Publish, Protect and Validate OData APIs in API Management
Published Jul 20 2023 11:18 AM
Microsoft

We are excited to announce the public preview of the OData API type in Azure API Management (API Management). OData (Open Data Protocol) is a standard that defines a set of best practices for building and consuming RESTful APIs. OData gained popularity as an industry standard for data integration and interoperability and has been widely adopted by large companies such as SAP, Oracle, Microsoft, and others.

This new capability extends the benefits and capabilities of API Management to OData APIs, including the ability to secure them with standard API protections, such as authentication, authorization, and rate limiting, in combination with OData-specific policies for request validation. First-class support for OData makes it easier for customers to publish OData APIs in API Management, eliminating the need to first convert OData metadata to OpenAPI. The rest of this blog shows how simple and quick it is to onboard and protect an OData API with API Management.

 

An example: Importing and protecting an OData API from SAP

I will be using the publicly available SAP Gateway Demo system ES5, which provides a practical, working OData service with a dataset containing a list of items of a sales order from the Enterprise Procurement demo data. It contains EntitySets such as:

  • BusinessPartnerSet
  • ProductSet
  • SalesOrderSet
  • SalesOrderLineItemSet

 

Export an OData metadata file and create an OData API

I exported the OData metadata file from the update-enabled SAP Gateway Demo API “GWSAMPLE_BASIC”, and now I can import it as an OData API into API Management.

To create an OData API within the Azure API Management service:

  • Open the Azure Portal in your browser
  • Select your Azure API Management service or create a new one
  • Select the APIs blade
  • Select +Add API
  • Fill in the form:
    • Choose a Display name (sap-odata-test)
    • The name field will auto-fill with a suitable name
    • Select the file that contains the metadata for an API
    • Choose an API URL suffix (sap-odata-test)
  • Select Create to create the API

After the API is created, the entity sets and functions appear on the API’s schema tab.

 


 

 

Add policy for an OData request validation

With the introduction of the OData API type in Azure API Management, we added the new `validate-odata-request` policy, which validates the request URL, headers, and parameters of a request to an OData API to ensure conformance with the OData specification. Now I can add an OData request validation policy to the imported SAP Gateway Demo API:

  • Select the API Policies tab
  • Select </> in the Inbound processing section to edit the policy
  • Add a <validate-odata-request> element to the policy definition

 

<policies> 
    <inbound> 
        <validate-odata-request default-odata-version="4.01" min-odata-version="4.0" max-odata-version="4.01" /> 
        <base /> 
    </inbound> 
… 
</policies> 

 

  • The resulting policy should look like the snippet above

  • Select Save to apply changes to the policy 

If I request an EntitySet with a non-existent property, API Management validates the request and returns an error. I will send a request for ProductSet with a property ‘Name1’ using Postman.

The request was validated by Azure API Management, and I received a response stating that the property could not be found.

 

{ 
    "statusCode": 400, 
    "message": "Could not find a property named 'Name1' on type 'GWSAMPLE_BASIC.Product'." 
} 
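
An added illustration (not code from the original post, and not how API Management implements the policy) of the kind of metadata-driven check behind this response: it validates `$select` property names against the service metadata before a request would reach the backend. The CSDL fragment, the `example.invalid` host and the function names are assumptions made for the example.

```python
# Added illustration: checks $select against service metadata, in the spirit of
# gateway-side OData validation. Not API Management's actual implementation.
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit, parse_qs

EDM = "{http://docs.oasis-open.org/odata/ns/edm}"

# Constructed CSDL fragment (assumption), standing in for the exported metadata file.
METADATA = """<edmx:Edmx Version="4.0" xmlns:edmx="http://docs.oasis-open.org/odata/ns/edmx">
 <edmx:DataServices>
  <Schema Namespace="GWSAMPLE_BASIC" xmlns="http://docs.oasis-open.org/odata/ns/edm">
   <EntityType Name="Product">
    <Key><PropertyRef Name="ProductID"/></Key>
    <Property Name="ProductID" Type="Edm.String" Nullable="false"/>
    <Property Name="Name" Type="Edm.String"/>
    <Property Name="Price" Type="Edm.Decimal"/>
   </EntityType>
   <EntityContainer Name="Container">
    <EntitySet Name="ProductSet" EntityType="GWSAMPLE_BASIC.Product"/>
   </EntityContainer>
  </Schema>
 </edmx:DataServices>
</edmx:Edmx>"""

def load_model(csdl):
    """Map each entity set name to (qualified type name, set of property names)."""
    root = ET.fromstring(csdl)  # trusted, locally exported metadata only
    types = {}
    for schema in root.iter(EDM + "Schema"):
        for et in schema.iter(EDM + "EntityType"):
            qualified = f"{schema.get('Namespace')}.{et.get('Name')}"
            types[qualified] = {p.get("Name") for p in et.iter(EDM + "Property")}
    return {es.get("Name"): (es.get("EntityType"), types.get(es.get("EntityType"), set()))
            for es in root.iter(EDM + "EntitySet")}

def validate(url, model):
    """Return None when the request conforms, otherwise a 400-style error dict."""
    parts = urlsplit(url)
    entity_set = parts.path.rstrip("/").rsplit("/", 1)[-1].split("(")[0]
    if entity_set not in model:  # message wording here is this example's own
        return {"statusCode": 400, "message": f"Unknown entity set '{entity_set}'."}
    type_name, props = model[entity_set]
    for name in parse_qs(parts.query).get("$select", [""])[0].split(","):
        if name.strip() and name.strip() not in props:
            return {"statusCode": 400, "message":
                    f"Could not find a property named '{name.strip()}' on type '{type_name}'."}
    return None
```

Rejecting such requests at the gateway means malformed or probing queries are answered without the backend having to parse them.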

 

In combination with the large set of policies available in API Management, such as authorization, authentication, rate limiting and more, you can further enhance the security of your OData APIs.

For instance, you can exchange Microsoft Entra ID (formerly Azure Active Directory) issued tokens for an SAP issued Bearer token and forward it to the backend, with caching support for both tokens. Policy snippet available here.

 

Next steps 

Kickstart your SAP app integration project on Azure leveraging OData and the SAP Cloud SDK from here. To hit the ground running, find publicly available SAP OData APIs or mock services here. 

The OData API type in Azure API Management is in public preview. Give it a try and let us know what you think in the comments below!

 

Last update: Jul 20 2023 05:36 AM