├── media
    └── vscode-snippets
    │   ├── apim-vscode-snippets-1.png
    │   ├── apim-vscode-snippets-2.png
    │   └── apim-vscode-snippets-3.png
├── examples
    ├── oauth-proxy
    │   ├── oauth-proxy-token-endpoint-fragment.xml
    │   ├── oauth-proxy-validate-token-fragment.xml
    │   ├── oauth-proxy-construct-authorization-redirect-fragment.xml
    │   ├── oauth-proxy-slide-session-fragment.xml
    │   ├── oauth-proxy-sign-out.xml
    │   ├── oauth-proxy-sign-in.xml
    │   ├── readme.md
    │   ├── oauth-proxy-session-fragment.xml
    │   └── oauth-proxy-callback.xml
    ├── List all inbound headers.policy.xml
    ├── Random load balancer simpler.policy.xml
    ├── Forward gateway hostname to backend for generating correct urls in responses.policy.xml
    ├── Set cache duration using response cache control header.policy.xml
    ├── Encrypt data using expressions.policy.xml
    ├── Send request context information to the backend service.policy.xml
    ├── Mask async calls as synchronous.policy.xml
    ├── Decrypt AES Data using policy expressions.xml
    ├── Use custom error messages for jwt-validate policy with on-error handler.policy.xml
    ├── Return HTTP 405 if the HTTP Method of the request is not defined.xml
    ├── Route requests to regional backend instances.xml
    ├── Filter response content based on product name.policy.xml
    ├── Authenticate using Managed Identity to access Service Bus.xml
    ├── Random load balancer.policy.xml
    ├── Route requests based on size.policy.xml
    ├── Add correlation id to inbound request.policy.xml
    ├── Authenticate using Managed Identity to access Storage Account.xml
    ├── Perform basic authentication.policy.xml
    ├── Parse a JWT token using expressions.xml
    ├── Pre-authorize requests based on HTTP method with validate-jwt.policy.xml
    ├── Loopback request for service at same API Management service.xml
    ├── Authenticate using Managed Identity to access Event Hub.xml
    ├── Get OAuth2 access token from AAD and forward it to the backend.policy.xml
    ├── Log errors to Stackify.policy.xml
    ├── Extract value from XML.xml
    ├── Call out to an HTTP endpoint and cache the response.policy.xml
    ├── Get X-CSRF token from SAP gateway using send request.policy.xml
    ├── Backend OAuth2 Authentication With Cache.policy.xml
    ├── DELETE a from to blobStorage account.xml
    ├── Authorize requests using external authorizer.policy.xml
    ├── Back-end API redundancy.policy.xml
    ├── Query CosmosDB.policy.xml
    ├── Look up Key Vault certificate using Managed Service Identity and call backend.policy.xml
    ├── Look up Key Vault secret using Managed Service Identity.policy.xml
    ├── Trigger Azure Data Factory Pipeline.policy.xml
    ├── Handle Power Query access request to custom API.policy.xml
    ├── Trigger Azure Data Factory Pipeline With Parameters.policy.xml
    ├── Create HMAC SHA256-Signed JWT.policy.xml
    ├── Extracting multiple values from xml documents.policy.xml
    ├── Generate Azure Relay Token.policy.xml
    ├── GET a file from blobStorage account.xml
    ├── Filter on IP Address when using Application Gateway.policy.xml
    ├── Replay request on error.policy.xml
    ├── PUT a file to blobStorage account.xml
    ├── Forward Azure Event Grid Event.xml
    ├── Generate Shared Access Signature and forward request to Azure storage.policy.xml
    ├── Get OAuth2 access token from AAD using client id and certificate using key vault manage identity.xml
    ├── Return a blob URL signed with a user delegation SAS token.xml
    └── Request OAuth2 access token from SuccessFactors using AAD JWT token.xml
├── LICENSE
├── README.md
├── SECURITY.md
└── policy-expressions
    └── README.md


/media/vscode-snippets/apim-vscode-snippets-1.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/api-management-policy-snippets/HEAD/media/vscode-snippets/apim-vscode-snippets-1.png


--------------------------------------------------------------------------------
/media/vscode-snippets/apim-vscode-snippets-2.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/api-management-policy-snippets/HEAD/media/vscode-snippets/apim-vscode-snippets-2.png


--------------------------------------------------------------------------------
/media/vscode-snippets/apim-vscode-snippets-3.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/Azure/api-management-policy-snippets/HEAD/media/vscode-snippets/apim-vscode-snippets-3.png


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-token-endpoint-fragment.xml:
--------------------------------------------------------------------------------
1 | <fragment>
2 | 	<!-- Returns a URL identifying the token endpoint of your IdP -->
3 |     <set-variable name="idpTokenEndpoint" value="@{
4 |         return $"https://login.microsoftonline.com/{{TenantId}}/oauth2/v2.0/token";
5 |     }" />
6 | 
7 | </fragment>
8 | 


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-validate-token-fragment.xml:
--------------------------------------------------------------------------------
 1 | <fragment>
 2 |     
 3 |     <!-- IdP provider specific validation of the access-tokens returned by the IdP -->
 4 |     <validate-azure-ad-token 
 5 |         tenant-id="{{TenantId}}"
 6 |         token-value="@((string)context.Variables["accessToken"])">
 7 |         <client-application-ids>
 8 |             <application-id>{{ClientId}}</application-id>
 9 |         </client-application-ids>
10 |     </validate-azure-ad-token>
11 | 
12 | </fragment>


--------------------------------------------------------------------------------
/examples/List all inbound headers.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample demonstrates the listing of all inbound HTTP headers, which can be a bit more straight-forward than setting up a trace. 
 3 | -->
 4 | <policies>
 5 |     <inbound>
 6 |         <base />
 7 |         <return-response>
 8 |             <set-status code="200" reason="OK" />
 9 |             <set-body template="liquid">
10 |                 {% for header in context.Request.Headers %}
11 |                     {{- header.Key }}: {{ header.Value }}
12 |                 {% endfor %}
13 |             </set-body>
14 |         </return-response>
15 |     </inbound>
16 |     <backend>
17 |         <base />
18 |     </backend>
19 |     <outbound>
20 |         <base />
21 |     </outbound>
22 |     <on-error>
23 |         <base />
24 |     </on-error>
25 | </policies>


--------------------------------------------------------------------------------
/examples/Random load balancer simpler.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- REF: https://github.com/Gordonby/ApimTrafficSplitting -->
 2 | <!-- This policy overrides the backend baseurl to facilitate traffic splitting  -->
 3 | <!-- Traffic weight percentage and Backend URL to override with is stored in APIM named values -->
 4 | <policies>
 5 |     <inbound>
 6 |         <choose>
 7 |             <when condition="@(new System.Random().Next(1,100) &lt;= {{MyTrafficSplitApp_TrafficSplitWeight}})">
 8 |                 <set-backend-service base-url="{{MyTrafficSplitApp_TrafficBaseUrlOverride}}" />
 9 |             </when>
10 |         </choose>
11 |     </inbound>
12 |     <backend>
13 |         <base />
14 |     </backend>
15 |     <outbound>
16 |         <base />
17 |     </outbound>
18 |     <on-error>
19 |         <base />
20 |     </on-error>
21 | </policies>
22 | 


--------------------------------------------------------------------------------
/examples/Forward gateway hostname to backend for generating correct urls in responses.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to add a Forwarded header in the inbound request to allow the backend API to construct proper URLs.-->
 2 | 
 3 | <!-- Forwarded header is defined in the IETF RFC 7239 https://tools.ietf.org/html/rfc7239  -->
 4 | 
 5 | <!-- Copy this snippet into the inbound section. -->
 6 | 
 7 | <policies>
 8 |   <inbound>
 9 |     <base />
10 |     <set-header exists-action="override" name="Forwarded">
11 |       <value>@("proto=" + context.Request.OriginalUrl.Scheme + ";host=" + context.Request.OriginalUrl.Host + ";")</value>
12 |     </set-header>
13 |   </inbound>
14 |   <backend>
15 |     <base />
16 |   </backend>
17 |   <outbound>
18 |     <base />
19 |   </outbound>
20 |   <on-error>
21 |     <base />
22 |   </on-error>
23 | </policies>


--------------------------------------------------------------------------------
/examples/Set cache duration using response cache control header.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- This snippet demonstrates how to set response cache duration using maxAge value in Cache-Control header sent by the backend. -->
 2 | 
 3 | <!-- Copy the following snippet into the outbound section. -->
 4 |       
 5 | <policies>
 6 |   <inbound>
 7 |     <base />
 8 |   </inbound>
 9 |   <backend>
10 |     <base />
11 |   </backend>
12 |   <outbound>
13 |     <base />
14 |     <!-- The following policy can be tested by setting up an API and operation mapped to GET http://httpbin.org/cache/{duration} -->
15 |     <cache-store duration="@{
16 |         var header = context.Response.Headers.GetValueOrDefault("Cache-Control","");
17 | 		    var maxAge = Regex.Match(header, @"max-age=(?<maxAge>\d+)").Groups["maxAge"]?.Value;
18 | 		    return (!string.IsNullOrEmpty(maxAge))?int.Parse(maxAge):300;
19 | 	    }"
20 |      />
21 |   </outbound>
22 |   <on-error>
23 |     <base />
24 |   </on-error>
25 | </policies>
26 | 


--------------------------------------------------------------------------------
/examples/Encrypt data using expressions.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- 
 2 |     The policy defined in this file shows how to encrypt a parameter using AES algorithm.
 3 | -->
 4 | 
 5 | <policies>
 6 |     <inbound>
 7 |         <base />
 8 |         <set-variable name="IV" value="{{AES-IV}}" />
 9 |         <set-variable name="key" value="{{AES-Key}}" />
10 |         <set-variable name="encryptedParameter" value="@{
11 | 
12 |             string goober = (string)context.Request.MatchedParameters["Goober"];
13 |             byte[] gooberBytes = Encoding.UTF8.GetBytes(goober);
14 |             
15 |             byte[] IV = Convert.FromBase64String((string)context.Variables["IV"]);
16 |             byte[] key = Convert.FromBase64String((string)context.Variables["key"]);
17 |             
18 |             byte[] encryptedBytes = gooberBytes.Encrypt("Aes", key, IV);
19 |             
20 |             return Convert.ToBase64String(encryptedBytes);
21 |         }" />
22 |     </inbound>
23 |     <backend>
24 |         <base />
25 |     </backend>
26 |     <outbound>
27 |         <base />
28 |     </outbound>
29 |     <on-error>
30 |         <base />
31 |     </on-error>
32 | </policies>


--------------------------------------------------------------------------------
/examples/Send request context information to the backend service.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policies described in this file show how to send some context information to the backend service for logging or processing. -->
 2 | 
 3 | <!-- Copy these snippets into the inbound element -->
 4 | 
 5 | <policies>
 6 |   <inbound>
 7 |     <base />
 8 |       <!-- Forward the name of the product associated with the subscription key in the request to the backend service. -->
 9 |       <set-query-parameter name="x-product-name" exists-action="override">
10 |         <value>@(context.Product.Name)</value>
11 |       </set-query-parameter>
12 | 
13 |       <!-- Forward the user id associated with the subscription key in the request as well as the region where the proxy processing the request is hosted. -->
14 |       <set-header name="x-request-context-data" exists-action="override">
15 |         <value>@(context.User.Id)</value>
16 |         <value>@(context.Deployment.Region)</value>
17 |       </set-header>    
18 |   </inbound>
19 |   <backend>
20 |     <base />
21 |   </backend>
22 |   <outbound>
23 |     <base />
24 |   </outbound>
25 |   <on-error>
26 |     <base />
27 |   </on-error>
28 | </policies>


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
 1 |     MIT License
 2 | 
 3 |     Copyright (c) Microsoft Corporation. All rights reserved.
 4 | 
 5 |     Permission is hereby granted, free of charge, to any person obtaining a copy
 6 |     of this software and associated documentation files (the "Software"), to deal
 7 |     in the Software without restriction, including without limitation the rights
 8 |     to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
 9 |     copies of the Software, and to permit persons to whom the Software is
10 |     furnished to do so, subject to the following conditions:
11 | 
12 |     The above copyright notice and this permission notice shall be included in all
13 |     copies or substantial portions of the Software.
14 | 
15 |     THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 |     IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 |     FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 |     AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 |     LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 |     OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 |     SOFTWARE
22 | 


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-construct-authorization-redirect-fragment.xml:
--------------------------------------------------------------------------------
 1 | <fragment>
 2 | 	<!-- Construct a variable called 'idpRedirect' to start the authorization flow  -->
 3 |     <!-- Ensure to add the 'code-challenge-sha256', 'state', and 'nonce' to your request -->
 4 |     <!-- The redirect is in the variable 'oauth-proxy-callback' -->
 5 |     <!-- This example is for AAD. Change as required for your IdP -->
 6 | 
 7 |     <!-- Standard OIDC redirect flow. Currently AAD specific, but easy to tweak to your provider of choice -->
 8 |     <set-variable name="idpRedirect" value="@{
 9 |         return "https://login.microsoftonline.com/{{TenantId}}/oauth2/v2.0/authorize" +
10 |                 "?client_id={{ClientId}}&response_type=code&" + 
11 |                 $"redirect_uri={context.Variables["oauth-proxy-callback"]}&" +
12 |                 "response_mode=form_post&" + 
13 |                 $"scope={Uri.EscapeDataString("openid profile offline_access {{AdditionalScopes}}")}&" + 
14 |                 $"state={context.Variables["state"]}&" + 
15 |                 $"nonce={context.Variables["nonce"]}&" + 
16 |                 $"code_challenge={(string)context.Variables["codeChallengeSha256"]}&" + 
17 |                 "code_challenge_method=S256";
18 |     }" />
19 | 
20 | </fragment>
21 | 


--------------------------------------------------------------------------------
/examples/Mask async calls as synchronous.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to mask an asynchronous API endpoint as if it is an synchronous one. -->
 2 | <!-- This is useful when modernizing APIs but some clients that call the API cannot be updated to the new behavior. -->
 3 | 
 4 | <!-- API used for this example is an Azure Logic Apps (request/response), in which returns HTTP 202 status code, -->
 5 | <!-- and location header to retrieve the terminal payload. Retry count and interval is fixed  in this example but can also be customized. -->
 6 | 
 7 | <policies>
 8 |     <inbound>
 9 |         <base />
10 |     </inbound>
11 |     <backend>
12 |         <forward-request />
13 |     </backend>
14 |     <outbound>
15 |         <base />
16 |         <retry condition="@(((IResponse)context.Variables["var"]).StatusCode == 202)" count="10" interval="30">
17 |             <send-request mode="new" response-variable-name="var" ignore-error="false">
18 |                 <set-url>@(context.Response.Headers["location"][0])</set-url>
19 |                 <set-method>GET</set-method>
20 |             </send-request>
21 |         </retry>
22 |         <return-response response-variable-name="var" />
23 |     </outbound>
24 |     <on-error>
25 |         <base />
26 |     </on-error>
27 | </policies>
28 | 


--------------------------------------------------------------------------------
/examples/Decrypt AES Data using policy expressions.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy snippet shows how to decrypt an AES 192 bit encrypted text and return it to caller. 
 3 |     The encrypted text is sent as a JSON element.
 4 | -->
 5 | <policies>
 6 | 	<inbound>
 7 | 		<base />
 8 | 		<set-variable name="IV" value="{{AES-IV}}" />
 9 | 		<set-variable name="key" value="{{AES-Key}}" />
10 | 		<set-variable name="plainText" value="@{
11 |             byte[] inBytes = Convert.FromBase64String(context.Request.Body.As<JObject>().SelectToken("encrpText").ToString());
12 |             byte[] IV = Convert.FromBase64String((string)context.Variables["IV"]);
13 |             byte[] key = Convert.FromBase64String((string)context.Variables["key"]);
14 |             byte[] decryptedBytes = inBytes.Decrypt("Aes", key, IV);
15 |             return Encoding.UTF8.GetString(decryptedBytes);
16 |          }" />
17 | 		<return-response>
18 | 			<set-status code="200" reason="Success" />
19 | 			<set-body>@{ 
20 |                     string inBody = (string)context.Variables["plainText"];                     
21 |                     return inBody; 
22 |                 }</set-body>
23 | 		</return-response>
24 | 	</inbound>
25 | 	<backend>
26 | 		<base />
27 | 	</backend>
28 | 	<outbound>
29 | 		<base />
30 | 	</outbound>
31 | 	<on-error>
32 | 		<base />
33 | 	</on-error>
34 | </policies>
35 | 


--------------------------------------------------------------------------------
/examples/Use custom error messages for jwt-validate policy with on-error handler.policy.xml:
--------------------------------------------------------------------------------
 1 | <policies>
 2 |     <inbound>
 3 |         <base />
 4 |         <validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="jwt validation failed">
 5 |             <issuer-signing-keys>
 6 |                 <key>{{base64-encoded-hashing-secret}}</key>
 7 |             </issuer-signing-keys>
 8 |         </validate-jwt>
 9 |     </inbound>
10 |     <backend>
11 |         <base />
12 |     </backend>
13 |     <outbound>
14 |         <base />
15 |     </outbound>
16 |     <on-error>
17 |         <choose>
18 |             <!--When on-error is defined, its error handling overrides validate-jwt's error message. Its failed-validation-error-message will
19 |             never become effective. In order to provide specific error handling, we can specifically reference the validate-jwt elements (via Source),
20 |             then handle the error here along with any other error-handling.-->
21 |             <when condition="@(context.LastError.Source == "validate-jwt")">
22 |                 <return-response>
23 |                     <set-status code="@(context.Response.StatusCode)" />
24 |                     <set-body>Unauthorized. Access token is missing or invalid.</set-body>
25 |                 </return-response>
26 |             </when>
27 |         </choose>
28 |         <base />
29 |     </on-error>
30 | </policies>
31 | 
32 | 
33 | 
34 | 


--------------------------------------------------------------------------------
/examples/Return HTTP 405 if the HTTP Method of the request is not defined.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy translates the HTTP status code from 404 to 405 when the HTTP Method of the request doesn't match the one defined in the corresponding Operation. -->
 2 | <!-- For example, if the client send a GET request to a POST operation, instead of returning HTTP 404 which is the default behavior of APIM, this policy returns HTTP 405. -->
 3 | <!-- Copy the following snippet into the on-error section. -->
 4 | <!-- Replace `/echo/resource-cached` with the actual path of your operation. -->
 5 | <policies>
 6 |     <inbound>
 7 |         <base />
 8 |     </inbound>
 9 |     <backend>
10 |         <base />
11 |     </backend>
12 |     <outbound>
13 |         <base />
14 |     </outbound>
15 |     <on-error>
16 |         <base />
17 |         <choose>
18 |             <when condition="@(context.LastError.Source == "configuration" && context.Request.Url.Path == "/echo/resource-cached")">
19 |                 <return-response>
20 |                     <set-status code="405" reason="Method not allowed" />
21 |                     <set-body>@{
22 |                         return new JObject(
23 |                             new JProperty("status", "HTTP 405"),
24 |                             new JProperty("message", "Method not allowed")
25 |                         ).ToString();
26 |                     }</set-body>
27 |                 </return-response>
28 |             </when>
29 |             <otherwise />
30 |         </choose>
31 |     </on-error>
32 | </policies>


--------------------------------------------------------------------------------
/examples/Route requests to regional backend instances.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     The policy defined in this file uses 'set-backend' and the conditional 'choose' policies as well as the 'context.Deployment.Region' property to route requests to different backend services, based on the region of an Azure API Management instance the request has reached. 
 3 | 
 4 |     It assumes that Azure API Management is deployed in West US and East Asia. Multi-regions functionality is supported only in the premium tier of the service.
 5 |     
 6 |     See the documentation for details: https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-deploy-multi-region
 7 | -->
 8 | 
 9 | <policies>
10 |     <inbound>
11 |         <base />
12 |         <choose>
13 |             <when condition="@("West US".Equals(context.Deployment.Region, StringComparison.OrdinalIgnoreCase))">
14 |                 <set-backend-service base-url="http://contoso-us.com/" />
15 |             </when>
16 |             <when condition="@("East Asia".Equals(context.Deployment.Region, StringComparison.OrdinalIgnoreCase))">
17 |                 <set-backend-service base-url="http://contoso-asia.com/" />
18 |             </when>
19 |             <otherwise>
20 |                 <set-backend-service base-url="http://contoso-other.com/" />
21 |             </otherwise>
22 |         </choose>
23 |     </inbound>
24 |     <backend>
25 |         <base />
26 |     </backend>
27 |     <outbound>
28 |         <base />
29 |     </outbound>
30 |     <on-error>
31 |         <base />
32 |     </on-error>
33 | </policies>


--------------------------------------------------------------------------------
/examples/Filter response content based on product name.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to filter data elements from the response payload based on the product associated with the request.
 2 | <!-- The snippet assumes that response content is formatted as JSON and contains root-level properties named "current", "minutely", "hourly", "daily", "alerts". -->
 3 | 
 4 | <!-- The example backend response includes root-level properties similar to the https://openweathermap.org/api/one-call-api/ API. -->
 5 | 
 6 | <!-- Copy this snippet into the outbound section. -->
 7 | 
 8 | <policies>
 9 |   <inbound>
10 |     <base />
11 |   </inbound>
12 |   <backend>
13 |     <base />
14 |   </backend>
15 |   <outbound>
16 |     <base />
17 |     <choose>
18 |       <when condition="@(context.Response.StatusCode == 200 && context.Product.Name.Equals("Starter"))">
19 |         <!-- NOTE that we are not using preserveContent=true when deserializing response body stream into a JSON object since we don't intend to access it again. See details on https://docs.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#SetBody -->
20 |       	<set-body>
21 |           @{
22 |             var response = context.Response.Body.As<JObject>();
23 |             foreach (var key in new [] {"current", "minutely", "hourly", "daily", "alerts"}) {
24 |             response.Property (key).Remove ();
25 |            }
26 |           return response.ToString();
27 |           }
28 | 	</set-body>
29 |       </when>
30 |     </choose>    
31 |   </outbound>
32 |   <on-error>
33 |     <base />
34 |   </on-error>
35 | </policies>
36 | 


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-slide-session-fragment.xml:
--------------------------------------------------------------------------------
 1 | <fragment>
 2 | 
 3 | 	<!-- slide the cookie -->
 4 | 	<choose>
 5 | 		<when condition="@(context.Variables.ContainsKey("cacheKey"))">
 6 | 			<set-variable name="cookie-expiry" value="@(DateTimeOffset.UtcNow.AddSeconds({{SessionCookieExpirationInSeconds}}).ToUnixTimeMilliseconds())" />
 7 | 			<set-variable name="cookie-prefix" value="@($"{(string)context.Variables["cacheKey"]}.{(string)context.Variables["ivTokens"]}.{(long)context.Variables["cookie-expiry"]}")" />
 8 | 
 9 | 			<!-- encrypt this using the cookie-iv-->
10 | 			<set-variable name="encryptedCookie" value="@{
11 | 				var cookie = Encoding.UTF8.GetBytes((string)context.Variables["cookie-prefix"]);
12 | 				var ivString = (string)context.Variables["ivCookie"];
13 | 				var iv = Guid.Parse(ivString).ToByteArray();
14 | 				var key1 = Convert.FromBase64String("{{CookieEncryptionKey1}}");
15 | 				var key2 = Convert.FromBase64String("{{CookieEncryptionKey2}}");
16 | 				var key = {{CookieEncryptionKey}};
17 | 				var encryptionKey = key == 1 ? key1 : key2;
18 | 				var encryptedCookie = cookie.Encrypt("Aes", encryptionKey, iv);
19 | 				return $"{Convert.ToBase64String(encryptedCookie)}.{ivString}.{key}";
20 | 			}" />
21 | 
22 |             <!-- add the new session cookie to the response -->
23 | 			<set-header name="Set-Cookie" exists-action="append">
24 | 				<value>@($"{{CookiePrefix}}={(string)context.Variables["encryptedCookie"]}; SameSite=Lax; secure; path=/; expires={DateTimeOffset.FromUnixTimeMilliseconds((long)context.Variables["cookie-expiry"]).ToString("R")}; Secure; HttpOnly" )</value>
25 | 			</set-header>
26 | 		</when>
27 | 	</choose>
28 | </fragment>
29 | 


--------------------------------------------------------------------------------
/examples/Authenticate using Managed Identity to access Service Bus.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file provides an example of how to authenticate using Managed Identity to access Service Bus and send a message to a queue/topic. -->
 2 | 
 3 | <!-- Parameters: serviceBusNamespace - Name of your Service Bus namespace -->
 4 | <!-- Parameters: queue/topic - Name of your queue/topic -->
 5 | <!-- Steps required -->
 6 | <!-- 1. Enable System-Assigned Managed Identity on API Management instance -->
 7 | <!-- 2. Assign API Management instance principalId as Azure Service Bus Data Sender Role in the Service Bus Namespace -->
 8 | <!-- 3. You can optionally restrict Service Bus namespace to be accessible only by Trusted services in Firewalls/VirtualNetwork. -->
 9 | 
10 | <policies>
11 |   <inbound>
12 |     <base />
13 |     <authentication-managed-identity resource="https://servicebus.azure.net" output-token-variable-name="msi-access-token" ignore-error="false" />
14 |     <set-header name="Authorization" exists-action="override">
15 |       <value>@((string)context.Variables["msi-access-token"])</value>
16 |     </set-header>
17 |     <set-body>{  
18 |         "Body": "APIM sending request using AAD Token",
19 |         "BrokerProperties":{"Trusted Service":"APIM"},  
20 |         "UserProperties":{"Priority":"Medium","Customer":"Contoso"}  
21 |       }</set-body>
22 |     <set-backend-service base-url="https://{{serviceBusNamespace}}.servicebus.windows.net/{{queue|topic}}/messages?api-version=2015-01" />
23 |   </inbound>
24 |   <backend>
25 |     <base />
26 |   </backend>
27 |   <outbound>
28 |     <base />
29 |   </outbound>
30 |   <on-error>
31 |     <base />
32 |   </on-error>
33 | </policies>
34 | 


--------------------------------------------------------------------------------
/examples/Random load balancer.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- This policy randomly routes (load balances) to one of the two backends -->
 2 | <!-- Backend URLs are assumed to be stored in backend-url-1 and backend-url-2 named values (fka properties), but can be provided inline as well -->
 3 | <policies>
 4 |     <inbound>
 5 |         <base />
 6 |         <set-variable name="urlId" value="@(new Random(context.RequestId.GetHashCode()).Next(1, 3))" />
 7 |         <choose>
 8 |             <when condition="@(context.Variables.GetValueOrDefault<int>("urlId") == 1)">
 9 |                 <set-backend-service base-url="{{backend-url-1}}" />
10 |             </when>
11 |             <when condition="@(context.Variables.GetValueOrDefault<int>("urlId") == 2)">
12 |                 <set-backend-service base-url="{{backend-url-2}}" />
13 |             </when>
14 |             <otherwise>
15 |                 <!-- Should never happen, but you never know ;) -->
16 |                 <return-response>
17 |                     <set-status code="500" reason="InternalServerError" />
18 |                     <set-header name="Microsoft-Azure-Api-Management-Correlation-Id" exists-action="override">
19 |                         <value>@{return Guid.NewGuid().ToString();}</value>
20 |                     </set-header>
21 |                     <set-body>A gateway-related error occurred while processing the request.</set-body>
22 |                 </return-response>
23 |             </otherwise>
24 |         </choose>
25 |     </inbound>
26 |     <backend>
27 |         <base />
28 |     </backend>
29 |     <outbound>
30 |         <base />
31 |     </outbound>
32 |     <on-error>
33 |         <base />
34 |     </on-error>
35 | </policies>
36 | 


--------------------------------------------------------------------------------
/examples/Route requests based on size.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to route requests based on the size of the message body. -->
 2 | <!-- Content-Length header contains the size of the message body. -->
 3 | 
 4 | <!--  256 KB, a limitation on message size in the Azure Service Bus.  -->
 5 | <!-- The snippet checks if the message is smaller than 256000 bytes. If it's larger, request is routed somewhere else. -->
 6 | 
 7 | <!-- Copy the following snippet into the inbound section. -->
 8 | 
 9 | <policies>
10 |     <inbound>
11 | 	    <base/>
12 | 		    <set-variable name="bodySize" value="@(context.Request.Headers["Content-Length"][0])"/>
13 | 		    <choose>
14 | 			    <when condition="@(int.Parse(context.Variables.GetValueOrDefault<string>("bodySize"))<256000)">
15 | 				    <!-- let it pass through by doing nothing -->
16 | 			    </when>
17 | 			    <otherwise>
18 | 				    <rewrite-uri template="{{alternate-path-and-query}}"/>
19 | 				    <set-backend-service base-url="{{alternate-host}}"/>
20 | 			    </otherwise>
21 | 		    </choose>
22 | 
23 | 		    <!-- In rare cases where Content-Length header is not present we'll have to read the body to get its length. -->
24 |             <!--
25 |             <choose>
26 |         	    <when condition="@(context.Request.Body.As<string>(preserveContent: true).Length<256000)">
27 | 
28 |         	    </when>
29 |         	    <otherwise>
30 |         		    <rewrite-uri template=""/>
31 |         		    <set-backend-service base-url=""/>
32 |         	    </otherwise>
33 |             </choose>
34 | 		    -->
35 | 	</inbound>
36 | 	<backend>
37 | 	    <base/>
38 | 	</backend>
39 | 	<outbound>
40 | 	    <base/>
41 | 	</outbound>
42 | 	<on-error>
43 | 	    <base/>
44 | 	</on-error>
45 | </policies>
46 | 
47 | 
48 | 
49 | 
50 | 


--------------------------------------------------------------------------------
/examples/Add correlation id to inbound request.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to add a header containing a correlation id to the inbound request. -->
 2 | <!-- The id could be used to correlate requests forwarded by Azure API Management to requests in your backend. -->
 3 | <!-- The snippet uses a COMB GUID as an id value for efficient query performance. -->
 4 | 
 5 | <!-- NOTE: If COMB format is not needed, context.RequestId should be used as a value of correlation id. -->
 6 | <!-- context.RequestId is unique for each request and is stored as part of gateway log records. -->
 7 | 
 8 | <!-- Copy the following snippet into the inbound section. Applying this snippet at the global level will ensure that correlation id is added to all requests. -->
 9 | 
10 | <policies>
11 |     <inbound>
12 |         <base />
13 |         <set-header name="correlationid" exists-action="skip">
14 | 	        <value>@{ 
15 | 				var guidBinary = new byte[16];
16 | 				Array.Copy(Guid.NewGuid().ToByteArray(), 0, guidBinary, 0, 10);
17 | 				long time = DateTime.Now.Ticks;
18 | 				byte[] bytes = new byte[6];
19 | 				unchecked
20 | 				{
21 | 				       bytes[5] = (byte)(time >> 40);
22 | 				       bytes[4] = (byte)(time >> 32);
23 | 				       bytes[3] = (byte)(time >> 24);
24 | 				       bytes[2] = (byte)(time >> 16);
25 | 				       bytes[1] = (byte)(time >> 8);
26 | 				       bytes[0] = (byte)(time);
27 | 				}
28 | 				Array.Copy(bytes, 0, guidBinary, 10, 6);
29 | 				return new Guid(guidBinary).ToString();
30 | 			}
31 | 	        </value>
32 |         </set-header>    
33 |     </inbound>
34 |     <backend>
35 |         <base />
36 |     </backend>
37 |     <outbound>
38 |         <base />
39 |     </outbound>
40 |     <on-error>
41 |         <base />
42 |     </on-error>
43 | </policies>
44 | 


--------------------------------------------------------------------------------
/examples/Authenticate using Managed Identity to access Storage Account.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file provides an example of how to authenticate using Managed Identity to access Storage Account and read a blob. -->
 2 | 
 3 | <!-- Parameters: storageaccountname - Name of your Azure Storage Account -->
 4 | <!-- Parameters: blobtoread - Name of the Blob you want to read contents from. -->
 5 | <!-- Steps required -->
 6 | <!-- 1. Enable System-Assigned Managed Identity on API Management instance -->
 7 | <!-- 2. Assign API Management instance principalId as Storage Blob Data Contributor Role in the Azure Storage Account -->
 8 | <!-- 3. You can optionally restrict Storage Account to be accessible only by Trusted services in Firewalls/VirtualNetwork in the Storage Account. -->
 9 | 
10 | <policies>
11 |     <inbound>
12 |         <send-request mode="new" timeout="20" response-variable-name="blobdata" ignore-error="false">
13 |             <set-url>https://{{storageaccountname}}.blob.core.windows.net/container/{{blobtoread}}</set-url>
14 |             <set-method>GET</set-method>
15 |             <set-header name="x-ms-version" exists-action="override">
16 |                 <value>2019-07-07</value>
17 |             </set-header>
18 |             <authentication-managed-identity resource="https://storage.azure.com" />
19 |         </send-request>
20 |         <return-response>
21 |             <set-status code="200" reason="OK" />
22 |             <set-body>@($"{((IResponse)context.Variables["blobdata"]).Body.As<JObject>() }")</set-body>
23 |         </return-response>
24 |         <base />
25 |     </inbound>
26 |     <backend>
27 |         <base />
28 |     </backend>
29 |     <outbound>
30 |         <base />
31 |     </outbound>
32 |     <on-error>
33 |         <base />
34 |     </on-error>
35 | </policies>
36 | 
37 | 


--------------------------------------------------------------------------------
/examples/Perform basic authentication.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to perform basic authentication in the inbound request. -->
 2 | 
 3 | <!-- This can be useful when working with clients with limited authentication options. -->
 4 | 
 5 | <!-- The Authorization header is deleted after validation to prevent issues with backend APIs. -->
 6 | 
 7 | <!-- The 'Basic' HTTP Authentication Scheme is described in IETF RFC 7617 https://tools.ietf.org/html/rfc7617 -->
 8 | 
 9 | <!-- Copy the following snippet into the inbound section. -->
10 | 
11 | <policies>
12 |     <inbound>
13 |         <base />
14 |         <check-header name="Authorization" failed-check-httpcode="401" failed-check-error-message="Not authorized" ignore-case="false">
15 | 		</check-header>
16 |         <choose>
17 |             <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization").AsBasic()==null 
18 |             || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password==null 
19 |             || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId==null 
20 |             || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().UserId!="{{UserId}}" 
21 |             || context.Request.Headers.GetValueOrDefault("Authorization").AsBasic().Password!="{{Password}}")">
22 |                 <return-response>
23 |                     <set-status code="401" reason="Not authorized" />
24 |                 </return-response>
25 |             </when>
26 |         </choose>
27 |         <set-header name="Authorization" exists-action="delete" />
28 |     </inbound>
29 |     <backend>
30 |         <base />
31 |     </backend>
32 |     <outbound>
33 |         <base />
34 |     </outbound>
35 |     <on-error>
36 |         <base />
37 |     </on-error>
38 | </policies>
39 | 


--------------------------------------------------------------------------------
/examples/Parse a JWT token using expressions.xml:
--------------------------------------------------------------------------------
 1 | <!-- 
 2 |     The policy defined in this file shows how to parse a JSON Web Token (JWT) and conditionally execute policies based on the values of a claim. 
 3 | 
 4 |     Assuming the payload of our JWTs looks like below and the scenario is to check the "permissions" claim.
 5 | 
 6 |     {
 7 |         "sub": "1234567890",
 8 |         "name": "John Doe",
 9 |         "iat": 1516239022,
10 |         "exp": 1557007909,
11 |         "permissions": ["sendEmail", "sendText"]
12 |     }
13 | -->
14 | 
15 | <policies>
16 |     <inbound>
17 |         <base />
18 | 
19 |         <!-- 
20 |           First, check the signature and expiration of the JWT using validate-jwt policy 
21 |          
22 |           The policy will output the jwt into a variable called valid-jwt
23 |         -->
24 |         <validate-jwt header-name="Authorization" output-token-variable-name="valid-jwt">
25 |             <issuer-signing-keys>
26 |                 <key>{{signing-key}}</key>
27 |             </issuer-signing-keys>
28 |         </validate-jwt>
29 |         
30 |         <!--
31 |           Now, we can inspect the JWT with policy expressions and check the values in "permissions"
32 |         -->
33 |         <choose>
34 |             <when condition="@{
35 |                 var jwt = (Jwt)context.Variables["valid-jwt"];
36 |                 var permissions = jwt.Claims["permissions"];
37 |                 return Array.Exists(permissions, element => element == "sendEmail");
38 |             }">
39 |                 <!-- Do something here -->
40 |             </when>
41 |             <otherwise />
42 |         </choose>
43 |     </inbound>
44 |     <backend>
45 |         <base />
46 |     </backend>
47 |     <outbound>
48 |         <base />
49 |     </outbound>
50 |     <on-error>
51 |         <base />
52 |     </on-error>
53 | </policies>
54 | 


--------------------------------------------------------------------------------
/examples/Pre-authorize requests based on HTTP method with validate-jwt.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file shows how to authorize access to specific HTTP methods on an API based on JWT claims. -->
 2 | <!-- To test the policy you can use https://jwt.io to generate tokens. -->
 3 | 
 4 | <!-- Copy the following snippet into the inbound section. -->
 5 | 
 6 | <policies>
 7 |   <inbound>
 8 |     <base />
 9 |       <choose>
10 |         <when condition="@(context.Request.Method.Equals("patch=""",StringComparison.OrdinalIgnoreCase))">
11 |           <validate-jwt header-name="Authorization">
12 |             <issuer-signing-keys>
13 |               <key>{{signing-key}}</key>
14 |             </issuer-signing-keys>
15 |             <required-claims>
16 |               <claim name="edit">
17 |                 <value>true</value>
18 |               </claim>
19 |             </required-claims>
20 |           </validate-jwt>
21 |         </when>
22 |         <when condition="@(new [] {"post=""", "put="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
23 |           <validate-jwt header-name="Authorization">
24 |             <issuer-signing-keys>
25 |               <key>{{signing-key}}</key>
26 |             </issuer-signing-keys>
27 |             <required-claims>
28 |               <claim name="create">
29 |                 <value>true</value>
30 |               </claim>
31 |             </required-claims>
32 |           </validate-jwt>
33 |         </when>
34 |         <otherwise>
35 |           <validate-jwt header-name="Authorization">
36 |             <issuer-signing-keys>
37 |               <key>{{signing-key}}</key>
38 |             </issuer-signing-keys>
39 |           </validate-jwt>
40 |         </otherwise>
41 |       </choose>    
42 |   </inbound>
43 |   <backend>
44 |     <base />
45 |   </backend>
46 |   <outbound>
47 |     <base />
48 |   </outbound>
49 |   <on-error>
50 |     <base />
51 |   </on-error>
52 | </policies>


--------------------------------------------------------------------------------
/examples/Loopback request for service at same API Management service.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     Send request for a service hosted at same API Management service that is deployed with a virtual network
 3 | 
 4 |     This policy will ensure that your API Management service instance knows how to redirect the request into a service that is hosted on the same API Management service instance when is deployed with a virtual network.
 5 | 	
 6 | 	Ensure that you add/set a HOST header with API Management service's domain for the request that could be redirected back into the same API Management service instance.
 7 | 	
 8 | 	Subcription key is retrived from the original request to be forward into the new request. Save the new request result into a variable to return after request.
 9 | 
10 |     Maintainer: @gfchaves
11 | -->
12 | <policies>
13 | 	<inbound>
14 | 		<base />
15 | 		<set-variable name="subscriptionKey" value="@(context.Request.Headers.GetValueOrDefault("Ocp-Apim-Subscription-Key=""","scheme="" param="""))" />
16 | 		<send-request mode="new" response-variable-name="requestResponse" timeout="300" ignore-error="false">
17 | 			<set-url>https://localhost/{your API Management service endpoint url}</set-url>
18 | 			<set-method>GET</set-method>
19 | 			<set-header name="content-type" exists-action="override">
20 | 				<value>application/json</value>
21 | 			</set-header>
22 | 			<set-header name="HOST" exists-action="override">
23 | 				<value>{your API Management service domain}</value>
24 | 			</set-header>
25 | 			<set-header name="Ocp-Apim-Subscription-Key" exists-action="override">
26 | 				<value>@($"{(string)context.Variables["subscriptionKey"]}")</value>
27 | 			</set-header>
28 | 		</send-request>
29 | 		<return-response response-variable-name="requestResponse" />
30 | 	</inbound>	
31 | 	<backend>
32 | 		<base />
33 | 	</backend>
34 | 	<outbound>
35 | 		<base />
36 | 	</outbound>
37 | 	<on-error>
38 | 		<base />
39 | 	</on-error>
40 | </policies>


--------------------------------------------------------------------------------
/examples/Authenticate using Managed Identity to access Event Hub.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file provides an example of how to authenticate using Managed Identity to access EventHub Account. -->
 2 | 
 3 | <!-- Parameters: eventHubNamespace - Name of your Azure EventHub namespace Account -->
 4 | <!-- Parameters: eventhubname - Name of the EventHub where to push messages. -->
 5 | <!-- Steps required -->
 6 | <!-- 1. Enable System-Assigned Managed Identity on API Management instance -->
 7 | <!-- 2. Assign API Management instance principalId as Azure Event Hubs Data Sender Role in the Eventhub Namespace -->
 8 | <!-- 3. You can optionally restrict EventHub namespace to be accessible only by Trusted services in Firewalls/VirtualNetwork. -->
 9 | 
10 | <policies>
11 |     <inbound>
12 |         <!-- base: Begin Api scope -->
13 |         <!-- base: Begin Product scope -->
14 |         <rate-limit calls="5" renewal-period="60" />
15 |         <quota calls="100" renewal-period="604800" />
16 |         <!-- base: End Product scope -->
17 |         <!-- base: End Api scope -->
18 |         <authentication-managed-identity resource="https://eventhubs.azure.net" output-token-variable-name="msi-access-token" ignore-error="false" />
19 |         <set-header name="Authorization" exists-action="override">
20 |             <value>@(String.Concat("Bearer ",(string)context.Variables["msi-access-token"]))</value>
21 |         </set-header>
22 |         <set-body>{ "Event":"apim-using -aad token", "TrustedService":"AAD" }</set-body>
23 |         <set-backend-service base-url="https://{{eventHubNamespace}}.servicebus.windows.net/{{eventhubname}}/messages?api-version=2014-01" />
24 |     </inbound>
25 |     <backend>
26 |         <!-- base: Begin Api scope -->
27 |         <!-- base: Begin Product scope -->
28 |         <!-- base: Begin Global scope -->
29 |         <forward-request />
30 |         <!-- base: End Global scope -->
31 |         <!-- base: End Product scope -->
32 |         <!-- base: End Api scope -->
33 |     </backend>
34 |     <outbound />
35 |     <on-error />
36 | </policies>
37 | 


--------------------------------------------------------------------------------
/examples/Get OAuth2 access token from AAD and forward it to the backend.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file provides an example of using OAuth2 for authorization between the gateway and a backend. -->
 2 | <!-- It shows how to obtain an access token from Azure AD and forward it to the backend. -->
 3 | 
 4 | <!-- Send request to Azure AD to obtain a bearer token -->
 5 | <!-- Parameters: authorizationServer - format https://login.windows.net/TENANT-GUID/oauth2/token -->
 6 | <!-- Parameters: scope - a URI encoded scope value -->
 7 | <!-- Parameters: clientId - an id obtained during app registration -->
 8 | <!-- Parameters: clientSecret - a URL encoded secret, obtained during app registration -->
 9 | 
10 | <!-- Copy the following snippet into the inbound section. -->
11 | 
12 | <policies>
13 |   <inbound>
14 |     <base />
15 |       <send-request ignore-error="true" timeout="20" response-variable-name="bearerToken" mode="new">
16 |         <set-url>{{authorizationServer}}</set-url>
17 |         <set-method>POST</set-method>
18 |         <set-header name="Content-Type" exists-action="override">
19 |           <value>application/x-www-form-urlencoded</value>
20 |         </set-header>
21 |         <set-body>
22 |           @{
23 |               return "client_id={{clientId}}&scope={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
24 | 
25 |               // For Azure AD v1, try return statement below
26 |               // return "client_id={{clientId}}&resource={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
27 |           }
28 |         </set-body>
29 |       </send-request>
30 | 
31 |       <set-header name="Authorization" exists-action="override">
32 |         <value>
33 |           @("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"])
34 | 	  </value>
35 |       </set-header>
36 | 
37 |       <!--  Don't expose APIM subscription key to the backend. -->
38 |       <set-header exists-action="delete" name="Ocp-Apim-Subscription-Key"/>
39 |   </inbound>
40 |   <backend>
41 |     <base />
42 |   </backend>
43 |   <outbound>
44 |     <base />
45 |   </outbound>
46 |   <on-error>
47 |     <base />
48 |   </on-error>
49 | </policies>
50 | 


--------------------------------------------------------------------------------
/examples/Log errors to Stackify.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file shows how to add an error logging policy to send errors to Stackify for logging. -->
 2 | <!-- You must specify the following named values: -->
 3 |   <!-- your-stackify-api-key  -->
 4 |   <!-- stackify-api-key  - Get this from your Stackify account -->
 5 |   <!-- environment-name - This will be send to Stackify for the environment filter, (Production, Dev, Test, etc) -->
 6 |   <!-- app-name - The Application name that will be sent to Stackify -->
 7 | 
 8 | <!-- Copy the following snippet into the on-error section. -->
 9 | 
10 | <policies>
11 |   <inbound>
12 |     <base />
13 |   </inbound>
14 |   <backend>
15 |     <base />
16 |   </backend>
17 |   <outbound>
18 |     <base />
19 |   </outbound>
20 |   <on-error>
21 |     <trace source="OnError">
22 |       On Error
23 |     </trace>
24 |     <send-one-way-request mode="new">
25 |       <set-url>https://api.stackify.com/Log/Save</set-url>
26 |       <set-method>POST</set-method>
27 |       <set-header name="Content-Type" exists-action="override">
28 |         <value>value</value>
29 |       </set-header>
30 |       <set-header name="X-Stackify-PV" exists-action="override">
31 |         <value>V1</value>
32 |       </set-header>
33 |       <set-header name="X-Stackify-Key" exists-action="override">
34 |         <value>{{stackify-api-key}}</value>
35 |       </set-header>
36 |       <set-body>
37 |         @{
38 |         return new JObject(
39 |         new JProperty("Environment","{{environment-name}}"),
40 |         new JProperty("ServerName", context.Deployment.ServiceName),
41 |         new JProperty("AppName", "{{app-name}}"),
42 |         new JProperty("AppLoc", "/usr/local/stackify/stackify-agent"),
43 |         new JProperty("Logger", "stackify-log-log4j12-1.0.12"),
44 |         new JProperty("Platform", "java"),
45 |         new JProperty("Msgs",
46 |         new JArray(
47 |         new JObject(
48 |         new JProperty("Msg", context.LastError.Message),
49 |         new JProperty("Th", "main"),
50 |         new JProperty("EpochMs", (new DateTimeOffset(DateTime.Now)).ToUnixTimeSeconds() * 1000 ),
51 |         new JProperty("Level", "error"),
52 |         new JProperty("SrcMethod", context.LastError.Source)
53 |         )))
54 |         ).ToString();
55 |         }
56 |       </set-body>
57 |     </send-one-way-request>
58 |   </on-error>
59 | </policies>
60 | 


--------------------------------------------------------------------------------
/examples/Extract value from XML.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample demonstrates the extraction of a value from a string value such as found in a request body or a response body. 
 3 |     As we are only looking to read a value, not manipulate an XML document, it is much better for memory usage to use an XMLReader with 
 4 |     a forward cursor instead of an  XMLDocument. This is especially important the larger your XML string may be.
 5 | 
 6 |     For ease of demonstration, we assign the value to a return response, which is then returned to the caller of the API operation.
 7 | 
 8 |     Credit to John Scott (jftl6y) for the contribution!
 9 | -->
10 | <policies>
11 |     <inbound>
12 |         <base />
13 |         <return-response>
14 |             <set-status code="200" />
15 |             <set-body>@{
16 |                 // The XML from which you want to extract information may come from various places. 
17 |                 var xml = "<?xml version=\"1.0\" encoding=\"utf-8\"?><soap:Envelope xmlns:soap=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\" xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"><soap:Body><SomeCustomElement><SomeCustomNestedElement>ABCDEF123456789</SomeCustomNestedElement></SomeCustomElement></soap:Body></soap:Envelope>";
18 |                 //var xml = context.Request.Body.As<string>(preserveContent: true);     //read from request body while also preserving the body
19 |                 //var xml = context.Response.Body.As<string>(preserveContent: true);    //read from response body while also preserving the body
20 | 
21 |                 var ret = "";
22 |                 
23 |                 using (XmlReader reader = XmlReader.Create(new StringReader(xml))) 
24 |                 {
25 |                     reader.MoveToContent();
26 |                     reader.Read();
27 | 
28 |                     while (!reader.EOF && ret == "")
29 |                     {
30 |                         // Read until we reach the node of interest, then extract the information into a return value, which will gracefully break out of the loop
31 |                         if (reader.Name == "SomeCustomNestedElement")
32 |                         {
33 |                             var el = XNode.ReadFrom(reader) as XElement;
34 |                             ret = el == null ? "" : el.Value;
35 |                         } else {
36 |                             reader.Read();
37 |                         }
38 |                     }
39 |                 }
40 | 
41 |                 return ret;
42 |             }</set-body>
43 |         </return-response>
44 |     </inbound>
45 |     <backend>
46 |         <base />
47 |     </backend>
48 |     <outbound>
49 |         <base />
50 |     </outbound>
51 |     <on-error>
52 |         <base />
53 |     </on-error>
54 | </policies>


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
 1 | # Azure API Management Policy Snippets
 2 | 
 3 | # Policy Toolkit
 4 | 
 5 | [Azure API Management policy toolkit](https://github.com/Azure/azure-api-management-policy-toolkit) is a set of libraries and tools for authoring policy documents for Azure API Management. The toolkit was designed to help create and test policy documents with complex expressions.
 6 | 
 7 | # Examples
 8 | 
 9 | The `examples/` folder contains policy examples contributed by the product team and the user community. The samples are meant to be re-used verbatim, provide inspiration or serve as learning aids. Some of them are parameterized using [Named Values](https://docs.microsoft.com/en-us/azure/api-management/api-management-howto-properties) (formerly known as Properties), which look like this: `{{some-value}}`. When using parametrized samples, you will have to either define relevant Named Values or replace them with values in place.
10 | 
11 | # Policy expressions cheat-sheet
12 | 
13 | The `policy-expressions` folder contains a [cheat-sheet](policy-expressions/README.md) with common policy expressions that are often used when authoring Azure API Management policies.
14 | 
15 | # Visual Studio Code snippets
16 | 
17 | The `vscode-snippets/` folder contains user snippets for Visual Studio Code. User snippets are helpful for streamlining workflow and simplifying document editing with autocomplete and easy navigation. Please, refer to the [Visual Studio Code documentation](https://code.visualstudio.com/docs/editor/userdefinedsnippets) on how to use them.
18 | 
19 | ![Azure API Management VS Code User Snippet 1](media/vscode-snippets/apim-vscode-snippets-1.png)
20 | 
21 | ![Azure API Management VS Code User Snippet 2](media/vscode-snippets/apim-vscode-snippets-2.png)
22 | 
23 | ![Azure API Management VS Code User Snippet 3](media/vscode-snippets/apim-vscode-snippets-3.png)
24 | 
25 | # Helpful Links
26 | 
27 | - [Policies Reference](https://docs.microsoft.com/en-us/azure/api-management/api-management-policies)
28 | - [Policy Expressions](https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions)
29 | - [Handling Errors in Policies](https://docs.microsoft.com/en-us/azure/api-management/api-management-error-handling-policies)
30 | - [Policy Toolkit](https://github.com/Azure/azure-api-management-policy-toolkit)
31 | - [APIM Samples](https://aka.ms/apim/samples)
32 | 
33 | To learn about Azure API Management go [here](https://azure.microsoft.com/en-us/services/api-management/).
34 | 
35 | # Contributing
36 | 
37 | This project has adopted the [Microsoft Open Source Code of Conduct](https://opensource.microsoft.com/codeofconduct/). For more information see the [Code of Conduct FAQ](https://opensource.microsoft.com/codeofconduct/faq/) or contact [opencode@microsoft.com](mailto:opencode@microsoft.com) with any additional questions or comments.
38 | 


--------------------------------------------------------------------------------
/examples/Call out to an HTTP endpoint and cache the response.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file shows how to use a few policies to add a capability to a backend service. -->
 2 | 
 3 | <!-- https://darksky.net/dev API was used as a backend service in this example. The snippet contains enough information for reconstituting the setup and testing the policy. -->
 4 | <!-- The snippet shows how to accept a name of the place instead of latitude and longitude in a weather forecast API. -->
 5 | 
 6 | <!-- Copy the following snippet into the inbound section and look at the trace window to see it work. -->
 7 | 
 8 | <policies>
 9 |   <inbound>
10 |     <base />
11 |     <!-- Check if lat/long has already been cached for this place and fetch it into a variable. -->
12 |     <cache-lookup-value key="@(context.Request.MatchedParameters.GetValueOrDefault("place", ""))" variable-name="latlong"/>
13 | 
14 |     <!-- If no lat/long found, use external API to get lat/long of the place and cache it. -->
15 |     <choose>
16 |       <when condition="@(!context.Variables.ContainsKey("latlong="""))">
17 | 
18 |         <!-- Lookup lat/long for the place. -->
19 |         <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
20 |           <set-url>
21 |             @{
22 |             var code = context.Request.MatchedParameters.GetValueOrDefault("place");
23 |             var key = "{{google-geo-api-key}}";
24 |             return $"https://maps.googleapis.com/maps/api/geocode/json?address={code}&key={key}";
25 |             }
26 |           </set-url>
27 |           <set-method>GET</set-method>
28 |         </send-request>
29 | 
30 |         <!-- Extract a JSON object containing lat/long from the response and serialize it into a variable. -->
31 |         <set-variable name="latlong" value="@(((IResponse)context.Variables["response="""]).Body.As<JObject>
32 |           ()["results"][0]["geometry"]["location"].ToString())"/>
33 | 
34 |           <!-- Cache lat/long for a an hour (coould be for much longer of course, since places don't move very often). -->
35 |           <cache-store-value key="@(context.Request.MatchedParameters.GetValueOrDefault("latlong="""))" value="@((string)context.Variables["latlong="""])" duration="3600"/>
36 |         </when>
37 |     </choose>
38 | 
39 |     <!-- Change forwarding URL to the form expected by the backend, i.e. containing the key and lat/lng.  -->
40 |     <rewrite-uri template="@{
41 |             var loc = JObject.Parse((string)context.Variables["latlong=""
42 |                                lat=""
43 |                                lng=""
44 |                          forecast=""/{{dark-sky-api-key}}/{lat},{lng}";}"/>
45 | 
46 |   </inbound>
47 |   <backend>
48 |     <base />
49 |   </backend>
50 |   <outbound>
51 |     <base />
52 |   </outbound>
53 |   <on-error>
54 |     <base />
55 |   </on-error>
56 | </policies>
57 | 


--------------------------------------------------------------------------------
/SECURITY.md:
--------------------------------------------------------------------------------
 1 | <!-- BEGIN MICROSOFT SECURITY.MD V0.0.7 BLOCK -->
 2 | 
 3 | ## Security
 4 | 
 5 | Microsoft takes the security of our software products and services seriously, which includes all source code repositories managed through our GitHub organizations, which include [Microsoft](https://github.com/Microsoft), [Azure](https://github.com/Azure), [DotNet](https://github.com/dotnet), [AspNet](https://github.com/aspnet), [Xamarin](https://github.com/xamarin), and [our GitHub organizations](https://opensource.microsoft.com/).
 6 | 
 7 | If you believe you have found a security vulnerability in any Microsoft-owned repository that meets [Microsoft's definition of a security vulnerability](https://aka.ms/opensource/security/definition), please report it to us as described below.
 8 | 
 9 | ## Reporting Security Issues
10 | 
11 | **Please do not report security vulnerabilities through public GitHub issues.**
12 | 
13 | Instead, please report them to the Microsoft Security Response Center (MSRC) at [https://msrc.microsoft.com/create-report](https://aka.ms/opensource/security/create-report).
14 | 
15 | If you prefer to submit without logging in, send email to [secure@microsoft.com](mailto:secure@microsoft.com).  If possible, encrypt your message with our PGP key; please download it from the [Microsoft Security Response Center PGP Key page](https://aka.ms/opensource/security/pgpkey).
16 | 
17 | You should receive a response within 24 hours. If for some reason you do not, please follow up via email to ensure we received your original message. Additional information can be found at [microsoft.com/msrc](https://aka.ms/opensource/security/msrc). 
18 | 
19 | Please include the requested information listed below (as much as you can provide) to help us better understand the nature and scope of the possible issue:
20 | 
21 |   * Type of issue (e.g. buffer overflow, SQL injection, cross-site scripting, etc.)
22 |   * Full paths of source file(s) related to the manifestation of the issue
23 |   * The location of the affected source code (tag/branch/commit or direct URL)
24 |   * Any special configuration required to reproduce the issue
25 |   * Step-by-step instructions to reproduce the issue
26 |   * Proof-of-concept or exploit code (if possible)
27 |   * Impact of the issue, including how an attacker might exploit the issue
28 | 
29 | This information will help us triage your report more quickly.
30 | 
31 | If you are reporting for a bug bounty, more complete reports can contribute to a higher bounty award. Please visit our [Microsoft Bug Bounty Program](https://aka.ms/opensource/security/bounty) page for more details about our active programs.
32 | 
33 | ## Preferred Languages
34 | 
35 | We prefer all communications to be in English.
36 | 
37 | ## Policy
38 | 
39 | Microsoft follows the principle of [Coordinated Vulnerability Disclosure](https://aka.ms/opensource/security/cvd).
40 | 
41 | <!-- END MICROSOFT SECURITY.MD BLOCK -->
42 | 


--------------------------------------------------------------------------------
/examples/Get X-CSRF token from SAP gateway using send request.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file shows how to implement X-CSRF pattern used by many APIs. The example is specific to SAP Gateway.  -->
 2 | 
 3 | <!--	Detailed description of the scenario and solution can be found on: -->
 4 | <!--      https://github.com/MartinPankraz/AzureSAPODataReader. -->
 5 | 
 6 | <policies>
 7 |   <inbound>
 8 |     <base/>
 9 |     <choose>
10 |       <!-- CSRF-token only required for every operation other than GET or HEAD -->
11 |       <when condition="@(context.Request.Method != "GET" && context.Request.Method != "HEAD")">
12 |           <!-- Creating a HEAD subrequest to save request overhead and get the SAP CSRF token and cookie.-->
13 |           <send-request mode="new" response-variable-name="SAPCSRFToken" timeout="10" ignore-error="false">
14 |               <set-url>@(context.Request.Url.ToString())</set-url>
15 |               <set-method>HEAD</set-method>
16 |               <set-header name="X-CSRF-Token" exists-action="override">
17 |                   <value>Fetch</value>
18 |               </set-header>
19 |               <set-header name="Authorization" exists-action="override">
20 |                   <!-- forward authorization for csrf token fetch -->
21 |                   <value>@(context.Request.Headers.GetValueOrDefault("Authorization"))</value>
22 |               </set-header>
23 |           </send-request>
24 |           <!-- Extract the token and cookie from the "SAPCSRFToken" and set as header in the POST request. -->
25 |           <choose>
26 |             <when condition="@(((IResponse)context.Variables["SAPCSRFToken"]).StatusCode == 200)">
27 |               <set-header name="X-CSRF-Token" exists-action="override">
28 |                   <value>@(((IResponse)context.Variables["SAPCSRFToken"]).Headers.GetValueOrDefault("x-csrf-token"))</value>
29 |               </set-header>
30 |               <set-header name="Cookie" exists-action="override">
31 |                   <value>@{
32 |                     string rawcookie = ((IResponse)context.Variables["SAPCSRFToken"]).Headers.GetValueOrDefault("Set-Cookie");
33 |                     string[] cookies = rawcookie.Split(';');
34 |                                 /* new session sends a XSRF cookie */
35 |                     string xsrftoken = cookies.FirstOrDefault( ss => ss.Contains("sap-XSRF"));
36 |                                 /* existing sessions sends a SessionID. No other cases anticipated at this point. Please create a GitHub Pull-Request if you encounter uncovered settings. */
37 |                                 if(xsrftoken == null){
38 |                                     xsrftoken = cookies.FirstOrDefault( ss => ss.Contains("SAP_SESSIONID"));
39 |                                 }
40 |                                 
41 |                     return xsrftoken.Split(',')[1];}</value>
42 |               </set-header>
43 |             </when>
44 |           </choose>
45 |       </when>
46 |     </choose>
47 |   </inbound>
48 |   <backend>
49 |     <base/>
50 |   </backend>
51 |   <outbound>
52 |     <base/>
53 |   </outbound>
54 |   <on-error>
55 |     <base/>
56 |   </on-error>
57 | </policies>
58 | 


--------------------------------------------------------------------------------
/examples/Backend OAuth2 Authentication With Cache.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file provides an example of using OAuth2 for authorization between the gateway and a backend -->
 2 | <!-- It shows how to obtain an access token from AAD, cache it for a configurable amount of time and forward it to the backend. -->
 3 | <!-- The sample is based on the original OAuth2 example provided previously -->
 4 | 
 5 | <!-- Send request to AAD to obtain a bearer token -->
 6 | <!-- Parameters: authorizationServer - format https://login.windows.net/TENANT-GUID/oauth2/token -->
 7 | <!-- Parameters: scope - a URI encoded scope value -->
 8 | <!-- Parameters: clientId - an id obtained during app registration -->
 9 | <!-- Parameters: clientSecret - a URL encoded secret, obtained during app registration -->
10 | 
11 | 
12 | <!-- Copy the following snippet into the inbound section. -->
13 | <policies>
14 |     <inbound>
15 |         <base />
16 |         <cache-lookup-value key="@("bearerToken")" variable-name="bearerToken" />
17 |         <choose>
18 |             <when condition="@(!context.Variables.ContainsKey("bearerToken"))">
19 |                 <send-request ignore-error="true" timeout="20" response-variable-name="accessTokenResult" mode="new">
20 |                     <set-url>{{authorizationServer}}</set-url>
21 |                     <set-method>POST</set-method>
22 |                     <set-header name="Content-Type" exists-action="override">
23 |                         <value>application/x-www-form-urlencoded</value>
24 |                     </set-header>
25 |                     <set-body>@{
26 |               return "client_id={{clientId}}&scope={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
27 |                     }</set-body>
28 |                 </send-request>
29 |                 <set-variable name="accessToken" value="@(((IResponse)context.Variables["accessTokenResult"]).Body.As<JObject>())" />
30 |                 <set-variable name="bearerToken" value="@((string)((JObject)context.Variables["accessToken"])["access_token"])" />
31 |                 <set-variable name="tokenDurationSeconds" value="@((int)((JObject)context.Variables["accessToken"])["expires_in"])" />
32 |                 <cache-store-value key="bearerToken" value="@((string)context.Variables["bearerToken"])" duration="@((int)context.Variables["tokenDurationSeconds"])" />
33 |             </when>
34 |         </choose>
35 |         <set-header name="Authorization" exists-action="override">
36 |             <value>@("Bearer " + (string)context.Variables["bearerToken"])</value>
37 |         </set-header>
38 |         <!--  Don't expose APIM subscription key to the backend. -->
39 |         <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
40 |     </inbound>
41 |     <backend>
42 |         <base />
43 |     </backend>
44 |     <outbound>
45 |         <choose>
46 |             <when condition="@(context.Response.StatusCode == 401 || context.Response.StatusCode == 403)">
47 |                 <cache-remove-value key="bearerToken" />
48 |             </when>
49 |         </choose>
50 |         <base />
51 |     </outbound>
52 |     <on-error>
53 |         <base />
54 |     </on-error>
55 | </policies>
56 | 


--------------------------------------------------------------------------------
/examples/DELETE a from to blobStorage account.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample is a request that Azure API Management service produces into a blob storage account to delete a file with metada.
 3 | 
 4 |     This intends to authenticate with managed-identity account between Azure API Management service and the storage account.
 5 |     If you want, you can specify another account to get the token:
 6 |     
 7 |         <authentication-managed-identity resource="https://storage.azure.com/" client-id="{application-id}" output-token-variable-name="msi-access-token" ignore-error="false" />
 8 | 
 9 |     Usage:         
10 |         StorageAccount.Name => as named value on you Azure API Management service instance with the values of the storage account name;
11 |         blobContainer => as part of the HTTP request path with name of the storage container to save/get the file;
12 |         fileNameWithExtension => as part of the HTTP request path with name and extension of the file you want to save/get;
13 |         Gateway.Name => as named value on you Azure API Management service with the custom domain of the gateway;
14 | 
15 |     Maintainer: gfchaves
16 | -->
17 | <policies>
18 |     <inbound>
19 |         <base />
20 |         <!-- First get the auth token with managed-identity from the storage account and save it on a output token -->
21 |         <authentication-managed-identity resource="https://storage.azure.com/" output-token-variable-name="msi-access-token" ignore-error="false" />
22 |         
23 |         <!-- Send the DELETE request with metadata -->
24 |         <send-request mode="new" response-variable-name="result" timeout="300" ignore-error="false">
25 |             <!-- Get variables to configure your: storageaccount, destination container and file name with extension -->            
26 |             <set-url>@{ return "https://{{StorageAccount.Name}}.blob.core.windows.net/" + (string)context.Request.MatchedParameters("blobContainer") + "/" + (string)context.Request.MatchedParameters("fileNameWithExtension",""); }</set-url>            
27 |             <set-method>DELETE</set-method>
28 |             <set-header name="Host" exists-action="override">
29 |                 <value>{{StorageAccount.Name}}.blob.core.windows.net</value>
30 |             </set-header>
31 |             <set-header name="User-Agent" exists-action="override">
32 |                 <value>{{Gateway.Name}}</value>
33 |             </set-header>          
34 |             <set-header name="X-Ms-Version" exists-action="override">
35 |                 <value>2019-12-12</value>
36 |             </set-header>         
37 |             <!-- Set the header with authorization bearer token that was previously requested -->
38 |             <set-header name="Authorization" exists-action="override">
39 |                 <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
40 |             </set-header>            
41 |         </send-request>
42 |         <!-- Returns directly the response from the storage account -->
43 |         <return-response response-variable-name="result" />
44 |     </inbound>
45 |     <backend>
46 |         <base />
47 |     </backend>
48 |     <outbound>
49 |         <base />
50 |     </outbound>
51 |     <on-error>
52 |         <base />
53 |     </on-error>
54 | </policies>
55 | 


--------------------------------------------------------------------------------
/examples/Authorize requests using external authorizer.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file shows how to secure API access by using an external authorizer encapsulating custom authentication/authorization logic.
 2 | 
 3 |      In this sample we assume that:
 4 | 
 5 |         External authorizer evaluates only the information contained within the Authorization header. Alternatively, for example, a full copy of the incoming request can be forwarded to the authorizer by setting "mode" to copy in the send-request policy.
 6 | 
 7 |         External authorizer URL is stored in a named value called "authorizer-url" and is secured with a key included in a query parameter.
 8 | 
 9 |         External authorizer responds with a JSON object containing a property called "status" that is set to 200 if authorization was successful and 403 if it wasn't.
10 | -->
11 | 
12 | <!-- Copy the following snippet into the inbound section and look at the trace window to see it work. -->
13 | 
14 | <policies>
15 |     <inbound>
16 |         <base/>
17 |         <!-- Ensure presence of Authorization header -->
18 |         <choose>
19 |             <when condition="@(!context.Request.Headers.ContainsKey("Authorization"))">
20 |                 <return-response>
21 |                     <set-status code="401" reason="Unauthorized" />
22 |                     <set-header name="WWW-Authenticate" exists-action="append">
23 |                         <value>@("Bearer realm="+context.Request.OriginalUrl.Host)</value>
24 |                     </set-header>
25 |                 </return-response>
26 |             </when>
27 |         </choose>
28 |         <!-- Check for cached authorization status for the subject -->
29 |         <cache-lookup-value key="@(context.Request.Headers.GetValueOrDefault("Authorization"))" variable-name="status"/>
30 |         <choose>
31 |             <!--
32 | 			    If a cache miss call external authorizer
33 | 		    -->
34 |             <when condition="@(!context.Variables.ContainsKey("status"))">
35 |                 <!-- Invoke -->
36 |                 <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
37 |                     <set-url>{{authorizer-url}}</set-url>
38 |                     <set-method>GET</set-method>
39 |                     <set-header name="Authorization" exists-action="override">
40 |                         <value>@(context.Request.Headers.GetValueOrDefault("Authorization"))</value>
41 |                     </set-header>
42 |                 </send-request>
43 |                 <!-- Extract authorization status from authorizer's response -->
44 |                 <set-variable name="status" value="@(((IResponse)context.Variables["response"]).Body.As<JObject>()["status"].ToString())"/>
45 |                 <!-- Cache authorization result -->
46 |                 <cache-store-value key="@(context.Request.Headers.GetValueOrDefault("Authorization"))" value="@((string)context.Variables["status"])" duration="5"/>
47 |             </when>
48 |         </choose>
49 |         <!-- Authorize the request -->
50 |         <choose>
51 |             <when condition="@((string)context.Variables["status"] == "403")">
52 |                 <return-response>
53 |                     <set-status code="403" reason="Forbidden" />
54 |                 </return-response>
55 |             </when>
56 |         </choose>
57 |     </inbound>
58 |     <backend>
59 |         <base/>
60 |     </backend>
61 |     <outbound>
62 |         <base/>
63 |     </outbound>
64 | </policies>
65 | 


--------------------------------------------------------------------------------
/examples/Back-end API redundancy.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy routes calls to the closest of two backend services, and fails over to the secondary if an HTTP 404 is returned.
 3 |     
 4 |     It assumes that the API Manager is deployed in 'East US' and 'West Europe'. Similarly the policy (as is) assumes two backend services, in the same regions, vis:
 5 |         https://hello-eus.azurewebsites.net/  (for East US); and
 6 |         https://hello-weu.azurewebsites.net/  (for West Europe)
 7 | 
 8 |     If a failure (HTTP 404) is returned from the backend service, the policy will re-route the call to the fail-over region.
 9 |     The policy uses cached values to track which service has returned an error in the last 10 seconds, to avoid routing new requests to a backend which will likely fail.
10 | -->
11 | <policies>
12 |     <inbound>
13 |         <base />
14 |         <set-backend-service base-url="https://hello-eus.azurewebsites.net/" />
15 |         <choose>
16 |             <when condition="@(context.Deployment.Region.Equals("east us", System.StringComparison.InvariantCultureIgnoreCase))">
17 |                 <set-backend-service base-url="https://hello-eus.azurewebsites.net/" />
18 |                 <cache-lookup-value key="@("eus-down")" variable-name="is-eus-down" />
19 |                 <choose>
20 |                     <when condition="@(context.Variables.GetValueOrDefault<bool>("is-eus-down"))">
21 |                         <set-backend-service base-url="https://hello-weu.azurewebsites.net/" />
22 |                     </when>
23 |                 </choose>
24 |             </when>
25 |             <when condition="@(context.Deployment.Region.Equals("west europe", System.StringComparison.InvariantCultureIgnoreCase))">
26 |                 <set-backend-service base-url="https://hello-weu.azurewebsites.net/" />
27 |                 <cache-lookup-value key="@("weu-down")" variable-name="is-weu-down" />
28 |                 <choose>
29 |                     <when condition="@(context.Variables.GetValueOrDefault<bool>("is-weu-down"))">
30 |                         <set-backend-service base-url="https://hello-eus.azurewebsites.net/" />
31 |                     </when>
32 |                 </choose>
33 |             </when>
34 |         </choose>
35 |     </inbound>
36 |     <backend>
37 |         <retry condition="@(context.Response.StatusCode == 404)" count="2" interval="1" max-interval="10" delta="1" first-fast-retry="true">
38 |             <choose>
39 |                 <when condition="@(context.Response != null && (context.Response.StatusCode == 404))">
40 |                     <choose>
41 |                         <when condition="@(context.Request.Url.Host.Contains("hello-eus.azurewebsites.net"))">
42 |                             <set-backend-service base-url="https://hello-weu.azurewebsites.net" />
43 |                             <cache-store-value key="@("eus-down")" value="@(true)" duration="10" />
44 |                         </when>
45 |                         <otherwise>
46 |                             <set-backend-service base-url="https://hello-eus.azurewebsites.net" />
47 |                             <cache-store-value key="@("weu-down")" value="@(true)" duration="10" />
48 |                         </otherwise>
49 |                     </choose>
50 |                 </when>
51 |             </choose>
52 |             <forward-request />
53 |         </retry>
54 |     </backend>
55 |     <outbound>
56 |         <base />
57 |     </outbound>
58 |     <on-error>
59 |         <base />
60 |     </on-error>
61 | </policies>


--------------------------------------------------------------------------------
/examples/Query CosmosDB.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to query CosmosDB in policies -->
 2 | 
 3 | <!-- The CosmosDB REST API is documented here: https://docs.microsoft.com/en-us/rest/api/documentdb/querying-documentdb-resources-using-the-rest-api-->
 4 | 
 5 | <!-- More detailed explanation can be found in this blog post: https://anthonychu.ca/post/azure-api-management-look-up-user-cosmos-db/ -->
 6 | 
 7 | 
 8 | <policies>
 9 |     <inbound>
10 |         <base />
11 |         <set-variable name="requestDateString" value="@(DateTime.UtcNow.ToString("r"))" />
12 |         <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
13 |             <set-url>https://{database-account}.documents.azure.com/dbs/{db}/colls/{coll}/docs</set-url>
14 |             <set-method>POST</set-method>
15 |             <set-header name="Authorization" exists-action="override">
16 |                 <value>@{
17 |           var verb = "post";
18 |           var resourceType = "docs";
19 |           var resourceLink = "";
20 |           var key = "";
21 |           var keyType = "master";
22 |           var tokenVersion = "1.0";
23 |           var date = context.Variables.GetValueOrDefault<string>("requestDateString");
24 | 
25 |           var hmacSha256 = new System.Security.Cryptography.HMACSHA256 { Key = Convert.FromBase64String(key) };  
26 | 
27 |           verb = verb ?? "";  
28 |           resourceType = resourceType ?? "";
29 |           resourceLink = resourceLink ?? "";
30 | 
31 |           string payLoad = string.Format("{0}\n{1}\n{2}\n{3}\n{4}\n",  
32 |                   verb.ToLowerInvariant(),  
33 |                   resourceType.ToLowerInvariant(),  
34 |                   resourceLink,  
35 |                   date.ToLowerInvariant(),  
36 |                   ""  
37 |           );  
38 | 
39 |           byte[] hashPayLoad = hmacSha256.ComputeHash(System.Text.Encoding.UTF8.GetBytes(payLoad));  
40 |           string signature = Convert.ToBase64String(hashPayLoad);  
41 | 
42 |           return System.Uri.EscapeDataString(String.Format("type={0}&ver={1}&sig={2}",  
43 |               keyType,  
44 |               tokenVersion,  
45 |               signature));
46 |         }</value>
47 |             </set-header>
48 |             <set-header name="Content-Type" exists-action="override">
49 |                 <value>application/query+json</value>
50 |             </set-header>
51 |             <set-header name="x-ms-documentdb-isquery" exists-action="override">
52 |                 <value>True</value>
53 |             </set-header>
54 |             <set-header name="x-ms-date" exists-action="override">
55 |                 <value>@(context.Variables.GetValueOrDefault<string>("requestDateString"))</value>
56 |             </set-header>
57 |             <set-header name="x-ms-version" exists-action="override">
58 |                 <value>2017-02-22</value>
59 |             </set-header>
60 |             <set-header name="x-ms-query-enable-crosspartition" exists-action="override">
61 |                 <value>true</value>
62 |             </set-header>
63 |             <set-body>
64 |         @("{\"query\": \"SELECT * FROM c WHERE c.id = @id\", " +
65 |           "\"parameters\": [{ \"name\": \"@id\", \"value\": \"" + context.User.Id + "\"}]}")
66 |       </set-body>
67 |         </send-request>
68 |     </inbound>
69 |     <backend>
70 |         <base />
71 |     </backend>
72 |     <outbound>
73 |         <base />
74 |     </outbound>
75 |     <on-error>
76 |         <base />
77 |     </on-error>
78 | </policies>


--------------------------------------------------------------------------------
/examples/Look up Key Vault certificate using Managed Service Identity and call backend.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     The policy defined in this file demonstrates how to retrieve a secret from Key Vault using Managed Identity for authentication.
 3 |     This is useful when secrets or other secure data is required from Key Vault to use when calling backends or any other purpose.
 4 |     Cache is used to avoid calling Key Vault on every request and duration attribute on line 31 controls how often to call Key Vault to fetch the secret. 
 5 | 
 6 |     This example shows how to retrieve the latest version of a secret called 'mycert' from a Key Vault called 'msikvtest', which you should change to your own. All it does is call the Key Vault Rest API via send-request using the Managed Identity authorization method, and responds with the response of the Key Vault Rest API call using return-response.
 7 |     Make sure to enable Managed Identities on your API Management instance, and add the appropriate Access Policy in Key Vault so that your API Management account's Managed Identity principal can access secrets. You can use the Azure CLI to find the name of the principal by using 'az ad sp show' and pass it the principal ID, and then use that name when configuring the Key Vault access policy.
 8 |     User assigned identity can be used by adding the optional client-id attribute on line 26
 9 | 
10 |     NOTE - You should not use return secrets in your responses when running in production as this expose your secrets and introduces a security risk of credential leaking without the vault owner knowing it.
11 |            People should request access to the vault owner and consume the secrets from there instead of via a wrapping API.
12 |            However, it clearly shows how easily you can integrate with MSI and can be used for POC purposes
13 |      
14 |     HINT - sending the request to 3rd party test service like https://server.cryptomix.com/secure/ or https://prod.idrix.eu/secure/ can return certificate properties for testing.
15 | 
16 | -->
17 | <policies>
18 |     <inbound>
19 |         <!-- check the cache for secret first -->
20 |         <cache-lookup-value key="mycert" variable-name="keyVaultCertBase64" />
21 |         <!-- call Key Vault if secret is not found in the cache -->
22 |         <choose>
23 |             <when condition="@(!context.Variables.ContainsKey("keyVaultCertBase64"))">
24 |                 <send-request mode="new" response-variable-name="keyVaultCertResponse" timeout="20" ignore-error="false">
25 |                     <set-url>https://msikvtest.vault.azure.net/secrets/mycert/?api-version=2016-10-01</set-url>
26 |                     <set-method>GET</set-method>
27 |                     <authentication-managed-identity resource="https://vault.azure.net" />
28 |                 </send-request>
29 |                 <!-- transform response to string and store in cache -->
30 |                 <set-variable name="keyVaultCertBase64" value="@(((IResponse)context.Variables["keyVaultCertResponse"]).Body.As<JObject>()["value"].ToString())" />
31 |                 <cache-store-value key="mycert" value="@((string)context.Variables["keyVaultCertBase64"])" duration="3600" />
32 |             </when>
33 |         </choose>
34 | 
35 |         <authentication-certificate body="@(Convert.FromBase64String((string)context.Variables["keyVaultCertBase64"]))" />
36 |         <base />
37 |     </inbound>
38 |     <backend>
39 |         <base />
40 |     </backend>
41 |     <outbound>
42 |         <base />
43 |     </outbound>
44 |     <on-error>
45 |         <base />
46 |     </on-error>
47 | </policies>
48 | 


--------------------------------------------------------------------------------
/examples/Look up Key Vault secret using Managed Service Identity.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     The policy defined in this file demonstrates how to retrieve a secret from Key Vault using Managed Identity for authentication.
 3 |     This is useful when secrets or other secure data is required from Key Vault to use when calling backends or any other purpose.
 4 |     Cache is used to avoid calling Key Vault on every request and duration attribute on line 31 controls how often to call Key Vault to fetch the secret. 
 5 | 
 6 |     This example shows how to retrieve the latest version of a secret called 'mysecret' from a Key Vault called 'msikvtest', which you should change to your own. All it does is call the Key Vault Rest API via send-request using the Managed Identity authorization method, and responds with the response of the Key Vault Rest API call using return-response.
 7 |     Make sure to enable Managed Identities on your API Management instance, and add the appropriate Access Policy in Key Vault so that your API Management account's Managed Identity principal can access secrets. You can use the Azure CLI to find the name of the principal by using 'az ad sp show' and pass it the principal ID, and then use that name when configuring the Key Vault access policy.
 8 |     User assigned identity can be used by adding the optional client-id attribute on line 26
 9 | 
10 |     NOTE - You should not use return secrets in your responses when running in production as this expose your secrets and introduces a security risk of credential leaking without the vault owner knowing it.
11 |            People should request access to the vault owner and consume the secrets from there instead of via a wrapping API.
12 |            However, it clearly shows how easily you can integrate with MSI and can be used for POC purposes
13 |     
14 |     Maintainer: @nzthiago
15 | -->
16 | <policies>
17 |     <inbound>
18 |         <!-- check the cache for secret first -->
19 |         <cache-lookup-value key="mysecret" variable-name="keyvaultsecretResponse" />
20 |         <!-- call Key Vault if not found in cache -->
21 |         <choose>
22 |             <when condition="@(!context.Variables.ContainsKey("keyvaultsecretResponse"))">
23 |                 <send-request mode="new" response-variable-name="keyvaultsecret" timeout="20" ignore-error="false">
24 |                     <set-url>https://msikvtest.vault.azure.net/secrets/mysecret/?api-version=7.0</set-url>
25 |                     <set-method>GET</set-method>
26 |                     <authentication-managed-identity resource="https://vault.azure.net" />
27 |                 </send-request>
28 | 
29 |                 <!-- transform response to string and store in cache -->
30 |                 <set-variable name="keyvaultsecretResponse" value="@(((IResponse)context.Variables["keyvaultsecret"]).Body.As<string>())" />
31 |                 <cache-store-value key="mysecret" value="@((string)context.Variables["keyvaultsecretResponse"])" duration="3600" />
32 |             </when>
33 |         </choose>
34 |         <return-response>
35 |             <set-status code="200" reason="Done" />
36 |             <set-header name="content-type" exists-action="override">
37 |                 <value>application/json</value>
38 |             </set-header>
39 |             <set-body>@((string)context.Variables["keyvaultsecretResponse"])</set-body>
40 |         </return-response>
41 |         <base />
42 |     </inbound>
43 |     <backend>
44 |         <base />
45 |     </backend>
46 |     <outbound>
47 |         <base />
48 |     </outbound>
49 |     <on-error>
50 |         <base />
51 |     </on-error>
52 | </policies>
53 | 


--------------------------------------------------------------------------------
/examples/Trigger Azure Data Factory Pipeline.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     Provide the capability to trigger a specific Azure Data Factory Pipeline without parameters.
 3 |     The authentication handshake with Azure Management REST API is handled in the policy itself so that consumers do not need to manage this
 4 |     
 5 |     Maintainer: @tomkerkhove
 6 | -->
 7 | <policies>
 8 |     <inbound>
 9 |         <base />
10 |         
11 |         <!-- Authenticate by using a service pricinciple -->
12 |         <!-- <cache-lookup-value key="azureManagementApiTokenCacheKey" default-value="-noToken-" variable-name="azureManagementApiToken" />
13 |         <choose>
14 |             <when condition="@((string)context.Variables["azureManagementApiToken"] == "-noToken-")">
15 |                 <send-request mode="new" response-variable-name="tokenResponse" timeout="5" ignore-error="false">
16 |                     <set-url>https://login.microsoftonline.com/{{ActiveDirectory-TenantId}}/oauth2/token</set-url>
17 |                     <set-method>POST</set-method>
18 |                     <set-header name="Content-Type" exists-action="override">
19 |                         <value>application/x-www-form-urlencoded</value>
20 |                     </set-header>
21 |                     <set-body>@{
22 |                        return "grant_type=client_credentials&client_id={{ServicePrinciple-ClientId}}&client_secret={{ServicePrinciple-ClientSecret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F";
23 |                        }</set-body>
24 |                 </send-request>
25 |                 <set-variable name="accessToken" value="@(((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"].ToString())" />
26 |                 <cache-store-value key="azureManagementApiTokenCacheKey" value="@((string)context.Variables.GetValueOrDefault("accessToken"))" duration="3000" />
27 |                 <set-header name="Authorization" exists-action="override">
28 |                     <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("accessToken"))))</value>
29 |                 </set-header>
30 |             </when>
31 |             <otherwise>
32 |                 <set-header name="Authorization" exists-action="override">
33 |                     <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("azureManagementApiToken"))))</value>
34 |                 </set-header>
35 |             </otherwise>
36 |         </choose> -->
37 | 
38 |         <!-- Authenticate by using a managed identity -->
39 |         <authentication-managed-identity resource="https://management.azure.com" ignore-error="false" output-token-variable-name="managed-identity-token" />
40 |         <set-header name="Authorization" exists-action="override">
41 |             <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("managed-identity-token"))))</value>
42 |         </set-header>
43 | 
44 |         <!-- Change backend service to talk to ARM APIs -->
45 |         <set-backend-service base-url="https://management.azure.com" />
46 |         <set-header name="Content-Type" exists-action="override">
47 |             <value>application/json</value>
48 |         </set-header>
49 |         <rewrite-uri template="subscriptions/{{Subscription-Id}}/resourceGroups/{{ResourceGroup-Name}}/providers/Microsoft.DataFactory/factories/{{DataFactory-Name}}/pipelines/{{Pipeline-Name}}/createRun?api-version=2017-09-01-preview" />
50 |     </inbound>
51 |     <backend>
52 |         <base />
53 |     </backend>
54 |     <outbound>
55 |         <base />
56 |     </outbound>
57 |     <on-error>
58 |         <base />
59 |     </on-error>
60 | </policies>
61 | 


--------------------------------------------------------------------------------
/examples/Handle Power Query access request to custom API.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample demonstrates how to respond to Power Query request to support the "Organizational Account" login flow for a downstream API.
 3 | 
 4 |     References:
 5 |         Expected response from Power Query docuementation:
 6 |             https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow
 7 |         
 8 |         How to map jwt token from AAD obtained via Power Query for SAP OData request and SAP OAuth Server
 9 |             https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Request%20OAuth2%20access%20token%20from%20SAP%20using%20AAD%20JWT%20token.xml
10 | 
11 |     IMPORTANT:
12 |         - Power Query requires a verifiable resource for the login process. Hence a custom domain for APIM needs to be configured.
13 |         - {{AADTenantID}} needs to be maintained via an APIM Named Value configuration.
14 |         - a672d62c-fc7b-4e81-a576-e60dc46e951d is the default client id for Power Query. It should be verified from the documentation: https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow
15 | -->
16 | <policies>
17 |     <inbound>
18 |         <base />
19 |         <choose>
20 |             <!-- if empty Bearer assume Power Query signin request as described here: https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow -->
21 |             <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization","").Trim().Equals("Bearer"))">
22 |                 <return-response>
23 |                     <set-status code="401" reason="Unauthorized" />
24 |                     <set-header name="WWW-Authenticate" exists-action="override">
25 |                         <value>Bearer authorization_uri=https://login.microsoftonline.com/{{AADTenantId}}/oauth2/v2.0/authorize?response_type=code%26client_id=a672d62c-fc7b-4e81-a576-e60dc46e951d</value>
26 |                     </set-header>
27 |                 </return-response>
28 |             </when>
29 |             <otherwise>
30 |                 <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer">
31 |                     <openid-config url="https://login.microsoftonline.com/{{AADTenantId}}/.well-known/openid-configuration" />
32 |                     <audiences>
33 |                         <audience>https://your-custom-apim-domain</audience>
34 |                     </audiences>
35 |                     <issuers>
36 |                         <issuer>https://sts.windows.net/{{AADTenantId}}/</issuer>
37 |                     </issuers>
38 |                     <required-claims>
39 |                         <claim name="scp" match="all" separator=" ">
40 |                             <value>user_impersonation</value>
41 |                         </claim>
42 |                     </required-claims>
43 |                 </validate-jwt>
44 |             </otherwise>
45 |         </choose>
46 |     </inbound>
47 |     <backend>
48 |         <base />
49 |     </backend>
50 |     <outbound>
51 |         <base />
52 |         <choose>
53 |             <!-- URL rewrite in body only required for GET -->
54 |             <when condition="@(context.Request.Method == "GET")">
55 |                 <!-- ensure downstream api metadata matches apim caller domain in Power Query -->
56 |                 <find-and-replace from="@(context.Api.ServiceUrl.Host +":"+ context.Api.ServiceUrl.Port + context.Api.ServiceUrl.Path)" to="@(context.Request.OriginalUrl.Host + ":" + context.Request.OriginalUrl.Port + context.Api.Path)" />
57 |             </when>
58 |         </choose>
59 |     </outbound>
60 |     <on-error>
61 |     </on-error>
62 | </policies>
63 | 


--------------------------------------------------------------------------------
/examples/Trigger Azure Data Factory Pipeline With Parameters.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- 
 2 |     Provide the capability to trigger a specific Azure Data Factory Pipeline with parameters.
 3 |     The authentication handshake with Azure Management REST API is handled in the policy itself so that consumers do not need to manage this.
 4 |     
 5 |     Maintainer: @tomkerkhove
 6 | -->
 7 | <policies>
 8 |     <inbound>
 9 |         <base />
10 |         
11 |         <!-- Authenticate by using a service pricinciple -->
12 |         <!-- <cache-lookup-value key="azureManagementApiTokenCacheKey" default-value="-noToken-" variable-name="azureManagementApiToken" />
13 |         <choose>
14 |             <when condition="@((string)context.Variables["azureManagementApiToken"] == "-noToken-")">
15 |                 <send-request mode="new" response-variable-name="tokenResponse" timeout="5" ignore-error="false">
16 |                     <set-url>https://login.microsoftonline.com/{{ActiveDirectory-TenantId}}/oauth2/token</set-url>
17 |                     <set-method>POST</set-method>
18 |                     <set-header name="Content-Type" exists-action="override">
19 |                         <value>application/x-www-form-urlencoded</value>
20 |                     </set-header>
21 |                     <set-body>@{
22 |                        return "grant_type=client_credentials&client_id={{ServicePrinciple-ClientId}}&client_secret={{ServicePrinciple-ClientSecret}}&resource=https%3A%2F%2Fmanagement.azure.com%2F";
23 |                        }</set-body>
24 |                 </send-request>
25 |                 <set-variable name="accessToken" value="@(((IResponse)context.Variables["tokenResponse"]).Body.As<JObject>()["access_token"].ToString())" />
26 |                 <cache-store-value key="azureManagementApiTokenCacheKey" value="@((string)context.Variables.GetValueOrDefault("accessToken"))" duration="3000" />
27 |                 <set-header name="Authorization" exists-action="override">
28 |                     <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("accessToken"))))</value>
29 |                 </set-header>
30 |             </when>
31 |             <otherwise>
32 |                 <set-header name="Authorization" exists-action="override">
33 |                     <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("azureManagementApiToken"))))</value>
34 |                 </set-header>
35 |             </otherwise>
36 |         </choose> -->
37 | 
38 |         <!-- Authenticate by using a managed identity -->
39 |         <authentication-managed-identity resource="https://management.azure.com" ignore-error="false" output-token-variable-name="managed-identity-token" />
40 |         <set-header name="Authorization" exists-action="override">
41 |             <value>@(String.Concat("Bearer ", ((string)context.Variables.GetValueOrDefault("managed-identity-token"))))</value>
42 |         </set-header>
43 | 
44 |         <!-- Change backend service to talk to ARM APIs -->
45 |         <set-backend-service base-url="https://management.azure.com" />
46 |         <set-header name="Content-Type" exists-action="override">
47 |             <value>application/json</value>
48 |         </set-header>
49 |         <set-body template="liquid">
50 |             {
51 |                 "UserEmailAddress": "{{context.Request.MatchedParameters["emailAddress"]}}"
52 |             }
53 |         </set-body>
54 |         <rewrite-uri template="subscriptions/{{Subscription-Id}}/resourceGroups/{{ResourceGroup-Name}}/providers/Microsoft.DataFactory/factories/{{DataFactory-Name}}/pipelines/{{Pipeline-Name}}/createRun?api-version=2017-09-01-preview" />
55 |     </inbound>
56 |     <backend>
57 |         <base />
58 |     </backend>
59 |     <outbound>
60 |         <base />
61 |     </outbound>
62 |     <on-error>
63 |         <base />
64 |     </on-error>
65 | </policies>
66 | 


--------------------------------------------------------------------------------
/examples/Create HMAC SHA256-Signed JWT.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample demonstrates the creation of a signed JSON Web Token using HMAC SHA256. As APIM is not an instrument to
 3 |     create JWT tokens, there is presently no policy to achieve this. The policy subsequently uses the JWT in the Authorization header.
 4 | 
 5 |     A use case may be that a different type of caller authentication such as basic auth (e.g. username/password) was used. Once 
 6 |     validated, you may want to create a JWT token containing the username and any number of claims that may be relevant to your backend.
 7 |     There may not be a need to involve your IDP for some of these scenarios, hence this policy snippet was created.
 8 |     
 9 |     Some references you may find useful:
10 | 
11 |     References:
12 |         To view the JWT RFC and verify a token with a secret:
13 |             https://datatracker.ietf.org/doc/html/rfc7519
14 |             https://jwt.io
15 |         
16 |         To quickly base64 encode/decode:
17 |             https://www.base64decode.org
18 |             https://www.base64encode.org
19 | 
20 |         To understand the difference between Base64 and Base64Url encoding and why it matters:
21 |             https://base64.guru/standards/base64url
22 | 
23 |         To verify the timestamp after you decode it with the JWT decoder:
24 |             https://www.epochconverter.com
25 | 
26 |     IMPORTANT:
27 |         {{hashing-secret}} is an APIM Named Value that should ideally be securely sourced from Key Vault in your Named Value configuration.
28 | -->
29 | <policies>
30 |     <inbound>
31 |         <base />
32 | 
33 |         <!-- Obtain the user_name or any other values to use for claims in this section. We are hard-coding username below for ease of example. -->
34 | 
35 |         <set-header name="Authorization" exists-action="override">
36 |             <value>@{
37 |                 // 1) Construct the Base64Url-encoded header
38 |                 var header = new { typ = "JWT", alg = "HS256" };
39 |                 var jwtHeaderBase64UrlEncoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(header))).Replace("/", "_").Replace("+", "-"). Replace("=", "");
40 |                 // As the header is a constant, you may use this equivalent Base64Url-encoded string instead to save the repetitive computation above.
41 |                 // var jwtHeaderBase64UrlEncoded = "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9";
42 | 
43 |                 // 2) Construct the Base64Url-encoded payload 
44 |                 var exp = new DateTimeOffset(DateTime.Now.AddMinutes(10)).ToUnixTimeSeconds();  // sets the expiration of the token to be 10 minutes from now
45 |                 var username = "john_doe";
46 |                 var payload = new { exp, username };
47 |                 var jwtPayloadBase64UrlEncoded = Convert.ToBase64String(Encoding.UTF8.GetBytes(JsonConvert.SerializeObject(payload))).Replace("/", "_").Replace("+", "-"). Replace("=", "");
48 | 
49 |                 // 3) Construct the Base64Url-encoded signature                
50 |                 var signature = new HMACSHA256(Encoding.UTF8.GetBytes("{{hashing-secret}}")).ComputeHash(Encoding.UTF8.GetBytes($"{jwtHeaderBase64UrlEncoded}.{jwtPayloadBase64UrlEncoded}"));
51 |                 var jwtSignatureBase64UrlEncoded = Convert.ToBase64String(signature).Replace("/", "_").Replace("+", "-"). Replace("=", "");
52 | 
53 |                 // 4) Return the HMAC SHA256-signed JWT as the value for the Authorization header
54 |                 return $"Bearer {jwtHeaderBase64UrlEncoded}.{jwtPayloadBase64UrlEncoded}.{jwtSignatureBase64UrlEncoded}"; 
55 |             }</value>
56 |         </set-header>
57 |     </inbound>
58 |     <backend>
59 |         <base />
60 |     </backend>
61 |     <outbound>
62 |         <base />
63 |     </outbound>
64 |     <on-error>
65 |         <base />
66 |     </on-error>
67 | </policies>
68 | 


--------------------------------------------------------------------------------
/examples/Extracting multiple values from xml documents.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- The policy defined in this file demonstrates how to work with multiple extract values from an xml document. -->
 2 | <!-- If you wanted to assign each of the values from a document to a variable you need to parse the document multiple times which is inefficient.
 3 |      The alternative is to parse the document once and extract the values into a json object variable.  The individual json properties can then be used in both policy expressions and liquid templates.   
 4 | -->
 5 | <!-- The following example assumes a send request call is made in the inbound policy that returns an xml document into a variable. -->
 6 | 
 7 | <policies>
 8 |     <inbound>
 9 |         <base />
10 |         <!-- Make a request to an additional api that will return the following xml response 
11 |         
12 |         <message1>
13 |             <conditionValue>true</conditionValue>
14 |             <value1>MESSAGE1_TEST1</value1>
15 |             <value2>MESSAGE1_TEST2</value2>
16 |             <value3>MESSAGE1_TEST3</value3>
17 |         </message1>
18 |         
19 |         -->
20 |         <send-request mode="new" response-variable-name="sendRequestResponse">
21 |             <set-url>{{my-send-request}}</set-url>
22 |             <set-method>GET</set-method>
23 |             <set-header name="Content-Type" exists-action="override">
24 |                 <value>text/xml</value>
25 |             </set-header>
26 |         </send-request>
27 | 
28 |         <!-- extract specific values from the sendRequestResponse variable into a Json Object -->
29 |         <set-variable name="jsonResponse" value="@{
30 | 
31 |             var doc = XDocument.Parse(((IResponse)context.Variables["sendRequestResponse"]).Body.As<string>());
32 | 
33 |             var obj = new JObject();
34 |             obj["conditionValue"] = doc.Descendants().Where(r=>r.Name.LocalName == "conditionValue").First().Value;
35 |             obj["value1"] = doc.Descendants().Where(r=>r.Name.LocalName == "value1").First().Value;
36 |             obj["value3"] = doc.Descendants().Where(r=>r.Name.LocalName == "value3").First().Value;
37 | 
38 |             return obj;
39 | 
40 |         }" />
41 |         <!-- The jsonResponse variable now contains an object that looks like this...
42 | 
43 |                 {
44 |                     "conditionValue": "true",
45 |                     "value1": "MESSAGE1_TEST1",
46 |                     "value3": "MESSAGE1_TEST3"
47 |                 } 
48 | 
49 |             Individual properties can then be referenced in expressions like this..  
50 |         -->
51 | 
52 |         <choose>
53 |             <when condition="@((bool)((JObject)context.Variables["jsonResponse"])["conditionValue"])">
54 |                 <!-- Do something when condition is met -->
55 |                 <trace source="My API" severity="verbose">
56 |                     <message>Condition was met</message>
57 |                 </trace>
58 |             </when>
59 |         </choose>
60 | 
61 |         <!-- Or in liquid transformations like this.. -->
62 |         
63 |         <return-response>
64 |             <set-status code="200" reason="" />
65 |             <set-header name="Content-Type" exists-action="override">
66 |                 <value>text/xml</value>
67 |             </set-header>
68 |             <set-body template="liquid">
69 |                 {%- assign vars = context.Variables["jsonResponse"] -%}
70 |                 <message3>
71 |                     <data val1="{{ vars['value1'] }}" val3="{{ vars['value3'] }}" />
72 |                 </message3>
73 |             </set-body>
74 |         </return-response>
75 | 
76 |     </inbound>
77 |     <backend>
78 |         <base />
79 |     </backend>
80 |     <outbound>
81 |         <base />
82 |     </outbound>
83 |     <on-error>
84 |         <base />
85 |     </on-error>
86 | </policies>


--------------------------------------------------------------------------------
/examples/Generate Azure Relay Token.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- This policy connects to an Azure Relay endpoint that is secured using RelayToken -->
 2 | <!-- It requires an Azure Relay service setup, and a Shared Acess Policy with at least Send permissions -->
 3 | <!-- Share Access policy name should be stored in Name Values in as accessKeyName name/value pair -->
 4 | <!-- Share Access policy key  should be stored in Name Values in as keyName name/value pair. Create this item as a secret for security. -->
 5 | <!-- If creating relay tokens at operation level, remember to create different cache values (e.g. relayTokenGet, relayTokenPut, so you don't overwrite existing tokens for different resources -->
 6 | <!-- Details on this policy can be found on https://notetoself.tech/2018/10/12/combining-api-management-with-azure-relays/ -->
 7 | <policies>
 8 | 	<inbound>
 9 | 		<!-- Add your wcf relay address as the base URL below -->
10 | 		<set-backend-service base-url="" />
11 | 		<!-- verify if there is a relaytoken key stored in cache -->
12 | 		<cache-lookup-value key="@("relaytoken")" variable-name="relaytoken" />
13 | 		<choose>
14 | 			<!-- If there is no key stored in cache -->
15 | 			<when condition="@(!context.Variables.ContainsKey("relaytoken"))">
16 | 				<set-variable name="resourceUri" value="@(context.Request.Url.ToString())" />
17 | 				<!-- Retrieve Shared Access Policy key from  Name Value store -->
18 | 				<set-variable name="accessKey" value="{{accessKey}}" />
19 | 				<!-- Retrieve Shared Access Policy key name from  Name Value store -->
20 | 				<set-variable name="keyName" value="{{accessKeyName}}" />
21 | 				<!-- Generate the relaytoken key -->
22 | 				<set-variable name="relaytoken" value="@{
23 |                     TimeSpan sinceEpoch = DateTime.UtcNow - new DateTime(1970, 1, 1);
24 |                     string expiry =  Convert.ToString((int)sinceEpoch.TotalSeconds + 3600);
25 |                     string resourceUri = (string)context.Variables["resourceUri"];
26 |                     string stringToSign = Uri.EscapeDataString (resourceUri) + "\n" + expiry;
27 |                     HMACSHA256 hmac = new HMACSHA256(Encoding.UTF8.GetBytes((string)context.Variables["accessKey"]));
28 |                     string signature = Convert.ToBase64String(hmac.ComputeHash(Encoding.UTF8.GetBytes(stringToSign)));
29 |                     string sasToken = String.Format("SharedAccessSignature sr={0}&sig={1}&se={2}&skn={3}",
30 |                     Uri.EscapeDataString(resourceUri), Uri.EscapeDataString(signature), expiry, context.Variables["keyName"]);
31 |                     return sasToken;
32 |                     }" />
33 | 				<!-- Store the relaytoken in the cache -->
34 | 				<cache-store-value key="relaytoken" value="@((string)context.Variables["relaytoken"])" duration="10" />
35 | 			</when>
36 | 		</choose>
37 | 		<!-- If the operation request uses json format, convert it to XML - Azure Relay expects XML format (based on WCF) -->
38 | 		<set-body template="liquid">
39 | 			<!-- set your body transformation here -->
40 | 		</set-body>
41 | 		<!-- Create the ServiceBusAuthorization header using the relaytoken as value -->
42 | 		<set-header name="ServiceBusAuthorization" exists-action="override">
43 | 			<value>@((string)context.Variables["relaytoken"])</value>
44 | 		</set-header>
45 | 		<!-- Set the content type to application/xml -->
46 | 		<set-header name="Content-Type" exists-action="override">
47 | 			<value>application/xml</value>
48 | 		</set-header>
49 | 		<base />
50 | 	</inbound>
51 | 	<backend>
52 | 		<base />
53 | 	</backend>
54 | 	<outbound>
55 | 	<!-- If the operation responses uses json format, convert it from XML - Azure Relay will return XML format (based on WCF) -->
56 | 		<set-body template="liquid">
57 | 			<!-- set your body transformation here -->
58 | 		</set-body>
59 | 		<!-- Set the content type to application/json -->
60 | 		<set-header name="Content-Type" exists-action="override">
61 | 			<value>application/json</value>
62 | 		</set-header>
63 | 	</outbound>
64 | 	<on-error>
65 | 		<base />
66 | 	</on-error>
67 | </policies>
68 | 


--------------------------------------------------------------------------------
/examples/GET a file from blobStorage account.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample is a request that Azure API Management service produces into a blob storage account to GET a file with his metada.
 3 | 
 4 |     This intends to authenticate with managed-identity account between Azure API Management service and the storage account.
 5 |     If you want, you can specify another account to get the token:
 6 |     
 7 |         <authentication-managed-identity resource="https://storage.azure.com/" client-id="{application-id}" output-token-variable-name="msi-access-token" ignore-error="false" />
 8 |     
 9 |     Usage:         
10 |         StorageAccount.Name => as named value on you Azure API Management service instance with the values of the storage account name;
11 |         blobContainer => as part of the HTTP request path with name of the storage container to save/get the file;
12 |         fileNameWithExtension => as part of the HTTP request path with name and extension of the file you want to save/get;
13 |         Gateway.Name => as named value on you Azure API Management service with the custom domain of the gateway;
14 | 
15 |     Maintainer: gfchaves
16 | -->
17 | <policies>
18 |     <inbound>
19 |         <base />
20 |         <!-- First get the auth token with managed-identity from the storage account and save it on a output token -->
21 |         <authentication-managed-identity resource="https://storage.azure.com/" output-token-variable-name="msi-access-token" ignore-error="false" />
22 |         
23 |         <!-- Send the GET request with metadata -->
24 |         <send-request mode="new" response-variable-name="result" timeout="300" ignore-error="false">
25 |             <!-- Get variables to configure your: storageaccount, destination container and file name with extension -->            
26 |             <set-url>@{ return "https://{{StorageAccount.Name}}.blob.core.windows.net/" + (string)context.Request.MatchedParameters("blobContainer") + "/" + (string)context.Request.MatchedParameters("fileNameWithExtension",""); }</set-url>            
27 |             <set-method>GET</set-method>
28 |             <set-header name="Host" exists-action="override">
29 |                 <value>{{StorageAccount.Name}}.blob.core.windows.net</value>
30 |             </set-header>
31 |             <set-header name="User-Agent" exists-action="override">
32 |                 <value>{{Gateway.Name}}</value>
33 |             </set-header>
34 |             <set-header name="X-Ms-Blob-Type" exists-action="override">
35 |                 <value>BlockBlob</value>
36 |             </set-header>           
37 |             <set-header name="X-Ms-Client-Request-Id" exists-action="override">
38 |                 <value>@{ return Guid.NewGuid().ToString(); }</value>
39 |             </set-header>
40 |             <set-header name="X-Ms-Version" exists-action="override">
41 |                 <value>2019-12-12</value>
42 |             </set-header>
43 |             <set-header name="Accept" exists-action="override">
44 |                 <value>*/*</value>
45 |             </set-header>            
46 |             <!-- Set the header with authorization bearer token that was previously requested -->
47 |             <set-header name="Authorization" exists-action="override">
48 |                 <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
49 |             </set-header>
50 |         </send-request>
51 |         <!-- Returns directly the response from the storage account. No need to specify headers, but to show how we can override and get the specific data from http blobstorage result-->
52 |         <return-response response-variable-name="result">
53 |             <set-status code="200" />                       
54 |             <set-header name="{MyMetadataName1}" exists-action="override">
55 |                 <value>@(((IResponse)context.Variables["result"]).Headers.GetValueOrDefault("x-ms-meta-{MyMetadataName1}",""))</value>
56 |             </set-header>
57 |             <set-header name="{MyMetadataName2}" exists-action="override">
58 |                 <value>@(((IResponse)context.Variables["result"]).Headers.GetValueOrDefault("x-ms-meta-{MyMetadataName2}",""))</value>
59 |             </set-header>
60 |         </return-response>
61 |     </inbound>
62 |     <on-error>
63 |         <base />
64 |     </on-error>    
65 |     <outbound>
66 |         <base />
67 |     </outbound>
68 | </policies>


--------------------------------------------------------------------------------
/policy-expressions/README.md:
--------------------------------------------------------------------------------
  1 | # Common policy expressions
  2 | This cheat-sheet contains common policy expressions that are often used when authoring Azure API Management policies.
  3 | 
  4 | ## Interact with HTTP headers
  5 | 
  6 | **Get HTTP header**
  7 | ```c#
  8 | context.Request.Headers.GetValueOrDefault("header-name","optional-default-value")
  9 | ```
 10 | **Check HTTP header existence**
 11 | ```c#
 12 | context.Request.Headers.ContainsKey("header-name") == true
 13 | ```
 14 | **Check if HTTP header has expected value**
 15 | ```c#
 16 | context.Request.Headers.GetValueOrDefault("header-name", "").Equals("expected-header-value", StringComparison.OrdinalIgnoreCase)
 17 | ```
 18 | ## Interact with URI parameters
 19 | 
 20 | **Get URI parameter**
 21 | ```c#
 22 | context.Request.MatchedParameters.GetValueOrDefault("parameter-name","optional-default-value")
 23 | ```
 24 | **Check URI parameter existence**
 25 | ```c#
 26 | context.Request.MatchedParameters.ContainsKey("parameter-name") == true
 27 | ```
 28 | **Check if URI parameter has expected value**
 29 | ```c#
 30 | context.Request.MatchedParameters.GetValueOrDefault("parameter-name", "").Equals("expected-value", StringComparison.OrdinalIgnoreCase) == true
 31 | ```
 32 | ## Interact with query string parameters
 33 | 
 34 | **Get query string parameter**
 35 | ```c#
 36 | context.Request.Url.Query.GetValueOrDefault("parameter-name", "optional-default-value")
 37 | ```
 38 | **Check query string parameter existence**
 39 | ```c#
 40 | context.Request.Url.Query.ContainsKey("parameter-name") == true
 41 | ```
 42 | **Check if query string parameter has expected value**
 43 | ```c#
 44 | context.Request.Url.Query.GetValueOrDefault("parameter-name", "").Equals("expected-value", StringComparison.OrdinalIgnoreCase) == true
 45 | ```
 46 | ## Interact with policy variables
 47 | 
 48 | **Get policy variable** *(assuming type string)*
 49 | ```c#
 50 | context.Variables.GetValueOrDefault<string>("variable-name","optional-default-value")
 51 | ```
 52 | **Check policy variable existence**
 53 | ```c#
 54 | context.Variables.ContainsKey("variable-name") == true
 55 | ```
 56 | **Check if policy variable has expected value** *(assuming type string)*
 57 | ```c#
 58 | context.Variables.GetValueOrDefault<string>("variable-name","").Equals("expected-value", StringComparison.OrdinalIgnoreCase)
 59 | ```
 60 | ## Interact with JSON bodies
 61 | 
 62 | **Get value from JSON body**
 63 | ```c#
 64 | (string)context.Request.Body.As<JObject>(preserveContent: true).SelectToken("root.child jsonpath")
 65 | ```
 66 | **Get value from JSON response variable**
 67 | ```c#
 68 | (string)((IResponse)context.Variables["response-variable-name"]).Body.As<JObject>().SelectToken("root.child jsonpath")
 69 | ```
 70 | **Add property to JSON body**
 71 | ```c#
 72 | JObject body = context.Request.Body.As<JObject>(); 
 73 | body.Add(new JProperty("property-name", "property-value"));
 74 | return body.ToString(); 
 75 | ```
 76 | ## Interact with JSON Web Tokens
 77 | 
 78 | **Read claim from bearer token**
 79 | ```c#
 80 | context.Request.Headers.GetValueOrDefault("Authorization")?.Split(' ')?[1].AsJwt()?.Claims["claim-name"].FirstOrDefault()
 81 | ```
 82 | 
 83 | ## Interact with client certificates
 84 | 
 85 | **Check client certificate existence**
 86 | ```c#
 87 | context.Request.Certificate != null
 88 | ```
 89 | **Check if client certificate is valid, including a certificate revocation check**
 90 | ```c#
 91 | context.Request.Certificate.Verify() == true
 92 | ```
 93 | **Check if client certificate is valid, excluding a certificate revocation check**
 94 | ```c#
 95 | context.Request.Certificate.VerifyNoRevocation() == true
 96 | ```
 97 | **Check if client certificate issuer has expected value**
 98 | ```c#
 99 | context.Request.Certificate.Issuer == "trusted-issuer"
100 | ```
101 | **Check if client certificate subject has expected value**
102 | ```c#
103 | context.Request.Certificate.SubjectName.Name == "expected-subject-name"
104 | ```
105 | **Check if client certificate thumbprint has expected value**
106 | ```c#
107 | context.Request.Certificate.Thumbprint == "EXPECTED-THUMBPRINT-IN-UPPER-CASE"
108 | ```
109 | **Check if client certificate is uploaded in API Management, based on thumbprint**
110 | ```c#
111 | context.Deployment.Certificates.Any(c => c.Value.Thumbprint == context.Request.Certificate.Thumbprint) == true
112 | ```


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-sign-out.xml:
--------------------------------------------------------------------------------
 1 | <policies>
 2 |     <inbound>
 3 |         <!-- Grab the incoming session cookie -->
 4 |         <set-variable name="incomingFullSessionCookie" value="@(context.Request.Headers.ContainsKey("cookie") ? context.Request.Headers["cookie"].First().Split(';').Select(cookie => cookie.Trim().Split('=')).SingleOrDefault(cookie => cookie[0] == "oidcsession")?[1] ?? string.Empty : string.Empty)" />
 5 |         <choose>
 6 |             <!-- No cookie - redirect to the sign-in endpoint -->
 7 |             <when condition="@(context.Variables["incomingFullSessionCookie"] == string.Empty)">
 8 |                 <return-response>
 9 |                     <set-status code="302" />
10 |                     <set-header name="Location" exists-action="override">
11 |                         <value>@($"/oauth/signin?redirect={Uri.EscapeDataString(context.Request.OriginalUrl.ToString())}")</value>
12 |                     </set-header>
13 |                 </return-response>
14 |             </when>
15 |             <!-- Cookie not the right format - redirect to the sign-in endpoint -->
16 |             <when condition="@(((string)context.Variables["incomingFullSessionCookie"]).Split('.').Length != 3)">
17 |                 <return-response>
18 |                     <set-status code="401" reason="Incorrect formed cookie" />
19 |                 </return-response>
20 |             </when>
21 |         </choose>
22 |         <!-- clear out the cookies / state / etc and redirect them back to where they came from-->
23 |         <set-variable name="cacheKey" value="@(((string)context.Variables["incomingFullSessionCookie"]).Split('.')[0])" />
24 |         <cache-remove-value key="@($"tokens-{context.Variables["cacheKey"]}-accessToken")" />
25 |         <cache-remove-value key="@($"tokens-{context.Variables["cacheKey"]}-idToken")" />
26 |         <cache-remove-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshToken")" />
27 |         <cache-remove-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshAt")" />
28 |         <!-- Grab the incoming session cookie -->
29 |         <set-variable name="redirect" value="@(Uri.UnescapeDataString(context.Request.Url.Query.GetValueOrDefault("redirect", string.Empty)))" />
30 |         <choose>
31 |             <!-- Without a redirect we don't know where to send them back to. Error out the flow -->
32 |             <when condition="@(context.Variables["redirect"] == string.Empty)">
33 |                 <return-response>
34 |                     <set-status code="200" reason="OK" />
35 |                     <set-header name="Set-Cookie" exists-action="override">
36 |                         <value>@($"{{CookiePrefix}}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
37 |                     </set-header>
38 |                     <set-body />
39 |                 </return-response>
40 |             </when>
41 |             <!-- Check if the redirect is to one of the oauth endpoints. This would create a redirect loop. Let's not allow this -->
42 |             <when condition="@(new Uri((string)context.Variables["redirect"]).AbsolutePath.StartsWith("/oauth", StringComparison.InvariantCultureIgnoreCase))">
43 |                 <return-response>
44 |                     <set-status code="200" reason="OK" />
45 |                     <set-header name="Set-Cookie" exists-action="override">
46 |                         <value>@($"{{CookiePrefix}}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
47 |                     </set-header>
48 |                     <set-body />
49 |                 </return-response>
50 |             </when>
51 |             <otherwise>
52 |                 <return-response>
53 |                     <set-status code="302" reason="OK" />
54 |                     <set-header name="Location" exists-action="override">
55 |                         <value>@((string)context.Variables["redirect"])</value>
56 |                     </set-header>
57 |                     <set-header name="Set-Cookie" exists-action="override">
58 |                         <value>@($"{{CookiePrefix}}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
59 |                     </set-header>
60 |                 </return-response>
61 |             </otherwise>
62 |         </choose>
63 |         <base />
64 |     </inbound>
65 |     <backend>
66 |         <base />
67 |     </backend>
68 |     <outbound>
69 |         <base />
70 |     </outbound>
71 |     <on-error>
72 |         <base />
73 |     </on-error>
74 | </policies>


--------------------------------------------------------------------------------
/examples/Filter on IP Address when using Application Gateway.policy.xml:
--------------------------------------------------------------------------------
 1 | <!-- 
 2 |     The policy defined in this file shows how to filter request IPs when the API Management instance 
 3 |     is accessed from an Application Gateway.  The Application Gateway will write the original request
 4 |     IP to the "X-Forwarded-For" header.  The set-header policy evaluates this IP address against a list of
 5 |     IP ranges (if any).  If a match is found, a value is written to the X-Forwarded-For header and the
 6 |     following check-header policy will validate the match.  If no match is found, the original IP address
 7 |     is retained in the X-Forwarded-For variable.
 8 | -->
 9 | <policies>
10 | 	<inbound>
11 | 		<base />
12 |         <!-- Save the X-Forwarded-For value -->
13 | 		<set-variable name="originalXForwardedForValue" value="@(context.Request.Headers.GetValueOrDefault("X-Forwarded-For"))" />
14 | 		<!-- Check the client IP value in the X-Forwarded-For header-->
15 |         <set-header name="X-Forwarded-For" exists-action="override">
16 | 			<value>@{
17 |             int HostToNetworkOrder(int host)
18 |             {
19 |                 return (((int)HostToNetworkOrderShort((short)host) & 0xFFFF) << 16)
20 |                     | ((int)HostToNetworkOrderShort((short)(host >> 16)) & 0xFFFF);
21 |             }
22 |             short HostToNetworkOrderShort(short host)
23 |             {
24 |                 return (short)((((int)host & 0xFF) << 8) | (int)((host >> 8) & 0xFF));
25 |             }
26 |             
27 |             string ipAddress = context.Request.Headers.GetValueOrDefault("x-forwarded-for",""); 
28 |             if (!string.IsNullOrEmpty(ipAddress))
29 |             {
30 |                 string[] tokens = ipAddress.Split(':'); 
31 |                 if(tokens.Length == 2) 
32 |                 { ipAddress = tokens[0]; } 
33 |                 //Place IP Ranges into this list in CIDR notation (e.g. "0.0.0.0/0") and separate with commas
34 |                 List<string> cidrList = new List<string>(){
35 |                     "10.0.0.0/8",
36 |                     "172.16.0.0/12",
37 |                     "192.168.0.0/16"
38 |                 };
39 |                 foreach (string cidrAddress in cidrList)
40 |                 {
41 |                     string[] cidrParts = cidrAddress.Split('/');
42 |                     string[] inputIPParts = ipAddress.Split('.');
43 |                     string[] cidrIPArray = cidrParts[0].Split('.');
44 | 
45 |                     if (inputIPParts.Length == 4 && cidrIPArray.Length == 4)
46 |                     {
47 |                         byte[] inputIPBytes = new byte[] {Convert.ToByte(int.Parse(inputIPParts[0])), 
48 |                             Convert.ToByte(int.Parse(inputIPParts[1])), 
49 |                             Convert.ToByte(int.Parse(inputIPParts[2])),
50 |                             Convert.ToByte(int.Parse(inputIPParts[3])), };
51 |                         byte[] cidrIPBytes = new byte[] {Convert.ToByte(int.Parse(cidrIPArray[0])), 
52 |                             Convert.ToByte(int.Parse(cidrIPArray[1])), 
53 |                             Convert.ToByte(int.Parse(cidrIPArray[2])),
54 |                             Convert.ToByte(int.Parse(cidrIPArray[3])), };
55 |                 
56 |                         int cidrAddr = BitConverter.ToInt32(inputIPBytes,0);
57 |                         int ipAddr = BitConverter.ToInt32(cidrIPBytes,0);
58 |                         
59 |                         var host = int.Parse(cidrParts[1]);
60 |                         host = -1 << (32-host);
61 |                         var mask = HostToNetworkOrder(host);
62 |                         
63 |                         if (((ipAddr & mask) == (cidrAddr & mask)))
64 |                         {
65 |                             return "{{ipValidated}}";
66 |                         }
67 |                     }
68 |                 }
69 |             }
70 |             return ipAddress; }</value>
71 | 		</set-header>
72 | 		<check-header name="x-forwarded-for" failed-check-httpcode="403" failed-check-error-message="Unauthorized" ignore-case="true">
73 | 			<value>10.33.215.173</value>
74 | 			<value>10.33.215.175</value>
75 | 			<value>{{ipValidated}}</value>
76 | 		</check-header>
77 |         <!-- Revert X-Forwarded-For to its original value-->
78 | 		<set-header name="X-Forwarded-For" exists-action="override">
79 | 			<value>@{
80 |                 return context.Variables.GetValueOrDefault<string>("originalXForwardedForValue");
81 |                 }
82 |             </value>
83 | 		</set-header>
84 |     </inbound>
85 | </policies>
86 | 


--------------------------------------------------------------------------------
/examples/Replay request on error.policy.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample demonstrates a pattern of replaying a request. 
 3 |     For eg: one scenario could be when we are using quota and rate limit policies and for some special tier consumers, 
 4 |     we would like to serve the request even if there was a quota error but with a different backend.
 5 |     In such cases, we can replay the request to a different backend with the same request headers and body.    
 6 |     The "example-policy-name" string in the when condition is just for example and needs to be replaced with the actual policy name accordingly.
 7 | 
 8 |     Important Note: 
 9 |     Although this pattern works, an important point to note here is since we are now replaying the request 
10 |     we would end up having 2 log entries for the same request in the APIM logs.
11 | -->
12 | <policies>
13 |     <inbound>
14 |         <base />
15 |     </inbound>
16 |     <backend>
17 |         <base />
18 |     </backend>
19 |     <outbound>
20 |         <base />
21 |     </outbound>
22 |     <on-error>
23 |         <base />
24 |         <choose>
25 |             <when condition="@(context.LastError.Source == "example-policy-name")">
26 |                 <set-variable name="replay-url" value="@("http://" + context.Request.Headers.GetValueOrDefault("X-Original-Host") + context.Request.Headers.GetValueOrDefault("X-Original-Url"))" />
27 |                 <set-variable name="original-error-source" value="@(context.LastError.Source)" />
28 |                 <set-variable name="original-error-reason" value="@(context.LastError.Reason)" />
29 |                 
30 |                 <!-- Following snipped demonstrates the replya pattern,
31 |                 For this, we are using send request's "copy" mode which would copy the original request's headers and body accoridngly.
32 |                 Policy Documentation link https://learn.microsoft.com/en-us/azure/api-management/send-request-policy#attributes
33 |                 -->
34 |                 <!-- Note: 
35 |                 As per the policy documentation,  the send request method will copy the request headers and body accordingly 
36 |                 but we should always validate this and we can expclitly set the the request body and headers as needed.
37 |                 -->
38 |                 <send-request mode="copy" response-variable-name="replay-response" timeout="60" ignore-error="false">
39 |                     <set-url>@(context.Variables.GetValueOrDefault<string>("replay-url"))</set-url>
40 |                     <!-- While replaying the request this time, we might need to pass some additional information
41 |                     this time in our request with corresponding logic in the inbound section to process such requests  
42 |                     The string "skip-example-policy-error" here is just an example of additional header we are sending here 
43 |                     -->
44 |                     <set-header name="skip-example-policy-error" exists-action="override">
45 |                         <value>true</value>
46 |                     </set-header>
47 |                 </send-request>
48 |                 <!-- THIS IS AN IMPORTANT STEP i.e. the response captured in the send-request policy attribute 
49 |                 "response-variable-name" defined above has to be explicity sent back 
50 |                 -->
51 |                 <return-response response-variable-name="replay-response">
52 |                     <!-- Any additional headers like below can further be added as part of response tracking -->
53 |                     <set-header name="x-request-replayed" exists-action="override">
54 |                         <value>true</value>
55 |                     </set-header>
56 |                     <set-header name="x-original-error-source" exists-action="override">
57 |                         <value>@(context.Variables.GetValueOrDefault<string>("original-error-source"))</value>
58 |                     </set-header>
59 |                     <set-header name="x-original-error-reason" exists-action="override">
60 |                         <value>@(context.Variables.GetValueOrDefault<string>("original-error-reason"))</value>
61 |                     </set-header>
62 |                 </return-response>
63 |             </when>
64 |             <otherwise>
65 |                 <!-- Any additional headers like below can further be added as part of response tracking -->
66 |                 <set-header name="x-request-replayed" exists-action="override">
67 |                     <value>"false"</value>
68 |                 </set-header>
69 |             </otherwise>
70 | 	    </choose>
71 |     </on-error>
72 | </policies>


--------------------------------------------------------------------------------
/examples/PUT a file to blobStorage account.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     This policy sample is a request that Azure API Management service produces into a blob storage account to create a file with metadata.
 3 | 
 4 |     This intends to authenticate with managed-identity account between Azure API Management service and the storage account.
 5 |     
 6 |     If you want, you can specify another account to get the token:
 7 |     
 8 |         <authentication-managed-identity resource="https://storage.azure.com/" client-id="{application-id}" output-token-variable-name="msi-access-token" ignore-error="false" />
 9 | 
10 |     Usage: 
11 |         StorageAccount.Name => as named value on you Azure API Management service instance with the values of the storage account name;
12 |         blobContainer => as part of the HTTP request path with name of the storage container to save/get the file;
13 |         fileNameWithExtension => as part of the HTTP request path with name and extension of the file you want to save/get;
14 |         Gateway.Name => as named value on you Azure API Management service with the custom domain of the gateway;
15 |         
16 |     Maintainer: gfchaves
17 | -->
18 | <policies>
19 |     <inbound>
20 |         <base />
21 |         <!-- First get the auth token with managed-identity from the storage account and save it on a output token -->
22 |         <authentication-managed-identity resource="https://storage.azure.com/" output-token-variable-name="msi-access-token" ignore-error="false" />
23 |         
24 |         <!-- Send the PUT request with metadata -->
25 |         <send-request mode="new" response-variable-name="result" timeout="300" ignore-error="false">
26 |             <!-- Get variables to configure your: storageaccount, destination container and file name with extension -->            
27 |             <set-url>@{ return "https://{{StorageAccount.Name}}.blob.core.windows.net/" + (string)context.Request.MatchedParameters("blobContainer") + "/" + (string)context.Request.MatchedParameters("fileNameWithExtension",""); }</set-url>            
28 |             <set-method>PUT</set-method>
29 |             <set-header name="Host" exists-action="override">
30 |                 <value>{{StorageAccount.Name}}.blob.core.windows.net</value>
31 |             </set-header>
32 |             <set-header name="User-Agent" exists-action="override">
33 |                 <value>{{Gateway.Name}}</value>
34 |             </set-header>
35 |             <set-header name="X-Ms-Blob-Type" exists-action="override">
36 |                 <value>BlockBlob</value>
37 |             </set-header>
38 |             <set-header name="X-Ms-Blob-Cache-Control" exists-action="override">
39 |                 <value />
40 |             </set-header>
41 |             <set-header name="X-Ms-Blob-Content-Disposition" exists-action="override">
42 |                 <value />
43 |             </set-header>
44 |             <set-header name="X-Ms-Blob-Content-Encoding" exists-action="override">
45 |                 <value />
46 |             </set-header>
47 |             <set-header name="X-Ms-Blob-Content-Language" exists-action="override">
48 |                 <value />
49 |             </set-header>
50 |             <!-- Set custom blob metadata headers by using x-ms-{my metadata name} -->
51 |             <set-header name="x-ms-meta-{MyMetadataName1}" exists-action="override">
52 |                 <value>@((string)context.Request.Headers.GetValueOrDefault("x-ms-meta-{MyMetadataName1}"))</value>
53 |             </set-header>
54 |              <set-header name="x-ms-meta-{MyMetadataName2}" exists-action="override">
55 |                 <value>@((string)context.Request.Headers.GetValueOrDefault("x-ms-meta-{MyMetadataName2}"))</value>
56 |             </set-header>
57 |             <set-header name="X-Ms-Client-Request-Id" exists-action="override">
58 |                 <value>@{ return Guid.NewGuid().ToString(); }</value>
59 |             </set-header>
60 |             <set-header name="X-Ms-Version" exists-action="override">
61 |                 <value>2019-12-12</value>
62 |             </set-header>
63 |             <set-header name="Accept" exists-action="override">
64 |                 <value>application/json</value>
65 |             </set-header>            
66 |             <!-- Set the header with authorization bearer token that was previously requested -->
67 |             <set-header name="Authorization" exists-action="override">
68 |                 <value>@("Bearer " + (string)context.Variables["msi-access-token"])</value>
69 |             </set-header>
70 |             <!-- Set the file content from the original request body data -->
71 |             <set-body>@(context.Request.Body.As<string>())</set-body>
72 |         </send-request>
73 |         <!-- Returns directly the response from the storage account -->
74 |         <return-response response-variable-name="result" />
75 |     </inbound>
76 |     <backend>
77 |         <base />
78 |     </backend>
79 |     <outbound>
80 |         <base />
81 |     </outbound>
82 |     <on-error>
83 |         <base />
84 |     </on-error>
85 | </policies>


--------------------------------------------------------------------------------
/examples/Forward Azure Event Grid Event.xml:
--------------------------------------------------------------------------------
 1 | <!--
 2 |     Forward Azure Event Grid Event
 3 | 
 4 |     This policy will get the first event in a list of events and forward it to a downstream system.
 5 |     If you want to support more, then you need to remove the choose that returns a 400 and implement this capability or simply pass the full list downstream.
 6 | 
 7 |     In order to successfully subscribe to an Azure Event Grid Topic, this policy also handles the initial validation handshake to prove ownership.
 8 | 
 9 |     Maintainer: @tomkerkhove
10 | -->
11 | <policies>
12 |     <inbound>
13 |         <base />
14 |         <set-variable name="Request" value="@(context.Request.Body.As<JArray>())" />
15 |         <choose>
16 |             <when condition="@(context.Variables.GetValueOrDefault<JArray>("Request").Count != 1)">
17 |                 <return-response>
18 |                     <set-status code="400" />
19 |                     <set-header name="Content-Type" exists-action="override">
20 |                         <value>application/json</value>
21 |                     </set-header>
22 |                     <set-body>{"error":"We only support one event"}</set-body>
23 |                 </return-response>
24 |             </when>
25 |             <otherwise>
26 |                 <set-variable name="Event" value="@(context.Variables.GetValueOrDefault<JArray>("Request")[0])" />
27 |                 <choose>
28 |                     <when condition="@(context.Variables.GetValueOrDefault<JObject>("Event")["eventType"].ToString() == "Microsoft.EventGrid.SubscriptionValidationEvent")">
29 |                         <return-response>
30 |                             <set-status code="200" />
31 |                             <set-header name="Content-Type" exists-action="override">
32 |                                 <value>application/json</value>
33 |                             </set-header>
34 |                             <set-body>@{
35 |                                         var validationResponse = new JObject(new JProperty("validationResponse",context.Variables.GetValueOrDefault<JObject>("Event")["data"]["validationCode"].ToString()));
36 |                                         return validationResponse.ToString();
37 |                                     }</set-body>
38 |                         </return-response>
39 |                     </when>
40 |                     <otherwise>
41 |                         <set-header name="Content-Type" exists-action="override">
42 |                             <value>application/json</value>
43 |                         </set-header>
44 |                         <set-header name="X-Event-Id" exists-action="override">
45 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["id"].ToString())</value>
46 |                         </set-header>
47 |                         <set-header name="X-Event-Subject" exists-action="override">
48 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["subject"].ToString())</value>
49 |                         </set-header>
50 |                         <set-header name="X-Event-Type" exists-action="override">
51 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["eventType"].ToString())</value>
52 |                         </set-header>
53 |                         <set-header name="X-Event-Time" exists-action="override">
54 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["eventTime"].ToString())</value>
55 |                         </set-header>
56 |                         <set-header name="X-Event-Data-Version" exists-action="override">
57 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["dataVersion"].ToString())</value>
58 |                         </set-header>
59 |                         <set-header name="X-Event-Metadata-Version" exists-action="override">
60 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["metadataVersion"].ToString())</value>
61 |                         </set-header>
62 |                         <set-header name="X-Event-Topic" exists-action="override">
63 |                             <value>@(context.Variables.GetValueOrDefault<JObject>("Event")["topic"].ToString())</value>
64 |                         </set-header>
65 |                         <set-body>@(context.Variables.GetValueOrDefault<JObject>("Event")["data"].ToString())</set-body>
66 | 
67 |                         <!-- Your custom logic here, for example forwarding to a downstream system -->
68 |                         <!-- can be browsed at https://pipedream.com/r/en4co4ars2s5v/ -->
69 |                         <set-backend-service base-url="https://en4co4ars2s5v.x.pipedream.net" />
70 |                     </otherwise>
71 |                 </choose>
72 |             </otherwise>
73 |         </choose>
74 |     </inbound>
75 |     <backend>
76 |         <base />
77 |     </backend>
78 |     <outbound>
79 |         <base />
80 |     </outbound>
81 |     <on-error>
82 |         <base />
83 |     </on-error>
84 | </policies>


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-sign-in.xml:
--------------------------------------------------------------------------------
 1 | <policies>
 2 |     <inbound>
 3 |         <set-variable name="redirect" value="@(Uri.UnescapeDataString(context.Request.Url.Query.GetValueOrDefault("redirect", string.Empty)))" />
 4 |         <choose>
 5 |             <!-- Without a redirect we don't know where to send them back to. Error out the flow -->
 6 |             <when condition="@(context.Variables["redirect"] == string.Empty)">
 7 |                 <return-response>
 8 |                     <set-status code="400" reason="Bad Request" />
 9 |                     <set-body>Missing redirect parameter</set-body>
10 |                 </return-response>
11 |             </when>
12 |             <otherwise>
13 |                 <choose>
14 |                     <!-- Assert redirect starts with '/'
15 |                     This would create a redirect loop. Let's not allow this -->
16 |                     <when condition="@(!((string)context.Variables["redirect"]).StartsWith("/", StringComparison.InvariantCultureIgnoreCase))">
17 |                         <return-response>
18 |                             <set-status code="400" reason="Bad Request" />
19 |                             <set-body>Invalid redirect</set-body>
20 |                         </return-response>
21 |                     </when>
22 |                     <!-- Check if the redirect is to one of the oauth endpoints. 
23 |                     This would create a redirect loop. Let's not allow this -->
24 |                     <when condition="@(((string)context.Variables["redirect"]).StartsWith("/oauth", StringComparison.InvariantCultureIgnoreCase))">
25 |                         <return-response>
26 |                             <set-status code="400" reason="Bad Request" />
27 |                             <set-body>Invalid redirect</set-body>
28 |                         </return-response>
29 |                     </when>
30 |                     <otherwise>
31 |                         <!-- create 2 secrets to hold the state / nonce and a unique cookie -->
32 |                         <set-variable name="stateRaw" value="@(Guid.NewGuid().ToString() + Guid.NewGuid().ToString())" />
33 |                         <set-variable name="nonceRaw" value="@(Guid.NewGuid().ToString() + Guid.NewGuid().ToString())" />
34 |                         <set-variable name="codeChallenge" value="@(Guid.NewGuid().ToString() + Guid.NewGuid().ToString())" />
35 | 
36 |                         <!-- Build code-challenge by base-64 url encoding as described here: https://datatracker.ietf.org/doc/html/rfc7636#page-14 -->
37 |                         <set-variable name="codeChallengeSha256" value="@(Convert.ToBase64String(SHA256.Create().ComputeHash(Encoding.UTF8.GetBytes((string)context.Variables["codeChallenge"]))).Split('=')[0].Replace('+', '-').Replace('/', '_'))" />
38 | 
39 |                         <!-- Create a unique guid to represent this particular sign-in flow 
40 |                         We will look for this when the IdP responds with a code. That will help
41 |                         correlate this call with the callback -->
42 |                         <set-variable name="cookie" value="@(Guid.NewGuid().ToString())" />
43 | 
44 |                         <!-- Store the state and the nonce in the cache. We'll need to confirm these for security purposes when the corresponding callback appears to complete the flow -->
45 |                         <!-- Use the state to store the redirect. We could send it in the round-trip, but let's keep it here for now -->
46 |                         <cache-store-value key="@($"signin-{(string)context.Variables["cookie"]}-state")" value="@((string)context.Variables["redirect"])" duration="300" />
47 |                         <cache-store-value key="@($"signin-{(string)context.Variables["cookie"]}-nonce")" value="@((string)context.Variables["nonceRaw"])" duration="300" />
48 |                         <cache-store-value key="@($"signin-{(string)context.Variables["cookie"]}-code-challenge")" value="@((string)context.Variables["codeChallenge"])" duration="300" />
49 | 
50 |                         <!-- look for x-forwarded header in-case there's a layer-7 reverse proxy in-front of us  -->
51 |                         <set-variable name="oauth-proxy-callback" value="@{
52 |                             var forwardedHost = (string)context.Request.Headers.GetValueOrDefault("X-Forwarded-Host", context.Request.OriginalUrl.Host);
53 |                             var forwardedPort = (string)context.Request.Headers.GetValueOrDefault("X-Forwarded-Port", "");
54 |                             var port = forwardedPort == "" ? 443 : int.Parse(forwardedPort);
55 | 
56 |                             //construct the expected redirect. If the port is 443, then don't add it on as we hardcode https
57 |                             return $"https://{forwardedHost}{(port != 443 ? $":{port}" : "")}/oauth/callback";
58 |                         }" />
59 | 
60 |                         <set-variable name="state" value="@(Uri.EscapeDataString((string)context.Variables["stateRaw"]))" />
61 |                         <set-variable name="nonce" value="@(Uri.EscapeDataString((string)context.Variables["nonceRaw"]))" />
62 | 
63 |                         <!-- Invoke fragment that will set the idpRedirect variable -->
64 |                         <include-fragment fragment-id="oauth-proxy-construct-authorization-redirect-fragment" />
65 | 
66 |                         <return-response>
67 |                             <set-status code="302" />
68 |                             <set-header name="Location" exists-action="override">
69 |                                 <value>@((string)context.Variables["idpRedirect"])</value>
70 |                             </set-header>
71 |                             <set-header name="Set-Cookie" exists-action="override">
72 |                                 <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}={(string)context.Variables["cookie"]}; Secure; SameSite=None; Path=/; Expires={DateTimeOffset.Now.AddSeconds(300).ToString("R")}; Secure; HttpOnly")</value>
73 |                             </set-header>
74 |                         </return-response>
75 |                     </otherwise>
76 |                 </choose>
77 |             </otherwise>
78 |         </choose>
79 |         <base />
80 |     </inbound>
81 |     <backend>
82 |         <base />
83 |     </backend>
84 |     <outbound>
85 |         <base />
86 |     </outbound>
87 |     <on-error>
88 |         <base />
89 |     </on-error>
90 | </policies>


--------------------------------------------------------------------------------
/examples/Generate Shared Access Signature and forward request to Azure storage.policy.xml:
--------------------------------------------------------------------------------
  1 | <!-- The policy defined in this file shows how to generate Shared Access Signature (https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas - Table Storage) using expressions. -->
  2 | <!-- The snippet forwards the request to Azure Table storage with rewrite-uri policy. -->
  3 | 
  4 | <!-- Copy the following snippet into the inbound section. -->
  5 | 
  6 | <policies>
  7 |     <inbound>
  8 |         <base />
  9 |         <!-- Initialize context variables with property values. -->
 10 |         <set-variable name="contentType" value="application/json" />
 11 |         <set-variable name="accessKey" value="{{storageAccountAccessKey}}" />
 12 |         <set-variable name="storageAccount" value="{{storageAccountName}}" />
 13 |         <set-variable name="resourcePath" value="{{tableName}}" />
 14 |         <set-variable name="x-ms-date" value="@(DateTime.UtcNow.ToString("R"))" />
 15 |         <set-variable name="x-ms-version" value="2021-06-08" />
 16 |         <set-variable name="signedPermissions" value="raud" />
 17 |         <set-variable name="signedStart" value="" />
 18 |         <set-variable name="signedExpiry" value="@(DateTime.UtcNow.AddDays(1).ToString("yyyy-MM-ddTHH:mm:ssZ"))" />
 19 |         <set-variable name="canonicalizedResource" value="@{
 20 |             // /table/{storageAccount}/{resourcePath}
 21 |             return string.Format("/table/{0}/{1}",(string)context.Variables["storageAccount"],(string)context.Variables["resourcePath"]);
 22 |             }" />
 23 |         <set-variable name="signedIdentifier" value="" />
 24 |         <set-variable name="signedIP" value="" />
 25 |         <set-variable name="signedProtocol" value="" />
 26 |         <set-variable name="startingPartitionKey" value="" />
 27 |         <set-variable name="startingRowKey" value="" />
 28 |         <set-variable name="endingPartitionKey" value="" />
 29 |         <set-variable name="endingRowKey" value="" />
 30 |         <!-- https://docs.microsoft.com/en-us/rest/api/storageservices/create-service-sas#version-2015-04-05-and-later - Version 2015-04-05 and later
 31 |         StringToSign = signedPermissions + "\n" +  
 32 |                signedStart + "\n" +  
 33 |                signedExpiry + "\n" +  
 34 |                canonicalizedResource + "\n" +  
 35 |                signedIdentifier + "\n" +  
 36 |                signedIP + "\n" +  
 37 |                signedProtocol + "\n" +  
 38 |                signedVersion + "\n" +  
 39 |                startingPartitionKey + "\n"  
 40 |                startingRowKey + "\n"  
 41 |                endingPartitionKey + "\n"  
 42 |                endingRowKey
 43 |         -->
 44 |         <set-variable name="stringToSign" value="@{                
 45 |                 return string.Format(
 46 |                 "{0}\n{1}\n{2}\n{3}\n{4}\n{5}\n{6}\n{7}\n{8}\n{9}\n{10}\n{11}",
 47 |                 (string)context.Variables["signedPermissions"],
 48 |                 (string)context.Variables["signedStart"],
 49 |                 (string)context.Variables["signedExpiry"],
 50 |                 (string)context.Variables["canonicalizedResource"],
 51 |                 (string)context.Variables["signedIdentifier"],
 52 |                 (string)context.Variables["signedIP"],
 53 |                 (string)context.Variables["signedProtocol"],
 54 |                 (string)context.Variables["x-ms-version"],
 55 |                 (string)context.Variables["startingPartitionKey"],
 56 |                 (string)context.Variables["startingRowKey"],
 57 |                 (string)context.Variables["endingPartitionKey"],
 58 |                 (string)context.Variables["endingRowKey"]);
 59 |             }" />
 60 |         <set-variable name="signature" value="@{
 61 |                 // https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/authentication-for-the-azure-storage-services
 62 |                 // Hash-based Message Authentication Code (HMAC) using SHA256 hash
 63 |                 System.Security.Cryptography.HMACSHA256 hasher = new System.Security.Cryptography.HMACSHA256(Convert.FromBase64String((string)context.Variables["accessKey"]));
 64 |                 return Convert.ToBase64String(hasher.ComputeHash(System.Text.Encoding.UTF8.GetBytes((string)context.Variables["stringToSign"])));
 65 |             }" />
 66 |         <set-variable name="sasToken" value="@{
 67 |             return string.Format("?sv={0}&sp={1}&se={2}&tn={3}&sig={4}",
 68 |                 (string)context.Variables["x-ms-version"],
 69 |                 (string)context.Variables["signedPermissions"],
 70 |                 System.Net.WebUtility.HtmlEncode((string)context.Variables["signedExpiry"]),
 71 |                 (string)context.Variables["resourcePath"],
 72 |                 System.Net.WebUtility.HtmlEncode((string)context.Variables["signature"])
 73 |             );
 74 |         }" />
 75 |         <!-- Set required headers. -->
 76 |         <set-header name="Content-Type" exists-action="override">
 77 |             <value>@((string)context.Variables["contentType"])</value>
 78 |         </set-header>
 79 |         <set-header name="Accept" exists-action="override">
 80 |             <value>application/json;odata=nometadata</value>
 81 |         </set-header>
 82 |         <set-header name="Accept-Charset" exists-action="override">
 83 |             <value>UTF-8</value>
 84 |         </set-header>
 85 |         <set-header name="x-ms-date" exists-action="override">
 86 |             <value>@((string)context.Variables["x-ms-date"])</value>
 87 |         </set-header>
 88 |         <set-header name="x-ms-version" exists-action="override">
 89 |             <value>@((string)context.Variables["x-ms-version"])</value>
 90 |         </set-header>
 91 |         <!-- Beginning with version 2009-09-19, the Table service requires that all REST calls include the DataServiceVersion and MaxDataServiceVersion headers. -->
 92 |         <!-- See https://docs.microsoft.com/en-us/rest/api/storageservices/fileservices/setting-the-odata-data-service-version-headers for more information. -->
 93 |         <set-header name="MaxDataServiceVersion" exists-action="override">
 94 |             <value>3.0</value>
 95 |         </set-header>
 96 |         <set-header name="DataServiceVersion" exists-action="override">
 97 |             <value>1.0;NetFx</value>
 98 |         </set-header>
 99 |         
100 |         <!-- Add $filter here: -->
101 |         <rewrite-uri template="@{ return string.Format("/{0}{1}", (string)context.Variables["resourcePath"], (string)context.Variables["sasToken"]); }" />
102 |     </inbound>
103 |     <backend>
104 |         <base />
105 |     </backend>
106 |     <outbound>
107 |         <base />
108 |     </outbound>
109 |     <on-error>
110 |         <base />
111 |     </on-error>
112 | </policies>
113 | 


--------------------------------------------------------------------------------
/examples/Get OAuth2 access token from AAD using client id and certificate using key vault manage identity.xml:
--------------------------------------------------------------------------------
  1 | <!-- The policy defined in this file provides an example of using OAuth2 for authorization between the gateway and a backend using Certificate from Key Vault -->
  2 | <!-- It shows how to obtain an access token from AAD, cache it for a configurable amount of time and forward it to the backend. -->
  3 | 
  4 | 
  5 | <!-- Send request to AAD to obtain a bearer token -->
  6 | <!-- Parameters: authorizationServer - format https://login.windows.net/TENANT-GUID/oauth2/token -->
  7 | <!-- Parameters: scope - a URI encoded scope value -->
  8 | <!-- Parameters: clientId - an id obtained during app registration -->
  9 | <!-- Parameters: KeyVaultName - Key Vault name where we need to get certificate -->
 10 | <!-- Parameters: CertName - Certificate name in Key Vault -->
 11 | <!-- Parameters: cachetime - Cache time in seconds for token -->
 12 | <!-- Copy the following snippet into the inbound section. -->
 13 | 
 14 | <policies>
 15 |   <inbound>
 16 |     <cache-lookup-value key="@("bearerToken")" variable-name="bearerToken" />
 17 |     <choose>
 18 |       <when condition="@(!context.Variables.ContainsKey("bearerToken"))">
 19 |         <set-variable name="authorizationServer" value="{{authorizationServer}}" />
 20 |         <set-variable name="clientId" value="{{clientId}}" />
 21 |         <!-- check the cache for secret first -->
 22 |         <cache-lookup-value key="mycert" variable-name="keyVaultCertBase64" />
 23 |         <!-- call Key Vault if secret is not found in the cache -->
 24 |         <choose>
 25 |           <when condition="@(!context.Variables.ContainsKey("keyVaultCertResponse"))">
 26 |             <send-request mode="new" response-variable-name="keyVaultCertResponse" timeout="20" ignore-error="false">
 27 |               <set-url>https://{{KeyVaultName}}.vault.azure.net/secrets/{{CertName}}/?api-version=2016-10-01</set-url>
 28 |               <set-method>GET</set-method>
 29 |               <authentication-managed-identity resource="https://vault.azure.net" />
 30 |             </send-request>
 31 |             <!-- transform response to string and store in cache -->
 32 |             <set-variable name="keyVaultCertBase64" value="@(((IResponse)context.Variables["keyVaultCertResponse"]).Body.As<JObject>
 33 |               ()["value"].ToString())" />
 34 |               <cache-store-value key="mycert" value="@((string)context.Variables["keyVaultCertBase64"])" duration="3600" />
 35 |             </when>
 36 |         </choose>
 37 |         <cache-lookup-value key="@("signedClientAssertion")" variable-name="signedClientAssertion" />
 38 |         <choose>
 39 |           <when condition="@(!context.Variables.ContainsKey("signedClientAssertion"))">
 40 |             <set-variable name="signedClientAssertion" value="@{
 41 |                         
 42 | 
 43 |                         //below code is to get claims
 44 |                         string aud = (string)context.Variables["authorizationServer"];//{{authorizationServer}};//authority + "/oauth2/token";
 45 |             string clientID = (string)context.Variables["clientId"];//{{clientId}};
 46 |             const uint JwtToAadLifetimeInSeconds = 60 * 20; // Ten minutes
 47 |             DateTime validFrom = DateTime.UtcNow;
 48 |             var nbf = ((DateTimeOffset)validFrom).ToUnixTimeSeconds().ToString();
 49 |             var exp = ((DateTimeOffset)(validFrom + TimeSpan.FromSeconds(JwtToAadLifetimeInSeconds))).ToUnixTimeSeconds().ToString();
 50 | 
 51 |             var claims =  new Dictionary<string, string>
 52 |               ()
 53 |               {
 54 |               { "aud", aud },
 55 |               { "exp", exp.ToString() },
 56 |               { "iss", clientID },
 57 |               { "jti", Guid.NewGuid().ToString() },
 58 |               { "nbf", nbf.ToString() },
 59 |               { "sub", clientID }
 60 |               };
 61 | 
 62 | 
 63 |               X509Certificate2 certificate = new X509Certificate2(Convert.FromBase64String((string)context.Variables["keyVaultCertBase64"]), (string)null);
 64 |               string signedClientAssertion = "";
 65 |               RSACng rsa = certificate.GetRSAPrivateKey() as RSACng;
 66 | 
 67 |               //Encoding variable
 68 |               char Base64PadCharacter = '=';
 69 |               char Base64Character62 = '+';
 70 |               char Base64Character63 = '/';
 71 |               char Base64UrlCharacter62 = '-';
 72 |               char Base64UrlCharacter63 = '_';
 73 | 
 74 |               string certEncode = Convert.ToBase64String(certificate.GetCertHash()).Split(Base64PadCharacter)[0].Replace(Base64Character62, Base64UrlCharacter62).Replace(Base64Character63, Base64UrlCharacter63);
 75 | 
 76 |               //alg represents the desired signing algorithm, which is SHA-256 in this case
 77 |               //kid represents the certificate thumbprint
 78 |               var header = new Dictionary<string, string>
 79 |                 ()
 80 |                 {
 81 |                 { "alg", "RS256"},
 82 |                 { "kid", certEncode }
 83 |                 };
 84 | 
 85 |                 string headerEncode = Convert.ToBase64String(Encoding.UTF8.GetBytes(JObject.FromObject(header).ToString())).Split(Base64PadCharacter)[0].Replace(Base64Character62, Base64UrlCharacter62).Replace(Base64Character63, Base64UrlCharacter63);
 86 |                 string claimsEncode = Convert.ToBase64String(Encoding.UTF8.GetBytes(JObject.FromObject(claims).ToString())).Split(Base64PadCharacter)[0].Replace(Base64Character62, Base64UrlCharacter62).Replace(Base64Character63, Base64UrlCharacter63);
 87 |                 string token = headerEncode + "." + claimsEncode;
 88 |                 string signature = Convert.ToBase64String(rsa.SignData(Encoding.UTF8.GetBytes(token), HashAlgorithmName.SHA256, System.Security.Cryptography.RSASignaturePadding.Pkcs1)).Split(Base64PadCharacter)[0].Replace(Base64Character62, Base64UrlCharacter62).Replace(Base64Character63, Base64UrlCharacter63);
 89 |                 signedClientAssertion = string.Concat(token, ".", signature);
 90 |                 return signedClientAssertion;
 91 |                 }" />
 92 |                 <cache-store-value key="signedClientAssertion" value="@((string)context.Variables["signedClientAssertion"])" duration="{{cachetime}]" />
 93 |               </when>
 94 |           <otherwise />
 95 |         </choose>
 96 |         <send-request ignore-error="true" timeout="20" response-variable-name="bearerToken" mode="new">
 97 |           <set-url>@((string)context.Variables["authorizationServer"])</set-url>
 98 |           <set-method>POST</set-method>
 99 |           <set-header name="Content-Type" exists-action="override">
100 |             <value>application/x-www-form-urlencoded</value>
101 |           </set-header>
102 |           <set-body>
103 |             @{
104 |             return "client_id={{clientId}}&resource={{scope}}&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=" + ((string)context.Variables["signedClientAssertion"]) + "&grant_type=client_credentials";
105 | 
106 |             // For identity providers other than Azure AD, try return statement below
107 |             // return "client_id={{clientId}}&scope={{scope}}&client_secret={{clientSecret}}&grant_type=client_credentials";
108 |             }
109 |           </set-body>
110 |         </send-request>
111 |         <set-variable name="bearerToken" value="@((String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>
112 |           ()["access_token"])" />
113 |           <cache-store-value key="bearerToken" value="@((string)context.Variables["bearerToken"])" duration="{{cachetime}}" />
114 |         </when>
115 |     </choose>
116 |     <set-header name="Authorization" exists-action="override">
117 |       <value>@("Bearer " + (string)context.Variables["bearerToken"])</value>
118 |     </set-header>
119 |     <!--  Don't expose APIM subscription key to the backend. -->
120 |     <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
121 |   </inbound>
122 |   <backend>
123 |     <forward-request />
124 |   </backend>
125 |   <outbound />
126 |   <on-error />
127 | </policies>
128 | 


--------------------------------------------------------------------------------
/examples/Return a blob URL signed with a user delegation SAS token.xml:
--------------------------------------------------------------------------------
  1 | <!--
  2 |     This policy sample demonstrates how to check if a blob exists and then return the URL of the blob signed with a 
  3 |     User Delegation SAS token leveraging Managed Identity.
  4 |     
  5 |     The policy takes care of:
  6 |     - Checking if the blob exists 
  7 |     - Obtaining the User Delegation Key 
  8 |     - Generating the URL of the blob with a SAS token
  9 |     
 10 |     Usage:    
 11 |     - Grant the Storage Blob Data Reader role for the APIM instance at the Storage Account level
 12 |         - You can also grant Storage Blob Delegator role at the Storage Account level, and Storage Blob Data Reader at the container/blob level
 13 |     - The storage account name will be provided as a path parameter with name 'storageAccountName'
 14 |     - The container name will be provided as a path parameter with name containerName
 15 |     - The blob name will be provided as a path parameter with name blobName
 16 |     - The SAS TTL in seconds will be provided as a path parameter with name ttlInSeconds
 17 |        - Example of the URL: https://the-name-of-your-apim-instance.azure-api.net/someapi/getbloburi/{storageAccountName}/{containerName}/{blobName}/{ttlInSeconds}
 18 | 
 19 |     The policy will return:
 20 |     - 200-OK with the URL of the blob signed with a User Delegation SAS token
 21 |     - 404-NotFound if the Blob does not exist
 22 |     - 403-Forbidden if the APIM instance does not have permission to read the blob or to get the User Delegation key
 23 | -->
 24 | <policies>
 25 |     <inbound>
 26 |         <set-variable name="blobUri" value="@("https://" + ((string)context.Request.MatchedParameters["storageAccountName"]) + ".blob.core.windows.net/" + ((string)context.Request.MatchedParameters["containerName"]) + "/" + ((string)context.Request.MatchedParameters["blobName"]))" />
 27 |         <base />
 28 |         <!--Check if blob exists-->
 29 |         <send-request mode="new" timeout="20" response-variable-name="blobdata" ignore-error="true">
 30 |             <set-url>@((string)context.Variables["blobUri"])</set-url>
 31 |             <set-method>GET</set-method>
 32 |             <set-header name="x-ms-version" exists-action="override">
 33 |                 <value>2020-12-06</value>
 34 |             </set-header>
 35 |             <authentication-managed-identity resource="https://storage.azure.com" />
 36 |         </send-request>
 37 |         <choose>
 38 |             <when condition="@(((IResponse)context.Variables["blobdata"]).StatusCode == 403)">
 39 |                 <return-response response-variable-name="response">
 40 |                     <set-status code="403" reason="Forbidden" />
 41 |                     <set-body>@("Missing permission to read blob " + (string)context.Variables["blobUri"] + ". Make sure the 'Storage Blob Data Reader' role is granted for APIM '"+ context.Deployment.ServiceName +"' either at the Storage Account or Container level.")</set-body>
 42 |                 </return-response>
 43 |             </when>
 44 |             <when condition="@(((IResponse)context.Variables["blobdata"]).StatusCode == 404)">
 45 |                 <return-response response-variable-name="response">
 46 |                     <set-status code="404" reason="Not found" />
 47 |                     <set-body>@("Cannot find blob " + (string)context.Variables["blobUri"])</set-body>
 48 |                 </return-response>
 49 |             </when>
 50 |         </choose>
 51 |         <!--Get User Delegation Key using Managed Identity-->
 52 |         <send-request mode="new" timeout="20" response-variable-name="userdelegationkey" ignore-error="true">
 53 |             <set-url>@("https://"+((string)context.Request.MatchedParameters["storageAccountName"]) + ".blob.core.windows.net/?restype=service&comp=userdelegationkey")</set-url>
 54 |             <set-method>POST</set-method>
 55 |             <set-header name="x-ms-version" exists-action="override">
 56 |                 <value>2020-12-06</value>
 57 |             </set-header>
 58 |             <set-body>@{
 59 |                 return "<KeyInfo>" +
 60 |                     "<Start>" + DateTime.UtcNow.ToString("u").Replace(" ", "T") + "</Start>" +
 61 |                     "<Expiry>" + DateTime.UtcNow.AddSeconds((string)context.Request.MatchedParameters["ttlInSeconds"]).ToString("u").Replace(" ", "T") + "</Expiry>" + 
 62 |                 "</KeyInfo>";
 63 |                 }</set-body>
 64 |             <authentication-managed-identity resource="https://storage.azure.com" />
 65 |         </send-request>
 66 |         <choose>
 67 |             <when condition="@(((IResponse)context.Variables["userdelegationkey"]).StatusCode == 403)">
 68 |                 <return-response response-variable-name="response">
 69 |                     <set-status code="403" reason="Forbidden" />
 70 |                     <set-body>@("Missing permission to generate SAS for blob " + (string)context.Variables["blobUri"] + ". Make sure the 'Storage Blob Delegator' role is granted for APIM '"+ context.Deployment.ServiceName +"' at the Storage Account level.")</set-body>
 71 |                 </return-response>
 72 |             </when>
 73 |         </choose>
 74 |         <return-response>
 75 |             <set-body>@{
 76 |                 XmlDocument xml = new XmlDocument();
 77 |                 string userDelegationKeyResponse = ((IResponse)context.Variables["userdelegationkey"]).Body.As<string>();
 78 |                 xml.LoadXml(userDelegationKeyResponse);
 79 |                 var signedKeyObjectId = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedOid").InnerText;
 80 |                 var signedKeyTenantId = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedTid").InnerText;
 81 |                 var signedKeyStart = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedStart").InnerText;
 82 |                 var signedKeyExpiry = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedExpiry").InnerText;
 83 |                 var signedKeyService = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedService").InnerText;
 84 |                 var signedKeyVersion = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/SignedVersion").InnerText;
 85 |                 var signedKey = xml.DocumentElement.SelectSingleNode("/UserDelegationKey/Value").InnerText;
 86 | 
 87 |                 var signedPermissions = "r";
 88 |                 var signedStart = "";
 89 |                 var signedExpiry = DateTime.UtcNow.AddSeconds((string)context.Request.MatchedParameters["storageAccountName"]).ToString("yyyy-MM-ddTHH:mm:ssZ");
 90 |                 var canonicalizedResource = $"/blob/{((string)context.Request.MatchedParameters["storageAccountName"])}/{((string)context.Request.MatchedParameters["containerName"])}/{((string)context.Request.MatchedParameters["blobName"])}";
 91 |                 var signedAuthorizedUserObjectId = "";
 92 |                 var signedUnauthorizedUserObjectId = "";
 93 |                 var signedCorrelationId = "";
 94 |                 var signedIP = "";
 95 |                 var signedProtocol = "https";
 96 |                 var signedVersion = "2020-12-06";
 97 |                 var signedResource = "b";
 98 |                 var signedSnapshotTime = "";
 99 |                 var signedEncryptionScope = "";
100 |                 var rscc = "";
101 |                 var rscd = "";
102 |                 var rsce = "";
103 |                 var rscl = "";
104 |                 var rsct = "";
105 | 
106 |                 var stringToSign = signedPermissions + "\n" +
107 |                     signedStart + "\n" +
108 |                     signedExpiry + "\n" +
109 |                     canonicalizedResource + "\n" +
110 |                     signedKeyObjectId + "\n" +
111 |                     signedKeyTenantId + "\n" +
112 |                     signedKeyStart + "\n" +
113 |                     signedKeyExpiry + "\n" +
114 |                     signedKeyService + "\n" +
115 |                     signedKeyVersion + "\n" +
116 |                     signedAuthorizedUserObjectId + "\n" +
117 |                     signedUnauthorizedUserObjectId + "\n" +
118 |                     signedCorrelationId + "\n" +
119 |                     signedIP + "\n" +
120 |                     signedProtocol + "\n" +
121 |                     signedVersion + "\n" +
122 |                     signedResource + "\n" +
123 |                     signedSnapshotTime + "\n" +
124 |                     signedEncryptionScope + "\n" +
125 |                     rscc + "\n" +
126 |                     rscd + "\n" +
127 |                     rsce + "\n" +
128 |                     rscl + "\n" +
129 |                     rsct;
130 |                 System.Security.Cryptography.HMACSHA256 hasher = new System.Security.Cryptography.HMACSHA256(Convert.FromBase64String(signedKey));
131 | 
132 |                 var sig = System.Net.WebUtility.UrlEncode(Convert.ToBase64String(hasher.ComputeHash(System.Text.Encoding.UTF8.GetBytes(stringToSign))));
133 | 
134 |                 var sas = $"?sv={signedVersion}&sp={signedPermissions}&se={signedExpiry}&sr={signedResource}&skoid={signedKeyObjectId}&sktid={signedKeyTenantId}&skt={signedKeyStart}&ske={signedKeyExpiry}&sks={signedKeyService}&skv={signedKeyVersion}&spr={signedProtocol}&sig={sig}";
135 | 
136 |                 return (string)context.Variables["blobUri"] + sas;
137 |             }</set-body>
138 |         </return-response>
139 |     </inbound>
140 |     <backend>
141 |         <base />
142 |     </backend>
143 |     <outbound>
144 |         <base />
145 |     </outbound>
146 |     <on-error>
147 |         <base />
148 |     </on-error>
149 | </policies>
150 | 


--------------------------------------------------------------------------------
/examples/oauth-proxy/readme.md:
--------------------------------------------------------------------------------
  1 | # OAuth Proxy Azure API Management policies
  2 | 
  3 | The policies in this folder provide support for an OAuth Proxy that works in a similar way to App Service Authentication.
  4 | 
  5 | ## Setup
  6 | 
  7 | ### Required Named Values
  8 | 
  9 | | Named Value | Purpose |
 10 | | -- | -- |
 11 | | AdditionalScopes | Space separated string of other scopes to request delegated consent for |
 12 | | ClientId | AAD ClientId Id representing the application you are signing in against |
 13 | | ClientSecret | AAD Client Secret used to exchange codes for tokens |
 14 | | CookiePrefix | The name we use for the cookie used to control the oauth-proxy |
 15 | | CookieEncryptionKey | 1 or 2. Selects the key (CookieEncryptionKey**1** or CookieEncryptionKey**2**) used to protect newly issued cookies. This allows you to periodically rotate keys |
 16 | | CookieEncryptionKey1 | A Base 64 Encoded string of a 32 random bytes array. Used by an AES 256 encryption algorithm to encrypt cookies |
 17 | | CookieEncryptionKey2 | A Base 64 Encoded string of a 32 random bytes array. Used by an AES 256 encryption algorithm to encrypt cookies |
 18 | | TokenEncryptionKey | 1 or 2. Selects the key (TokenEncryptionKey**1** or TokenEncryptionKey**2**)  used to protect newly issued tokens. This allows you to periodically rotate keys  |
 19 | | TokenEncryptionKey1 | A Base 64 Encoded string of 32 random bytes. Used as the Key for an AES 256 encryption algorithm for encrypting tokens at rest |
 20 | | TokenEncryptionKey2 | A Base 64 Encoded string of 32 random bytes. Used as the Key for an AES 256 encryption algorithm for encrypting tokens at rest |
 21 | | SessionCookieExpirationInSeconds | How long to allow session cookies to stay active for |
 22 | | RefreshTokenExpirationInSeconds | How long to cache refresh tokens for (a good guide would be how long your average user's session lasts for) |
 23 | 
 24 | > You can generate the Base 64 random bytes in dotnet using ``` Convert.ToBase64String(RandomNumberGenerator.GetBytes(<size>)) ```, or in bash using ```openssl rand -base64 32```
 25 | 
 26 | ### Required Named Values for Azure Active Directory
 27 | 
 28 | | Named Value | Purpose |
 29 | | -- | -- | 
 30 | | TenantId | AAD Tenant Id that owns the ClientId you want users to sign-in to |
 31 | 
 32 | 
 33 | ## Fragments
 34 | | Fragment File Name | Fragment Name | Purpose | How to use |
 35 | | -- | -- | -- | -- |
 36 | | [oauth-proxy-token-endpoint-fragment.xml](oauth-proxy-token-endpoint-fragment.xml) | oauth-proxy-token-endpoint-fragment | Identifies the token endpoint to obtains tokens from | You **must** place this fragment above the ```oauth-proxy-session-fragment``` as it sets a required variable used by other policies.  |
 37 | | [oauth-proxy-validate-token-fragment.xml](oauth-proxy-validate-token-fragment.xml) | oauth-proxy-validate-token-fragment | Custom token validation policy | Place it after the ```oauth-proxy-session-fragment``` to provide an additional JWT validation step on the access-token returned by your IdP. The reference implementation uses the  [validate-azure-ad-token](https://learn.microsoft.com/en-us/azure/api-management/validate-azure-ad-token-policy) policy. For other IdPs use the [validate-jwt](https://learn.microsoft.com/en-us/azure/api-management/validate-jwt-policy) policy. |
 38 | | [oauth-proxy-session-fragment.xml](oauth-proxy-session-fragment.xml) | oauth-proxy-session-fragment | A fragment that checks for a Session cookie, and either initiate a sign-in flow, or attaches valid tokens to the ongoing request. This will refresh tokens if necessary | Place inside the ```<inbound>``` policy of any Web Apps you want to protect with a session cookie |
 39 | | [oauth-proxy-construct-authorization-redirect-fragment.xml](oauth-proxy-construct-authorization-redirect-fragment.xml) | oauth-proxy-construct-authorization-redirect-fragment | A fragment that constructs an OIDC Authorize request to your endpoint | If using a different IdP, use ```oauth-proxy-construct-authorization-redirect.xml``` as a guide to configuring for your IdP |
 40 | | [oauth-proxy-slide-session-fragment.xml](oauth-proxy-slide-session-fragment.xml) | oauth-proxy-slide-session-fragment | A fragment that slides any issued session cookie | Place inside the ```<outbound>``` policy of any Web Apps you want to protect with a session cookie |
 41 | 
 42 | ## Policies for Oidc Endpoints 
 43 | | Policy Name | API path | Method | Purpose | How to use |
 44 | | -- | -- | -- | -- | -- |
 45 | | [oauth-proxy-sign-in.xml](oauth-proxy-sign-in.xml) | ```/oauth/signin``` | GET | Initiates a front-channel code / pkce flow with an IdP  | Configure this as the 'signin' operation within an API called 'OAuth' |
 46 | | [oauth-proxy-callback.xml](oauth-proxy-callback.xml) | ```/oauth/callback``` | POST | Handles an IdP's callback in response to a sign-in request  | Configure this as the 'callback' operation within an API called 'OAuth' |
 47 | | [oauth-proxy-sign-out.xml](oauth-proxy-sign-out.xml) | ```/oauth/signout``` | GET | Clears a user's session cookie, and removes all token data from the cache.  | Configure this as the 'signout' operation within an API called 'OAuth' |
 48 | 
 49 | ## Simple policy to protect Web Applications
 50 | 
 51 | ```xml
 52 | <policies>
 53 |     <inbound>
 54 |         <include-fragment fragment-id="oauth-proxy-token-endpoint-fragment" />
 55 |         <include-fragment fragment-id="oauth-proxy-session-fragment" />
 56 |         <include-fragment fragment-id="oauth-proxy-validate-token-fragment" />
 57 |         
 58 |         <!-- Adds the following headers to the downstream request: 
 59 |             
 60 |             Authorization: Bearer {access-token}
 61 |             x-proxy-id-token: {id-token} 
 62 |             x-proxy-id-token-name: {id-token name claim}
 63 |             x-proxy-id-token-preferred-username: {id-token preferred-username claim}
 64 |             -->
 65 |         <base />
 66 |     </inbound>
 67 |     <backend>
 68 |         <base />
 69 |     </backend>
 70 |     <outbound>
 71 |         <include-fragment fragment-id="oauth-proxy-slide-session-fragment" />
 72 |         <base />
 73 |     </outbound>
 74 |     <on-error>
 75 |         <include-fragment fragment-id="oauth-proxy-slide-session-fragment" />
 76 |         <base />
 77 |     </on-error>
 78 | </policies>
 79 | 
 80 | ```
 81 | 
 82 | 
 83 | # Policy Details
 84 | 
 85 | ## oauth-proxy-session-fragment
 86 | 
 87 | ### Purpose
 88 | This fragment is intended to sit at a high-level around any calls you need to protect.
 89 | 
 90 | It checks for an incoming session-cookie and either
 91 |  - Redirects to oauth/signin if invalid / expired
 92 |  - Fetches tokens from Redis, and decrypts them using the Session-Id (IV), and the TokenEncryptionKey(1 or 2) key
 93 |  - Renews access tokens using a refresh-token if they are nearing expiration
 94 |  - Appends the Bearer token to the request for use by the downstream API.
 95 | 
 96 | ## oauth-proxy-construct-authorization-redirect-fragment
 97 | 
 98 | ### Purpose
 99 | Assigns a valid URI to the ```oauth-proxy-redirect``` variable that will redirect a User to an IdP to initiate a sign-in.
100 | 
101 | The following variables are set by the ```oauth-proxy-sign-in``` policy to use here:
102 | - state
103 | - nonce
104 | - codeChallengeSha256
105 | 
106 | This fragment must set a variable called ```oauth-proxy-redirect``` which initiates the sign-in flow.
107 | 
108 | ## oauth-proxy-slide-session-fragment
109 | 
110 | ### Purpose
111 | An Outbound processing fragment that slides the current session cookie. Use it at the same API scope as the above Session check fragment.
112 | 
113 | ### Steps
114 | - Issues a new session cookie on all requests, which slides forward to ```UtcNow + SessionCookieExpirationInSeconds```
115 | 
116 | ## oauth-proxy-token-endpoint-fragment
117 | 
118 | ### Purpose
119 | This fragment creates a valid URI that where we can exchange a code for a token.
120 | 
121 | This fragment must set a variable called ```idpTokenEndpoint``` where we can POST to.
122 | 
123 | 
124 | ## oauth-proxy-sign-in
125 | 
126 | ### Purpose
127 | This policy initiates an OIDC 3-legged sign-in flow.
128 | 
129 | ### Steps
130 | - Checks for a valid redirect on the incoming URL
131 | - Creates state, nonce, and code-challenges which are stored in Redis
132 | - Uses the ```oauth-proxy-construct-authorization-redirect-fragment``` to construct the authorisation request
133 | - Returns a cookie with a lookup the the above state, nonce and code-challenge
134 | - 302 Redirects the browser to initiate the front-channel sign-in.
135 | 
136 | ### Required QueryString Values
137 | 
138 | | Query String key | Purpose |
139 | | -- | -- |
140 | | redirect | Url to redirect to after a successful sign-in flow. This must be a root path beginning with '/'.  |
141 | 
142 | ## oauth-proxy-callback
143 | > Implemented by [oauth-proxy-callback.xml](./oauth-proxy-callback.xml)
144 | 
145 | ### Purpose
146 | This policy handles a callback from an IdP to complete an OIDC flow.
147 | 
148 | ### Steps
149 | - Get the ```code``` and ```state``` parameter from the incoming querystring
150 | - Check for an incoming ```oidc``` cookie suffixed with the ```state``` parameter 
151 | - Lookup the state and nonce properties from cache which were previously stored in the ```signin``` policy
152 | - Return 401 if we cannot find them
153 | - If the state parameter in the querystring from the IdP matches the cookie, and was stored in our cache, then switch the code for a token using a PKCE code-
154 | - Check the nonce in the returned token matches the nonce stored in session
155 | - Return 401 if we cannot match the nonce
156 | - Creates an IV which is round-tripped in the session cookie (not stored server-side)
157 | - Encrypts the tokens using the above IV, and the TokenEncryptionKey(1 or 2)
158 | - Store the encrypted tokens in Redis
159 | - Set a session-cookie which comprises of our cache-key, the IV, the cookies expiry timestamp. Signs it using a HMAC-SHA-512 signature creating using the SessionCookieKey(1 or 2) named value.
160 | 
161 | ## oauth-proxy-sign-out
162 | > Implemented by [oauth-proxy-signout.xml](./oauth-proxy-signout.xml)
163 | 
164 | ### Purpose
165 | This policy performs a User 'sign-out'. It removes the session cookies, and also removes all tokens from cache.
166 | 
167 | ### Steps
168 | - Clears all cached tokens
169 | - Clears the session cookie
170 | - Redirects the user to the provided redirect parameter (returns a 200 OK if no, or invalid redirect).
171 | 
172 | NB: This does not invalidate the access tokens. If any API cached the token it will still be valid until its expiry date.
173 | 


--------------------------------------------------------------------------------
/examples/Request OAuth2 access token from SuccessFactors using AAD JWT token.xml:
--------------------------------------------------------------------------------
  1 | <!-- The policy defined in this file provides an best-practice implementation of OAuth2SAMLBearerAssertion for SAP SuccessFactors OData services.
  2 |      The mechanism to map an IdP associated user (in this case Microsoft Entra ID (formerly Azure Active Directory - AAD) to a SAP backend user
  3 |      is often referred to as SAP Principal Propagation.
  4 | -->
  5 | <!-- The policy shows how to exchange an Entra ID issued access token for an SAP issued Bearer token and forward it to the backend.
  6 |      It requires a user-assigned managed identity associated with the API Management instance for secure platform-internal token exchange.
  7 |      In addition to that it caches the tokens, so that clients can focus on app logic rather than SAP Principal Propagation and to scale the approach.
  8 |      Furthermore, it handles the X-CSRF-Token handling for update requests. -->
  9 | <!-- Find further details in our blog series on the SAP community: https://community.powerplatform.com/blogs/post/?postid=c6a609ab-3556-ef11-a317-6045bda95bf0
 10 |      Find a Postman collection to test the policy flow (with client secret instead of managed identity!) here: https://raw.githubusercontent.com/MartinPankraz/AzureSAPODataReader/master/Templates/SuccessFactors%20Entra%20ID%20principal%20propagation.postman_collection.json -->
 11 | <!-- Parameters: AADTenantId - format TENANT-GUID, can be optained from Azure portal view for Entra ID for instance -->
 12 | <!-- Parameters: APIMAADRegisteredAppClientId - format APP-GUID, obtained during app registration of Azure APIM instance -->
 13 | <!-- Parameters: APIMUserAssignedManagedIdentityId - Client ID of user-assigned managed identity of APIM instance https://community.sap.com/t5/technology-blogs-by-members/sap-principal-propagation-without-secrets-how-managed-identity-in-apim/ba-p/14091769 -->
 14 | <!-- Parameters: APIMAADRegisteredAppClientSecret (DEPRECATED!) - a URL encoded secret, obtained during app registration. Use managed identity instead! -->
 15 | <!-- Parameters: EntraIDSAPSFResource - an id obtained during app registration for SuccessFactors. Our guide leverages the SF domain for this (e.g. my.successfactors.eu) -->
 16 | <!-- Parameters: SAPSFApiKey - API Key obtained from SuccessFactors during OAuth2 client app creation. https://help.sap.com/docs/SAP_SUCCESSFACTORS_PLATFORM/d599f15995d348a1b45ba5603e2aba9b/6b3c741483de47b290d075d798163bc1.html -->
 17 | <!-- Parameters: SAPSFCompanyId - your SuccessFactors company id. Find it from here: https://userapps.support.sap.com/sap/support/knowledge/en/2655655 -->
 18 | <!-- Parameters: SAPSFOAuthServerAdressForTokenEndpoint - format https://{{SAPSFOAuthServerAdressForTokenEndpoint}}/oauth/token -->
 19 | <!-- To create the parameters (APIM named values) used in this policy, we provided a Azure Cloud shell script here: https://github.com/MartinPankraz/AzureSAPODataReader/blob/master/Templates/UpdateAPIMwithVariablesForSAPPolicy.sh -->
 20 | <policies>
 21 |     <inbound>
 22 |         <base />
 23 |         <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer">
 24 |             <openid-config url="https://login.microsoftonline.com/{{AADTenantId}}/.well-known/openid-configuration" />
 25 |             <audiences>
 26 |                 <audience>api://{{APIMAADRegisteredAppClientId}}</audience>
 27 |             </audiences>
 28 |             <issuers>
 29 |                 <issuer>https://login.microsoftonline.com/{{AADTenantId}}/v2.0</issuer>
 30 |             </issuers>
 31 |             <required-claims>
 32 |                 <claim name="scp" match="all" separator=" ">
 33 |                     <value>user_impersonation</value>
 34 |                 </claim>
 35 |             </required-claims>
 36 |         </validate-jwt>
 37 |         <!-- avoid "br" encoding, because it breaks domain rewrite on outbound. SAP OData doesn't support br -->
 38 |         <set-header name="Accept-Encoding" exists-action="override">
 39 |             <value>gzip, deflate</value>
 40 |         </set-header>
 41 |         <set-variable name="APIMAADRegisteredAppClientId" value="{{APIMAADRegisteredAppClientId}}" />
 42 |         <!--<set-variable name="APIMAADRegisteredAppClientSecret" value="{{APIMAADRegisteredAppClientSecret}}" /> Kept as fallback. Use managed identity APIMUserAssignedManagedIdentityId instead! -->
 43 |         <set-variable name="EntraIDSAPSFResource" value="{{EntraIDSAPSFResource}}" />
 44 |         <set-variable name="SAPSFApiKey" value="{{SAPSFApiKey}}" />
 45 |         <set-variable name="SAPSFCompanyId" value="{{SAPSFCompanyId}}" />
 46 |         <!-- check APIM cache for existing user SAP and refresh token for OData service -->
 47 |         <cache-lookup-value key="@("SAPSFPrincipal" + context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" variable-name="SAPBearerToken" />
 48 |         <choose>
 49 |             <!-- if SAP token is not in cache, get it from Entra ID and store -->
 50 |             <when condition="@(!context.Variables.ContainsKey("SAPBearerToken"))">
 51 |                 <!-- Get jwt for token exchange using APIM user-assigned managed identity -->
 52 |                 <authentication-managed-identity resource="api://azureadtokenexchange" client-id="{{APIMUserAssignedManagedIdentityId}}" output-token-variable-name="msi-access-token" ignore-error="false" />
 53 |                 <!-- Exchange Entra ID Bearer token for Entra ID issued SAML token on behalf of logged in user -->
 54 |                 <send-request mode="new" response-variable-name="fetchSAMLAssertion" timeout="10" ignore-error="false">
 55 |                     <set-url>https://login.microsoftonline.com/{{AADTenantId}}/oauth2/v2.0/token</set-url>
 56 |                     <set-method>POST</set-method>
 57 |                     <set-header name="Content-Type" exists-action="override">
 58 |                         <value>application/x-www-form-urlencoded</value>
 59 |                     </set-header>
 60 |                     <set-body>@{
 61 |                             var _AADRegisteredAppClientId = context.Variables["APIMAADRegisteredAppClientId"];
 62 |                             /*var _AADRegisteredAppClientSecret = context.Variables["APIMAADRegisteredAppClientSecret"];*/
 63 |                             var _EntraIDSAPSFResource = context.Variables["EntraIDSAPSFResource"];
 64 |                             var user_assertion = context.Request.Headers.GetValueOrDefault("Authorization","").Replace("Bearer ","");
 65 |                             var apim_assertion = context.Variables["msi-access-token"];
 66 |                             return $"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&client_assertion={apim_assertion}&client_id={_AADRegisteredAppClientId}&client_assertion_type=urn:ietf:params:oauth:client-assertion-type:jwt-bearer&assertion={user_assertion}&scope={_EntraIDSAPSFResource}/.default&requested_token_use=on_behalf_of&requested_token_type=urn:ietf:params:oauth:token-type:saml2";
 67 |                             /* Kept as fallback only: return $"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={user_assertion}&client_id={_AADRegisteredAppClientId}&client_secret={_AADRegisteredAppClientSecret}&scope={_EntraIDSAPSFResource}/.default&requested_token_use=on_behalf_of&requested_token_type=urn:ietf:params:oauth:token-type:saml2"; */
 68 |                         }</set-body>
 69 |                 </send-request>
 70 |                 <set-variable name="accessToken" value="@((string)((IResponse)context.Variables["fetchSAMLAssertion"]).Body.As<JObject>()["access_token"])" />
 71 |                 <!-- Get SAP backend issued Bearer token for presented AAD issued SAML token using OAuth2SAMLBearerAssertion flow. -->
 72 |                 <send-request mode="new" response-variable-name="fetchSAPBearer" timeout="10" ignore-error="false">
 73 |                     <set-url>https://{{SAPSFOAuthServerAdressForTokenEndpoint}}/oauth/token</set-url>
 74 |                     <set-method>POST</set-method>
 75 |                     <set-header name="Content-Type" exists-action="override">
 76 |                         <value>application/x-www-form-urlencoded</value>
 77 |                     </set-header>
 78 |                     <set-body>@{
 79 |                             var _SAPSFApiKey = context.Variables["SAPSFApiKey"];
 80 |                             var _SAPSFCompanyId = context.Variables["SAPSFCompanyId"];
 81 |                             var assertion2 = context.Variables["accessToken"];
 82 |                             return $"grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion={assertion2}&client_id={_SAPSFApiKey}&company_id={_SAPSFCompanyId}";
 83 |                         }</set-body>
 84 |                 </send-request>
 85 |                 <!-- Remember SAP Bearer tokens, deal with dictionary of objects -->
 86 |                 <set-variable name="SAPResponseObject" value="@(((IResponse)context.Variables["fetchSAPBearer"]).Body.As<JObject>())" />
 87 |                 <set-variable name="SAPBearerTokenExpiry" value="@(((JObject)context.Variables["SAPResponseObject"])["expires_in"].ToString())" />
 88 |                 <set-variable name="iSAPBearerTokenExpiry" value="@(int.Parse((string)context.Variables["SAPBearerTokenExpiry"]))" />
 89 |                 <set-variable name="SAPBearerToken" value="@(((JObject)context.Variables["SAPResponseObject"])["access_token"].ToString())" />
 90 |                 <!-- take random time off the actual expiry to avoid login bursts (clustered expired tokens). Assuming a third of the total expiry as lower boundary -->
 91 |                 <set-variable name="RandomBackOffDelay" value="@(new Random().Next(0,(int)context.Variables["iSAPBearerTokenExpiry"]/3))" />
 92 |                 <!--cache Bearer and refresh token till expiry. We recommend 36 hours to mitigate "morning" login bursts efficiently. -->
 93 |                 <cache-store-value key="@("SAPSFPrincipal" + context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" value="@((string)context.Variables["SAPBearerToken"])" duration="@((int)context.Variables["iSAPBearerTokenExpiry"]  - (int)context.Variables["RandomBackOffDelay"])" />
 94 |                 <!-- optionally store duration for diagnostics endpoint
 95 |                 <cache-store-value key="@("SAPBearerDuration" + context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)" value="@((int)context.Variables["iSAPBearerTokenExpiry"] - (int)context.Variables["RandomBackOffDelay"])" duration="3600" />-->
 96 |             </when>
 97 |         </choose>
 98 |         <!-- check CSRF -->
 99 |         <choose>
100 |             <!-- CSRF-token only required for every operation other than GET or HEAD -->
101 |             <when condition="@(context.Request.Method != "GET" && context.Request.Method != "HEAD")">
102 |                 <!-- Creating a HEAD subrequest to save request overhead and get the SAP CSRF token and cookie.-->
103 |                 <send-request mode="new" response-variable-name="SAPCSRFToken" timeout="10" ignore-error="false">
104 |                     <set-url>@(context.Request.Url.ToString())</set-url>
105 |                     <set-method>HEAD</set-method>
106 |                     <set-header name="X-CSRF-Token" exists-action="override">
107 |                         <value>Fetch</value>
108 |                     </set-header>
109 |                     <set-header name="Authorization" exists-action="override">
110 |                         <value>@("Bearer " + (string)context.Variables["SAPBearerToken"])</value>
111 |                     </set-header>
112 |                 </send-request>
113 |                 <!-- Extract the token from the "SAPCSRFToken" and set as header in the POST request. -->
114 |                 <choose>
115 |                     <when condition="@(((IResponse)context.Variables["SAPCSRFToken"]).StatusCode == 200)">
116 |                         <set-header name="X-CSRF-Token" exists-action="override">
117 |                             <value>@(((IResponse)context.Variables["SAPCSRFToken"]).Headers.GetValueOrDefault("x-csrf-token"))</value>
118 |                         </set-header>
119 |                     </when>
120 |                 </choose>
121 |             </when>
122 |         </choose>
123 |         <set-header name="Authorization" exists-action="override">
124 |             <value>@("Bearer " + (string)context.Variables["SAPBearerToken"])</value>
125 |         </set-header>
126 |         <choose>
127 |             <!--introduce json format conversion only for non-metadata calls and only for GET operations. Otherwise bad request.-->
128 |             <when condition="@(!context.Request.Url.Path.Contains("/$metadata") && context.Request.Method == "GET")">
129 |                 <set-query-parameter name="$format" exists-action="override">
130 |                     <value>json</value>
131 |                 </set-query-parameter>
132 |             </when>
133 |         </choose>
134 |     </inbound>
135 |     <backend>
136 |         <base />
137 |     </backend>
138 |     <outbound>
139 |         <base />
140 |         <!-- OPTIONAL: Ensure that APIM domain, port and path are reflected on the OData response from SAP
141 |              Otherwise deferred items like /secondManager are represented by SAP known host and port. Example:
142 |              https://demo-sap-apim.azure-api.net/odata/v2/User('0100000000')/secondManager vs.
143 |              https://demo-sap-apim.azure-api.net/my-prefix/odata/v2/User('0100000000')/secondManager
144 |              URL rewrite in body required for returned OData paths.
145 |              - Consider adding "/" + "context.Api.Version" to reflect your versioning scheme: https://learn.microsoft.com/azure/api-management/api-management-versions
146 |              - Consider Using expression "ToString().ToUpper()" to cater for upper case SAP host names.
147 |                context.Api.ServiceUrl.Host.ToString().ToUpper()
148 |         -->
149 |         <find-and-replace from="@(context.Api.ServiceUrl.Host + context.Api.ServiceUrl.Path)" to="@(context.Request.OriginalUrl.Host + context.Api.Path)" />
150 |     </outbound>
151 |     <on-error>
152 |         <base />
153 |         <set-header name="ErrorSource" exists-action="override">
154 |             <value>@(context.LastError.Source)</value>
155 |         </set-header>
156 |         <set-header name="ErrorReason" exists-action="override">
157 |             <value>@(context.LastError.Reason)</value>
158 |         </set-header>
159 |         <set-header name="ErrorMessage" exists-action="override">
160 |             <value>@(context.LastError.Message)</value>
161 |         </set-header>
162 |         <set-header name="ErrorScope" exists-action="override">
163 |             <value>@(context.LastError.Scope)</value>
164 |         </set-header>
165 |         <set-header name="ErrorSection" exists-action="override">
166 |             <value>@(context.LastError.Section)</value>
167 |         </set-header>
168 |         <set-header name="ErrorPath" exists-action="override">
169 |             <value>@(context.LastError.Path)</value>
170 |         </set-header>
171 |         <set-header name="ErrorPolicyId" exists-action="override">
172 |             <value>@(context.LastError.PolicyId)</value>
173 |         </set-header>
174 |         <set-header name="ErrorStatusCode" exists-action="override">
175 |             <value>@(context.Response.StatusCode.ToString())</value>
176 |         </set-header>
177 |     </on-error>
178 | </policies>


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-session-fragment.xml:
--------------------------------------------------------------------------------
  1 | <!--
  2 |     IMPORTANT:
  3 |     - Policy fragment are included as-is whenever they are referenced.
  4 |     - If using variables. Ensure they are setup before use.
  5 |     - Copy and paste your code here or simply start coding
  6 | -->
  7 | <fragment>
  8 | 	<!-- Grab the incoming session cookie -->
  9 | 	<set-variable name="encryptedIncomingFullSessionCookie" value="@(context.Request.Headers.ContainsKey("cookie") ? context.Request.Headers.GetValueOrDefault("cookie", "").Split(';').Select(x => x.Trim()).Select(cookie => cookie.Split('=')).SingleOrDefault(cookie => cookie[0] == "{{CookiePrefix}}")?[1] ?? string.Empty : string.Empty)" />
 10 | 	<set-variable name="redirect" value="@(Uri.EscapeDataString(context.Request.OriginalUrl.Path + context.Request.OriginalUrl.QueryString))" />
 11 | 	<choose>
 12 | 		<!-- No cookie - redirect to the sign-in endpoint -->
 13 | 		<when condition="@(context.Variables["encryptedIncomingFullSessionCookie"] == string.Empty)">
 14 | 			<return-response>
 15 | 				<set-status code="302" />
 16 | 				<set-header name="Location" exists-action="override">
 17 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
 18 | 				</set-header>
 19 | 			</return-response>
 20 | 		</when>
 21 | 		<!-- Cookie malformed. Redirect to the sign-in endpoint -->
 22 | 		<when condition="@(((string)context.Variables["encryptedIncomingFullSessionCookie"]).Split('.').Length != 3)">
 23 | 			<return-response>
 24 | 				<set-status code="302" />
 25 | 				<set-header name="Location" exists-action="override">
 26 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
 27 | 				</set-header>
 28 | 			</return-response>
 29 | 		</when>
 30 | 	</choose>
 31 | 
 32 | 	<!-- get the IV from cache, and decrypt the contents of the cookie -->
 33 | 	<set-variable name="encryptedCookie" value="@(((string)context.Variables["encryptedIncomingFullSessionCookie"]).Split('.')[0])" />
 34 | 	<set-variable name="ivCookie" value="@(((string)context.Variables["encryptedIncomingFullSessionCookie"]).Split('.')[1])" />
 35 | 	<set-variable name="cookieKey" value="@(((string)context.Variables["encryptedIncomingFullSessionCookie"]).Split('.')[2])" />
 36 | 
 37 | 	<choose>
 38 | 		<!-- Cookie not the right format - redirect to the sign-in endpoint -->
 39 | 		<when condition="@(((string)context.Variables["ivCookie"]) == string.Empty)">
 40 | 			<return-response>
 41 | 				<set-status code="302" />
 42 | 				<set-header name="Location" exists-action="override">
 43 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
 44 | 				</set-header>
 45 | 			</return-response>
 46 | 		</when>
 47 | 	</choose>
 48 | 
 49 | 	<!-- next step is to decrypt the cookie. This will yield an IV that can decrypt the tokens, and a timestamp-->
 50 | 	<set-variable name="incomingFullSessionCookie" value="@{
 51 | 		try {
 52 | 			var cookieBytes = Convert.FromBase64String(((string)context.Variables["encryptedCookie"]));
 53 | 			var iv = Guid.Parse((string)context.Variables["ivCookie"]).ToByteArray();
 54 | 			var key1 = Convert.FromBase64String("{{CookieEncryptionKey1}}");
 55 | 			var key2 = Convert.FromBase64String("{{CookieEncryptionKey2}}");
 56 | 			var key = (string)context.Variables["cookieKey"]  == "1" ? key1 : key2;
 57 | 			var decryptedBytes = cookieBytes.Decrypt("Aes", key, iv);
 58 | 			return Encoding.UTF8.GetString(decryptedBytes);
 59 | 		} catch (Exception e) {
 60 | 			return "";
 61 | 		}
 62 | 	}" />
 63 | 
 64 | 	<choose>
 65 | 		<!-- Failed to decrypt the incoming cookie -->
 66 | 		<when condition="@(((string)context.Variables["incomingFullSessionCookie"]) == string.Empty)">
 67 | 			<return-response>
 68 | 				<set-status code="302" />
 69 | 				<set-header name="Location" exists-action="override">
 70 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
 71 | 				</set-header>
 72 | 			</return-response>
 73 | 		</when>
 74 | 	</choose>
 75 | 
 76 | 	<!-- The cookies second part has the key to the cache where we have stored the tokens / refresh times -->
 77 | 	<set-variable name="cacheKey" value="@(((string)context.Variables["incomingFullSessionCookie"]).Split('.')[0])" />
 78 | 	<set-variable name="ivTokens" value="@(((string)context.Variables["incomingFullSessionCookie"]).Split('.')[1])" />
 79 | 	<!-- The cookies expiry date is the 2nd part of the cookie -->
 80 | 	<set-variable name="expires-at" value="@(long.Parse(((string)context.Variables["incomingFullSessionCookie"]).Split('.')[2]))" />
 81 | 	<choose>
 82 | 		<!-- If the cookie has expired, redirect to the signin-page -->
 83 | 		<when condition="@(DateTimeOffset.UtcNow > DateTimeOffset.FromUnixTimeMilliseconds((long)context.Variables["expires-at"]))">
 84 | 			<return-response>
 85 | 				<set-status code="302" />
 86 | 				<set-header name="Location" exists-action="override">
 87 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
 88 | 				</set-header>
 89 | 			</return-response>
 90 | 		</when>
 91 | 	</choose>
 92 | 
 93 | 	<!-- Let's get the token from session and do some checks on it -->
 94 | 	<cache-lookup-value key="@($"tokens-{context.Variables["cacheKey"]}-accessToken")" default-value="" variable-name="encryptedAccessToken" />
 95 | 	<cache-lookup-value key="@($"tokens-{context.Variables["cacheKey"]}-idToken")" default-value="" variable-name="encryptedIdToken" />
 96 | 	<cache-lookup-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshAt")" default-value="" variable-name="refreshAt" />
 97 | 
 98 | 	<choose>
 99 | 		<!-- If we've lost any of these tokens then just redirect back to the sign-in endpoint -->
100 | 		<when condition="@((string)context.Variables["encryptedAccessToken"] == "" || (string)context.Variables["encryptedIdToken"] == ""  || (long)context.Variables["refreshAt"] == 0 )">
101 | 			<return-response>
102 | 				<set-status code="302" />
103 | 				<set-header name="Location" exists-action="override">
104 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
105 | 				</set-header>
106 | 			</return-response>
107 | 		</when>
108 | 	</choose>
109 | 
110 | 	<!-- decrypt and turn back into a JObject -->
111 | 	<set-variable name="accessToken" value="@{
112 | 		var tokenParts = ((string)context.Variables["encryptedAccessToken"]).Split('.');
113 | 		var token = Convert.FromBase64String(tokenParts[0]);
114 | 		var keySet = tokenParts[1];
115 | 		var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
116 | 		var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
117 | 		var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
118 | 		var key = keySet == "1" ? key1 : key2;
119 | 		var decryptedBytes = token.Decrypt("Aes", key, iv);
120 |         return Encoding.UTF8.GetString(decryptedBytes);
121 | 	}" />
122 | 
123 | 	<!-- decrypt and turn back into a JObject -->
124 | 	<set-variable name="idToken" value="@{
125 | 		var tokenParts = ((string)context.Variables["encryptedIdToken"]).Split('.');
126 | 		var token = Convert.FromBase64String(tokenParts[0]);
127 | 		var keySet = tokenParts[1];
128 | 		var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
129 | 		var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
130 | 		var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
131 | 		var key = keySet == "1" ? key1 : key2;
132 | 		var decryptedBytes = token.Decrypt("Aes", key, iv);
133 |         return Encoding.UTF8.GetString(decryptedBytes);
134 | 	}" />
135 | 
136 | 	<choose>
137 | 		<!-- Check the current date against when we want to refresh the token. This is about half of the tokens lifetime (so we don't miss our chance to refresh) -->
138 | 		<when condition="@(DateTimeOffset.UtcNow > DateTimeOffset.FromUnixTimeSeconds((long)context.Variables["refreshAt"]))">
139 | 			<!-- If it's time to refresh then post to AAD to get new tokens -->
140 | 			<cache-lookup-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshToken")" default-value="" variable-name="encryptedRefreshToken" />
141 | 
142 | 			<!-- decrypt and turn back into a JObject -->
143 | 			<set-variable name="refreshToken" value="@{
144 | 				var tokenParts = ((string)context.Variables["encryptedRefreshToken"]).Split('.');
145 | 				var token = Convert.FromBase64String(tokenParts[0]);
146 | 				var keySet = tokenParts[1];
147 | 				var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
148 | 				var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
149 | 				var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
150 | 				var key = keySet == "1" ? key1 : key2;
151 | 				var decryptedBytes = token.Decrypt("Aes", key, iv);
152 | 				return Encoding.UTF8.GetString(decryptedBytes);
153 | 			}" />
154 | 
155 |             <choose>
156 |                 <!-- If we've lost our fresh token then we'll have to redirect to the sign-in -->
157 |                 <when condition="@( (string)context.Variables["refreshToken"] == "" )">
158 |                     <return-response>
159 |                         <set-status code="302" />
160 |                         <set-header name="Location" exists-action="override">
161 | 					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
162 |                         </set-header>
163 |                     </return-response>
164 |                 </when>
165 |             </choose>
166 | 
167 | 			<set-variable name="tokenRefreshData" value="@($"client_id={{ClientId}}&refresh_token={(string)context.Variables["refreshToken"]}&grant_type=refresh_token&client_secret={Uri.EscapeDataString("{{ClientSecret}}")}")" />
168 | 
169 | 			<send-request mode="new" response-variable-name="tokens" timeout="60" ignore-error="false">
170 | 				<set-url>@((string)context.Variables["idpTokenEndpoint"])</set-url>
171 | 				<set-method>POST</set-method>
172 | 				<set-header name="Content-Type" exists-action="override">
173 | 					<value>application/x-www-form-urlencoded</value>
174 | 				</set-header>
175 | 				<set-body>@((string)context.Variables["tokenRefreshData"])</set-body>
176 | 			</send-request>
177 | 			<choose>
178 | 				<!-- No joy getting tokens. We'll have to 302 back to the sign-in flow. Let the user sign-in, and come back here. -->
179 | 				<when condition="@(((IResponse)context.Variables["tokens"]).StatusCode != 200)">
180 | 					<return-response>
181 | 						<set-status code="302" />
182 | 						<set-header name="Set-Cookie" exists-action="override">
183 | 							<value>@($"{{CookiePrefix}}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
184 | 						</set-header>
185 | 						<set-header name="Location" exists-action="override">
186 |         					<value>@($"/oauth/signin?redirect={(string)context.Variables["redirect"]}")</value>
187 | 						</set-header>
188 | 					</return-response>
189 | 				</when>
190 | 				<otherwise>
191 | 					<!-- update the access_token variable with the new token -->
192 | 
193 | 					<set-variable name="tokenResponse" value="@(((IResponse)context.Variables["tokens"]).Body.As<JObject>())" />
194 | 					<!-- Find when the tokens expire. We'll make the tokens in the cache drop out at this time -->
195 | 					<set-variable name="refreshTime" value="@((int)((JObject)context.Variables["tokenResponse"])["expires_in"])" />
196 | 					<set-variable name="accessToken" value="@( ((JObject)context.Variables["tokenResponse"])["access_token"].ToString())" />
197 | 					<set-variable name="refreshToken" value="@( ((JObject)context.Variables["tokenResponse"])["refresh_token"].ToString())" />
198 | 					<set-variable name="idtoken" value="@( ((JObject)context.Variables["tokenResponse"])["id_token"].ToString())" />
199 | 
200 | 					<!-- Encrypt the tokenResponse variable, and store that in cache. We'll handle the refresh token separately as it lasts longer -->
201 | 					<set-variable name="encryptedAccessToken" value="@{
202 | 						var token = Encoding.UTF8.GetBytes((string)context.Variables["accessToken"]);
203 | 						var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
204 | 						var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
205 | 						var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
206 | 						var key = {{TokenEncryptionKey}};
207 | 						var encryptionKey = key == 1 ? key1 : key2;
208 | 						var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
209 | 						return $"{Convert.ToBase64String(encryptedToken)}.{key}";
210 | 					}" />
211 | 
212 | 					<set-variable name="encryptedIdToken" value="@{
213 | 						var token = Encoding.UTF8.GetBytes((string)context.Variables["idtoken"]);
214 | 						var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
215 | 						var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
216 | 						var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
217 | 						var key = {{TokenEncryptionKey}};
218 | 						var encryptionKey = key == 1 ? key1 : key2;
219 | 						var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
220 | 						return $"{Convert.ToBase64String(encryptedToken)}.{key}";
221 | 					}" />
222 | 
223 | 					<set-variable name="encryptedRefreshToken" value="@{
224 | 						var token = Encoding.UTF8.GetBytes((string)context.Variables["refreshToken"]);
225 | 						var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
226 | 						var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
227 | 						var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
228 | 						var key = {{TokenEncryptionKey}};
229 | 						var encryptionKey = key == 1 ? key1 : key2;
230 | 						var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
231 | 						return $"{Convert.ToBase64String(encryptedToken)}.{key}";
232 | 					}" />
233 | 
234 | 					<!-- Store the encrypted token in the cache. -->
235 | 					<cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-accessToken")" value="@((string)context.Variables["encryptedAccessToken"])" duration="@((int)context.Variables["refreshTime"])" />
236 | 					<!-- Store the encrypted token in the cache. -->
237 | 					<cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-idToken")" value="@((string)context.Variables["encryptedIdToken"])" duration="@((int)context.Variables["refreshTime"])" />
238 | 					<!-- Store another refresh time... We'll refresh the tokens half way to their expiry date. Try to avoid last minute timing errors -->
239 | 					<cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshAt")" value="@(DateTimeOffset.UtcNow.AddSeconds((int)context.Variables["refreshTime"] / 2).ToUnixTimeSeconds())" duration="@((int)context.Variables["refreshTime"])" />
240 | 					<!-- Store the refresh token separately. We probably want to cache it for longer than the token (avg user session length is a good idea) -->
241 | 					<cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshToken")" value="@((string)context.Variables["encryptedRefreshToken"])" duration="{{RefreshTokenExpirationInSeconds}}" />
242 | 				</otherwise>
243 | 			</choose>
244 | 		</when>
245 | 	</choose>
246 | 	<!-- Add the access token to the request (change this to pass whatever you need onwards) -->
247 | 	<set-header name="Authorization" exists-action="override">
248 | 		<value>@($"Bearer {(string)context.Variables["accessToken"]}")</value>
249 | 	</set-header>
250 | 	<set-header name="x-proxy-id-token" exists-action="override">
251 | 		<value>@((string)context.Variables["idToken"])</value>
252 | 	</set-header>
253 | 
254 | 	<set-variable name="idTokenJwt" value="@(((string)context.Variables["idToken"]).AsJwt())" />
255 | 
256 | 	<set-header name="x-proxy-id-token-name" exists-action="override">
257 | 		<value>@(((Jwt)context.Variables["idTokenJwt"]).Claims["name"][0])</value>
258 | 	</set-header>
259 | 
260 | 	<!-- Auth0 id-token didn't have a preferred_username claim. Just name. -->
261 |     <choose>
262 |         <when condition="@(((Jwt)context.Variables["idTokenJwt"]).Claims.ContainsKey("preferred_username"))">
263 |             <set-header name="x-proxy-id-token-preferred-username" exists-action="override">
264 |                 <value>@(((Jwt)context.Variables["idTokenJwt"]).Claims["preferred_username"][0])</value>
265 |             </set-header>
266 |         </when>
267 |     </choose>
268 | 
269 | </fragment>


--------------------------------------------------------------------------------
/examples/oauth-proxy/oauth-proxy-callback.xml:
--------------------------------------------------------------------------------
  1 | <policies>
  2 |     <inbound>
  3 |         <!-- Get the authentication code from the incoming form post. -->
  4 |         <set-variable name="code" value="@(context.Request.Body.AsFormUrlEncodedContent(preserveContent: true)["code"].Single())" />
  5 |         <!-- Get the state from the incoming form post. -->
  6 |         <set-variable name="state" value="@(context.Request.Body.AsFormUrlEncodedContent()["state"].Single())" />
  7 |         <!-- Grab the cookie that comes in. The state should match that of the cookie. -->
  8 |         <set-variable name="cacheKey" value="@(context.Request.Headers.GetValueOrDefault("cookie", "").Split(';').Select(x => x.Trim()).Select(cookie => cookie.Split('=')).Single(cookie => cookie[0] == $"{{CookiePrefix}}-{(string)context.Variables["state"]}")[1])" />
  9 |         <!-- get the state and the nonce so we can check them against the token we exchange for -->
 10 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-state")" default-value="" variable-name="expected-state" />
 11 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-nonce")" default-value="" variable-name="expected-nonce" />
 12 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-code-challenge")" default-value="" variable-name="code-challenge" />
 13 |         <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-state")" />
 14 |         <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-nonce")" />
 15 |         <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-code-challenge")" />
 16 |         <choose>
 17 |             <when condition="@((string)context.Variables["expected-state"] == string.Empty)">
 18 |                 <!-- Couldn't find a matching state variable. Error the callback. -->
 19 |                 <return-response>
 20 |                     <set-status code="401" reason="Unexpected state" />
 21 |                     <set-header name="Set-Cookie" exists-action="override">
 22 |                         <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
 23 |                     </set-header>
 24 |                     <!-- <set-body>@($"{(string)context.Variables["state"]} != {(string)context.Variables["expected-state"]}")</set-body> -->
 25 |                 </return-response>
 26 |             </when>
 27 | 
 28 |             <!-- If we found something in the cache using the incoming state, then the callback is linked to a known original request. -->
 29 |             <!-- This proves that the callback is correlated to the original token request -->
 30 |             <when condition="@((string)context.Variables["expected-state"] != "")">
 31 |                 <!-- Get a backchannel call ready to switch the code for the token -->
 32 | 
 33 |                 <set-variable name="oauth-proxy-callback" value="@{
 34 |                     var forwardedHost = (string)context.Request.Headers.GetValueOrDefault("X-Forwarded-Host", context.Request.OriginalUrl.Host);
 35 |                     var forwardedPort = (string)context.Request.Headers.GetValueOrDefault("X-Forwarded-Port", "");
 36 |                     var port = forwardedPort == "" ? 443 : int.Parse(forwardedPort);
 37 | 
 38 |                     //construct the expected redirect. If the port is 443, then don't add it on as we hardcode https
 39 |                     return $"https://{forwardedHost}{(port != 443 ? $":{port}" : "")}/oauth/callback";
 40 |                 }" />
 41 | 
 42 |                 <set-variable name="tokenData" value="@($"client_id={{ClientId}}&code={(string)context.Variables["code"]}&redirect_uri={(string)context.Variables["oauth-proxy-callback"]}&grant_type=authorization_code&client_secret={Uri.EscapeDataString("{{ClientSecret}}")}&code_verifier={(string)context.Variables["code-challenge"]}")" />
 43 |                 <include-fragment fragment-id="oauth-proxy-token-endpoint-fragment" />
 44 |                 <!-- Backchannel call to get the tokens -->
 45 |                 <send-request mode="new" response-variable-name="tokens" timeout="60" ignore-error="false">
 46 |                     <set-url>@((string)context.Variables["idpTokenEndpoint"])</set-url>
 47 |                     <set-method>POST</set-method>
 48 |                     <set-header name="Content-Type" exists-action="override">
 49 |                         <value>application/x-www-form-urlencoded</value>
 50 |                     </set-header>
 51 |                     <set-body>@((string)context.Variables["tokenData"])</set-body>
 52 |                 </send-request>
 53 |                 <choose>
 54 |                     <when condition="@(((IResponse)context.Variables["tokens"]).StatusCode != 200)">
 55 |                         <return-response>
 56 |                             <set-status code="401" reason="An error occurred" />
 57 |                             <set-header name="Set-Cookie" exists-action="override">
 58 |                                 <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
 59 |                             </set-header>
 60 |                         </return-response>
 61 |                     </when>
 62 |                 </choose>
 63 |                 <set-variable name="tokenResponse" value="@(((IResponse)context.Variables["tokens"]).Body.As<JObject>())" />
 64 |                 <!-- check the nonce matches the one in the cookie. Then we know this token is in response to the original request -->
 65 |                 <set-variable name="idToken" value="@((string)((JObject)context.Variables["tokenResponse"] )["id_token"])" />
 66 |                 <!-- Check the nonce. If it matches then we are good to issue the session cookie -->
 67 |                 <!-- build a session cookie. We can slide the expiration of this. Store the associated tokens in the cache. Set the expiration to be same as the refresh token -->
 68 |                 <set-variable name="idTokenNonce" value="@((((string)context.Variables["idToken"]).AsJwt()).Claims.GetValueOrDefault("nonce", "missing"))" />
 69 |                 <choose>
 70 |                     <!-- Check the nonce matches the one we stoerd in cache -->
 71 |                     <when condition="@((string)context.Variables["expected-nonce"] == (string)context.Variables["idTokenNonce"])">
 72 |                         <!-- Find when the tokens expire. We'll make the tokens in the cache drop out at this time -->
 73 |                         <set-variable name="refreshTime" value="@((int)((JObject)context.Variables["tokenResponse"])["expires_in"])" />
 74 |                         <set-variable name="accessToken" value="@( ((JObject)context.Variables["tokenResponse"])["access_token"].ToString())" />
 75 |                         <set-variable name="refreshToken" value="@( ((JObject)context.Variables["tokenResponse"])["refresh_token"].ToString())" />
 76 |                         <set-variable name="idtoken" value="@( ((JObject)context.Variables["tokenResponse"])["id_token"].ToString())" />
 77 | 
 78 |                         <!-- The plan -->
 79 |                         <!-- Encrypt all the tokens using the current TokenEncryptionKey value (as indicated by the named-value, TokenEncryptionKey). IV is a new Guid -->
 80 |                         <!-- Store all of these in the APIM cache suffixed with '.1' or '.2' to indicate which TokenEncryptionKey was used -->
 81 |                         <!-- The plain-text of the cookie is [cacheKey].[tokenIv].[cookieExpiry] -->
 82 |                         <!-- Encrypt the cookie using the Cookie Encryption key, and another new Guid as the IV-->
 83 |                         <!-- Return the cookie as [encrypted-plain-text].[cookieIv].[1|2] -->
 84 | 
 85 |                         <!-- The IV for the tokens is only stored inside the cookie meaning no-one can decrypt the tokens without the cookie -->
 86 |                         <!-- The tokens are not accessible to the client-apps meaning they cannot leak through a front channel -->
 87 |                         <!-- The tokens are stored with information about which of the 2 possible keys encrypted them, allowing key refresh -->
 88 |                         <!-- The cookie sent to the client also has information about which of the 2 possible keys encrypted it, allowing key refresh -->
 89 | 
 90 |                         <!-- create the IV used in encrypting the cookie. This is stored in our cache and looked up using the cache key -->
 91 |                         <set-variable name="ivCookie" value="@(Guid.NewGuid().ToString())" />
 92 |                         <!-- create the IV used in encrypting the tokens. We don't store this server side. It flows encrypted in cookies -->
 93 |                         <set-variable name="ivTokens" value="@(Guid.NewGuid().ToString())" />
 94 |                         <!-- A new GUID used to lookup the IV in the cache. Keeping it different to the other cache key -->
 95 |                         <set-variable name="ivCookieCacheKey" value="@(Guid.NewGuid().ToString())" />
 96 |                         <!-- Encrypt the tokenResponse variable, and store that in cache. We'll handle the refresh token separately as it lasts longer -->
 97 |                         <set-variable name="encryptedAccessToken" value="@{
 98 |                             var token = Encoding.UTF8.GetBytes((string)context.Variables["accessToken"]);
 99 |                             var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
100 |                             var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
101 |                             var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
102 |                             var key = {{TokenEncryptionKey}};
103 |                             var encryptionKey = key == 1 ? key1 : key2;
104 |                             var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
105 |                             return $"{Convert.ToBase64String(encryptedToken)}.{key}";
106 |                         }" />
107 |                         <set-variable name="encryptedIdToken" value="@{
108 |                             var token = Encoding.UTF8.GetBytes((string)context.Variables["idtoken"]);
109 |                             var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
110 |                             var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
111 |                             var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
112 |                             var key = {{TokenEncryptionKey}};
113 |                             var encryptionKey = key == 1 ? key1 : key2;
114 |                             var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
115 |                             return $"{Convert.ToBase64String(encryptedToken)}.{key}";
116 |                         }" />
117 |                         <set-variable name="encryptedRefreshToken" value="@{
118 |                             var token = Encoding.UTF8.GetBytes((string)context.Variables["refreshToken"]);
119 |                             var iv = Guid.Parse((string)context.Variables["ivTokens"]).ToByteArray();
120 |                             var key1 = Convert.FromBase64String("{{TokenEncryptionKey1}}");
121 |                             var key2 = Convert.FromBase64String("{{TokenEncryptionKey2}}");
122 |                             var key = {{TokenEncryptionKey}};
123 |                             var encryptionKey = key == 1 ? key1 : key2;
124 |                             var encryptedToken = token.Encrypt("Aes", encryptionKey, iv);
125 |                             return $"{Convert.ToBase64String(encryptedToken)}.{key}";
126 |                         }" />
127 |                         <!-- Store the encrypted token in the cache. -->
128 |                         <cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-accessToken")" value="@((string)context.Variables["encryptedAccessToken"])" duration="@((int)context.Variables["refreshTime"])" />
129 |                         <!-- Store the encrypted token in the cache. -->
130 |                         <cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-idToken")" value="@((string)context.Variables["encryptedIdToken"])" duration="@((int)context.Variables["refreshTime"])" />
131 |                         <!-- Store another refresh time... We'll refresh the tokens half way to their expiry date. Try to avoid last minute timing errors -->
132 |                         <cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshAt")" value="@(DateTimeOffset.UtcNow.AddSeconds((int)context.Variables["refreshTime"] / 2).ToUnixTimeSeconds())" duration="@((int)context.Variables["refreshTime"])" />
133 |                         <!-- Store the refresh token separately. We probably want to cache it for longer than the token (avg user session length is a good idea) -->
134 |                         <cache-store-value key="@($"tokens-{context.Variables["cacheKey"]}-refreshToken")" value="@((string)context.Variables["encryptedRefreshToken"])" duration="{{RefreshTokenExpirationInSeconds}}" />
135 |                         <!-- Get the cookie details -->
136 |                         <set-variable name="cookie-expiry" value="@(DateTimeOffset.UtcNow.AddSeconds({{SessionCookieExpirationInSeconds}}).ToUnixTimeMilliseconds())" />
137 |                         <set-variable name="cookie-prefix" value="@($"{(string)context.Variables["cacheKey"]}.{(string)context.Variables["ivTokens"]}.{(long)context.Variables["cookie-expiry"]}")" />
138 |                         <!-- encrypt this using the cookie-iv-->
139 |                         <set-variable name="encryptedCookie" value="@{
140 |                             var cookie = Encoding.UTF8.GetBytes((string)context.Variables["cookie-prefix"]);
141 |                             var ivString = (string)context.Variables["ivCookie"];
142 |                             var iv = Guid.Parse(ivString).ToByteArray();
143 |                             var key1 = Convert.FromBase64String("{{CookieEncryptionKey1}}");
144 |                             var key2 = Convert.FromBase64String("{{CookieEncryptionKey2}}");
145 |                             var key = {{CookieEncryptionKey}};
146 |                             var encryptionKey = key == 1 ? key1 : key2;
147 |                             var encryptedCookie = cookie.Encrypt("Aes", encryptionKey, iv);
148 |                             return $"{Convert.ToBase64String(encryptedCookie)}.{ivString}.{key}";
149 |                         }" />
150 |                         <return-response>
151 |                             <set-status code="302" reason="Found" />
152 |                             <set-header name="Set-Cookie" exists-action="override">
153 |                                 <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
154 |                             </set-header>
155 |                             <set-header name="Set-Cookie" exists-action="append">
156 |                                 <value>@($"{{CookiePrefix}}={(string)context.Variables["encryptedCookie"]}; SameSite=Lax; secure; path=/; expires={DateTimeOffset.FromUnixTimeMilliseconds((long)context.Variables["cookie-expiry"]).ToString("R")}; Secure; HttpOnly")</value>
157 |                             </set-header>
158 |                             <set-header name="Location" exists-action="override">
159 |                                 <value>@((string)context.Variables["expected-state"])</value>
160 |                             </set-header>
161 |                         </return-response>
162 |                     </when>
163 |                     <otherwise>
164 |                         <!-- handle the case where the nonces don't match. Could be a hijack attempt to get our cookie using a different unfinished front-channel flow -->
165 |                         <return-response>
166 |                             <set-status code="401" reason="Unexpected nonce" />
167 |                             <set-header name="Set-Cookie" exists-action="override">
168 |                                 <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
169 |                             </set-header>
170 |                             <!-- <set-body>@($"{(string)context.Variables["expected-nonce"]} != {(string)context.Variables["idTokenNonce"]}")</set-body> -->
171 |                         </return-response>
172 |                     </otherwise>
173 |                 </choose>
174 |             </when>
175 |             <otherwise>
176 |                 <!-- We didn't have a cache entry for this state. It's either made-up, or this is an attempt to reuse it. Either way, it's a 401 -->
177 |                 <return-response>
178 |                     <set-status code="401" reason="Unexpected state" />
179 |                     <set-header name="Set-Cookie" exists-action="override">
180 |                         <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
181 |                     </set-header>
182 |                     <!-- <set-body>@($"{(string)context.Variables["state"]} != {(string)context.Variables["expected-state"]}")</set-body> -->
183 |                 </return-response>
184 |             </otherwise>
185 |         </choose>
186 |         <base />
187 |     </inbound>
188 |     <backend>
189 |         <base />
190 |     </backend>
191 |     <outbound>
192 |         <base />
193 |     </outbound>
194 |     <on-error>
195 |         <base />
196 |         <!-- Any errors lets clean-up the cookies we were using to track the 3 legged flow so they don't stack up -->
197 |         <set-header name="Set-Cookie" exists-action="override">
198 |             <value>@($"{{CookiePrefix}}-{(string)context.Variables["state"]}=; path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT")</value>
199 |         </set-header>
200 |         <!-- removing cache values will error if they are not there. Let's check - the error might've occurred after already removing these -->
201 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-state")" default-value="_" variable-name="check-state" />
202 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-nonce")" default-value="_" variable-name="check-nonce" />
203 |         <cache-lookup-value key="@($"signin-{context.Variables["cacheKey"]}-code-challenge")" default-value="_" variable-name="check-code-challenge" />
204 |         <choose>
205 |             <when condition="@((string)context.Variables["check-state"] != "_")">
206 |                 <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-state")" />
207 |             </when>
208 |         </choose>
209 |         <choose>
210 |             <when condition="@((string)context.Variables["check-nonce"] != "_")">
211 |                 <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-nonce")" />
212 |             </when>
213 |         </choose>
214 |         <choose>
215 |             <when condition="@((string)context.Variables["check-code-challenge"] != "_")">
216 |                 <cache-remove-value key="@($"signin-{context.Variables["cacheKey"]}-code-challenge")" />
217 |             </when>
218 |         </choose>
219 |     </on-error>
220 | </policies>


--------------------------------------------------------------------------------