We Keep Coding

Azure APIM How to assign Header response to a variable

I have the following policy fragment that connects to an API we are using for authorization.
<fragment>
<send-request mode="new" response-variable-name="bearerToken" timeout="20" ignore-error="true">
<set-url>{{url}}</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>#{ return "{{target-url}}"; }</set-body>
</send-request>
<set-header name="Authorization" exists-action="override">
<value>#("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"])</value>
</set-header>
</fragment>
This works fine with no issues, however, I would like to capture the information pushed to the Authorization Header and push it to a variable for later use in my APIs.
When I do something similar to the following or it's variants, I only receive errors and no information as to what has happened.
<set-variable name="BearerToken" value="#("Bearer " + (String)((IResponse)context.Variables["bearerToken"]).Body.As<JObject>()["access_token"]" />
I'm not sure if this is an order of execution or something else I might have missed?
Thank you - Greg.

Azure APIM calls function even though there was an error

I have an Azure APIM which checks the request bearer JWT token:
<inbound>
<base />
<set-variable name="TenantId" value="
#{
var tenantId = context.Request.Headers.GetValueOrDefault("TenantId","");
if (tenantId != null) {
return tenantId;
}
return null;
}" />
<limit-concurrency key="#((string)context.Variables["TenantId"])" max-count="1">
<set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
<set-header name="subscription-key" exists-action="delete" />
<set-variable name="JWTIssuer" value="
#{
var authStr = context.Request.Headers.GetValueOrDefault("Authorization","");
if (authStr.StartsWith("Bearer")) {
var jwt = authStr.Substring("Bearer ".Length).AsJwt();
if (jwt != null) {
return jwt.Issuer;
}
}
return null;
}" />
<choose>
<when condition="#(context.Variables.GetValueOrDefault("JWTIssuer", "") == "<URL of issuer>")">
<!-- Authorisation using HPCA token -->
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Unauthorized" require-expiration-time="true" require-scheme="Bearer" require-signed-tokens="true">
<openid-config url="<Open Id Url>" />
<required-claims>
<claim name="MyClaim" match="any" separator=",">
<value>X</value>
</claim>
</required-claims>
</validate-jwt>
</when>
<!-- HPCA Error handling -->
<otherwise>
<return-response>
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error "Invalid HPCA token"</value>
</set-header>
</return-response>
</otherwise>
</choose>
</limit-concurrency>
</inbound>
<on-error>
<base />
<return-response>
<set-status code="#(context.Response.StatusCode)" reason="#(context.Response.StatusReason)" />
</return-response>
</on-error>
This all works as expected: if either the issuer is incorrect or the JWT token is invalid, then the OnError handler is invoked and a 401 error status is returned to the caller. The problem is, if i add a call to a function after the Choose policy:
</otherwise>
</choose>
<send-request mode="copy" response-variable-name="Response" timeout="10" ignore-error="false">
<set-url>https://myfuncApp.azurewebsites.net/api/Function1</set-url>
<set-method>POST</set-method>
</send-request>
<return-response response-variable-name="Response">
<set-status code="#(context.Response.StatusCode)" reason="#(context.Response.StatusReason)" />
</return-response>
</limit-concurrency>
</inbound>
Then even with a invalid bearer token and the error handler being invoked, the APIM still proceeds to call the function: the return response within the error handler is seemingly ignored - why ? I can fudge it by wrapping the send-request within another conditional (i.e. check the context.Response.StatusCode isn't 401) but this doesn't seem right to me.

For your question, I think the result of your test is normal.
You added the <send-request> to request the function in <inbound> area. The <validate-jwt> can just determine if the APIM to continue request the backend url but can not determine if it continues to request function url in <inbound> area.

How Do I Throw An Error In Azure API Management Policy?

In my Azure API Management Policy I am checking for some headers and do certain actions depending on what is found.
How do I throw an error when none of the conditions are matched (i.e. in the otherwise block)
<policies>
<inbound>
<choose>
<when condition="">
</when>
<when condition="">
</when>
<otherwise>
</otherwise>
</choose>
<base/>
</inbound>
<backend>
<base/>
</backend>
<outbound>
<base/>
</outbound>
<on-error>
<base/>
</on-error>
</policies>
I probably want to return a 401 since I am checking groups in the headers.

You can use a <choose> policy to detect and report failure, return a 401 response.
<otherwise>
<return-response >
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</otherwise>
Here is also a similar SO thread you could refer to.

Mule JSON Payload null check in Choice Filter

Am I doing anything wrong here? Even the json payload is [], it's going to the default instead of Error log.
<choice doc:name="If Payload is Null">
<when expression="#[payload == empty]">
<mule-logger-module:logger-exception message="Null Payload" doc:name="Log Error"/>
</when>
<otherwise>
<mule-logger-module:log-default message="Payload Received" type="EXIT" doc:name="Log End"/>
</otherwise>
</choice>

Convert to a Array of Maps first, then use the MEL expressions to test empty:
<json:json-to-object-transformer
returnClass="java.util.HashMap[]" doc:name="JSON to Object" />
<choice doc:name="If Payload is Null">
<when expression="#[payload == empty]">
<mule-logger-module:logger-exception message="Null Payload" doc:name="Log Error"/>
</when>
<otherwise>
<mule-logger-module:log-default message="Payload Received" type="EXIT" doc:name="Log End"/>
</otherwise>

Work with URL template parameter values in policy templates

In API Management, how do you access URL template parameters through a policy?
In this instance, my operation is called test, the HTML verb is GET, and the URL template is as below -
/test/{variable_name1}/{variable_name2}
I was under the impression that accessing the value of a parameter was as simple as {variable_name1}. However, the example below does not set the variable "rowkey" as expected. Rather it has a value of {variable_name1}-{variable_name2}.
What am I doing wrong here?
<policies>
<inbound>
<set-variable name="rowkey" value="{variable_name1}-{variable_name2}" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<set-header name="Row-Key" exists-action="override">
<value>#((string)context.Variables["rowkey"])</value>
</set-header>
</outbound>
</policies>

You'd have to use expressions to achieve what you want, like:
<set-variable
name="rowkey"
value="#(context.Request.MatchedParameters["variable_name1"] + "-" + context.Request.MatchedParameters["variable_name2"])" />
or use string interpolation:
<set-variable
name="rowkey"
value="#($"{context.Request.MatchedParameters["variable_name1"]}-{context.Request.MatchedParameters["variable_name2"]}")" />