
I have a problem reusing APIM expression.

Specifically, a named value below is created like above,

name: JWTValidator

@(
@"<validate-jwt header-name='Authorization' failed-validation-httpcode='401' failed-validation-error-message='Error: expired token or invalid token' require-expiration-time='true' require-scheme='Bearer' require-signed-tokens='true'>
    <openid-config url='xxx' />
    <audiences>
        <audience>xxx</audience>
    </audiences>
    <issuers>
        <issuer>https://xxx</issuer>
    </issuers>
</validate-jwt>"
)

and the policy below:

<policies>
    <inbound>
        <base />
        {{JWTValidator}}
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

However, the policy element is removed and not inserted.

Any idea?

Is there a better way to reuse policy?

Update

I want to define JWTValidator as Named value, and use it on Product level if possible, otherwise, API level.

Update 2

I have changed to below, however, {{JWTValidator}} is auto-removed when it is saved.

Please note that the value of JWTValidator is saved successfully, which might mean the syntax is correct.

<policies>
    <inbound>
        {{JWTValidator}}
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

https://learn.microsoft.com/en-us/azure/api-management/api-management-howto-properties

https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions

Reusing APIM policy expressions

https://feedback.azure.com/forums/248703-api-management/suggestions/16951852-code-re-use-in-api-policies-using-of-custom-functi

Pingpong

1 Answer


This is actually UI issue. You should be able to see in browser dev tools that PUT request to save policy succeeds and returns proper saved content. It is UI merely removing property reference before presenting policy. Will be fixed soon.

Property may be used to fill in value of XML attribute or XML element in full. In your case you're trying to set value of in part with static element and in another part with property value. That is not supported, unfortunately. In other words, this is supported:

<inbound>
    {{JWTValidator}}
</inbound>

and this is not:

<inbound>
    <base />
    {{JWTValidator}}
</inbound>

Property can only replace element value as a whole, and it cannot be used side by side with another element, like in your example, next to <base/>.

In your case I feel that it would be best to place this policy at outer scope: at API level if you need it applied to many operations, at Product/Global level if it's for multiple APIs. And have policy to apply it conditionally based on context.Operation.Id/context.Api.Id.

Vitaliy Kurokhtin
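
The outer-scope approach described in the answer, as an added example that is not part of the original question or answer: a product-level policy that keeps `validate-jwt` as a static element and uses named values only as whole attribute or element values. The named values `JwtOpenIdConfigUrl`, `JwtAudience` and `JwtIssuer` and the API id `public-status` are hypothetical. The condition exempts one named API instead of listing the protected ones, so an API added to the product later is validated by default.

```xml
<!-- Product-scope policy (added example; names below are hypothetical) -->
<policies>
    <inbound>
        <base />
        <choose>
            <!-- Validate on every API in the product except an explicit exemption.
                 "public-status" is a hypothetical API id. -->
            <when condition="@(context.Api.Id != "public-status")">
                <validate-jwt header-name="Authorization"
                              failed-validation-httpcode="401"
                              failed-validation-error-message="Error: expired token or invalid token"
                              require-expiration-time="true"
                              require-scheme="Bearer"
                              require-signed-tokens="true">
                    <!-- Named value fills an attribute value in full -->
                    <openid-config url="{{JwtOpenIdConfigUrl}}" />
                    <audiences>
                        <!-- Named value fills an element value in full -->
                        <audience>{{JwtAudience}}</audience>
                    </audiences>
                    <issuers>
                        <issuer>{{JwtIssuer}}</issuer>
                    </issuers>
                </validate-jwt>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

API and operation policies under this product pick the check up through their own `<base />` in `<inbound>`; removing that `<base />` at an inner scope skips the validation for that scope.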