APIM Policy & CORS

juni dev 336 Reputation points
2023-03-27T16:55:04.8666667+00:00

Hi,
I have CORS defined in my APIM "All operations" like this:

<cors allow-credentials="true">
    <allowed-origins>
        <origin>http://localhost:6432/</origin>
        <origin>https://xyz1.net</origin>
        <origin>https://xyz2.net</origin>
        <origin>https://xyz3.net</origin>
    </allowed-origins>
</cors>

I need to configure the allowed-origins with APIM named values,
but each environment may have a different number of allowed origins. How can I set allowed origins using APIM named values with this non-uniform number of origins per environment?
Or is there another, better approach, like the Azure Configuration service?

Thanks,
JD


4 answers

  1. Arun Siripuram 881 Reputation points
    2023-03-27T17:59:39.55+00:00

    Thank you for reaching out to Microsoft Q&A.

    You can use APIM named values to set the allowed origins in your CORS policy. This will allow you to have different values for each environment, and you can update the named values independently of the policy.

    To achieve this, you can modify the CORS policy to use the named values by using the following syntax:

    <cors allow-credentials="true">
        <allowed-origins>
            <origin>@(context.Variables["AllowedOrigins"])</origin>
        </allowed-origins>
    </cors>

    context.Variables["AllowedOrigins"] above references the named value that contains the list of allowed origins. You can set this named value in each environment with a comma-separated list of allowed origins.

    For example, you can set the named value to http://localhost:6432/ in the development environment, and to https://xyz1.net,https://xyz2.net,https://xyz3.net in the production environment.


  2. MuthuKumaranMurugaachari-MSFT 22,316 Reputation points
    2023-03-31T15:30:22.87+00:00

    juni dev Thanks for posting your question in Microsoft Q&A. Currently, allowed-origins accepts either * or a single origin at a time (reference: https://learn.microsoft.com/en-us/azure/api-management/cors-policy#allowed-origins-elements). You can use Policy Fragments to define the cors policy for different environments, but it has to be the entire cors policy (not just allowed-origins). This may include policy expressions as well as named values, like the example below:

    Policy Fragment:

    <fragment>
        <cors allow-credentials="true">
            <allowed-origins>
                <origin>{{nv-localhost}}</origin>
                <origin>https://xyz1.net</origin>
                <origin>https://xyz2.net</origin>
                <origin>https://xyz3.net</origin>
            </allowed-origins>
        </cors>
    </fragment>
    

    Policy definition:

    <inbound>
        <base />
        <include-fragment fragment-id="testcorsvalue" />
    </inbound>


    I hope this helps with your question; let me know if you have any questions or face issues. Feel free to submit your feedback or idea directly to our product team via https://aka.ms/apimwish.


    If you found the answer to your question helpful, please take a moment to mark it as "Yes" for others to benefit from your experience. Or simply add a comment tagging me and I would be happy to answer your questions.


  3. Ying Y Jiang 0 Reputation points
    2023-08-21T07:09:33.7066667+00:00

    You can try this:

    1. Add named values in the Azure Portal under API Management.

    2. Use them in your policy configuration.

    I've tried this in my project, and it works.


  4. Jaliya Udagedara 2,821 Reputation points MVP
    2024-08-13T05:40:57.97+00:00

    You can create a named value as follows:

    code: web-allowed-origins
    type: Plain
    # value will be different based on environment
    value: http://localhost:6432, https://xyz1.net, https://xyz2.net, https://xyz3.net
    

    And then modify the CORS policy as follows:

    <cors allow-credentials="true">
      <allowed-origins>
        <origin>@{
          string[] allowedOrigins = "{{web-allowed-origins}}"
            .Replace(" ", string.Empty)
            .Split(',');
          string requestOrigin = context.Request.Headers.GetValueOrDefault("Origin", "");
          bool isAllowed = Array.Exists(allowedOrigins, origin => origin == requestOrigin);
          return isAllowed ? requestOrigin : string.Empty;
        }</origin>
      </allowed-origins>
      <allowed-methods>
        <method>*</method>
      </allowed-methods>
      <allowed-headers>
        <header>*</header>
      </allowed-headers>
      <expose-headers>
        <header>*</header>
      </expose-headers>
    </cors>
    

    That should do.

