How to forward Cookies from a send-request policy's response to backend in Azure API management service?

Question

How to forward Cookies from a send-request policy's response to backend in Azure API management service?

Fawad Arshad 25

I have an operation in Azure API management platform, which calls a server for authentication, the server responds with cookies and I have to pass those cookies to the backend to be authorized.

The problem is that there is no policy or any piece of code in Microsoft Docs which allows me to do so.

Sample policy to understand the API operation more clearly:

<policies>
    <inbound>
        <base />
        <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
            <set-url>https://authserver.com</set-url>
            <set-method>POST</set-method>
        </send-request>
        <set-backend-service base-url="https://backend.com" />
        Now I want a policy or a piece of code which gets cookies from the above request's response and then forwards them to the backend
<value>@(((IResponse)context.Variables["response"]).Headers.GetValueOrDefault("Set-Cookie"))</value>
        </set-header>
        <choose>
            <when condition="@(((IResponse)context.Variables["response"]).StatusCode == 200)">
                <set-header name="CSRFTOKEN" exists-action="override">
                    <value>@(((IResponse)context.Variables["response"]).Headers.GetValueOrDefault("CSRFTOKEN"))</value>
                </set-header>
                <set-header name="Cookie" exists-action="override">
                    <value>@{
                    string rawcookie = ((IResponse)context.Variables["response"]).Headers.GetValueOrDefault("Set-Cookie");
                    string[] cookies = rawcookie.Split(';');
                    string cookie = cookies.FirstOrDefault( ss => ss.Contains("HASH_JSESSIONID"));                              
                    return cookie.Split(',')[1];}</value>
                </set-header>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-05-16T20:36:44.3666667+00:00

Fawad Arshad Thanks for posting your question in Microsoft Q&A. Based on your description, you are looking to get cookie from send-request policy's response and set it in the header before calling backend API.

Looking at the sample policy expression you shared, it appears to follow code snippet similar to Get X-CSRF token from SAP gateway using send request.policy.xml available in repo api-management-policy-snippets and I don't see any issues. Have you experienced any issues with that? If so, please share the details, full error message, sample request/response etc. to assist you further.

However, if this is feedback about MS docs, I would like to let you know that we generally provide policy reference with few examples of each policy and its usage, but scenarios/real examples are listed in api-management-policy-snippets. You are free to submit feedback via issue and submit PR in the repo. I will also pass on your feedback to our product team internally.

I hope this helps and let me know if you have any questions.

Fawad Arshad 25

The code that I edited seems to be not there, but what I want is to not set a header but send the cookie. Something like this:

I have to get cookie and forward that to backend.

<policies>
    <inbound>
        <base />
        <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
            <set-url>https://authserver.com</set-url>
            <set-method>POST</set-method>
        </send-request>
        <set-backend-service base-url="https://backend.com" />
        Now I want a policy or a piece of code which gets cookies from the above request's response and then forwards them to the backend
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-05-17T12:04:49.7733333+00:00

Fawad Arshad The backend URL is https, if you don't want to set it in the header, how would you like to send the cookie value? Via Query string or request body?
Fawad Arshad 25 Reputation points

2023-05-17T12:13:17.88+00:00
In python I can do this, with same https backend and intermediate request.

How can I do the same with API management. Note that I am not setting any header in python I am getting and sending cookies.

Also in postman, I can call the authserver and get cookies which are then sent with the request to the backend.

but in API management Its not that simple to just call the apis and get the cookies and attach them to backend request like how it is with postman and python.

login_response = requests.post("https://authserver.com") status_response = requests.get("https://backend.com",cookies=login_response.cookies)

Accepted answer

0 additional answers

Your answer

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-05-16T20:36:44.3666667+00:00

Fawad Arshad Thanks for posting your question in Microsoft Q&A. Based on your description, you are looking to get cookie from send-request policy's response and set it in the header before calling backend API.

Looking at the sample policy expression you shared, it appears to follow code snippet similar to Get X-CSRF token from SAP gateway using send request.policy.xml available in repo api-management-policy-snippets and I don't see any issues. Have you experienced any issues with that? If so, please share the details, full error message, sample request/response etc. to assist you further.

However, if this is feedback about MS docs, I would like to let you know that we generally provide policy reference with few examples of each policy and its usage, but scenarios/real examples are listed in api-management-policy-snippets. You are free to submit feedback via issue and submit PR in the repo. I will also pass on your feedback to our product team internally.

I hope this helps and let me know if you have any questions.
Fawad Arshad 25 Reputation points

2023-05-17T09:25:49.8333333+00:00

The code that I edited seems to be not there, but what I want is to not set a header but send the cookie. Something like this:

I have to get cookie and forward that to backend.

<policies> <inbound> <base /> <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false"> <set-url>https://authserver.com</set-url> <set-method>POST</set-method> </send-request> <set-backend-service base-url="https://backend.com" /> Now I want a policy or a piece of code which gets cookies from the above request's response and then forwards them to the backend </inbound> <backend> <base /> </backend> <outbound> <base /> </outbound> <on-error> <base /> </on-error> </policies>
MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-05-17T12:04:49.7733333+00:00

Fawad Arshad The backend URL is https, if you don't want to set it in the header, how would you like to send the cookie value? Via Query string or request body?
Fawad Arshad 25 Reputation points

2023-05-17T12:13:17.88+00:00

In python I can do this, with same https backend and intermediate request.

How can I do the same with API management. Note that I am not setting any header in python I am getting and sending cookies.

Also in postman, I can call the authserver and get cookies which are then sent with the request to the backend.

but in API management Its not that simple to just call the apis and get the cookies and attach them to backend request like how it is with postman and python.

login_response = requests.post("https://authserver.com") status_response = requests.get("https://backend.com",cookies=login_response.cookies)

Answer 1

MuthuKumaranMurugaachari-MSFT 22,441 Moderator

Fawad Arshad Thanks for sharing the additional details. Python code you shared uses requests library (https://pypi.org/project/requests/) and reading API docs of the library you can pass cookies as parameter as described here. Further reviewing the source code of the repository in this line, it basically set Cookie header in HTTP header when sending request. Refer Cookie and Set-Cookie doc for more info.

Unfortunately, there is not simple way other than passing the headers like above in APIM and code snippet you followed to set header Cookie is correct. Please let us know if you face any issues.

Fawad Arshad 25

Thank you, with your comment I was able to figure out that I have to somehow pass the header with all the cookies values.

So what I did was create a Header named Cookie with the following format:

"Cookie": "cookieName1=cookieValue1; cookieName2=cookieValue2; and so on"

this worked.

The policy is as below:

<policies>
    <inbound>
        <base />
        <send-request mode="new" response-variable-name="response" timeout="10" ignore-error="false">
            <set-url>authserver</set-url>
            <set-method>POST</set-method>
            <set-header name="Content-Type" exists-action="override">
                <value>application/json</value>
            </set-header>
        </send-request>
        <set-backend-service base-url=backend_server />
        <rewrite-uri template="/api" />
        <choose>
            <when condition="@(((IResponse)context.Variables["response"]).StatusCode == 200)">
                <set-header name="CSRFTOKEN" exists-action="override">
                    <value>@(((IResponse)context.Variables["response"]).Headers.GetValueOrDefault("CSRFTOKEN"))</value>
                </set-header>
                <set-header name="Cookie" exists-action="override">
                    <value>@{
                    string set_cookie = ((IResponse)context.Variables["response"]).Headers.GetValueOrDefault("Set-Cookie");
                    string[] cookies = set_cookie.Split(',');
                    List<string> final_cookie = new List<string>();
                    foreach (string cookie in cookies)
                    {
                        if (cookie.Split(';')[0].Contains("="))
                     	{
                     		final_cookie.Add(cookie.Split(';')[0]);
                     	}
                    }                     
                    return string.Join(";", final_cookie);}</value>
                </set-header>
            </when>
        </choose>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>

MuthuKumaranMurugaachari-MSFT 22,441 Reputation points Moderator

2023-05-19T13:38:54.05+00:00

Fawad Arshad Sure, you are welcome. Glad it solved your issue and appreciate that you shared with the community.

Share via

How to forward Cookies from a send-request policy's response to backend in Azure API management service?

0 additional answers

Your answer