Azure API Management - returning 200 when underlying response is 302

Andrew Connell 41 Reputation points Microsoft MVP
2022-06-11T09:54:09.943+00:00

I've got an Azure Function that accepts an HTTP POST and returns a 302 to the caller for them to go through an interactive OAuth2 login. When I access the Azure Function directly, it works as expected... the form POST is received, processed, and the user is redirected via a 302.

However, when I try to use my APIM resource, it isn't working... APIM is always returning a 200 (looking at the browser's NETWORK tab).

The policy is very basic... nothing special... here's the effective policy:

   <policies>  
   	<inbound>  
   		<!--base: Begin Api scope-->  
   		<cors allow-credentials="true">  
   			<allowed-origins>  
   				<origin>https://www.contoso.io</origin>  
   			</allowed-origins>  
   			<allowed-methods>  
   				<method>POST</method>  
   			</allowed-methods>  
   			<allowed-headers>  
   				<header>*</header>  
   			</allowed-headers>  
   			<expose-headers>  
   				<header>*</header>  
   			</expose-headers>  
   		</cors>  
   		<!--base: End Api scope-->  
   		<set-backend-service id="apim-generated-policy" backend-id="apicontosoio-anonymous" />  
   	</inbound>  
   	<backend>  
   		<!--base: Begin Global scope-->  
   		<forward-request />  
   		<!--base: End Global scope-->  
   	</backend>  
   	<outbound />  
   	<on-error />  
   </policies>  

As you can see, the base policy is very basic, and all I do is set the backend service. This same endpoint accepts both POST & GET requests. The GET returns a 302 as well... exactly as I'd expect. But the POST isn't working.

Ideas?

Azure API Management
Azure API Management
An Azure service that provides a hybrid, multi-cloud management platform for APIs.
1,083 questions
{count} votes

1 answer

Sort by: Most helpful
  1. Andrew Connell 41 Reputation points Microsoft MVP
    2022-10-03T09:38:27.763+00:00

    Yes... ended up MS created a support case to investigate this. Apparently even though it's server side, API management needed to have CORS configured. This is what we set my endpoint's policies to (I had two origins listed for my company domain names):

    <policies>  
        <inbound>  
            <base />  
            <cors allow-credentials="true">  
                <allowed-origins>  
                    <origin>https://www.contoso.com</origin>  
                </allowed-origins>  
                <allowed-methods>  
                    <method>POST</method>  
                </allowed-methods>  
                <allowed-headers>  
                    <header>*</header>  
                </allowed-headers>  
                <expose-headers>  
                    <header>*</header>  
                </expose-headers>  
            </cors>  
        </inbound>  
        <backend>  
            <base />  
        </backend>  
        <outbound>  
            <base />  
        </outbound>  
        <on-error>  
            <base />  
        </on-error>  
    </policies>