Azure APIM Policy to perform OAuth2 Authentication from IFS Cloud With Cache
<!-- The policy defined in this file provides an example of using OAuth2 for authorization between the gateway and a backend -->
<!-- It shows how to obtain an access token from IFS IAM, cache it for a configurable amount of time and forward it to the IFS backend. -->
<!-- The sample is based on the Azure github repo api-management-policy-snippets/examples/Backend OAuth2 Authentication With Cache.policy.xml -->
<!-- Send request to IFS IAM to obtain a bearer token -->
<!-- Parameters: authorizationServer - Token endpoint URL with format {{ifs_url}}/auth/realms/{{ifs_namespace}}/protocol/openid-connect/token -->
<!-- Parameters: scope - a URI encoded scope value -->
<!-- Parameters: clientId - IFS IAM client ID -->
<!-- Parameters: clientSecret - Client secret. Store it as a secret (ideally Key Vault-backed) named value so it is never visible in the policy text, its revisions or the APIM trace. -->
<!-- Copy the <inbound> and <outbound> parts of the following snippet into the corresponding sections of your policy. -->
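<policies>
    <inbound>
        <base />
        <!-- Look up a previously acquired IFS token. The key is namespaced by the IAM client id rather than a bare
             "bearerToken": the APIM internal cache is shared by the APIs hosted on a gateway, so a fixed key used by
             several copies of this snippet could hand one backend's token to another. -->
        <cache-lookup-value key="ifs-bearer-token-{{clientId}}" variable-name="bearerToken" />
        <choose>
            <when condition="@(!context.Variables.ContainsKey("bearerToken"))">
                <!-- client_credentials grant against the IFS IAM token endpoint. -->
                <send-request ignore-error="true" timeout="20" response-variable-name="accessTokenResult" mode="new">
                    <set-url>{{authorizationServer}}</set-url>
                    <set-method>POST</set-method>
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/x-www-form-urlencoded</value>
                    </set-header>
                    <!-- client_id and client_secret are form-encoded so a secret containing '&amp;', '+' or '%' cannot
                         corrupt (or truncate) the request. {{scope}} is documented as already URI encoded and is passed
                         as-is. The &amp;amp; entities are XML escaping only; the compiled expression sees a plain '&amp;'. -->
                    <set-body>@{
                        return "grant_type=client_credentials"
                            + "&amp;client_id=" + System.Net.WebUtility.UrlEncode("{{clientId}}")
                            + "&amp;client_secret=" + System.Net.WebUtility.UrlEncode("{{clientSecret}}")
                            + "&amp;scope={{scope}}";
                    }</set-body>
                </send-request>
                <!-- Fail closed. With ignore-error="true" a transport failure leaves the response variable null and an
                     IAM rejection yields a non-200 body without access_token; in both cases stop here instead of
                     forwarding "Bearer " plus an empty token to the backend. The IAM body is deliberately not echoed to
                     the caller so error details never leave the gateway. -->
                <choose>
                    <when condition="@(context.Variables.GetValueOrDefault<IResponse>("accessTokenResult") == null || context.Variables.GetValueOrDefault<IResponse>("accessTokenResult").StatusCode != 200)">
                        <return-response>
                            <set-status code="502" reason="Bad Gateway" />
                            <set-header name="Content-Type" exists-action="override">
                                <value>text/plain</value>
                            </set-header>
                            <set-body>Unable to obtain an access token for the backend.</set-body>
                        </return-response>
                    </when>
                </choose>
                <set-variable name="accessToken" value="@(((IResponse)context.Variables["accessTokenResult"]).Body.As<JObject>())" />
                <set-variable name="bearerToken" value="@((string)((JObject)context.Variables["accessToken"])["access_token"])" />
                <!-- A 200 without an access_token claim is still a failure; never cache or forward an empty token. -->
                <choose>
                    <when condition="@(string.IsNullOrEmpty(context.Variables.GetValueOrDefault<string>("bearerToken")))">
                        <return-response>
                            <set-status code="502" reason="Bad Gateway" />
                            <set-header name="Content-Type" exists-action="override">
                                <value>text/plain</value>
                            </set-header>
                            <set-body>Unable to obtain an access token for the backend.</set-body>
                        </return-response>
                    </when>
                </choose>
                <!-- Cache for slightly less than expires_in. Caching for the full lifetime means the requests issued in
                     the last seconds before expiry (gateway clock skew plus backend latency) carry an already expired
                     token and fail with 401 before the outbound section evicts it. A missing expires_in is treated as 0,
                     so the token is cached for a single second only. -->
                <set-variable name="tokenDurationSeconds" value="@{
                    var expiresIn = (int?)((JObject)context.Variables["accessToken"])["expires_in"] ?? 0;
                    const int expirySkewSeconds = 60;
                    return Math.Max(expiresIn - expirySkewSeconds, 1);
                }" />
                <cache-store-value key="ifs-bearer-token-{{clientId}}" value="@((string)context.Variables["bearerToken"])" duration="@((int)context.Variables["tokenDurationSeconds"])" />
            </when>
        </choose>
        <!-- Replace whatever Authorization header the caller sent; only the gateway-acquired token reaches IFS. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + (string)context.Variables["bearerToken"])</value>
        </set-header>
        <!-- Don't expose APIM subscription key to the backend. -->
        <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <!-- Evict the cached token when the backend rejects it so the next call acquires a fresh one.
             NOTE(review): evicting on 403 as well means a caller who repeatedly hits a resource it is not permitted
             to access forces a new token request per call; if IFS only signals token problems with 401, consider
             dropping the 403 case to limit load on IAM. -->
        <choose>
            <when condition="@(context.Response.StatusCode == 401 || context.Response.StatusCode == 403)">
                <cache-remove-value key="ifs-bearer-token-{{clientId}}" />
            </when>
        </choose>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>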