Merge pull request #96 from MartinPankraz/power-query-policy-add

adrianhall · web-flow · commit 8fb8d2aabf9c · 2022-09-01T09:20:16.000-07:00
power query access policy added
diff --git a/examples/Handle Power Query access request to custom API.policy.xml b/examples/Handle Power Query access request to custom API.policy.xml
@@ -0,0 +1,62 @@
+<!--
+    This policy sample demonstrates how to respond to Power Query request to support the "Organizational Account" login flow for a downstream API.
+
+    References:
+        Expected response from Power Query docuementation:
+            https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow
+        
+        How to map jwt token from AAD obtained via Power Query for SAP OData request and SAP OAuth Server
+            https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Request%20OAuth2%20access%20token%20from%20SAP%20using%20AAD%20JWT%20token.xml
+
+    IMPORTANT:
+        - Power Query requires a verifiable resource for the login process. Hence a custom domain for APIM needs to be configured.
+        - {{AADTenantID}} needs to be maintained via an APIM Named Value configuration.
+        - a672d62c-fc7b-4e81-a576-e60dc46e951d is the default client id for Power Query. It should be verified from the documentation: https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow
+-->
+<policies>
+    <inbound>
+        <base />
+        <choose>
+            <!-- if empty Bearer assume Power Query signin request as described here: https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow -->
+            <when condition="@(context.Request.Headers.GetValueOrDefault("Authorization","").Trim().Equals("Bearer"))">
+                <return-response>
+                    <set-status code="401" reason="Unauthorized" />
+                    <set-header name="WWW-Authenticate" exists-action="override">
+                        <value>Bearer authorization_uri=https://login.microsoftonline.com/{{AADTenantId}}/oauth2/authorize?response_type=code%26client_id=a672d62c-fc7b-4e81-a576-e60dc46e951d</value>
+                    </set-header>
+                </return-response>
+            </when>
+            <otherwise>
+                <validate-jwt header-name="Authorization" failed-validation-httpcode="401" require-scheme="Bearer">
+                    <openid-config url="https://login.microsoftonline.com/{{AADTenantId}}/.well-known/openid-configuration" />
+                    <audiences>
+                        <audience>https://your-custom-apim-domain</audience>
+                    </audiences>
+                    <issuers>
+                        <issuer>https://sts.windows.net/{{AADTenantId}}/</issuer>
+                    </issuers>
+                    <required-claims>
+                        <claim name="scp" match="all" separator=" ">
+                            <value>user_impersonation</value>
+                        </claim>
+                    </required-claims>
+                </validate-jwt>
+            </otherwise>
+        </choose>
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+        <choose>
+            <!-- URL rewrite in body only required for GET -->
+            <when condition="@(context.Request.Method == "GET")">
+                <!-- ensure downstream api metadata matches apim caller domain in Power Query -->
+                <find-and-replace from="@(context.Api.ServiceUrl.Host +":"+ context.Api.ServiceUrl.Port + context.Api.ServiceUrl.Path)" to="@(context.Request.OriginalUrl.Host + ":" + context.Request.OriginalUrl.Port + context.Api.Path)" />
+            </when>
+        </choose>
+    </outbound>
+    <on-error>
+    </on-error>
+</policies>
diff --git a/examples/README.md b/examples/README.md
@@ -24,6 +24,7 @@ Overview
 | <a href="Get OAuth2 access token from AAD and forward it to the backend.policy.xml">Get OAuth2 access token from AAD and forward it to the backend</a>                             | OAuth2 for authorization between the gateway and a backend                                                                                                                                                                            |
 | <a href="Get OAuth2 access token from AAD using client id and certificate using key vault manage identity.xml">Get OAuth2 token using Certificate</a>                              | Get Certificat from KeyVault using managed identity to generate OAuth 2 token using certificate                                                                                                                                       |
 | <a href="Get X-CSRF token from SAP gateway using send request.policy.xml">Get X-CSRF token from SAP gateway using send request</a>                                                 | X-CSRF token handling impemented in [SAP Principal Propagation policy](Request%20OAuth2%20access%20token%20from%20SAP%20using%20AAD%20JWT%20token.xml).                                                                                                    |
+| <a href="Handle Power Query access request to custom API.policy.xml">Handle Power Query access request to custom API.policy</a>                                                 | Enable [Organizational Account login flow for Power Query](https://docs.microsoft.com/power-query/connectorauthentication#supported-workflow) for downstream APIs like SAP OData.                                                                                                    |
 | <a href="List all inbound headers.policy.xml">List all inbound headers</a>                                                                                                         | Lists all inbound headers and their values.                                                                                                                                                                                           |
 | <a href="Log errors to Stackify.policy.xml">Log errors to Stackify</a>                                                                                                             | Error logging policy to send errors to Stackify                                                                                                                                                                                       |
 | <a href="Look up Key Vault certificate using Managed Service Identity and call backend.policy.xml">Look up Key Vault certificate using Managed Service Identity</a>                | Look up and use a Key Vault certificate using Managed Service Identity and call the backend using it as a client certificate                                                                                                          |
