Add option 5 for named value by API (#189)

simonkurtz-MSFT · web-flow · commit a70bda5d4c87 · 2026-04-09T16:21:21.000-04:00
diff --git a/.github/copilot-instructions.md b/.github/copilot-instructions.md
@@ -496,7 +496,7 @@ Samples that require administrative or operational endpoints (cache loading, con
 - **Production security**: Subscription keys are a baseline gate but are shared secrets, not identity-based auth. Production deployments should layer JWT validation (`validate-azure-ad-token` or `validate-jwt`) on top of subscription keys. See the `authX` and `authX-pro` samples for implementation patterns.
 - **Naming**: Use kebab-case operation paths that describe the action (e.g. `/load-cache`, `/clear-cache`, `/refresh-config`).
 - **Tags**: Include the sample's tags so the admin API is grouped with its sibling APIs in the APIM portal.
-- **Documentation**: The admin API's display name should start with the phase or sample context (e.g. `Phase 3 Admin`) so its purpose is clear in the APIM portal.
+- **Documentation**: The admin API's display name should start with the option or sample context (e.g. `Option 3 Admin`) so its purpose is clear in the APIM portal.
 
 ### API Management Policy XML Instructions
 
diff --git a/samples/dynamic-cors/README.md b/samples/dynamic-cors/README.md
diff --git a/samples/dynamic-cors/cors-api-policy-named-values.xml b/samples/dynamic-cors/cors-api-policy-named-values.xml
@@ -0,0 +1,30 @@
+<!--
+    API-level policy for Dynamic CORS with per-API Named Value.
+
+    Sets the 'allowedOriginsJson' context variable from a per-API Named Value,
+    then includes the specified CORS policy fragment. The outbound section includes
+    the DynamicCorsOutbound fragment to add the Access-Control-Allow-Origin header
+    to actual (non-preflight) responses. This pattern allows the same fragments to
+    serve every API and environment - only the Named Value content differs per
+    deployment.
+
+    Placeholders (replaced at deployment time):
+        {allowed_origins_nv} - The Named Value reference (e.g. {{CorsOrigins-my-api-id}})
+-->
+<policies>
+    <inbound>
+        <base />
+        <set-variable name="allowedOriginsJson" value="{allowed_origins_nv}" />
+        <include-fragment fragment-id="DynamicCorsNvPerApi" />
+    </inbound>
+    <backend>
+        <base />
+    </backend>
+    <outbound>
+        <base />
+        <include-fragment fragment-id="DynamicCorsOutbound" />
+    </outbound>
+    <on-error>
+        <base />
+    </on-error>
+</policies>
diff --git a/samples/dynamic-cors/cors-api-policy.xml b/samples/dynamic-cors/cors-api-policy.xml
@@ -6,10 +6,10 @@
     - For OPTIONS preflight requests, returns an immediate CORS response.
     - For all other methods, sets the 'corsOrigin' context variable.
 
-    The outbound section demonstrates how to add the Access-Control-Allow-Origin header
-    for APIs with real backends. In this sample, the mock APIs use return-response in the
-    operation policy (which bypasses outbound), so the CORS header is included directly
-    in the operation's return-response instead.
+    The outbound section includes the DynamicCorsOutbound fragment to add the
+    Access-Control-Allow-Origin header to actual (non-preflight) responses. For mock
+    APIs that use return-response in the operation policy, outbound is bypassed, so
+    the fragment has no effect.
 -->
 <policies>
     <inbound>
@@ -21,19 +21,7 @@
     </backend>
     <outbound>
         <base />
-        <!--
-            For APIs with real backends, uncomment the block below to add CORS headers to actual responses.
-            The 'corsOrigin' context variable is set by the included policy fragment.
-        -->
-        <!--
-        <choose>
-            <when condition="@(!string.IsNullOrEmpty(context.Variables.GetValueOrDefault<string>("corsOrigin", "")))">
-                <set-header name="Access-Control-Allow-Origin" exists-action="override">
-                    <value>@((string)context.Variables["corsOrigin"])</value>
-                </set-header>
-            </when>
-        </choose>
-        -->
+        <include-fragment fragment-id="DynamicCorsOutbound" />
     </outbound>
     <on-error>
         <base />
diff --git a/samples/dynamic-cors/cors-baseline-native.xml b/samples/dynamic-cors/cors-baseline-native.xml
@@ -6,7 +6,7 @@
     fails for Analytics (dashboard origin is missing) and Public Data (no wildcard support
     without adding '*' which would open all APIs).
 
-    This is the "before" state that motivates the dynamic CORS approach in Phases 1 and 2.
+    This is the "before" state that motivates the dynamic CORS approach in Options 1 and 2.
 -->
 <policies>
     <inbound>
diff --git a/samples/dynamic-cors/create.ipynb b/samples/dynamic-cors/create.ipynb
diff --git a/samples/dynamic-cors/pf-dynamic-cors-named-values-per-api.xml b/samples/dynamic-cors/pf-dynamic-cors-named-values-per-api.xml
@@ -0,0 +1,77 @@
+<!--
+    Policy fragment: Dynamic CORS (Named Value, per-API)
+
+    Evaluates the Origin header against a JSON array passed in via a context variable.
+    The calling API policy must set 'allowedOriginsJson' before including this fragment,
+    typically by referencing a per-API Named Value:
+
+        <set-variable name="allowedOriginsJson" value="{{CorsOrigins-my-api-id}}" />
+        <include-fragment fragment-id="DynamicCorsNvPerApi" />
+
+    Expected context variable format:
+        allowedOriginsJson = '["https://origin-a.com","https://origin-b.com"]'
+
+    This pattern makes the fragment completely environment-agnostic. The same fragment
+    works across all environments; only the Named Value content differs per deployment.
+    Each API controls its own origins independently, with no character-limit concerns
+    from a shared mapping object.
+
+    Context variables expected:
+        allowedOriginsJson - JSON array of allowed origins (set by the calling API policy).
+
+    Context variables set:
+        corsOrigin - The validated origin if allowed, or empty string if not.
+-->
+<fragment>
+    <!-- Evaluate the Origin header against the per-API origin array from the Named Value -->
+    <set-variable name="corsOrigin" value="@{
+        var origin = context.Request.Headers.GetValueOrDefault("Origin", "");
+        if (string.IsNullOrEmpty(origin)) { return ""; }
+
+        var allowedOriginsJson = context.Variables.GetValueOrDefault<string>("allowedOriginsJson", "[]");
+        var allowedOrigins = JArray.Parse(allowedOriginsJson);
+
+        if (allowedOrigins.Any(o => o.ToString() == "*")) { return origin; }
+        if (allowedOrigins.Any(o => o.ToString() == origin)) { return origin; }
+
+        return "";
+    }" />
+    <choose>
+        <when condition="@(context.Request.Method == "OPTIONS")">
+            <choose>
+                <when condition="@(!string.IsNullOrEmpty(context.Variables.GetValueOrDefault<string>("corsOrigin", "")))">
+                    <return-response>
+                        <set-status code="200" reason="OK" />
+                        <set-header name="Access-Control-Allow-Origin" exists-action="override">
+                            <value>@((string)context.Variables["corsOrigin"])</value>
+                        </set-header>
+                        <set-header name="Access-Control-Allow-Methods" exists-action="override">
+                            <value>GET, POST, OPTIONS</value>
+                        </set-header>
+                        <set-header name="Access-Control-Allow-Headers" exists-action="override">
+                            <value>Content-Type, Authorization, X-Requested-With</value>
+                        </set-header>
+                        <set-header name="Access-Control-Max-Age" exists-action="override">
+                            <value>86400</value>
+                        </set-header>
+                    </return-response>
+                </when>
+                <otherwise>
+                    <trace source="DynamicCorsNvPerApi" severity="information">
+                        <message>CORS origin rejected by per-API Named Value mapping.</message>
+                        <metadata name="apiId" value="@(context.Api.Id)" />
+                        <metadata name="operationId" value="@(context.Operation.Id)" />
+                        <metadata name="origin" value="@(context.Request.Headers.GetValueOrDefault("Origin", ""))" />
+                    </trace>
+                    <return-response>
+                        <set-status code="403" reason="CORS Origin Not Allowed" />
+                        <set-header name="Content-Type" exists-action="override">
+                            <value>application/json</value>
+                        </set-header>
+                        <set-body>{"error": "CORS origin not allowed for this API"}</set-body>
+                    </return-response>
+                </otherwise>
+            </choose>
+        </when>
+    </choose>
+</fragment>
diff --git a/samples/dynamic-cors/pf-dynamic-cors-outbound.xml b/samples/dynamic-cors/pf-dynamic-cors-outbound.xml
@@ -0,0 +1,22 @@
+<!--
+    Policy fragment: Dynamic CORS Outbound
+
+    Adds the Access-Control-Allow-Origin header to actual (non-preflight) responses
+    when 'corsOrigin' has been set by one of the inbound CORS fragments.
+
+    This fragment is intended for APIs with real backends. Mock APIs that use
+    return-response in the operation policy bypass the outbound section entirely,
+    so including this fragment is harmless but has no effect for mock responses.
+
+    Context variables expected:
+        corsOrigin - The validated origin (set by the inbound CORS fragment).
+-->
+<fragment>
+    <choose>
+        <when condition="@(!string.IsNullOrEmpty(context.Variables.GetValueOrDefault<string>("corsOrigin", "")))">
+            <set-header name="Access-Control-Allow-Origin" exists-action="override">
+                <value>@((string)context.Variables["corsOrigin"])</value>
+            </set-header>
+        </when>
+    </choose>
+</fragment>
