We have been using Azure API Management's Rate Limiting by JWT following these instructions:
But now we are moving the JWT from the "Authorization" header to a Cookie, for a few business reasons.
Is there a way to read Cookies from the Request and then read a particular property from the cookie (the jwt), so we can continue doing the same?
I am able to read the whole Cookie using this code within the APIM policy:
var cookie = context.Request.Headers.GetValueOrDefault("Cookie","");
But this reads the whole cookie string as shown below:
SSID=143443; Version=C5.4.0; Subject=Xyz; Token=<jwt>;
I need to be able to extract just the token part from this string within the APIM Policy.
You can extract the token and store it in a variable.
For extracting only the Token value, you can use a Regex: Token=([\\S]*);
Please find the complete inbound policy with reading and returning the Token value:
<inbound>
    <base />
    <set-variable name="jwt" value="@{
        var cookie = context.Request.Headers.GetValueOrDefault("Cookie","");
        var pattern = "Token=([\\S]*);";
        var regex = new Regex(pattern, RegexOptions.IgnoreCase);
        Match match = regex.Match(cookie);
        if(match.Success && match.Groups.Count == 2)
        {
            return match.Groups[1].Value;
        }
        return "";
    }" />
    <return-response>
        <set-status code="200" reason="OK" />
        <set-body>@(context.Variables.GetValueOrDefault<string>("jwt"))</set-body>
    </return-response>
</inbound>
Test in API Management:
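
Added example, not part of the original answer: an inbound policy that goes on from extraction to the rate limiting the question asks about. The regex above only matches when a `;` follows the token value, so this variant splits the header on `;` and compares the cookie name exactly, then verifies the token before using its subject as the rate-limit key. The OpenID configuration URL, the variable names `jwt` and `validatedJwt`, and the limit of 10 calls per 60 seconds are assumptions to replace with your own values.

```xml
<inbound>
    <base />
    <!-- Pull the "Token" cookie out of the Cookie header by exact name. -->
    <set-variable name="jwt" value="@{
        var header = context.Request.Headers.GetValueOrDefault("Cookie", "");
        foreach (var part in header.Split(';'))
        {
            var pair = part.Trim();
            var eq = pair.IndexOf('=');
            // Exact, case-sensitive name match: "XToken=..." is not picked up,
            // and a token that is the last cookie (no trailing ';') still matches.
            if (eq > 0 && pair.Substring(0, eq) == "Token")
            {
                return pair.Substring(eq + 1);
            }
        }
        return "";
    }" />
    <!-- Verify the token before trusting any claim in it; an empty or
         invalid value is rejected with 401. The URL is a placeholder. -->
    <validate-jwt token-value="@((string)context.Variables["jwt"])"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="validatedJwt">
        <openid-config url="https://login.example.com/.well-known/openid-configuration" />
    </validate-jwt>
    <!-- Key the counter on the subject of the verified token (sample limits). -->
    <rate-limit-by-key calls="10"
                       renewal-period="60"
                       counter-key="@(((Jwt)context.Variables["validatedJwt"]).Subject)" />
</inbound>
```

Keying the counter on the verified token rather than on a raw `AsJwt()` parse means a client cannot get a fresh quota by sending a token with a made-up subject.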
