
Latest commit

* Policies and readme for a full front-channel OIDC flow similar to App Service Authentication

* Replaced apim with Azure API Management

* Fixed some hardcoded hosts and replaced with the correct context OriginalUrl host

* Added to main readme

* Added PKCE flow

* Removed aad error from callback

* Added token encryption (using a combo of a named-value, and the unique session key) to the tokens at rest in Redis

* Doco

* Broken out access tokens and cached individually. Added a user-defined expiry on the refresh tokens

* Looks good

* Renames and doco

* Better doco

* Update

* Update

* Update

* Added 2 additional headers for name and preferred user-name

* Documented claims

* Fixed a bug which arose with multiple cookies (I didn't handle them correctly). Also ensured the cookies all have timeout / marked as secure / and have explicit samesite policy

* Made the IV a separate secret which is not stored on server-side. Means that admins with access to Redis cannot decrypt the tokens

* Updated doco to reflect new IV

* Moved to encrypting the cookie now, passing an IV along with it

* Removed optional scope property which was not set correctly

* Wrapped preferred_username in a choose block as it wasn't in an Auth0 token

* Added 2 keys for each encryption key... supports a slicker ops process of rotating keys

* Couple of small bug fixes

* More defensive when removing cache keys in callback. I had an error when trying to remove a non-existent key

* Fixed a bug on an assumption how the Headers dictionary worked

* Allow custom cookie prefix. Also standardising fragment names, and sorting out doco

* Improving documentation

* Better doco

* Better doco

* More doco work

* Removed debug info

* Made cookies secure and httponly

* Add support for x-forwarded-host headers

* More doco

* Added correct redirect into code exchange

* Fixed a bug where sliding the session cookie blatted any cookies coming back from downstream

* Fixed to look for set-cookies, not cookie

* Update oauth-proxy-slide-session-fragment.xml

* Fix fragment name in doco

* Some fixes around the sliding session cookie to stop it overwriting your own cookies

* Check for invalid cookie

* Better error handling if a dodgy cookie is sent in


Azure API Management Policy Snippets


The examples/ folder contains policy examples contributed by the product team and the user community. The samples are meant to be re-used verbatim, to provide inspiration, or to serve as learning aids. Some of them are parameterized using Named Values (formerly known as Properties), which look like this: {{some-value}}. When using parameterized samples, you will have to either define the relevant Named Values in your API Management instance or replace the placeholders with literal values in place.

Policy expressions cheat-sheet

The policy-expressions folder contains a cheat-sheet with common policy expressions that are often used when authoring Azure API Management policies.

Visual Studio Code snippets

The vscode-snippets/ folder contains user snippets for Visual Studio Code. User snippets are helpful for streamlining workflow and simplifying document editing with autocomplete and easy navigation. Please refer to the Visual Studio Code documentation on how to use them.

[Screenshots: Azure API Management VS Code user snippets 1, 2 and 3]

Helpful Links

To learn about Azure API Management, go here.


This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact with any additional questions or comments.


Re-usable examples of Azure API Management policies
