From 65d77ed4bb13ef94f09fe1a0f638d1a4da25fb5d Mon Sep 17 00:00:00 2001
From: Gregor Wolf <gregor.wolf@gmail.com>
Date: Sat, 16 Mar 2024 22:10:30 +0100
Subject: [PATCH] Azure API Management Policies

---
 .../oauth-client-credentials-policy.xml       |  61 ++++
 .../oauth-saml-bearer-assertion-policy.xml    | 322 ++++++++++++++++++
 2 files changed, 383 insertions(+)
 create mode 100644 azure-api-management/oauth-client-credentials-policy.xml
 create mode 100644 azure-api-management/oauth-saml-bearer-assertion-policy.xml

diff --git a/azure-api-management/oauth-client-credentials-policy.xml b/azure-api-management/oauth-client-credentials-policy.xml
new file mode 100644
index 0000000..4ca1290
--- /dev/null
+++ b/azure-api-management/oauth-client-credentials-policy.xml
@@ -0,0 +1,61 @@
+<!-- Based on https://github.com/Azure/api-management-policy-snippets/blob/master/examples/Backend%20OAuth2%20Authentication%20With%20Cache.policy.xml  -->
+<!-- The policy defined in this file provides an example of using OAuth2 for authorization between
+the gateway and a backend -->
+<!-- It shows how to obtain an access token from AAD, cache it for a configurable amount of time and
+forward it to the backend. -->
+<!-- The sample is based on the original OAuth2 example provided previously -->
+
+<!-- Send request to AAD to obtain a bearer token -->
+<!-- Parameters: authorizationServer - format https://login.windows.net/TENANT-GUID/oauth2/token -->
+<!-- Parameters: scope - a URI encoded scope value -->
+<!-- Parameters: clientId - an id obtained during app registration -->
+<!-- Parameters: clientSecret - a URL encoded secret, obtained during app registration -->
+
+
+<!-- Copy the following snippet into the inbound section. -->
+<policies>
+  <inbound>
+    <base />
+    <cache-lookup-value key="@(" bearerToken")" variable-name="bearerToken" />
+    <choose>
+      <when condition="@(!context.Variables.ContainsKey(" bearerToken"))">
+        <send-request ignore-error="true" timeout="20" response-variable-name="accessTokenResult"
+          mode="new">
+          <set-url>{{authorizationServer}}</set-url>
+          <set-method>POST</set-method>
+          <set-header name="Content-Type" exists-action="override">
+            <value>application/x-www-form-urlencoded</value>
+          </set-header>
+          <set-body>@{
+            return
+            "client_id={{clientId}}&client_secret={{clientSecret}}&grant_type=client_credentials";
+            }</set-body>
+        </send-request>
+        <set-variable name="accessToken" value="@(((IResponse)context.Variables[" accessTokenResult"]).Body.As<JObject>())" />
+        <set-variable name="bearerToken" value="@((string)((JObject)context.Variables[" accessToken"])[" access_token"])" />
+        <set-variable name="tokenDurationSeconds" value="@((int)((JObject)context.Variables[" accessToken"])[" expires_in"])" />
+        <cache-store-value key="bearerToken" value="@((string)context.Variables[" bearerToken"])"
+          duration="@((int)context.Variables[" tokenDurationSeconds"])" />
+      </when>
+    </choose>
+    <set-header name="Authorization" exists-action="override">
+      <value>@("Bearer " + (string)context.Variables["bearerToken"])</value>
+    </set-header>
+    <!--  Don't expose APIM subscription key to the backend. -->
+    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
+  </inbound>
+  <backend>
+    <base />
+  </backend>
+  <outbound>
+    <choose>
+      <when condition="@(context.Response.StatusCode == 401 || context.Response.StatusCode == 403)">
+        <cache-remove-value key="bearerToken" />
+      </when>
+    </choose>
+    <base />
+  </outbound>
+  <on-error>
+    <base />
+  </on-error>
+</policies>
diff --git a/azure-api-management/oauth-saml-bearer-assertion-policy.xml b/azure-api-management/oauth-saml-bearer-assertion-policy.xml
new file mode 100644
index 0000000..32a7e9a
--- /dev/null
+++ b/azure-api-management/oauth-saml-bearer-assertion-policy.xml
@@ -0,0 +1,322 @@
+<!-- The policy defined in this file provides an best-practice implementation of
+OAuth2SAMLBearerAssertion for SAP OData services.
+     The mechanism to map an IdP associated user (in this case Azure Active Directory - AAD) to a SAP
+backend user
+     is often referred to as SAP Principal Propagation.
+-->
+<!-- The policy shows how to exchange an AAD issued access token for an SAP issued Bearer token and
+forward it to the backend.
+     In addition to that it caches the tokens, so that clients can focus on app logic rather than SAP
+Principal Propagation and to scale the approach.
+     Furthermore, it handles the X-CSRF-Token handling for update requests. -->
+<!-- Find further details in our blog series on the SAP community:
+https://blogs.sap.com/2021/08/12/.net-speaks-odata-too-how-to-implement-azure-app-service-with-sap-odata-gateway/
+     Find a Postman collection to test the policy flow here:
+https://github.com/MartinPankraz/AzureSAPODataReader/blob/master/Templates/AAD_APIM_SAP_Principal_Propagation.postman_collection.json
+     Find a video guide for the setup of SAP Principal Propagation here:
+https://github.com/MartinPankraz/SAP-MSTeams-Hero/blob/main/Towel-Bearer/103a-sap-principal-propagation-basics.md   -->
+<!-- Parameters: AADTenantId - format TENANT-GUID, can be optained from Azure portal view for Azure
+AD for instance -->
+<!-- Parameters: AADRegisteredAppClientId - format APP-GUID, obtained during app registration -->
+<!-- Parameters: AADRegisteredAppClientSecret - a URL encoded secret, obtained during app
+registration -->
+<!-- Parameters: AADSAPResource - an id obtained during app registration. Our guide leverages the
+SAP SID for this (e.g. FS1) -->
+<!-- Parameters: SAPOAuthClientID - an id obtained during OAuth setup on the SAP backend. Check SAP
+Transaction code SOAUTH2. -->
+<!-- Parameters: SAPOAuthClientSecret - a URL encoded secret, obtained during OAuth setup on the SAP
+backend -->
+<!-- Parameters: SAPOAuthScope - a text, obtained during OAuth setup on the SAP backend. Likely
+class name of the target OData service (e.g. ZEPM_REF_APPS_PROD_MAN_SRV_0001) -->
+<!-- Parameters: SAPOAuthServerAdressForTokenEndpoint - format
+https://{{SAPOAuthServerAdressForTokenEndpoint}}/sap/bc/sec/oauth2/token -->
+<!-- Parameters: SAPOAuthRefreshExpiry - a value in ms resembling the OAuth token refresh expiry
+time from SAP backend. Check SAP transaction SOAUTH2 for the value. -->
+<!-- To create the parameters (APIM named values) used in this policy, we provided a Azure Cloud
+shell script here:
+https://github.com/MartinPankraz/AzureSAPODataReader/blob/master/Templates/UpdateAPIMwithVariablesForSAPPolicy.sh -->
+<policies>
+  <inbound>
+    <base />
+    <validate-jwt header-name="Authorization" failed-validation-httpcode="401"
+      require-scheme="Bearer">
+      <openid-config
+        url="https://login.microsoftonline.com/{{AADTenantId}}/.well-known/openid-configuration" />
+      <audiences>
+        <audience>api://{{APIMAADRegisteredAppClientId}}</audience>
+      </audiences>
+      <issuers>
+        <issuer>https://sts.windows.net/{{AADTenantId}}/</issuer>
+      </issuers>
+      <required-claims>
+        <claim name="scp" match="all" separator=" ">
+          <value>SAPGraph.access</value>
+        </claim>
+      </required-claims>
+    </validate-jwt>
+    <set-variable name="APIMAADRegisteredAppClientId" value="{{APIMAADRegisteredAppClientId}}" />
+    <set-variable name="APIMAADRegisteredAppClientSecret"
+      value="{{APIMAADRegisteredAppClientSecret}}" />
+    <set-variable name="AADSAPResource" value="{{AADSAPResource}}" />
+    <set-variable name="SAPOAuthClientID" value="{{SAPOAuthClientID}}" />
+    <set-variable name="SAPOAuthClientSecret" value="{{SAPOAuthClientSecret}}" />
+    <set-variable name="SAPOAuthScope" value="{{SAPOAuthScope}}" />
+    <set-variable name="SAPOAuthRefreshExpiry" value="{{SAPOAuthRefreshExpiry}}" />
+    <!-- check APIM cache for existing user SAP and refresh token for OData service -->
+    <cache-lookup-value key="@(" SAPPrincipal" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" variable-name="SAPBearerToken" />
+    <cache-lookup-value key="@(" SAPPrincipalRefresh" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" variable-name="SAPRefreshToken" />
+    <choose>
+      <!-- if SAP token is not in cache and also no refresh token available, get it from AAD and
+      store both in cache -->
+      <when condition="@(!context.Variables.ContainsKey(" SAPBearerToken") && !context.Variables.ContainsKey(" SAPRefreshToken"))">
+        <!-- Exchange AAD Bearer token for AAD issued SAML token on behalf of logged in user -->
+        <send-request mode="new" response-variable-name="fetchSAMLAssertion" timeout="10"
+          ignore-error="false">
+          <set-url>https://login.microsoftonline.com/{{AADTenantId}}/oauth2/v2.0/token</set-url>
+          <set-method>POST</set-method>
+          <set-header name="Content-Type" exists-action="override">
+            <value>application/x-www-form-urlencoded</value>
+          </set-header>
+          <set-body>@{
+            var _AADRegisteredAppClientId = context.Variables["APIMAADRegisteredAppClientId"];
+            var _AADRegisteredAppClientSecret =
+            context.Variables["APIMAADRegisteredAppClientSecret"];
+            var _AADSAPResource = context.Variables["AADSAPResource"];
+            var assertion =
+            context.Request.Headers.GetValueOrDefault("Authorization","").Replace("Bearer ","");
+            return
+            $"grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion={assertion}&client_id={_AADRegisteredAppClientId}&client_secret={_AADRegisteredAppClientSecret}&scope={_AADSAPResource}/.default&requested_token_use=on_behalf_of&requested_token_type=urn:ietf:params:oauth:token-type:saml2";
+            }</set-body>
+        </send-request>
+        <set-variable name="accessToken" value="@((string)((IResponse)context.Variables[" fetchSAMLAssertion"]).Body.As<JObject>()[" access_token"])" />
+        <!-- Get SAP backend issued Bearer token for presented AAD issued SAML token using
+        OAuth2SAMLBearerAssertion flow. -->
+        <send-request mode="new" response-variable-name="fetchSAPBearer" timeout="10"
+          ignore-error="false">
+          <set-url>
+            https://{{SAPOAuthServerAdressForTokenEndpoint}}/oauth/token/alias/csw-dev.aws-live-eu10</set-url>
+          <set-method>POST</set-method>
+          <set-header name="Content-Type" exists-action="override">
+            <value>application/x-www-form-urlencoded</value>
+          </set-header>
+          <!-- Provide Authentication to SAP OAuth server. Check SAP transaction code SOAUTH2 for
+          your individual configuration -->
+          <set-header name="Authorization" exists-action="override">
+            <value>@{
+              var _SAPOAuthClientID = context.Variables["SAPOAuthClientID"];
+              var _SAPOAuthClientSecret = context.Variables["SAPOAuthClientSecret"];
+              return "Basic " +
+              Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_SAPOAuthClientID}:{_SAPOAuthClientSecret}"));
+              }</value>
+          </set-header>
+          <!--  Don't expose APIM subscription key to the backend. -->
+          <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
+          <set-body>@{
+            var assertion2 = context.Variables["accessToken"];
+            return
+            $"grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion={assertion2}";
+            }</set-body>
+        </send-request>
+        <!-- Remember SAP Bearer tokens, deal with dictionary of objects -->
+        <set-variable name="SAPResponseObject" value="@(((IResponse)context.Variables[" fetchSAPBearer"]).Body.As<JObject>())" />
+        <set-variable name="SAPBearerTokenExpiry" value="@(((JObject)context.Variables[" SAPResponseObject"])[" expires_in"].ToString())" />
+        <set-variable name="iSAPBearerTokenExpiry" value="@(int.Parse((string)context.Variables[" SAPBearerTokenExpiry"]))" />
+        <set-variable name="SAPBearerToken" value="@(((JObject)context.Variables[" SAPResponseObject"])[" access_token"].ToString())" />
+        <set-variable name="SAPRefreshToken" value="@(((JObject)context.Variables[" SAPResponseObject"])[" refresh_token"].ToString())" />
+        <!-- take random time off the actual expiry to avoid login bursts (clustered expired
+        tokens). Assuming a third of the total expiry as lower boundary -->
+        <set-variable name="RandomBackOffDelay"
+          value="@(new Random().Next(0,(int)context.Variables[" iSAPBearerTokenExpiry"]/3))" />
+        <!--cache
+        Bearer and refresh token till expiry. We recommend 36 hours to mitigate "morning" login
+        bursts efficiently. -->
+        <cache-store-value key="@(" SAPPrincipal" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" value="@((string)context.Variables[" SAPBearerToken"])"
+          duration="@((int)context.Variables[" iSAPBearerTokenExpiry"]  - (int)context.Variables[" RandomBackOffDelay"])" />
+        <!-- optionally store duration for diagnostics endpoint
+                <cache-store-value key="@("SAPBearerDuration" +
+        context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)"
+        value="@((int)context.Variables["iSAPBearerTokenExpiry"] -
+        (int)context.Variables["RandomBackOffDelay"])" duration="3600" />-->
+        <!-- verify refresh token expiry on SOAUTH2 transaction at SAP backend. We assume long
+        lifetime and assign 10 times more by default. -->
+        <cache-store-value key="@(" SAPPrincipalRefresh" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" value="@((string)context.Variables[" SAPRefreshToken"])"
+          duration="@(int.Parse((string)context.Variables[" SAPOAuthRefreshExpiry"]) - (int)context.Variables[" RandomBackOffDelay"])" />
+        <!-- optionally store duration for diagnostics endpoint
+                <cache-store-value key="@("SAPRefreshDuration" +
+        context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)"
+        value="@(int.Parse((string)context.Variables["SAPOAuthRefreshExpiry"]) -
+        (int)context.Variables["RandomBackOffDelay"])" duration="3600" />-->
+      </when>
+      <!-- if no SAP bearer token is available but a valid refresh token is present, use it to get a
+      new bearer token -->
+      <when condition="@(!context.Variables.ContainsKey(" SAPBearerToken") && context.Variables.ContainsKey(" SAPRefreshToken"))">
+        <send-request mode="new" response-variable-name="fetchrefreshedSAPBearer" timeout="10"
+          ignore-error="false">
+          <set-url>
+            https://{{SAPOAuthServerAdressForTokenEndpoint}}/oauth/token/alias/csw-dev.aws-live-eu10</set-url>
+          <set-method>POST</set-method>
+          <set-header name="Content-Type" exists-action="override">
+            <value>application/x-www-form-urlencoded</value>
+          </set-header>
+          <!-- Provide Authentication to SAP OAuth server. Check SAP transaction code SOAUTH2 for
+          your individual configuration -->
+          <set-header name="Authorization" exists-action="override">
+            <value>@{
+              var _SAPOAuthClientID = context.Variables["SAPOAuthClientID"];
+              var _SAPOAuthClientSecret = context.Variables["SAPOAuthClientSecret"];
+              return "Basic " +
+              Convert.ToBase64String(Encoding.UTF8.GetBytes($"{_SAPOAuthClientID}:{_SAPOAuthClientSecret}"));
+              }</value>
+          </set-header>
+          <set-body>@{
+            var _SAPOAuthClientID = context.Variables["SAPOAuthClientID"];
+            var _SAPOAuthScope = context.Variables["SAPOAuthScope"];
+            var _refreshToken = context.Variables["SAPRefreshToken"];
+            return $"grant_type=refresh_token&refresh_token={_refreshToken}";
+            }</set-body>
+        </send-request>
+        <!-- Remember SAP Bearer tokens. Consider handling http 400 Bad Request for invalid Refresh
+        tokens -->
+        <set-variable name="SAPRefreshedResponseObject" value="@(((IResponse)context.Variables[" fetchrefreshedSAPBearer"]).Body.As<JObject>())" />
+        <set-variable name="SAPBearerTokenExpiry" value="@(((JObject)context.Variables[" SAPRefreshedResponseObject"])[" expires_in"].ToString())" />
+        <set-variable name="iSAPBearerTokenExpiry" value="@(int.Parse((string)context.Variables[" SAPBearerTokenExpiry"]))" />
+        <set-variable name="SAPBearerToken" value="@(((JObject)context.Variables[" SAPRefreshedResponseObject"])[" access_token"].ToString())" />
+        <set-variable name="SAPRefreshToken" value="@(((JObject)context.Variables[" SAPRefreshedResponseObject"])[" refresh_token"].ToString())" />
+        <!-- take random time off the actual expiry to avoid login bursts (clustered expired
+        tokens). Assuming a third of the total expiry as lower boundary -->
+        <set-variable name="RandomBackOffDelay"
+          value="@(new Random().Next(0,(int)context.Variables[" iSAPBearerTokenExpiry"]/3))" />
+        <!--cache
+        Bearer and refresh token till expiry. We recommend 36 hours to mitigate "morning" login
+        bursts efficiently. -->
+        <cache-store-value key="@(" SAPPrincipal" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" value="@((string)context.Variables[" SAPBearerToken"])"
+          duration="@((int)context.Variables[" iSAPBearerTokenExpiry"] - (int)context.Variables[" RandomBackOffDelay"])" />
+        <!-- optionally store duration for diagnostics endpoint
+                <cache-store-value key="@("SAPBearerDuration" +
+        context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)"
+        value="@((int)context.Variables["iSAPBearerTokenExpiry"] -
+        (int)context.Variables["RandomBackOffDelay"])" duration="3600" />-->
+        <!-- verify refresh token expiry on SOAUTH2 transaction at SAP backend. We assume long
+        lifetime and assign 10 times more by default. -->
+        <cache-store-value key="@(" SAPPrincipalRefresh" + context.Request.Headers.GetValueOrDefault(" Authorization","").AsJwt()?.Subject)" value="@((string)context.Variables[" SAPRefreshToken"])"
+          duration="@(int.Parse((string)context.Variables[" SAPOAuthRefreshExpiry"]) - (int)context.Variables[" RandomBackOffDelay"])" />
+        <!-- optionally store duration for diagnostics endpoint 
+                <cache-store-value key="@("SAPRefreshDuration" +
+        context.Request.Headers.GetValueOrDefault("Authorization","").AsJwt()?.Subject)"
+        value="@(int.Parse((string)context.Variables["SAPOAuthRefreshExpiry"]) -
+        (int)context.Variables["RandomBackOffDelay"])" duration="3600" />-->
+      </when>
+    </choose>
+    <!-- check CSRF -->
+    <choose>
+      <!-- CSRF-token only required for every operation other than GET or HEAD -->
+      <when condition="@(context.Request.Method != " GET" && context.Request.Method != " HEAD")">
+        <!-- Creating a HEAD subrequest to save request overhead and get the SAP CSRF token and
+        cookie.-->
+        <send-request mode="new" response-variable-name="SAPCSRFToken" timeout="10"
+          ignore-error="false">
+          <set-url>@(context.Request.Url.ToString())</set-url>
+          <set-method>HEAD</set-method>
+          <set-header name="X-CSRF-Token" exists-action="override">
+            <value>Fetch</value>
+          </set-header>
+          <set-header name="Authorization" exists-action="override">
+            <value>@("Bearer " + (string)context.Variables["SAPBearerToken"])</value>
+          </set-header>
+        </send-request>
+        <!-- Extract the token and cookie from the "SAPCSRFToken" and set as header in the POST
+        request. -->
+        <choose>
+          <when condition="@(((IResponse)context.Variables[" SAPCSRFToken"]).StatusCode == 200)">
+            <set-header name="X-CSRF-Token" exists-action="override">
+              <value>
+                @(((IResponse)context.Variables["SAPCSRFToken"]).Headers.GetValueOrDefault("x-csrf-token"))</value>
+            </set-header>
+            <set-header name="Cookie" exists-action="override">
+              <value>@{
+                string rawcookie =
+                ((IResponse)context.Variables["SAPCSRFToken"]).Headers.GetValueOrDefault("Set-Cookie");
+                string[] cookies = rawcookie.Split(';');
+                /* new session sends a XSRF cookie */
+                string xsrftoken = cookies.FirstOrDefault( ss => ss.Contains("sap-XSRF"));
+                /* existing sessions sends a SessionID. No other cases anticipated at this point.
+                Please create a GitHub Pull-Request if you encounter uncovered settings. */
+                if(xsrftoken == null){
+                xsrftoken = cookies.FirstOrDefault( ss => ss.Contains("SAP_SESSIONID"));
+                }
+
+                return xsrftoken.Split(',')[1];}</value>
+            </set-header>
+          </when>
+        </choose>
+      </when>
+    </choose>
+    <set-header name="Authorization" exists-action="override">
+      <value>@("Bearer " + (string)context.Variables["SAPBearerToken"])</value>
+    </set-header>
+    <!--  Don't expose APIM subscription key to the backend. -->
+    <set-header name="Ocp-Apim-Subscription-Key" exists-action="delete" />
+    <choose>
+      <!--introduce
+      json format conversion only for non-metadata calls and only for GET operations. Otherwise bad
+      request.-->
+      <when condition="@(!context.Request.Url.Path.Contains("/ $metadata") && context.Request.Method == " GET")">
+        <set-query-parameter name="$format" exists-action="override">
+          <value>json</value>
+        </set-query-parameter>
+      </when>
+    </choose>
+  </inbound>
+  <backend>
+    <base />
+  </backend>
+  <outbound>
+    <base />
+    <!-- OPTIONAL: Ensure that APIM domain, port and path are reflected on the OData response from
+    SAP
+             Otherwise deferred items like /toSalesOrders are represented by SAP known host and port. Example:
+    https://10.10.10.10:44300/sap/opu/odata/iwbep/gwsample_basic/BusinessPartnerSet('0100000000')/ToSalesOrders
+    vs.
+    https://demo-sap-apim.azure-api.net:443/my-prefix/sap/opu/odata/iwbep/gwsample_basic/BusinessPartnerSet('0100000000')/ToSalesOrders
+
+             URL rewrite in body required for returned OData paths.
+
+             - Consider adding "/" + "context.Api.Version" to reflect your versioning scheme:
+    https://learn.microsoft.com/azure/api-management/api-management-versions
+             - Consider Using expression "ToString().ToUpper()" to cater for upper case SAP host names. See SAP
+    Note 129997 and 611361 that discuss the SAP ABAP settings for case sensive host names for
+    reference.
+
+               context.Api.ServiceUrl.Host.ToString().ToUpper()
+        -->
+    <find-and-replace from="@(context.Api.ServiceUrl.Host +" :"+ context.Api.ServiceUrl.Port)"
+      to="@(context.Request.OriginalUrl.Host + " :" + context.Request.OriginalUrl.Port + context.Api.Path)" />
+  </outbound>
+  <on-error>
+    <base />
+    <set-header name="ErrorSource" exists-action="override">
+      <value>@(context.LastError.Source)</value>
+    </set-header>
+    <set-header name="ErrorReason" exists-action="override">
+      <value>@(context.LastError.Reason)</value>
+    </set-header>
+    <set-header name="ErrorMessage" exists-action="override">
+      <value>@(context.LastError.Message)</value>
+    </set-header>
+    <set-header name="ErrorScope" exists-action="override">
+      <value>@(context.LastError.Scope)</value>
+    </set-header>
+    <set-header name="ErrorSection" exists-action="override">
+      <value>@(context.LastError.Section)</value>
+    </set-header>
+    <set-header name="ErrorPath" exists-action="override">
+      <value>@(context.LastError.Path)</value>
+    </set-header>
+    <set-header name="ErrorPolicyId" exists-action="override">
+      <value>@(context.LastError.PolicyId)</value>
+    </set-header>
+    <set-header name="ErrorStatusCode" exists-action="override">
+      <value>@(context.Response.StatusCode.ToString())</value>
+    </set-header>
+  </on-error>
+</policies>