Azure APIM - Policy - Cannot get valid context - Error 500 - Object Not Set to Instance of Object

Referring to this page: https://docs.microsoft.com/en-us/azure/api-management/policies/send-request-context-info-to-backend-service

I am trying to get the User.Group using a policy such that I can restrict access to CRUD operations based on membership of 'read-only' or 'full-access' group.

All of the Microsoft Docs state that you can get user context by accessing @(context.User) and then whatever property you want. My proposed policy was this:

<policies>      <inbound>          <rewrite-uri template="/views/foo" />          <base />      </inbound>      <backend>          <base />      </backend>      <outbound>          <choose>              <when condition="@(context.User.Groups.Select(g => g.Name).Contains("Read-Only-Group"))">                  <return-response>                      <set-status code="403" reason="Unauthorized" />                      <set-body>You do not have write access - this operation is not available</set-body>                  </return-response>              </when>          </choose>          <base />      </outbound>      <on-error>          <base />      </on-error>  </policies>  

The problem I am having is that whichever basic examples I try and implement in policy, I am getting "Error 500 - Object not set to an instance of object" whenever I try and get anything to do with the User. I understand this means my User object is not populated, but I don't get why.

Even if I refer to the basic examples on the Microsoft page to set some headers containing the Product name and User ID, they fail with the same error. Those pages don't contain any info on additional steps needed to access the User object.

How can I access these items?

https://stackoverflow.com/questions/67388767/azure-apim-policy-cannot-get-valid-context-error-500-object-not-set-to-i May 05, 2021 at 12:40AM