Skip to content

Latest commit

 

History

History
148 lines (116 loc) · 6.18 KB

get-authorization-context-policy.md

File metadata and controls

148 lines (116 loc) · 6.18 KB
title description services author ms.service ms.topic ms.date ms.author
Azure API Management policy reference - get-authorization-context | Microsoft Docs
Reference for the get-authorization-context policy available for use in Azure API Management. Provides policy usage, settings, and examples.
api-management
dlepow
azure-api-management
reference
07/23/2024
danlep

Get authorization context

[!INCLUDE api-management-availability-all-tiers]

Use the get-authorization-context policy to get the authorization context of a specified connection (formerly called an authorization) to a credential provider that is configured in the API Management instance.

The policy fetches and stores authorization and refresh tokens from the configured credential provider using the connection.

[!INCLUDE api-management-policy-generic-alert]

Policy statement

<get-authorization-context
    provider-id="credential provider id" 
    authorization-id="connection id" 
    context-variable-name="variable name" 
    identity-type="managed | jwt"
    identity="JWT bearer token"
    ignore-error="true | false" />

Attributes

Attribute Description Required Default
provider-id The credential provider resource identifier. Policy expressions are allowed. Yes N/A
authorization-id The connection resource identifier. Policy expressions are allowed. Yes N/A
context-variable-name The name of the context variable to receive the Authorization object. Policy expressions are allowed. Yes N/A
identity-type Type of identity to check against the connection's access policy.
- managed: system-assigned managed identity of the API Management instance.
- jwt: JWT bearer token specified in the identity attribute.

Policy expressions are allowed.		 No managed
identity A Microsoft Entra JWT bearer token to check against the connection permissions. Ignored for identity-type other than jwt.

Expected claims:
- audience: https://azure-api.net/authorization-manager
- oid: Permission object ID
- tid: Permission tenant ID

Policy expressions are allowed.		 No N/A
ignore-error Boolean. If acquiring the authorization context results in an error (for example, the connection resource isn't found or is in an error state):
- true: the context variable is assigned a value of null.
- false: return 500

If you set the value to false, and the policy configuration includes an on-error section, the error is available in the context.LastError property.

Policy expressions are allowed.		 No false

Authorization object

The Authorization context variable receives an object of type Authorization.

class Authorization
{
    public string AccessToken { get; }
    public IReadOnlyDictionary<string, object> Claims { get; }
}
Property Name Description
AccessToken Bearer access token to authorize a backend HTTP request.
Claims Claims returned from the authorization server's token response API (see RFC6749#section-5.1).

Usage

Usage notes

  • Configure identity-type=jwt when the access policy for the connection is assigned to a service principal. Only /.default app-only scopes are supported for the JWT.

Examples

Get token back

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Get token back with dynamically set attributes

<!-- Add to inbound policy. -->
<get-authorization-context 
  provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))" 
  authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" context-variable-name="auth-context" 
  ignore-error="false" 
  identity-type="managed" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Attach the token to the backend call

<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>

Get token from incoming request and return token

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="jwt" 
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Related policies

[!INCLUDE api-management-policy-ref-next-steps]