Get authorization context
Use the get-authorization-context policy to get the authorization context of a specified authorization (preview) configured in the API Management instance.
The policy fetches and stores authorization and refresh tokens from the configured authorization provider.
If identity-type="jwt" is configured, a JWT bearer token must be supplied in the identity attribute and is validated before the context is returned. The audience of this token must be https://azure-api.net/authorization-manager.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
```xml
<get-authorization-context
    provider-id="authorization provider id"
    authorization-id="authorization id"
    context-variable-name="variable name"
    identity-type="managed | jwt"
    identity="JWT bearer token"
    ignore-error="true | false" />
```
Attributes
Attribute | Description | Required | Default |
---|---|---|---|
provider-id | The authorization provider resource identifier. | Yes | N/A |
authorization-id | The authorization resource identifier. | Yes | N/A |
context-variable-name | The name of the context variable that receives the Authorization object. | Yes | N/A |
identity-type | Type of identity to be checked against the authorization access policy. `managed`: managed identity of the API Management service. `jwt`: JWT bearer token specified in the `identity` attribute. | No | managed |
identity | An Azure AD JWT bearer token to be checked against the authorization permissions. Ignored for an `identity-type` other than `jwt`. Expected claims: audience `https://azure-api.net/authorization-manager`; `oid`: permission object ID; `tid`: permission tenant ID. | No | N/A |
ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource is not found or is in an error state): `true`: the context variable is assigned a value of null. `false`: the policy returns 500. | No | false |
Authorization object
The Authorization context variable receives an object of type Authorization.

```csharp
class Authorization
{
    public string AccessToken { get; }
    public IReadOnlyDictionary<string, object> Claims { get; }
}
```
Property Name | Description |
---|---|
AccessToken | Bearer access token to authorize a backend HTTP request. |
Claims | Claims returned from the authorization server's token response API (see RFC6749#section-5.1). |
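The attributes table above says that with `ignore-error="true"` the context variable becomes null instead of the policy failing the request with 500, and the Authorization object exposes the token response claims. The following inbound section, added here as an illustration and not taken from the product documentation, shows how a policy author can handle both: it checks for a null token before anything is forwarded, then inspects the `scope` claim from the stored token response, and only then overrides the caller's Authorization header. The provider and authorization IDs reuse the page's `github-01`/`auth-01` values; the `repo` scope and the error bodies are constructed for the example, and the scope check assumes the provider includes a space-separated `scope` value in its token response (RFC6749 makes it optional).

```xml
<inbound>
    <base />
    <!-- Fetch the token but do not fail the request on error: the variable becomes null instead. -->
    <get-authorization-context
        provider-id="github-01"
        authorization-id="auth-01"
        context-variable-name="auth-context"
        identity-type="managed"
        ignore-error="true" />
    <choose>
        <!-- Null token: the authorization is missing, in an error state, or not permitted for this identity. -->
        <when condition="@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken == null)">
            <return-response>
                <set-status code="503" reason="Service Unavailable" />
                <set-header name="Content-Type" exists-action="override">
                    <value>application/json</value>
                </set-header>
                <set-body>{"error":"backend authorization is not available"}</set-body>
            </return-response>
        </when>
        <!-- Token present, but the token response did not grant the scope this operation needs ("repo" is a constructed example). -->
        <when condition="@{
            var auth = (Authorization)context.Variables.GetValueOrDefault("auth-context");
            object scope;
            if (auth.Claims == null || !auth.Claims.TryGetValue("scope", out scope) || scope == null) { return true; }
            return !scope.ToString().Split(' ').Contains("repo");
        }">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-body>{"error":"stored authorization lacks the required scope"}</set-body>
            </return-response>
        </when>
    </choose>
    <!-- Only reached with a non-null token: replace whatever Authorization header the caller sent. -->
    <set-header name="Authorization" exists-action="override">
        <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context")).AccessToken)</value>
    </set-header>
</inbound>
```

Returning a deliberate 503 or 403 here, rather than letting a null token reach `set-header`, means the backend never receives a request with `Authorization: Bearer ` and an empty token, and the failure mode is visible in gateway logs as a policy decision rather than as a backend authentication error.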
Usage
- Policy sections: inbound
- Policy scopes: global, product, API, operation
- Gateways: dedicated
Examples
Get token back
```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="managed"
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />

<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```
Get token back with dynamically set attributes
```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))"
    authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))"
    context-variable-name="auth-context"
    ignore-error="false"
    identity-type="managed" />

<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```
Attach the token to the backend call
```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="managed"
    ignore-error="false" />

<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>
```
Get token from incoming request and return token
```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="jwt"
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />

<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```
Related policies
Next steps
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy samples