Get authorization context
Use the get-authorization-context policy to get the authorization context of a specified authorization configured in the API Management instance.
The policy fetches and stores authorization and refresh tokens from the configured authorization provider.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
<get-authorization-context
provider-id="authorization provider id"
authorization-id="authorization id"
context-variable-name="variable name"
identity-type="managed | jwt"
identity="JWT bearer token"
ignore-error="true | false" />
Attributes
| Attribute | Description | Required | Default |
|---|---|---|---|
| provider-id | The authorization provider resource identifier. Policy expressions are allowed. | Yes | N/A |
| authorization-id | The authorization resource identifier. Policy expressions are allowed. | Yes | N/A |
| context-variable-name | The name of the context variable to receive the Authorization object. Policy expressions are allowed. |
Yes | N/A |
| identity-type | Type of identity to check against the authorization access policy. - managed: managed identity of the API Management service. - jwt: JWT bearer token specified in the identity attribute.Policy expressions are allowed. |
No | managed |
| identity | An Azure AD JWT bearer token to check against the authorization permissions. Ignored for identity-type other than jwt. Expected claims: - audience: https://azure-api.net/authorization-manager - oid: Permission object ID - tid: Permission tenant IDPolicy expressions are allowed. |
No | N/A |
| ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the authorization resource isn't found or is in an error state): - true: the context variable is assigned a value of null. - false: return 500If you set the value to false, and the policy configuration includes an on-error section, the error is available in the context.LastError property.Policy expressions are allowed. |
No | false |
Authorization object
The Authorization context variable receives an object of type Authorization.
class Authorization
{
public string AccessToken { get; }
public IReadOnlyDictionary<string, object> Claims { get; }
}
| Property Name | Description |
|---|---|
| AccessToken | Bearer access token to authorize a backend HTTP request. |
| Claims | Claims returned from the authorization server's token response API (see RFC6749#section-5.1). |
Usage
- Policy sections: inbound
- Policy scopes: global, workspace, product, API, operation
- Gateways: dedicated, consumption
Usage notes
- Configure
identity-type=jwtwhen the access policy for the authorization is assigned to a service principal. Only/.defaultapp-only scopes are supported for the JWT.
Examples
Get token back
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="managed"
ignore-error="false" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Get token back with dynamically set attributes
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))"
authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" context-variable-name="auth-context"
ignore-error="false"
identity-type="managed" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Attach the token to the backend call
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="managed"
ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
<value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>
Get token from incoming request and return token
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="jwt"
identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
ignore-error="false" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Related policies
Next steps
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy snippets repo
Feedback
Submit and view feedback for