Get authorization context

Use the get-authorization-context policy to get the authorization context of a specified authorization configured in the API Management instance.

The policy fetches and stores authorization and refresh tokens from the configured authorization provider.

Note

Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.

Policy statement

<get-authorization-context
    provider-id="authorization provider id" 
    authorization-id="authorization id" 
    context-variable-name="variable name" 
    identity-type="managed | jwt"
    identity="JWT bearer token"
    ignore-error="true | false" />

Attributes

Attribute: provider-id
Description: The authorization provider resource identifier. Policy expressions are allowed.
Required: Yes
Default: N/A

Attribute: authorization-id
Description: The authorization resource identifier. Policy expressions are allowed.
Required: Yes
Default: N/A

Attribute: context-variable-name
Description: The name of the context variable that receives the Authorization object. Policy expressions are allowed.
Required: Yes
Default: N/A

Attribute: identity-type
Description: Type of identity to check against the authorization's access policy.
- managed: the managed identity of the API Management service.
- jwt: the JWT bearer token specified in the identity attribute.
Policy expressions are allowed.
Required: No
Default: managed

Attribute: identity
Description: An Azure AD JWT bearer token to check against the authorization's permissions. Ignored unless identity-type is jwt.
Expected claims:
- audience: https://azure-api.net/authorization-manager
- oid: object ID of the principal granted permission
- tid: tenant ID of the principal granted permission
Policy expressions are allowed.
Required: No
Default: N/A

Attribute: ignore-error
Description: Boolean. Controls what happens if acquiring the authorization context fails (for example, the authorization resource isn't found or is in an error state):
- true: the context variable is assigned a value of null and request processing continues.
- false: the policy fails and the gateway returns an HTTP 500 response.
If you set the value to false and the policy configuration includes an on-error section, the error is available in the context.LastError property.
Policy expressions are allowed.
Required: No
Default: false

Authorization object

The Authorization context variable receives an object of type Authorization.

class Authorization
{
    public string AccessToken { get; }
    public IReadOnlyDictionary<string, object> Claims { get; }
}
Property: AccessToken
Description: Bearer access token used to authorize a backend HTTP request.

Property: Claims
Description: Claims returned from the authorization server's token response API (see RFC 6749, section 5.1).

Usage

Usage notes

  • Configure identity-type=jwt when the access policy for the authorization is assigned to a service principal. Only /.default app-only scopes are supported for the JWT.

Examples

Get token back

This example returns the stored access token to the API caller. That is convenient for testing but exposes the backend credential to anyone who can call the operation; in production, attach the token to the backend call instead (see the third example) rather than returning it.

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Get token back with dynamically set attributes

Here the provider and authorization identifiers come from the caller's query string, so any caller can request a token for any authorization that the API Management managed identity is permitted to use. Restrict this pattern to trusted callers or validate the identifiers against an allow list.

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))" 
    authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" 
    context-variable-name="auth-context" 
    ignore-error="false" 
    identity-type="managed" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Attach the token to the backend call

<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>

Get token from incoming request and return token

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="jwt" 
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
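Reject the call when the authorization can't be resolved

The following is an added example, not one of the page's own, that combines the jwt identity path with ignore-error="true" and an explicit null check, so a missing or rejected caller token produces a 401 instead of an unhandled 500, and the resolved token is attached only to the backend call, never returned to the caller. The provider and authorization identifiers (github-01, auth-01) are reused from the examples above; the variable name caller-jwt and the policy-section layout are assumptions for illustration.

```xml
<policies>
    <inbound>
        <base />
        <!-- Extract the caller's bearer token without throwing when the header is absent.
             Headers["Authorization"][0] would raise on a missing header and turn into a 500. -->
        <set-variable name="caller-jwt" value="@{
            var header = context.Request.Headers.GetValueOrDefault("Authorization", "");
            return header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase)
                ? header.Substring("Bearer ".Length)
                : "";
        }" />
        <!-- Resolve the authorization. With ignore-error="true", a lookup or access-policy
             failure assigns null to auth-context instead of aborting the request with a 500. -->
        <get-authorization-context
            provider-id="github-01"
            authorization-id="auth-01"
            context-variable-name="auth-context"
            identity-type="jwt"
            identity="@((string)context.Variables["caller-jwt"])"
            ignore-error="true" />
        <!-- No Authorization object (or no token inside it) means the caller isn't entitled
             to this authorization: answer 401 and say nothing about the backend credential. -->
        <choose>
            <when condition="@(string.IsNullOrEmpty(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken))">
                <return-response>
                    <set-status code="401" reason="Unauthorized" />
                    <set-header name="WWW-Authenticate" exists-action="override">
                        <value>Bearer error="invalid_token"</value>
                    </set-header>
                </return-response>
            </when>
        </choose>
        <!-- Attach the stored token to the backend call only; the caller never sees it. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + ((Authorization)context.Variables["auth-context"]).AccessToken)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If you prefer to keep ignore-error="false", move the 401 handling into the on-error section and inspect context.LastError there; the choose block above is then unnecessary, because the policy aborts the inbound section on failure.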

Next steps

For more information about working with policies, see: