Get authorization context
APPLIES TO: All API Management tiers
Use the get-authorization-context policy to get the authorization context of a specified connection (formerly called an authorization) to a credential provider that is configured in the API Management instance.
The policy fetches and stores authorization and refresh tokens from the configured credential provider using the connection.
Note
Set the policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.
Policy statement
<get-authorization-context
provider-id="credential provider id"
authorization-id="connection id"
context-variable-name="variable name"
identity-type="managed | jwt"
identity="JWT bearer token"
ignore-error="true | false" />
Attributes
| Attribute | Description | Required | Default |
|---|---|---|---|
| provider-id | The credential provider resource identifier. Policy expressions are allowed. | Yes | N/A |
| authorization-id | The connection resource identifier. Policy expressions are allowed. | Yes | N/A |
| context-variable-name | The name of the context variable to receive the Authorization object. Policy expressions are allowed. |
Yes | N/A |
| identity-type | Type of identity to check against the connection's access policy. - managed: system-assigned managed identity of the API Management instance. - jwt: JWT bearer token specified in the identity attribute.Policy expressions are allowed. |
No | managed |
| identity | A Microsoft Entra JWT bearer token to check against the connection permissions. Ignored for identity-type other than jwt. Expected claims: - audience: https://azure-api.net/authorization-manager - oid: Permission object ID - tid: Permission tenant IDPolicy expressions are allowed. |
No | N/A |
| ignore-error | Boolean. If acquiring the authorization context results in an error (for example, the connection resource isn't found or is in an error state): - true: the context variable is assigned a value of null. - false: return 500If you set the value to false, and the policy configuration includes an on-error section, the error is available in the context.LastError property.Policy expressions are allowed. |
No | false |
Authorization object
The Authorization context variable receives an object of type Authorization.
class Authorization
{
public string AccessToken { get; }
public IReadOnlyDictionary<string, object> Claims { get; }
}
| Property Name | Description |
|---|---|
| AccessToken | Bearer access token to authorize a backend HTTP request. |
| Claims | Claims returned from the authorization server's token response API (see RFC6749#section-5.1). |
Usage
- Policy sections: inbound
- Policy scopes: global, product, API, operation
- Gateways: classic, v2, consumption
Usage notes
- Configure
identity-type=jwtwhen the access policy for the connection is assigned to a service principal. Only/.defaultapp-only scopes are supported for the JWT.
Examples
Get token back
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="managed"
ignore-error="false" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Get token back with dynamically set attributes
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))"
authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" context-variable-name="auth-context"
ignore-error="false"
identity-type="managed" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Attach the token to the backend call
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="managed"
ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
<value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>
Get token from incoming request and return token
<!-- Add to inbound policy. -->
<get-authorization-context
provider-id="github-01"
authorization-id="auth-01"
context-variable-name="auth-context"
identity-type="jwt"
identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
ignore-error="false" />
<!-- Return the token -->
<return-response>
<set-status code="200" />
<set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
Related policies
Related content
For more information about working with policies, see:
- Tutorial: Transform and protect your API
- Policy reference for a full list of policy statements and their settings
- Policy expressions
- Set or edit policies
- Reuse policy configurations
- Policy snippets repo
- Author policies using Microsoft Copilot in Azure