Extract JWT claims to variables during validation
I'd like to be able to extract specific claims from a JWT while validating it. Here's some policy that won't work today but that I'd like to be able to write:
<openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
<claim name="appid" variable="azureAppId" exists-action="override"/>
<claim name="cloud_instance_name" variable="cloudInstanceName" exists-action="override"/>
<claim name="email" variable="emailAddress" exists-action="override"/>
With various JWT claims extracted to variables during validation, I could drive other bits of policy logic from them and pass them to the backend as required.
As suggested by Murat, this is already possible using policy expressions. That is the preferred way to access JWT data, as it allows you to simultaneously do other processing as well.
Rod Myran commented
With the addition of JWE support, there is no way to do this because the JWT is encrypted.
Does anyone have any suggestions?
Murat Boduroglu commented
You can already do this via set variable action and AsJwt() function:
<set-variable name="azureAppId" value="@(context.Request.Headers["Authorization"].First().Split(' ').Last().AsJwt()?.Claims["appid"].FirstOrDefault())" />
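Putting the two halves together (the original request to extract claims during validation, and the set-variable / AsJwt() approach above), here is a complete inbound policy section as an added example; it is not code from the original post or from the API Management product documentation. The order matters for security: validate-jwt runs first and rejects the request on a bad signature, issuer, audience or expiry, so the set-variable expressions that follow only ever parse a token that has already been verified. AsJwt() itself only decodes; it does not check the signature. The openid-config URL is the one from the post; the audience value, the variable names, the outbound header names and the use of GetValueOrDefault on the Claims dictionary (assumed to behave as it does for request headers, returning the default when the claim is absent) are assumptions of this example.

```xml
<inbound>
    <base />
    <!-- 1. Validate first. A request that fails here never reaches the extraction steps. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized">
        <openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
        <required-claims>
            <!-- Placeholder audience: replace with the App ID URI of this API. -->
            <claim name="aud">
                <value>api://PLACEHOLDER-APP-ID-URI</value>
            </claim>
        </required-claims>
    </validate-jwt>

    <!-- 2. Extract the claims the rest of the policy needs. Split(' ') yields
         ["Bearer", "<token>"], so Last() selects the token before AsJwt() decodes it.
         Variable names are assumptions of this example. -->
    <set-variable name="azureAppId"
                  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Split(' ').Last().AsJwt()?.Claims.GetValueOrDefault("appid", ""))" />
    <set-variable name="cloudInstanceName"
                  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Split(' ').Last().AsJwt()?.Claims.GetValueOrDefault("cloud_instance_name", ""))" />
    <set-variable name="emailAddress"
                  value="@(context.Request.Headers.GetValueOrDefault("Authorization", "").Split(' ').Last().AsJwt()?.Claims.GetValueOrDefault("email", ""))" />

    <!-- 3. Drive policy logic from the extracted values: a token that validated but
         carries no appid claim is refused rather than forwarded with empty identity. -->
    <choose>
        <when condition="@(string.IsNullOrEmpty((string)context.Variables["azureAppId"]))">
            <return-response>
                <set-status code="403" reason="Forbidden" />
                <set-body>Token does not identify a calling application.</set-body>
            </return-response>
        </when>
    </choose>

    <!-- 4. Pass the verified values to the backend. Overriding (not appending) stops a
         client from smuggling its own value for these headers past the gateway. -->
    <set-header name="X-Caller-App-Id" exists-action="override">
        <value>@((string)context.Variables["azureAppId"])</value>
    </set-header>
    <set-header name="X-Caller-Email" exists-action="override">
        <value>@((string)context.Variables["emailAddress"])</value>
    </set-header>
</inbound>
```

The repeated header expression is deliberate: each set-variable is independent, so any one of them can be dropped without affecting the others. If the backend must not see the raw bearer token, add a delete-header for Authorization after the set-header steps; the gateway has already done the validation the backend would otherwise repeat.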