How can we improve Azure API Management?

Extract JWT claims to variables during validation

I'd like to be able to extract specific claims from a JWT while validating it. Here's some policy that won't work today but that I'd like to be able to write:

<validate-jwt header-name="Authorization">
<openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
<extract-claims-to-variables>
<claim name="appid" variable="azureAppId" exists-action="override"/>
<claim name="cloud_instance_name" variable="cloudInstanceName" exists-action="override"/>
<claim name="email" variable="emailAddress" exists-action="override"/>
</extract-claims-to-variables>
</validate-jwt>

With various JWT claims extracted to variables during validation, I could drive other bits of policy logic from them and pass them to the backend as required.

52 votes
Kevin Hazzard shared this idea

    1 comment

      Murat Boduroglu commented

        Hi Kevin,

        You can already do this via set variable action and AsJwt() function:

        <set-variable name="azureAppId" value="@(context.Request.Headers["Authorization"].First().Split(' ')[1].AsJwt()?.Claims["appid"].FirstOrDefault())" />
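
An added example, not part of the original idea or the comment above and not Microsoft's own sample: AsJwt() only parses the header value, so claims that drive policy decisions are better read from the token that validate-jwt has already verified, which it exposes through its output-token-variable-name attribute. The variable name validatedJwt and the X-App-Id header are assumptions chosen for illustration.

```xml
<inbound>
    <base />
    <!-- Validate signature, issuer and lifetime first. On success the parsed
         token is stored in the context variable "validatedJwt" (assumed name). -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="validatedJwt">
        <openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    </validate-jwt>

    <!-- Read claims from the validated token, not from the raw header.
         GetValueOrDefault returns "" instead of throwing when a claim is absent. -->
    <set-variable name="azureAppId"
                  value="@(((Jwt)context.Variables["validatedJwt"]).Claims.GetValueOrDefault("appid", ""))" />
    <set-variable name="emailAddress"
                  value="@(((Jwt)context.Variables["validatedJwt"]).Claims.GetValueOrDefault("email", ""))" />

    <!-- Reject tokens that lack the claim the later policy logic depends on. -->
    <choose>
        <when condition="@(string.IsNullOrEmpty((string)context.Variables["azureAppId"]))">
            <return-response>
                <set-status code="403" reason="Forbidden" />
            </return-response>
        </when>
    </choose>

    <!-- Pass the claim to the backend. "override" replaces any X-App-Id header
         the client sent, so the backend only sees the value from the token. -->
    <set-header name="X-App-Id" exists-action="override">
        <value>@((string)context.Variables["azureAppId"])</value>
    </set-header>
</inbound>
```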
