Extract JWT claims to variables during validation
I'd like to be able to extract specific claims from a JWT while validating it. Here's some policy that won't work today but that I'd like to be able to write:
<openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
<claim name="appid" variable="azureAppId" exists-action="override"/>
<claim name="cloud_instance_name" variable="cloudInstanceName" exists-action="override"/>
<claim name="email" variable="emailAddress" exists-action="override"/>
With various JWT claims extracted to variables during validation, I could drive other bits of policy logic from them and pass them to the backend as required.
As suggested by Murat, this is already possible using policy expressions. That is the preferred way to access JWT data, as it allows you to simultaneously do other processing as well.
Murat Boduroglu commented
You can already do this via set variable action and AsJwt() function:
<set-variable name="azureAppId" value="@(context.Request.Headers["Authorization"].First().Split(' ').Last().AsJwt()?.Claims["appid"].FirstOrDefault())" />
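Added illustration, not part of this thread and not API Management code: a self-contained Python model of the two steps the request and the answer above describe, the `Split(' ').Last().AsJwt()` parse of the Authorization header and the proposed `<claim name variable exists-action>` mapping. The point worth keeping in mind when using the `set-variable` route is that `AsJwt()` only parses the token; the signature is checked by `validate-jwt`, so claims copied into variables are only trustworthy if that policy ran on the same token first. The example therefore refuses to populate any variable unless the signature verifies. It assumes an HS256 shared key (a constructed demo key, chosen so the block runs offline; tokens from the openid-configuration in the request would be RS256 and verified against the published keys), a constructed claim set, and the `override`/`skip` meanings of `exists-action` that other APIM policies use.

```python
import base64
import hashlib
import hmac
import json
from typing import Iterable, Optional, Tuple

# Constructed demo key; in practice the verification key comes from the issuer metadata.
DEMO_KEY = b"constructed-demo-key-not-a-real-secret"


def b64url_decode(s: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    """Build a signed HS256 token. Used here only to construct sample input."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> dict:
    """Return the claims only if the HS256 signature verifies; raise ValueError otherwise.

    This is the role validate-jwt plays; AsJwt() alone does not do this.
    """
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        # The verifier pins the algorithm; the token header never chooses it.
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))


def extract_claims(
    authorization: Optional[str],
    key: bytes,
    claim_map: Iterable[Tuple[str, str, str]],
    variables: Optional[dict] = None,
) -> dict:
    """Copy selected claims into a variables dict, mirroring the proposed <claim> elements.

    claim_map entries are (claim name, variable name, exists-action) with
    exists-action in {"override", "skip"} (assumed semantics, as in set-header).
    A missing or non-Bearer Authorization header leaves the variables untouched;
    a token that fails verification raises, so nothing is extracted from it.
    """
    variables = dict(variables or {})
    if not authorization:
        return variables
    parts = authorization.split(" ")  # same shape as Split(' ') in the policy expression
    if len(parts) != 2 or parts[0] != "Bearer":
        return variables
    claims = verify_hs256(parts[1], key)  # Last() element is the token itself
    for claim_name, variable, exists_action in claim_map:
        if claim_name not in claims:
            continue  # like Claims[...].FirstOrDefault() returning null: no variable set
        if variable in variables and exists_action == "skip":
            continue
        value = claims[claim_name]
        if isinstance(value, list):  # multi-valued claim: take the first, as FirstOrDefault() would
            value = value[0] if value else None
        variables[variable] = value
    return variables


if __name__ == "__main__":
    # Constructed sample claims for a stand-alone run.
    token = make_hs256_jwt({"appid": "demo-app", "email": "user@contoso.example"}, DEMO_KEY)
    mapping = [("appid", "azureAppId", "override"), ("email", "emailAddress", "override"),
               ("cloud_instance_name", "cloudInstanceName", "override")]
    print(extract_claims("Bearer " + token, DEMO_KEY, mapping))
```

Because `extract_claims` calls `verify_hs256` before reading any claim, a tampered payload never reaches the variables; that ordering is the same one you get in APIM by placing `validate-jwt` before the `set-variable` shown above.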