Extract JWT claims to variables during validation
I'd like to be able to extract specific claims from a JWT while validating it. Here's some policy that won't work today but that I'd like to be able to write:
<openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
<claim name="appid" variable="azureAppId" exists-action="override"/>
<claim name="cloud_instance_name" variable="cloudInstanceName" exists-action="override"/>
<claim name="email" variable="emailAddress" exists-action="override"/>
With various JWT claims extracted to variables during validation, I could drive other bits of policy logic from them and pass them to the backend as required.
As suggested by Murat, this is already possible using policy expressions. That is the preferred way to access JWT data, as it allows you to simultaneously do other processing as well.
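A sketch of the policy-expression approach referred to above, added here as an illustration and not part of the original thread or of Microsoft's reply. The variable name `jwt` and the header name `X-App-Id` are assumptions chosen for the example; the claim and variable names are the ones from the request.

```xml
<policies>
  <inbound>
    <base />
    <!-- Validate first: claims are only trustworthy once this policy has succeeded.
         output-token-variable-name stores the parsed token in a context variable
         ("jwt" is an assumed name). -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  output-token-variable-name="jwt">
      <openid-config url="https://login.windows.net/contoso.onmicrosoft.com/.well-known/openid-configuration" />
    </validate-jwt>

    <!-- Copy individual claims into variables with policy expressions.
         A missing claim becomes an empty string instead of throwing. -->
    <set-variable name="azureAppId"
                  value="@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("appid", ""))" />
    <set-variable name="cloudInstanceName"
                  value="@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("cloud_instance_name", ""))" />
    <set-variable name="emailAddress"
                  value="@(((Jwt)context.Variables["jwt"]).Claims.GetValueOrDefault("email", ""))" />

    <!-- Drive policy logic from a claim: reject tokens without an appid. -->
    <choose>
      <when condition="@(string.IsNullOrEmpty((string)context.Variables["azureAppId"]))">
        <return-response>
          <set-status code="403" reason="Forbidden" />
        </return-response>
      </when>
    </choose>

    <!-- Pass the claim to the backend. exists-action="override" replaces any
         X-App-Id value the client sent, so the backend only ever sees the value
         taken from the validated token (X-App-Id is an assumed header name). -->
    <set-header name="X-App-Id" exists-action="override">
      <value>@((string)context.Variables["azureAppId"])</value>
    </set-header>
  </inbound>
  <backend><base /></backend>
  <outbound><base /></outbound>
  <on-error><base /></on-error>
</policies>
```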
Alexander Ressler commented
It seems like this might be the way to get access to the JWT output variable and then set headers: https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#authorize-access-to-operations-based-on-token-claims
Rod Myran commented
With the addition of JWE support there is no way to do this because the JWT is encrypted.
Does anyone have any suggestions?