---
title: Azure API Management policy reference - get-authorization-context | Microsoft Docs
description: Reference for the get-authorization-context policy available for use in Azure API Management. Provides policy usage, settings, and examples.
services: api-management
author: dlepow
ms.service: azure-api-management
ms.topic: reference
ms.date: 07/23/2024
ms.author: danlep
---
[!INCLUDE api-management-availability-all-tiers]
Use the `get-authorization-context` policy to get the authorization context of a specified connection (formerly called an authorization) to a credential provider that is configured in the API Management instance. The policy fetches and stores authorization and refresh tokens from the configured credential provider using the connection.
[!INCLUDE api-management-policy-generic-alert]
```xml
<get-authorization-context
    provider-id="credential provider id"
    authorization-id="connection id"
    context-variable-name="variable name"
    identity-type="managed | jwt"
    identity="JWT bearer token"
    ignore-error="true | false" />
```
Attribute | Description | Required | Default |
---|---|---|---|
`provider-id` | The credential provider resource identifier. Policy expressions are allowed. | Yes | N/A |
`authorization-id` | The connection resource identifier. Policy expressions are allowed. | Yes | N/A |
`context-variable-name` | The name of the context variable to receive the `Authorization` object. Policy expressions are allowed. | Yes | N/A |
`identity-type` | Type of identity to check against the connection's access policy. `managed`: system-assigned managed identity of the API Management instance. `jwt`: JWT bearer token specified in the `identity` attribute. Policy expressions are allowed. | No | `managed` |
`identity` | A Microsoft Entra JWT bearer token to check against the connection permissions. Ignored for `identity-type` other than `jwt`. Expected claims: audience `https://azure-api.net/authorization-manager`; `oid`: permission object ID; `tid`: permission tenant ID. Policy expressions are allowed. | No | N/A |
`ignore-error` | Boolean. If acquiring the authorization context results in an error (for example, the connection resource isn't found or is in an error state): `true`: the context variable is assigned a value of null; `false`: return 500. If you set the value to `false`, and the policy configuration includes an `on-error` section, the error is available in the `context.LastError` property. Policy expressions are allowed. | No | `false` |
The `Authorization` context variable receives an object of type `Authorization`.
```csharp
class Authorization
{
    public string AccessToken { get; }
    public IReadOnlyDictionary<string, object> Claims { get; }
}
```
Property Name | Description |
---|---|
`AccessToken` | Bearer access token to authorize a backend HTTP request. |
`Claims` | Claims returned from the authorization server's token response API (see RFC 6749, section 5.1). |
- Policy sections: inbound
- Policy scopes: global, product, API, operation
- Gateways: classic, v2, consumption
- Configure `identity-type=jwt` when the access policy for the connection is assigned to a service principal. Only `/.default` app-only scopes are supported for the JWT.
Get the token and return it to the caller:

```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="managed"
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```

Get the token with the provider and connection identifiers set dynamically from query parameters of the incoming request:

```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))"
    authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))"
    context-variable-name="auth-context"
    ignore-error="false"
    identity-type="managed" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```

Attach the token to the backend call:

```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="managed"
    ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>
```

Use the JWT bearer token from the incoming request as the identity checked against the connection's access policy, and return the token:

```xml
<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01"
    authorization-id="auth-01"
    context-variable-name="auth-context"
    identity-type="jwt"
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>
```
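The following is an added example, not one of the page's own, showing how `ignore-error="true"` changes the failure path: the policy assigns null to the context variable instead of returning 500, so the policy has to check for that null itself and fail closed before the backend is called with no credential. The provider and connection identifiers are placeholders; the backend is assumed to accept the token as a bearer header, as in the examples above.

```xml
<policies>
    <inbound>
        <base />
        <!-- Fetch the connection's token. With ignore-error="true" a missing or errored
             connection yields a null context variable rather than a 500 response. -->
        <get-authorization-context
            provider-id="PLACEHOLDER-provider-id"
            authorization-id="PLACEHOLDER-connection-id"
            context-variable-name="auth-context"
            identity-type="managed"
            ignore-error="true" />
        <choose>
            <!-- No token available: stop here with a generic error so the backend is
                 never called without a credential and no provider detail leaks to the caller. -->
            <when condition="@(((Authorization)context.Variables.GetValueOrDefault("auth-context")) == null)">
                <return-response>
                    <set-status code="503" reason="Service Unavailable" />
                    <set-header name="Content-Type" exists-action="override">
                        <value>application/json</value>
                    </set-header>
                    <set-body>{"error":"backend credential unavailable"}</set-body>
                </return-response>
            </when>
        </choose>
        <!-- Token present: attach it to the backend call only. It is deliberately not
             echoed back in the client response. -->
        <set-header name="Authorization" exists-action="override">
            <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context")).AccessToken)</value>
        </set-header>
    </inbound>
    <backend>
        <base />
    </backend>
    <outbound>
        <base />
    </outbound>
    <on-error>
        <base />
    </on-error>
</policies>
```

If you keep the default `ignore-error="false"` instead, the same failure raises an error that lands in the `on-error` section, where `context.LastError` carries the details.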
[!INCLUDE api-management-policy-ref-next-steps]