Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

Decrypt bearer token in Azure API Management to get acr_values

Tags:

https

azure

bearer-token

azure-api-management

Is there any way to decrypt a bearer token in an API management policy in order to create a condition it's acr_values, for example a tenant.

Looking at the MS documentation it does not seem possible, I would be looking to achieve something like:

        <when condition="@(context.Request.Headers["Authorization"] --DO MAGIC HERE-- .acr_values["tenant"] == "contoso" ">
            <set-backend-service base-url="http://contoso.com/api/8.2/" />
        </when>

Alternatively something like the example here but for setting the backed service:

http://devjourney.com/blog/2017/03/23/extract-jwt-claims-in-azure-api-management-policy/

Documentation I've read: https://learn.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#example-4

https://learn.microsoft.com/en-us/azure/api-management/policies/authorize-request-based-on-jwt-claims?toc=api-management/toc.json#policy

like image 289
Chris Sewell Avatar asked Sep 20 '25 21:09

Chris Sewell

2 Answers

Did you try .AsJwt() method (https://learn.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables):

<policies>
<inbound>
    <base />
    <set-header name="tenant" exists-action="append">
        <value>@{
            var jwt = context.Request.Headers.GetValueOrDefault("Authorization").AsJwt();
            return jwt?.Claims.GetValueOrDefault("tenant") ?? "unknown";
        }</value>
    </set-header>
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
            <set-backend-service base-url="http://contoso.com/api/8.2/" />
        </when>
    </choose>
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>

Also I'm not sure if you need it as a header to backend request, if not consider using set-variable policy.

like image 71
Vitaliy Kurokhtin Avatar answered Sep 22 '25 21:09

Vitaliy Kurokhtin

A few years have passed since this has been answered, but as I found a less verbose solution, without actually modifying the request headers, i thought it would be nice to share for others:

<set-variable name="tenant" value="@{
        var authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
        return authHeader.AsJwt()?.Claims.GetValueOrDefault("tenant", "");
}" />
...
<choose>
    <when condition="@(context.Variables.GetValueOrDefault("tenant", "") == "your-tenant-id")">
like image 36
Tobi Avatar answered Sep 22 '25 19:09

Tobi

Sign in to Comment

Related questions

How do I get ASPNET WebAPI working with Microsoft.Owin.Host.HttpListener on an Azure worker role using an IoC container?
How to create and save a temporary file on Microsoft Azure virtual server
Azure API Management - How to send body along with my request
How do you restrict access to Azure Web App by incoming header value?
How to mount a shared volume onto an Azure Container App instance using terraform
How to set selected networks in StorageAccount via ARM Template
Can you rate limit an Azure Function or output of a Storage Queue?
Do we need multiple Azure API management instances? for DEV, UAT, PROD environment? [yes we do. contains solution]
Invalid Audience when protecting Azure Function with App Service Authentication (EasyAuth) and a Custom OpenID Provider
How to compare azure resources configuration
Cannot register Azure Integration Runtime
Does ARM template overwrite existing resource created by script?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!