Get authorization context

Article
08/19/2024

APPLIES TO: All API Management tiers

Use the get-authorization-context policy to get the authorization context of a specified connection (preview) (formerly called an authorization) to a credential provider that is configured in the API Management instance.

The policy fetches and stores authorization and refresh tokens from the configured credential provider using the connection.

Note

Set a policy's elements and child elements in the order provided in the policy statement. Learn more about how to set or edit API Management policies.

Policy statement

<get-authorization-context
    provider-id="credential provider id" 
    authorization-id="connection id" 
    context-variable-name="variable name" 
    identity-type="managed | jwt"
    identity="JWT bearer token"
    ignore-error="true | false" />

Attributes

Attribute	Description	Required	Default
provider-id	The credential provider resource identifier. Policy expressions are allowed.	Yes	N/A
authorization-id	The connection resource identifier. Policy expressions are allowed.	Yes	N/A
context-variable-name	The name of the context variable to receive the `Authorization` object. Policy expressions are allowed.	Yes	N/A
identity-type	Type of identity to check against the connection's access policy. - `managed`: system-assigned managed identity of the API Management instance. - `jwt`: JWT bearer token specified in the `identity` attribute. Policy expressions are allowed.	No	`managed`
identity	A Microsoft Entra JWT bearer token to check against the connection permissions. Ignored for `identity-type` other than `jwt`. Expected claims: - audience: `https://azure-api.cn/authorization-manager` - `oid`: Permission object ID - `tid`: Permission tenant ID Policy expressions are allowed.	No	N/A
ignore-error	Boolean. If acquiring the authorization context results in an error (for example, the connection resource isn't found or is in an error state): - `true`: the context variable is assigned a value of null. - `false`: return `500` If you set the value to `false`, and the policy configuration includes an `on-error` section, the error is available in the `context.LastError` property. Policy expressions are allowed.	No	`false`

Authorization object

The Authorization context variable receives an object of type Authorization.

class Authorization
{
    public string AccessToken { get; }
    public IReadOnlyDictionary<string, object> Claims { get; }
}

Property Name	Description
AccessToken	Bearer access token to authorize a backend HTTP request.
Claims	Claims returned from the authorization server's token response API (see RFC6749#section-5.1).

Usage

Policy sections: inbound
Policy scopes: global, product, API, operation
Gateways: classic, consumption

Usage notes

Configure identity-type=jwt when the access policy for the connection is assigned to a service principal. Only /.default app-only scopes are supported for the JWT.

Examples

Get token back

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Get token back with dynamically set attributes

<!-- Add to inbound policy. -->
<get-authorization-context 
  provider-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationProviderId"))" 
  authorization-id="@(context.Request.Url.Query.GetValueOrDefault("authorizationId"))" context-variable-name="auth-context" 
  ignore-error="false" 
  identity-type="managed" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Attach the token to the backend call

<!-- Add to inbound policy. -->
<get-authorization-context
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="managed" 
    ignore-error="false" />
<!-- Attach the token to the backend call -->
<set-header name="Authorization" exists-action="override">
    <value>@("Bearer " + ((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</value>
</set-header>

Get token from incoming request and return token

<!-- Add to inbound policy. -->
<get-authorization-context 
    provider-id="github-01" 
    authorization-id="auth-01" 
    context-variable-name="auth-context" 
    identity-type="jwt" 
    identity="@(context.Request.Headers["Authorization"][0].Replace("Bearer ", ""))"
    ignore-error="false" />
<!-- Return the token -->
<return-response>
    <set-status code="200" />
    <set-body template="none">@(((Authorization)context.Variables.GetValueOrDefault("auth-context"))?.AccessToken)</set-body>
</return-response>

Authentication and authorization

Next steps

For more information about working with policies, see:

Tutorial: Transform and protect your API
Policy reference for a full list of policy statements and their settings
Policy expressions
Set or edit policies
Policy samples