I am attempting to validate that a passed-in JWT token has the scopes "labresults.read" and "user_impersonation". I wrote the following policy snippet:
<validate-jwt header-name="Authorization" failed-validation-httpcode="401" failed-validation-error-message="Invalid JWT Token" require-signed-tokens="true">
    <openid-config url="(snip)" />
    <audiences>
        <audience>(snip)</audience>
    </audiences>
    <required-claims>
        <claim name="scp" match="all">
            <value>labresults.read</value>
            <value>user_impersonation</value>
        </claim>
    </required-claims>
</validate-jwt>
I pass in a token that looks like:
{
    "iss": "(snip)",
    "exp": 1522334650,
    "nbf": 1522331050,
    "aud": "(snip)",
    "sub": "(snip)",
    "email": "(snip)",
    "name": "Scott Chamberlain",
    "scp": "labresults.read user_impersonation",
    "azp": "(snip)",
    "ver": "1.0",
    "iat": 1522331050
}
When I do a "Try It" from the developer portal and look at the trace, the on-error section reports:

validate-jwt (648 ms) {
    "message": "JWT Validation Failed: Claim value mismatch: scp=labresults.read.."
}
Am I forced to use a single claim of

<claim name="scp">
    <value>labresults.read user_impersonation</value>
</claim>
I really would not like to, as I do not want to force the consumers of this API to pass only those two scopes, and in that specific order.
What do I need to do to validate the scopes the proper way?
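The trace in the question shows the policy comparing the whole "scp" string against each listed value, which is why "labresults.read user_impersonation" never equals "labresults.read". A correct scope check has to split the multi-valued claim on its separator first and then test set membership, so that order and extra scopes do not matter (in Azure API Management's validate-jwt policy this is what the `separator` attribute on the `<claim>` element is for). The following Python is an added example, not part of the question and not API Management's own code; it models both behaviours against a constructed token payload (the "(snip)" values are replaced with placeholders) and also handles issuers that emit "scp" as a JSON array rather than a space-delimited string.

```python
"""
Scope checks for a multi-valued "scp" claim.

Added example, not from the original question or from Azure API Management.
Two evaluation strategies are shown:

  * whole_string_match(): the entire claim value must equal a required
    value. With two <value> entries and match="all" this can never succeed
    for a space-delimited claim, matching the "Claim value mismatch" trace.
  * split_match(): split the claim on a separator, then require every
    listed scope (match="all") or at least one (match="any"), regardless of
    order or of additional scopes in the token.
"""

# Constructed token payload; signature, audience and expiry checks are out
# of scope for this example. Placeholder values stand in for "(snip)".
TOKEN = {
    "iss": "https://issuer.example/PLACEHOLDER",
    "aud": "api://PLACEHOLDER",
    "scp": "labresults.read user_impersonation",
}

REQUIRED_SCOPES = ["labresults.read", "user_impersonation"]


def _combine(hits, match):
    """Apply the match="all" / match="any" rule to a list of booleans."""
    if match not in ("all", "any"):
        raise ValueError("match must be 'all' or 'any'")
    if not hits:
        return False
    return all(hits) if match == "all" else any(hits)


def whole_string_match(payload, claim, required, match="all"):
    """Naive check: compare the full claim value with each required value."""
    value = payload.get(claim)
    if value is None:
        return False
    return _combine([value == r for r in required], match)


def present_scopes(payload, claim="scp", separator=" "):
    """Return the set of scopes carried by the claim.

    Handles both the space-delimited string form ("a b c") and the JSON
    array form (["a", "b", "c"]) that some issuers use. Empty fragments
    from repeated separators are dropped.
    """
    value = payload.get(claim)
    if value is None:
        return set()
    if isinstance(value, list):
        return {str(v).strip() for v in value if str(v).strip()}
    return {s for s in str(value).split(separator) if s}


def split_match(payload, claim, required, match="all", separator=" "):
    """Separator-aware check: split first, then test set membership."""
    present = present_scopes(payload, claim, separator)
    return _combine([r in present for r in required], match)


def missing_scopes(payload, claim, required, separator=" "):
    """Scopes from `required` that the token lacks, in the order listed.

    Useful for building a precise 401/403 message when match="all" fails.
    """
    present = present_scopes(payload, claim, separator)
    return [r for r in required if r not in present]


if __name__ == "__main__":
    print("whole-string match:", whole_string_match(TOKEN, "scp", REQUIRED_SCOPES))
    print("split match:      ", split_match(TOKEN, "scp", REQUIRED_SCOPES))
    print("missing:          ", missing_scopes({"scp": "labresults.read"}, "scp", REQUIRED_SCOPES))
```

`whole_string_match` only succeeds with the single-value workaround from the question (one `<value>` containing the exact concatenated string), which is precisely the coupling to order and scope count the asker wants to avoid; `split_match` accepts the same token with the scopes reversed or with extra scopes appended.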