Decrypt bearer token in Azure API Management to get acr_values

2
votes

Is there any way to decrypt a bearer token in an API management policy in order to create a condition it's acr_values, for example a tenant.

Looking at the MS documentation it does not seem possible, I would be looking to achieve something like:

        <when condition="@(context.Request.Headers["Authorization"] --DO MAGIC HERE-- .acr_values["tenant"] == "contoso" ">
            <set-backend-service base-url="http://contoso.com/api/8.2/" />
        </when>

Alternatively something like the example here but for setting the backed service:

http://devjourney.com/blog/2017/03/23/extract-jwt-claims-in-azure-api-management-policy/

Documentation I've read: https://docs.microsoft.com/en-us/azure/api-management/api-management-transformation-policies#example-4

https://docs.microsoft.com/en-us/azure/api-management/policies/authorize-request-based-on-jwt-claims?toc=api-management/toc.json#policy

3
azurehttpsazure-api-managementbearer-token

3 Answers

3
votes

Ok so I got it working in a very hacky way, you can set vales of the decrypted token in the header and then set conditions on that header.

<policies>
<inbound>
    <base />
    <set-header name="tenant" exists-action="append">
        <value>@{
            string tenant = "unknown";
            string authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
            if (authHeader?.Length > 0)
            {
                string[] authHeaderParts = authHeader.Split(' ');
                if (authHeaderParts?.Length == 2 && authHeaderParts[0].Equals("Bearer", StringComparison.InvariantCultureIgnoreCase))
                {
                    Jwt jwt;
                    if (authHeaderParts[1].TryParseJwt(out jwt))
                    {
                        tenant = (jwt.Claims.GetValueOrDefault("tenant", "unknown"));
                    }
                }
            }
            return tenant;
            }</value>
    </set-header>
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
            <set-backend-service base-url="http://contoso.com/api/8.2/" />
        </when>
    </choose>
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>

3
votes

Did you try .AsJwt() method (https://docs.microsoft.com/en-us/azure/api-management/api-management-policy-expressions#ContextVariables):

<policies>
<inbound>
    <base />
    <set-header name="tenant" exists-action="append">
        <value>@{
            var jwt = context.Request.Headers.GetValueOrDefault("Authorization").AsJwt();
            return jwt?.Claims.GetValueOrDefault("tenant") ?? "unknown";
        }</value>
    </set-header>
    <choose>
        <when condition="@(context.Request.Headers.GetValueOrDefault("tenant", "unknown") == "some-tenant" )">
            <set-backend-service base-url="http://contoso.com/api/8.2/" />
        </when>
    </choose>
</inbound>
<backend>
    <base />
</backend>
<outbound>
    <base />
</outbound>
<on-error>
    <base />
</on-error>

Also I'm not sure if you need it as a header to backend request, if not consider using set-variable policy.

0
votes

A few years have passed since this has been answered, but as I found a less verbose solution, without actually modifying the request headers, i thought it would be nice to share for others:

<set-variable name="tenant" value="@{
        var authHeader = context.Request.Headers.GetValueOrDefault("Authorization", "");
        return authHeader.AsJwt()?.Claims.GetValueOrDefault("tenant", "");
}" />
...
<choose>
    <when condition="@(context.Variables.GetValueOrDefault("tenant", "") == "your-tenant-id")">