Validation JWT token in header AND in query string

  • Question

  • I am currently using the validate-jwt policy for validation. However, the need has come up for some calls to be able to pass the access token via the URL (serving up secure images).

    I see the validate-jwt policy can be set up with an attribute for header OR query string. But how do I do both without creating a bunch of different policies for these specific calls? I started looking at how to extract the token from the query string and, if present, override the Auth header with the value. But that might get messy.

    Is there a better/simpler way to allow for this? Has anyone had to do this, and is there any example code you can share?

    https://docs.microsoft.com/en-us/azure/api-management/api-management-access-restriction-policies#ValidateJWT

    Thursday, August 10, 2017 10:21 PM

Answers

  • I think I got it working. It doesn't seem pretty to me, but it seems like it's grabbing the query string when present and overriding the header. Can you look at this and see if this makes sense?

    <!-- Copy the access_token query parameter (null when absent) into a policy variable -->
    <set-variable name="authToken" value="@(context.Request.Url.Query.GetValueOrDefault("access_token"))" />
    <choose>
        <!-- Only when the query string carried a token: replace whatever Authorization header was sent -->
        <when condition="@(context.Request.Url.Query.GetValueOrDefault("access_token") != null)">
            <set-header name="Authorization" exists-action="override">
                <value>@{ return "Bearer " + context.Variables.GetValueOrDefault("authToken"); }</value>
            </set-header>
        </when>
    </choose>

    • Marked as answer by johhnygoode Saturday, August 12, 2017 11:43 AM
    Friday, August 11, 2017 2:00 PM
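The accepted answer only shows the header-promotion step. The fragment below is an added example, not code from the thread or from Microsoft's documentation, that puts that step into a complete `<inbound>` section: the query-string token is promoted into the Authorization header, a single validate-jwt then validates the header regardless of how the token arrived, and the parameter is stripped before the request is forwarded so the token does not land in the backend's access logs. The OpenID configuration URL and audience are placeholders; the empty-string default and `IsNullOrEmpty` check are my choice so that `?access_token=` with no value falls through to the header instead of producing a `Bearer ` header with nothing after it.

```xml
<!-- Added example (not from the thread). Assumed: this policy is scoped to the
     image operation(s) that need URL tokens; TENANT_ID_PLACEHOLDER and
     AUDIENCE_PLACEHOLDER must be replaced with real values. -->
<inbound>
    <base />
    <!-- Step 1: read the query-string token, defaulting to "" when it is absent.
         GetValueOrDefault(name, default) returns the parameter value or the default. -->
    <set-variable name="authToken" value="@(context.Request.Url.Query.GetValueOrDefault("access_token", ""))" />
    <choose>
        <!-- Step 2: only a non-empty query token replaces the header.
             exists-action="override" means a query token wins over a header token
             when a client sends both. -->
        <when condition="@(!string.IsNullOrEmpty(context.Variables.GetValueOrDefault<string>("authToken")))">
            <set-header name="Authorization" exists-action="override">
                <value>@("Bearer " + context.Variables.GetValueOrDefault<string>("authToken"))</value>
            </set-header>
        </when>
    </choose>
    <!-- Step 3: one validation point, header only. Missing, unsigned, expired or
         wrong-audience tokens are rejected here whichever way they were sent. -->
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  require-signed-tokens="true">
        <openid-config url="https://login.microsoftonline.com/TENANT_ID_PLACEHOLDER/.well-known/openid-configuration" />
        <audiences>
            <audience>AUDIENCE_PLACEHOLDER</audience>
        </audiences>
    </validate-jwt>
    <!-- Step 4: the token has done its job; remove it from the URL so the backend
         never sees or logs it. -->
    <set-query-parameter name="access_token" exists-action="delete" />
</inbound>
```

Because a token in a URL is copied into browser history, proxy and web-server logs and Referer headers in a way a header value is not, keep the query-string path enabled only on the operations that genuinely need it (the image endpoints) and issue short-lived tokens for those calls; the header-only path stays the default for everything else.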

All replies

  • Do click on "Mark as Answer" on the post that helps you, this can be beneficial to other community members.


    • Proposed as answer by Swikruti Bose Friday, August 11, 2017 5:25 AM
    Friday, August 11, 2017 5:25 AM
  • Yes, it's the built-in method, but it only seems to allow one method or the other: passing the token in the header, or in the query string.

    I'm looking for a way to support both at the same time. Are you saying my theory of grabbing the query string first and overriding the header is the best bet? Can you point me to any example of extracting a query string element and setting it as a header? I can't find enough examples in the documentation to make the connection.

    Friday, August 11, 2017 1:30 PM
  • Yes, what you have tried is the only way to do this.


    Tuesday, August 15, 2017 8:08 AM