Skip to content

Instantly share code, notes, and snippets.

@ZakiMohammed
Created December 27, 2023 13:47
Show Gist options
  • Save ZakiMohammed/e72a2d7c406cc9247aa5e6074a439e69 to your computer and use it in GitHub Desktop.
Save ZakiMohammed/e72a2d7c406cc9247aa5e6074a439e69 to your computer and use it in GitHub Desktop.
Validate Jwt Policy Fragment
<policies>
<inbound>
<base />
<!-- policy -->
<validate-jwt
header-name="Authorization"
failed-validation-httpcode="401"
failed-validation-error-message="Unauthorized"
require-scheme="Bearer"
output-token-variable-name="output-token">
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration/" />
<audiences>
<audience>f0047ad9-83fb-4a82-8167-d253b0dfb0c3</audience>
<audience>08c06aea-ea55-48d4-9611-a43c53bf0955</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/31537af4-6d77-4bb9-a681-d2394888ea26/v2.0</issuer>
</issuers>
</validate-jwt>
<!-- custom-headers -->
<set-header name="CO-Jwt-Token" exists-action="override">
<value>@(JsonConvert.SerializeObject(((Jwt)context.Variables["output-token"])))</value>
</set-header>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
<policies>
<inbound>
<base />
<!-- policy -->
<validate-jwt
header-name="Authorization"
failed-validation-httpcode="401"
failed-validation-error-message="Unauthorized"
require-scheme="Bearer"
output-token-variable-name="output-token">
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration/" />
<audiences>
<audience>f0047ad9-83fb-4a82-8167-d253b0dfb0c3</audience>
<audience>08c06aea-ea55-48d4-9611-a43c53bf0955</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/31537af4-6d77-4bb9-a681-d2394888ea26/v2.0</issuer>
</issuers>
</validate-jwt>
<!-- custom-headers -->
<choose>
<when condition='@((Jwt)context.Variables["output-token"] != null)'>
<set-header name="CO-Jwt-Token" exists-action="override">
<value>@(JsonConvert.SerializeObject(((Jwt)context.Variables["output-token"])))</value>
</set-header>
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
<policies>
<inbound>
<base />
<!-- policy -->
<validate-jwt
header-name="Authorization"
failed-validation-httpcode="401"
failed-validation-error-message="Unauthorized"
require-scheme="Bearer"
output-token-variable-name="output-token">
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration/" />
<audiences>
<audience>f0047ad9-83fb-4a82-8167-d253b0dfb0c3</audience>
<audience>08c06aea-ea55-48d4-9611-a43c53bf0955</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/31537af4-6d77-4bb9-a681-d2394888ea26/v2.0</issuer>
</issuers>
</validate-jwt>
<!-- custom-headers -->
<choose>
<when condition='@(!string.IsNullOrEmpty((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("username")))'>
<set-header name="CO-Username" exists-action="override">
<value>@((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("username"))</value>
</set-header>
</when>
</choose>
<choose>
<when condition='@(!string.IsNullOrEmpty((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("email")))'>
<set-header name="CO-Email" exists-action="override">
<value>@((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("email"))</value>
</set-header>
</when>
</choose>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
<policies>
<inbound>
<base />
<include-fragment fragment-id="ValidateJwtFragment" />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
<fragment>
<!-- policy -->
<validate-jwt
header-name="Authorization"
failed-validation-httpcode="401"
failed-validation-error-message="Unauthorized"
require-scheme="Bearer"
output-token-variable-name="output-token">
<openid-config url="https://login.microsoftonline.com/contoso.onmicrosoft.com/v2.0/.well-known/openid-configuration/" />
<audiences>
<audience>f0047ad9-83fb-4a82-8167-d253b0dfb0c3</audience>
<audience>08c06aea-ea55-48d4-9611-a43c53bf0955</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/31537af4-6d77-4bb9-a681-d2394888ea26/v2.0</issuer>
</issuers>
</validate-jwt>
<!-- custom-headers -->
<choose>
<when condition='@(!string.IsNullOrEmpty((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("username")))'>
<set-header name="CO-Username" exists-action="override">
<value>@((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("username"))</value>
</set-header>
</when>
</choose>
<choose>
<when condition='@(!string.IsNullOrEmpty((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("email")))'>
<set-header name="CO-Email" exists-action="override">
<value>@((string)((Jwt)context.Variables["output-token"]).Claims.GetValueOrDefault("email"))</value>
</set-header>
</when>
</choose>
</fragment>
<policies>
<inbound>
<base />
<!-- policy -->
<validate-jwt
header-name="Authorization"
failed-validation-httpcode="401"
failed-validation-error-message="Unauthorized"
require-scheme="Bearer"
output-token-variable-name="output-token">
<openid-config url="https://login.microsoftonline.com/#{YOUR_TENANT_ID_1}#/v2.0/.well-known/openid-configuration/" />
<openid-config url="https://login.microsoftonline.com/#{YOUR_TENANT_ID_2}#/v2.0/.well-known/openid-configuration/" />
<audiences>
<audience>#{YOUR_AUDIENCE_1}#</audience>
<audience>#{YOUR_AUDIENCE_2}#</audience>
</audiences>
<issuers>
<issuer>https://login.microsoftonline.com/#{YOUR_TENANT_ID_1}#/v2.0</issuer>
<issuer>https://login.microsoftonline.com/#{YOUR_TENANT_ID_2}#/v2.0</issuer>
</issuers>
</validate-jwt>
<!-- custom-headers -->
<set-header name="CO-Jwt-Token" exists-action="override">
<value>@(JsonConvert.SerializeObject(((Jwt)context.Variables["output-token"])))</value>
</set-header>
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
</outbound>
<on-error>
<base />
</on-error>
</policies>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment