adrian_hall we tried the policy fragment route, but soon hit a wall because the multi-valued claim check simply doesn't work in the new validate-azure-ad-token policy. To be precise, this won't work:
<fragment>
    <validate-azure-ad-token tenant-id="contoso.onmicrosoft.com" failed-validation-error-message="Invalid Access token ">
        <client-application-ids>
            <application-id>ABC</application-id>
        </client-application-ids>
        <audiences>
            <audience>api://XYZ</audience>
        </audiences>
        <required-claims>
            <claim name="roles" match="all" separator=",">
                <!-- When I set a variable outside of the policy fragment and send it here with the exact same claims, I get a 401 error -->
                <value>Claim1,Claim2,Claim3</value>
            </claim>
        </required-claims>
    </validate-azure-ad-token>
</fragment>
This is how I reference the fragment policy:
<set-variable name="Claims" value="Claim1,Claim2,Claim3" />
<include-fragment fragment-id="PolicyFragment-ClaimsValidation" />
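A local debugging check, added here and not part of the original post or of API Management itself: it decodes the access token's payload offline and applies the match="all" / match="any" and separator semantics that the policy's claim attributes describe, so you can confirm what the roles claim actually carries before changing the fragment. The two sample tokens are constructed and unsigned (one with roles as a JSON array, as Azure AD issues app roles, one as a comma-separated string, the case separator="," is for). The required values are passed as a Python list rather than a comma-separated string, so the helper makes no assumption about how the policy splits its <value> element. It never verifies a signature; it is for inspecting claims only.

```python
import base64
import json
from typing import Iterable, List, Optional, Set


def _b64url(obj) -> str:
    """Base64url-encode a JSON object without padding (JWT segment format)."""
    raw = json.dumps(obj, separators=(",", ":")).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


# Constructed sample: an unsigned JWT whose payload carries "roles" as a JSON
# array, the shape Azure AD uses for app roles. The signature segment is empty
# because this helper only inspects claims; it never validates the token.
SAMPLE_TOKEN = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "api://XYZ", "roles": ["Claim1", "Claim2", "Claim3"]}),
    "",
])

# Constructed variant: roles as one comma-separated string, which is the case
# the policy's separator="," attribute is meant to split. Claim3 is missing.
SAMPLE_TOKEN_CSV = ".".join([
    _b64url({"alg": "none", "typ": "JWT"}),
    _b64url({"aud": "api://XYZ", "roles": "Claim1,Claim2"}),
    "",
])


def decode_payload(token: str) -> dict:
    """Return the payload claims of a compact JWT. No signature check."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    segment = parts[1] + "=" * (-len(parts[1]) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(segment))


def claim_values(claims: dict, name: str, separator: Optional[str] = None) -> Set[str]:
    """Normalize one claim to a set of strings.

    A JSON array is taken as-is; a scalar string is split on `separator`
    when one is given, otherwise treated as a single value.
    """
    value = claims.get(name)
    if value is None:
        return set()
    if isinstance(value, list):
        return {str(v) for v in value}
    if separator:
        return {part.strip() for part in str(value).split(separator) if part.strip()}
    return {str(value)}


def required_claim_satisfied(claims: dict, name: str, required: Iterable[str],
                             match: str = "all", separator: Optional[str] = None) -> bool:
    """Mirror the <claim match="all|any"> check on already-decoded claims."""
    present = claim_values(claims, name, separator)
    wanted = set(required)
    if match == "all":
        return wanted <= present
    if match == "any":
        return bool(wanted & present)
    raise ValueError(f"unknown match mode: {match}")


def missing_values(claims: dict, name: str, required: Iterable[str],
                   separator: Optional[str] = None) -> List[str]:
    """Required values the token does not carry, sorted for stable output."""
    return sorted(set(required) - claim_values(claims, name, separator))


if __name__ == "__main__":
    wanted = ["Claim1", "Claim2", "Claim3"]
    for label, tok in [("array", SAMPLE_TOKEN), ("csv", SAMPLE_TOKEN_CSV)]:
        claims = decode_payload(tok)
        print(label,
              "all:", required_claim_satisfied(claims, "roles", wanted, "all", ","),
              "any:", required_claim_satisfied(claims, "roles", wanted, "any", ","),
              "missing:", missing_values(claims, "roles", wanted, ","))
```

Run it against a real access token (paste it in place of the constructed samples) to see whether roles arrives as an array or a string and which required values are absent; a 401 from the policy with all values present points at the policy configuration rather than the token.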