articles/api-management/api-management-access-restriction-policies.md (12 additions & 10 deletions)
@@ -26,8 +26,8 @@ This article provides a reference for API Management access restriction policies
26
26
-[Restrict caller IPs](#RestrictCallerIPs) - Filters (allows/denies) calls from specific IP addresses and/or address ranges.
27
27
-[Set usage quota by subscription](#SetUsageQuota) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
28
28
-[Set usage quota by key](#SetUsageQuotaByKey) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
29
-
-[Validate Azure Active Directory Token](#ValidateAAD) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP Header, query parameter, or token value.
30
-
-[Validate JWT](#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP header or a specified query parameter.
29
+
-[Validate Azure Active Directory token](#ValidateAAD) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP header, query parameter, or token value.
30
+
-[Validate JWT](#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP header, query parameter, or token value.
31
31
-[Validate client certificate](#validate-client-certificate) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
32
32
33
33
> [!TIP]
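Review bot: the Validate JWT summary now promises a third token source ("or token value"), but this diff only touches the `validate-azure-ad-token` section, whose attribute table below does document `token-value`; please confirm the `validate-jwt` section's policy statement and attribute table in this file also carry a `token-value` attribute, otherwise the summary over-promises and the `#ValidateJWT` anchor leads to a section that contradicts it.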
@@ -561,7 +561,7 @@ This policy can be used in the following policy [sections](./api-management-howt
561
561
562
562
## <aname="ValidateAAD"></a> Validate Azure Active Directory token
563
563
564
-
The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Azure Active Directory service. The JWT can be extracted from a specified HTTP header, query parameter, or provided using a policy expression or context variable.
564
+
The `validate-azure-ad-token` policy enforces the existence and validity of a JSON web token (JWT) that was provided by the Azure Active Directory service. The JWT can be extracted from a specified HTTP header, query parameter, or value provided using a policy expression or context variable.
565
565
566
566
### Policy statement
567
567
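Review bot: the new wording drops the article; "or a value provided using a policy expression or context variable" reads correctly and parallels "a specified HTTP header" earlier in the sentence.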
@@ -571,15 +571,15 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
571
571
header-name="name of HTTP header containing the token (alternatively, use query-parameter-name or token-value attribute to specify token)"
572
572
query-parameter-name="name of query parameter used to pass the token (alternative, use header-name or token-value attribute to specify token)"
573
573
token-value="expression returning the token as a string (alternatively, use header-name or query-parameter attribute to specify token)"
574
-
failed-validation-httpcode="http status code to return on failure"
574
+
failed-validation-httpcode="HTTP status code to return on failure"
575
575
failed-validation-error-message="error message to return on failure"
576
576
output-token-variable-name="name of a variable to receive a JWT object representing successfully validated token">
577
577
<client-application-ids>
578
-
<application-id>Client Application ID from Azure Active Directory</application-id>
578
+
<application-id>Client application ID from Azure Active Directory</application-id>
579
579
<!-- If there are multiple client application IDs, then add additional application-id elements -->
580
580
</client-application-ids>
581
581
<backend-application-ids>
582
-
<application-id>Backend Application ID from Azure Active Directory</application-id>
582
+
<application-id>Backend application ID from Azure Active Directory</application-id>
583
583
<!-- If there are multiple backend application IDs, then add additional application-id elements -->
584
584
</backend-application-ids>
585
585
<audiences>
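Review bot: the `token-value` line at the top of this hunk tells the reader to use a `query-parameter` attribute, but the attribute is named `query-parameter-name` (the `header-name` line two above gets it right), and the `query-parameter-name` line says "(alternative, use" where the other two say "(alternatively, use"; since this hunk is already normalizing capitalization in the same policy statement, fold both fixes in so all three alternatives are spelled the same way.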
@@ -589,7 +589,7 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
589
589
<required-claims>
590
590
<claimname="name of the claim as it appears in the token"match="all|any"separator="separator character in a multi-valued claim">
591
591
<value>claim value as it is expected to appear in the token</value>
592
-
<!-- if there is more than one allowed values, then add additional value elements -->
592
+
<!-- if there is more than one allowed value, then add additional value elements -->
593
593
</claim>
594
594
<!-- if there are multiple possible allowed values, then add additional value elements -->
595
595
</required-claims>
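Review bot: the comment after `</claim>` ("if there are multiple possible allowed values, then add additional value elements") duplicates the comment just corrected inside the `claim` element and sits where additional `claim` elements, not `value` elements, would go; change it to "if there are multiple required claims, then add additional claim elements" or remove it.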
@@ -600,7 +600,7 @@ The `validate-azure-ad-token` policy enforces the existence and validity of a JS
600
600
601
601
#### Simple token validation
602
602
603
-
The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the `Authorization` header using the `Bearer` scheme.
603
+
The following policy is the minimal form of the `validate-azure-ad-token` policy. It expects the JWT to be provided in the `Authorization` header using the `Bearer` scheme. In this example, the Azure AD tenant ID and client application ID are provided using named values.
@@ -612,7 +612,9 @@ The following policy is the minimal form of the `validate-azure-ad-token` policy
612
612
613
613
#### Validate that audience and claim are correct
614
614
615
-
The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The decoded JWT is provided in the `jwt` variable after validation. For more details on optional claims, read [Provide optional claims to your app](/azure/active-directory/develop/active-directory-optional-claims).
615
+
The following policy checks that the audience is the hostname of the API Management instance and that the `ctry` claim is `US`. The hostname is provided using a policy expression, and the Azure AD tenant ID and client application ID are provided using named values. The decoded JWT is provided in the `jwt` variable after validation.
616
+
617
+
For more details on optional claims, read [Provide optional claims to your app](/azure/active-directory/develop/active-directory-optional-claims).
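Review bot: the reworded lead-in still presents `ctry` as just another claim; since it is an optional claim (which is why the optional-claims link is there), a token from an app registration that has not enabled it will simply lack the claim and fail the required-claims check with the default 401, so one clause such as "`ctry` is an optional claim and must be enabled on the app registration" in the new paragraph would save readers a confusing failed test.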
| failed-validation-error-message | Error message to return in the HTTP response body if the JWT doesn't pass validation. This message must have any special characters properly escaped. | No | Default error message depends on validation issue, for example "JWT not present." |
648
-
| failed-validation-httpcode | HTTP Status code to return if the JWT doesn't pass validation. | No | 401 |
650
+
| failed-validation-httpcode | HTTP status code to return if the JWT doesn't pass validation. | No | 401 |
649
651
| header-name | The name of the HTTP header holding the token. | One of `header-name`, `query-parameter-name` or `token-value` must be specified. | N/A |
650
652
| match | The `match` attribute on the `claim` element specifies whether every claim value in the policy must be present in the token for validation to succeed. Possible values are:<br /><br /> - `all` - every claim value in the policy must be present in the token for validation to succeed.<br /><br /> - `any` - at least one claim value must be present in the token for validation to succeed. | No | all |
651
653
| output-token-variable-name | String. Name of context variable that will receive token value as an object of type [`Jwt`](api-management-policy-expressions.md) upon successful token validation | No | N/A |
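Review bot: the casing fix is fine; while in this table, the `output-token-variable-name` row is the only description without a terminal period and "receive token value" should read "receive the token value".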
articles/api-management/api-management-policies.md (1 addition & 1 deletion)
@@ -30,7 +30,7 @@ More information about policies:
30
30
-[Set usage quota by subscription](api-management-access-restriction-policies.md#SetUsageQuota) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per subscription basis.
31
31
-[Set usage quota by key](api-management-access-restriction-policies.md#SetUsageQuotaByKey) - Allows you to enforce a renewable or lifetime call volume and/or bandwidth quota, on a per key basis.
32
32
-[Validate Azure Active Directory Token](api-management-access-restriction-policies.md#ValidateAAD) - Enforces existence and validity of an Azure Active Directory JWT extracted from either a specified HTTP Header, query parameter, or token value.
33
-
-[Validate JWT](api-management-access-restriction-policies.md#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header or a specified query parameter.
33
+
-[Validate JWT](api-management-access-restriction-policies.md#ValidateJWT) - Enforces existence and validity of a JWT extracted from either a specified HTTP Header, query parameter, or token value.
34
34
-[Validate client certificate](api-management-access-restriction-policies.md#validate-client-certificate) - Enforces that a certificate presented by a client to an API Management instance matches specified validation rules and claims.
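Review bot: this file now diverges from the companion hunk in api-management-access-restriction-policies.md: the rewritten Validate JWT line keeps "HTTP Header" capitalized where the other file was normalized to "HTTP header", and the untouched Validate Azure Active Directory Token line keeps "Token" and "HTTP Header" capitalized while the same sentence was lowercased there; apply the same casing here so the two summaries stay identical.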