oauth 2.0 - APIM Policy to check that token has specific role - Stack Overflow


I'm using the validate-jwt policy in APIM. As a part of the verification, I want to confirm that the token has a specific role set. If I decode the token, the role appears as an array:

...
"roles": [
  "Api.Call"
],
...

How do I write this check? I've seen that you can use this syntax:

<required-claims>
   <claim name="scope" match="all" separator=",">
        <value>api1.write</value>
   </claim>
</required-claims>

But this is not a string with a specific separator, so that doesn't seem right.

Asked Feb 3 at 17:20 by MaxMax; edited Feb 4 at 3:30 by Ikhtesam Afrin.
1 Answer

You can use this:

<required-claims>
    <claim name="roles" match="any">
        <value>Api.Call</value>
    </claim>
</required-claims>
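
The role check from the answer above, placed inside a complete validate-jwt policy, as an added example that is not part of the original answer. The OpenID configuration URL and the audience value are placeholders, and pairing the role check with an audience check is an assumption about how the API should be protected.

```xml
<!-- Added example: inbound section of an APIM policy. Values marked PLACEHOLDER are not from the page. -->
<inbound>
    <base />
    <validate-jwt header-name="Authorization"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized"
                  require-expiration-time="true"
                  require-scheme="Bearer"
                  require-signed-tokens="true">
        <!-- PLACEHOLDER: OpenID configuration endpoint of the identity provider that issues the tokens -->
        <openid-config url="https://login.example.com/.well-known/openid-configuration" />
        <!-- PLACEHOLDER: accept only tokens issued for this API, so a token minted for
             another application that happens to carry the same role name is rejected -->
        <audiences>
            <audience>api://API-ID-PLACEHOLDER</audience>
        </audiences>
        <required-claims>
            <!-- No separator attribute: "roles" is a JSON array in the token, not a delimited string.
                 match="any" passes when at least one listed value is present;
                 match="all" would require every listed value to be present. -->
            <claim name="roles" match="any">
                <value>Api.Call</value>
            </claim>
        </required-claims>
    </validate-jwt>
</inbound>
```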