I would like to validate a JWT in Apigee. As I don't have access to a Java Callout I tried the new built-in VerifyJWT policy. It works to verify the token with a JWKS as well as the Issuer, but I would also like to verify that the correct scopes are included in the token, and I found two issues:
Case 1: The token has more claims than needed for the API resource, e.g.:
```json
{
  "iss": "https://d10l.eu.auth0.com/",
  "sub": "auth0|5a70e4e394059f5e7527d6b1",
  "aud": [
    "https://api.d10l.de",
    "https://d10l.eu.auth0.com/userinfo"
  ],
  "iat": 1518429498,
  "exp": 1518436698,
  "azp": "94YJaDlR5QDpaS7Em6aC02_gj6kA1Q_G",
  "scope": "openid profile https://api.d10l.de/products:write https://api.d10l.de/products:read"
}
```
And I want to check that `https://api.d10l.de/products:read` is included. It fails because the policy does a complete string comparison, so it fails if there are additional scopes in the token:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="Verify-JWT">
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <JWKS ref="cached.auth0.jwks"/>
  </PublicKey>
  <Issuer>https://d10l.eu.auth0.com/</Issuer>
  <AdditionalClaims>
    <Claim name="scope">http://api.d10l.de/products:read</Claim>
  </AdditionalClaims>
</VerifyJWT>
```
Case 2: The API can be accessed with multiple scopes, e.g. either `http://api.d10l.de/products:read` or `http://api.d10l.de/products:admin` would be OK. Something like:
```xml
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VerifyJWT name="Verify-JWT">
  <Algorithm>RS256</Algorithm>
  <Source>inbound.jwt</Source>
  <PublicKey>
    <JWKS ref="cached.auth0.jwks"/>
  </PublicKey>
  <Issuer>https://d10l.eu.auth0.com/</Issuer>
  <AdditionalClaims>
    <Claim name="scope">[http://api.d10l.de/products:read, http://api.d10l.de/products:admin]</Claim>
  </AdditionalClaims>
</VerifyJWT>
```
Again, I can only do a simple string comparison, while I would need a construct that allows checking that either of the scopes is inside the field.
Is there a way to configure those features?
Thanks, Dennis
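The two checks the question asks for (a required scope among extra scopes, and "any one of" a set of scopes), as an added example that is not part of the original post or of the VerifyJWT policy. It is plain JavaScript that runs stand-alone; the sample claims are the ones from the question, and the comment about reading the claim via a flow variable inside an Apigee JavaScript policy is an assumption about variable naming.

```javascript
// Added example: scope and audience checks on already-verified JWT claims.
// In an Apigee JavaScript policy placed after VerifyJWT you would obtain the
// claims from the policy's flow variables (e.g. context.getVariable(...));
// the exact variable names are an assumption and must be taken from the docs.

// Constructed sample: the claims from the question, after VerifyJWT has
// already checked signature, issuer and expiry.
const sampleClaims = {
  iss: "https://d10l.eu.auth0.com/",
  sub: "auth0|5a70e4e394059f5e7527d6b1",
  aud: ["https://api.d10l.de", "https://d10l.eu.auth0.com/userinfo"],
  scope: "openid profile https://api.d10l.de/products:write https://api.d10l.de/products:read"
};

// The OAuth2 "scope" claim is a space-delimited string; some issuers emit an
// array instead, so accept both and return a list of individual scopes.
function parseScopes(scopeClaim) {
  if (Array.isArray(scopeClaim)) return scopeClaim.map(String);
  if (typeof scopeClaim !== "string") return [];
  return scopeClaim.split(/\s+/).filter(s => s.length > 0);
}

// Case 1: the token may carry extra scopes; the required one must be present.
// Comparison is exact, so "http://..." will not match a token that carries
// "https://..." (note the scheme difference between the question's token and
// its policy).
function hasScope(claims, required) {
  return parseScopes(claims.scope).indexOf(required) !== -1;
}

// Case 2: any one of several acceptable scopes is sufficient.
function hasAnyScope(claims, acceptable) {
  const granted = new Set(parseScopes(claims.scope));
  return acceptable.some(s => granted.has(s));
}

// "aud" may be a string or an array; the API's own identifier must be listed,
// otherwise a token minted for another audience could be replayed here.
function hasAudience(claims, expectedAud) {
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  return aud.indexOf(expectedAud) !== -1;
}

// Combined authorization decision for one API resource.
function authorize(claims, expectedAud, acceptableScopes) {
  return hasAudience(claims, expectedAud) && hasAnyScope(claims, acceptableScopes);
}
```

Because the comparison is on the individual scope strings, the check succeeds with extra scopes in the token and accepts any one of the listed alternatives.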