Hi Folks,
I have a question about the scenario where I have an external OAuth provider, and inside the OAuth authorization we have a JWT token with information about the user, like the user's contract_id.
We use access_token for authentication and authorization.
When I call APIs from the front-end, I send the contract_id as a path parameter, request parameter, header, or whatever. It's dynamic and depends on the API in each situation. When I have this contract_id, I should decrypt the JWT token and check if this contract_id belongs to this user; if not, I return 401.
So what's the best way to do this validation, given that each API can receive this contract_id in several different ways? Can I use ExtractVariables in a global policy, set it in a variable, and have this flow validate all scenarios?
Is this the best practice for doing this?
Thanks in advance.
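An added example, not code from the original post or from Apigee: a plain Python version of the check described above, so the logic is concrete regardless of how the proxy is wired. It assumes an HS256-signed JWT carrying a contract_id claim, a constructed demo secret, and a per-API table saying where contract_id arrives (the role a single shared ExtractVariables configuration would play); the routes and secret are constructed for the demo.

```python
import base64, hashlib, hmac, json
# Constructed demo secret (assumption); real verification keys come from the OAuth provider.
HMAC_SECRET = b"demo-secret-not-for-production"
# Assumed per-API map of where contract_id arrives (the analogue of one shared
# ExtractVariables configuration); the routes are constructed for this demo.
CONTRACT_ID_SOURCES = {
    "GET /contracts/{contract_id}/invoices": ("path", "contract_id"),
    "GET /invoices": ("query", "contract_id"),
    "POST /payments": ("header", "x-contract-id"),
}

def _b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_jwt_hs256(token, secret):
    """Check the HS256 signature and return the claims; raise ValueError otherwise."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    if json.loads(_b64url_decode(header_b64)).get("alg") != "HS256":
        raise ValueError("unexpected alg")  # refuse 'none' and algorithm substitution
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))

def extract_contract_id(api, path_params, query, headers):
    """Pull contract_id from wherever this API carries it (header names assumed lower-cased)."""
    location, name = CONTRACT_ID_SOURCES.get(api, ("none", ""))  # unknown API -> None -> deny
    return {"path": path_params, "query": query, "header": headers}.get(location, {}).get(name)

def is_authorized(api, token, path_params, query, headers):
    """True only if the token verifies AND its contract_id equals the one in the request."""
    try:
        claims = verify_jwt_hs256(token, HMAC_SECRET)
    except ValueError:
        return False  # no valid token: reject
    requested = extract_contract_id(api, path_params, query, headers)
    claimed = claims.get("contract_id")
    if requested is None or claimed is None:
        return False  # a missing identifier on either side is a deny, never a pass
    return hmac.compare_digest(str(requested).encode(), str(claimed).encode())

def make_token(claims, secret):
    """Build a signed HS256 token so the check can be exercised offline (demo only)."""
    enc = lambda b: base64.urlsafe_b64encode(b).rstrip(b"=").decode()
    head, body = enc(json.dumps({"alg": "HS256", "typ": "JWT"}).encode()), enc(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{enc(sig)}"
```

The same is_authorized call runs for every route, so the per-API differences live only in the source table, which is the property a global policy needs.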