Hi community,
Can the OASValidation policy be used to enforce that a JWT access token (or introspection response) contains the specific scopes required in the OpenAPI spec? This would be a great and efficient solution to enforce the presence of scopes, and it would avoid custom logic in proxies to enforce the presence of specific scopes for resources or operations.
paths:
  /users:
    get:
      summary: Get a list of users
      security:
        - OAuth2: [read]

security:
  - OAuth2:
      - read
      - write
I assume that this is not yet possible; the docs (https://docs.apigee.com/api-platform/reference/policies/oas-validation-policy) don't mention a word about scope validation.
Looking forward to your feedback!
@dchiesa1 maybe this is something you have more info about?
Verifying scopes through OAS validation would make life so much easier!
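For readers who want to see exactly what "enforcing the scopes declared in OpenAPI" means, here is an added example (not from the original post, and not Apigee's or the OASValidation policy's own code) of the custom check the question hopes to avoid. It encodes the OpenAPI 3.x semantics of `security`: the list is OR'ed (any one requirement object may be satisfied), the scopes inside one object are AND'ed (all are required), and an operation-level `security` overrides the document-level one. The OpenAPI fragment is a Python dict equivalent to the YAML above; the `post` operation and the document-level default are constructed additions for illustration. The token's `scope` is accepted either as the space-delimited string used by RFC 6749 tokens and RFC 7662 introspection responses, or as a list (as in an `scp` claim).

```python
"""Check whether a token's granted scopes satisfy an OpenAPI operation's security requirement."""

from typing import Iterable, Union

# Constructed OpenAPI fragment equivalent to the YAML in the post.
# Both YAML spellings ([read] and the block list) load to a plain list of strings.
OPENAPI_DOC = {
    "paths": {
        "/users": {
            "get": {
                "summary": "Get a list of users",
                "security": [{"OAuth2": ["read"]}],
            },
            "post": {  # hypothetical extra operation, not in the post
                "summary": "Create a user",
                "security": [{"OAuth2": ["read", "write"]}],
            },
        }
    },
    # Document-level default; an operation-level `security` overrides it.
    "security": [{"OAuth2": ["read"]}],
}


def required_scopes(doc: dict, path: str, method: str) -> list:
    """Return the list of alternative requirement objects for one operation."""
    operation = doc["paths"][path][method.lower()]
    # Operation-level `security` wins; otherwise fall back to the document default.
    return operation.get("security", doc.get("security", []))


def normalise_scopes(granted: Union[str, Iterable[str]]) -> set:
    """Accept `scope` as a space-delimited string or as a list of strings."""
    if isinstance(granted, str):
        return set(granted.split())
    return set(granted)


def scopes_satisfied(requirements: list, granted, scheme: str = "OAuth2") -> bool:
    """True if the granted scopes satisfy at least one requirement object."""
    if not requirements:
        return True  # no security requirement declared for this operation
    have = normalise_scopes(granted)
    for alternative in requirements:
        if not alternative:
            return True  # an empty object {} means anonymous access is allowed
        needed = alternative.get(scheme)
        if needed is None:
            continue  # this alternative uses another scheme; our token cannot satisfy it
        if set(needed) <= have:  # AND within one requirement object
            return True
    return False  # no alternative matched


def authorize(doc: dict, path: str, method: str, granted, scheme: str = "OAuth2") -> bool:
    """Decide whether a token with `granted` scopes may call `method path`."""
    return scopes_satisfied(required_scopes(doc, path, method), granted, scheme)


if __name__ == "__main__":
    # Constructed token scopes, as they would appear in a `scope` claim.
    print(authorize(OPENAPI_DOC, "/users", "GET", "openid read"))   # True
    print(authorize(OPENAPI_DOC, "/users", "POST", "read"))         # False: write missing
```

The check is deliberately strict in two ways a proxy author should not relax: extra granted scopes never hurt, but a missing required scope fails the whole requirement object, and a token whose scheme does not appear in any alternative is rejected rather than silently accepted.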