This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
Log in to ask a question
Log in to ask a question

Authorize a request by comparing a token attribute with a request attribute

Posted on 03-28-2017 02:00 PM
Not applicable
Reply posted on --/--/---- --:-- AM

We currently have an OAuth token being passed as an `Authorization` header, and the token has a custom attribute called `userId`. In addition, a `userId` header is being sent with the same client request. We'd like to authorize the request by comparing the two values, but are falling short on our attempts.

Currently we have an `OAuthV2` policy as a step in our preflow, and while performing a trace, we see the custom `userId` attribute as a variable in the scope of the policy. However, we haven't figured out how to extract that value to a variable that will be in scope in a subsequent step. The value only seems to be in scope during the execution of that step.

We'd like to avoid performing this authorization on our backend service. Any help is much appreciated!

0 2 256
Topic Labels
0 Likes
2 REPLIES 2

Posted on --/--/---- --:-- AM
akoo
New Member
Reply posted on --/--/---- --:-- AM

Hello @Chris Ramacciotti,

After verifyaccesstoken operation in OAuth V2 policy, try using the following variable

accesstoken.userId

For a list of other variables populated during verification, please see the OAuth v2 info page here.

Posted on --/--/---- --:-- AM
DChiesa
Staff
In response to akoo
Reply posted on --/--/---- --:-- AM

And just some other information Chris...

we see the custom `userId` attribute as a variable in the scope of the policy. However, we haven't figured out how to extract that value to a variable that will be in scope in a subsequent step.

When you say "we see...", I suppose you are referring to the Trace UI. The Trace UI in the Apigee Edge web ui will show you variables that are READ or WRITTEN during each step in the flow. If a step neither reads nor writes a particular value, then the trace ui will not display that variable, but be assured that the variable that was written in a previous step (a variable like accesstoken.userId) is still available and *could be* read in subsequent steps.

Finally, if you want to compare, then in a step directly after VerifyAccessToken, you can include a condition like this: 

<Flow name='Chris-1'>
  <Request> 
    <Step><Name>VerifyAccessToken</Name></Step>
    <Step>
      <Condition>NOT (request.header.userid = accesstoken.userId)</Condition>
      <Name>RaiseFault-UserIdMismatch</Name>
    </Step>
    ...

does that make sense??