I'm using OAuthV2 to validate app access, but I want to also check an input in the request body against a Custom App Attribute containing a string with a delimited list of valid inputs. If there is a match, allow the request to go through. If there isn't, then fail with a message similar to "Access to {invalidInput} is not allowed."
We're not using APIKeys, so I think the VerifyAPIKey policy is useless as the gateway to reading the Custom App Attribute in my case.
There is a JavaScript policy for other request input validations and I think comparing the request input to the Custom App Attribute will be easy enough in that policy, I just don't see how to read the Custom App Attribute within the JavaScript.
Solved! Go to Solution.
I guess you would get the Custom App Attribute after OAuth policy. To get that in Javascript policy you can use flow variables,
var cust_app_attribute = context.getVariable('app.{custom_attributes_name}'); //A named custom attribute of the registered client app.
https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#flowvariables
https://docs.apigee.com/api-platform/reference/policies/javascript-policy#flowvariables
I guess you would get the Custom App Attribute after OAuth policy. To get that in Javascript policy you can use flow variables,
var cust_app_attribute = context.getVariable('app.{custom_attributes_name}'); //A named custom attribute of the registered client app.
https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#flowvariables
https://docs.apigee.com/api-platform/reference/policies/javascript-policy#flowvariables
This did the trick. Thank you!
User | Count |
---|---|
7 | |
2 | |
2 | |
2 | |
1 |