Validate request input against a custom app attribute

I'm using OAuthV2 to validate app access, but I want to also check an input in the request body against a Custom App Attribute containing a string with a delimited list of valid inputs. If there is a match, allow the request to go through. If there isn't, then fail with a message similar to "Access to {invalidInput} is not allowed."

We're not using APIKeys, so I think the VerifyAPIKey policy is useless as the gateway to reading the Custom App Attribute in my case.

There is a JavaScript policy for other request input validations, and I think comparing the request input to the Custom App Attribute will be easy enough in that policy. I just don't see how to read the Custom App Attribute within the JavaScript.

1 ACCEPTED SOLUTION

sidd-harth
Participant V

I guess you would get the Custom App Attribute after the OAuth policy. To get that in a JavaScript policy you can use flow variables:

var cust_app_attribute = context.getVariable('app.{custom_attributes_name}'); //A named custom attribute of the registered client app.

https://docs.apigee.com/api-platform/reference/policies/oauthv2-policy#flowvariables

https://docs.apigee.com/api-platform/reference/policies/javascript-policy#flowvariables
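An added example, not part of the original thread or of Apigee's own code, showing the allow-list check the question describes on top of the flow variable from the accepted answer. The attribute name `allowed_inputs`, the body field `resource`, the comma delimiter, the `validation.*` output variables and the `makeContext` stand-in for the policy's `context` object are all assumptions made for illustration.

```javascript
// Added example. Hypothetical names: attribute "allowed_inputs", body field
// "resource", output variables "validation.*". Comma delimiter is assumed.
function parseAllowList(raw, delimiter) {
  if (typeof raw !== 'string') return [];
  return raw.split(delimiter)
    .map(function (s) { return s.trim(); })
    .filter(function (s) { return s.length > 0; });
}

function validateInput(ctx, attrName, fieldName) {
  // 'app.{custom_attribute_name}' is the flow variable from the answer above.
  var allowed = parseAllowList(ctx.getVariable('app.' + attrName), ',');
  var body;
  try {
    body = JSON.parse(ctx.getVariable('request.content'));
  } catch (e) {
    body = null;
  }
  var input = body && body[fieldName];
  var result;
  if (allowed.length === 0) {
    // Fail closed: a missing or empty attribute allows nothing.
    result = { ok: false, message: 'No inputs are allowed for this app.' };
  } else if (typeof input !== 'string' || input.length === 0 || input.length > 64) {
    result = { ok: false, message: 'Request input is missing or malformed.' };
  } else if (allowed.indexOf(input) === -1) {
    // Exact element match, not a substring search on the raw attribute string.
    result = { ok: false, message: 'Access to ' + input + ' is not allowed.' };
  } else {
    result = { ok: true, message: '' };
  }
  ctx.setVariable('validation.failed', !result.ok);
  ctx.setVariable('validation.message', result.message);
  return result;
}

// Constructed stand-in for the policy's `context` object, for offline runs.
function makeContext(vars) {
  return {
    getVariable: function (name) { return vars.hasOwnProperty(name) ? vars[name] : null; },
    setVariable: function (name, value) { vars[name] = value; }
  };
}

var sampleCtx = makeContext({
  'app.allowed_inputs': 'orders, invoices,reports',
  'request.content': '{"resource":"order"}'
});
console.log(validateInput(sampleCtx, 'allowed_inputs', 'resource').message);
```

Inside the JavaScript policy the call would be `validateInput(context, 'allowed_inputs', 'resource')`, and a RaiseFault step conditioned on the hypothetical `validation.failed` variable can return `validation.message` to the caller.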


2 REPLIES 2

This did the trick. Thank you!