Passing OAuth scopes to backend service

Hi

I'm searching for an example of how I can make an API proxy pass OAuth scopes to a backend service so it can enforce rules on behalf of the scopes. The backend service is responsible for filtering response data on behalf of the current scope.

What is the best way of leveraging OAuth policies on Apigee, but at the same time being able to pass/get OAuth scopes in the backend service from e.g. an OAuth access token?


The OAuthV2 VerifyAccessToken policy will set a context variable "scope" upon verification of a good token.

You can then use an AssignMessage to inject a header into the request that carries that information.

Example

<AssignMessage name='AM-InjectScopeHeader'>
  <Set>
    <Headers>
      <Header name='Scope-from-Apigee'>{scope}</Header>
    </Headers>
  </Set>
</AssignMessage>

If you attach that AssignMessage policy to the request flow, the upstream system will receive a header with the scopes on the verified token.
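The backend half of the setup described in the reply, as an added example that is not part of the original thread and not Apigee's or anyone's project code: a small Python handler that reads the `Scope-from-Apigee` header the AssignMessage policy sets, splits the space-delimited scope string, and returns only the fields those scopes permit. The header name comes from the reply above; the scope-to-field mapping, the sample record and the `handle` function are constructed for this illustration.

```python
"""Backend-side scope enforcement for requests forwarded by an Apigee proxy.

Hypothetical example: the header name matches the AssignMessage policy in the
thread; everything else (scope names, field mapping, sample data) is made up.
"""
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Header injected by the proxy's AM-InjectScopeHeader policy. Because
# AssignMessage <Set> overwrites any client-supplied value, the backend may
# rely on it only for traffic that actually traversed Apigee; restrict the
# backend (network ACL, mTLS, or a shared secret) so clients cannot bypass
# the proxy and set this header themselves.
SCOPE_HEADER = "scope-from-apigee"

# Constructed mapping: which response fields each scope unlocks.
FIELDS_BY_SCOPE = {
    "profile.read": {"id", "name"},
    "profile.email": {"email"},
    "profile.address": {"address"},
}

# Constructed sample record returned by the backend before filtering.
SAMPLE_RECORD = {
    "id": 42,
    "name": "Example User",
    "email": "user@example.invalid",
    "address": "1 Example Street",
    "internal_flag": True,  # never mapped to a scope, so never returned
}


def parse_scopes(header_value):
    """Apigee's 'scope' variable is a space-delimited list; tolerate None."""
    if not header_value:
        return set()
    return {s for s in header_value.split() if s}


def allowed_fields(scopes):
    """Union of the fields granted by every recognised scope; unknown scopes grant nothing."""
    fields = set()
    for scope in scopes:
        fields |= FIELDS_BY_SCOPE.get(scope, set())
    return fields


def filter_record(record, scopes):
    """Drop every field the presented scopes do not cover (deny by default)."""
    allowed = allowed_fields(scopes)
    return {k: v for k, v in record.items() if k in allowed}


def handle(headers, record=SAMPLE_RECORD):
    """Return (status, body) for a request with the given headers.

    Header names are matched case-insensitively, as HTTP requires.
    """
    lookup = {k.lower(): v for k, v in headers.items()}
    scopes = parse_scopes(lookup.get(SCOPE_HEADER))
    if not scopes:
        return 403, {"error": "no scope forwarded by the proxy"}
    body = filter_record(record, scopes)
    if not body:
        return 403, {"error": "presented scopes grant no fields"}
    return 200, body


class ScopeHandler(BaseHTTPRequestHandler):
    """Minimal HTTP front for handle(); used only when run as a script."""

    def do_GET(self):
        status, body = handle(dict(self.headers.items()))
        payload = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


if __name__ == "__main__":
    # Listen on loopback only; in a deployment the proxy is the sole caller.
    HTTPServer(("127.0.0.1", 8080), ScopeHandler).serve_forever()
```

Unknown scope names grant nothing and an absent header yields 403, so the backend fails closed if the proxy is misconfigured or the policy is detached from the flow.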