I have written an inbound policy which enables CORS and validates the access token against an Authorization-Server. The following policy is working fine:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
Now I'm adding a condition which authorizes users to use PUT, POST or DELETE methods only if they belong to a certain group:
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
But I'm getting following error while saving the policy:
One or more fields contain incorrect values:
Error in element 'choose' on line 28, column 10: Syntax error, ',' expected
I'm not sure what's wrong. This is the final policy after incorporating authorization logic:
<policies>
<inbound>
<!-- Extract Token from Authorization header parameter -->
<set-variable name="token" value="@(context.Request.Headers.GetValueOrDefault("Authorization","scheme param").Split(' ').Last())" />
<!-- Send request to Token Server to validate token (see RFC 7662) -->
<send-request mode="new" response-variable-name="tokenstate" timeout="20" ignore-error="true">
<set-url>https://sso-dev.shell.com/as/introspect.oauth2</set-url>
<set-method>POST</set-method>
<set-header name="Content-Type" exists-action="override">
<value>application/x-www-form-urlencoded</value>
</set-header>
<set-body>@($"grant_type=urn:pingidentity.com:oauth2:grant_type:validate_bearer&client_id=UnitsOfMeasure&client_secret=somesecret&token={(string)context.Variables["token"]}")</set-body>
</send-request>
<cors>
<allowed-origins>
<origin>*</origin>
</allowed-origins>
<allowed-methods>
<method>*</method>
</allowed-methods>
<allowed-headers>
<header>*</header>
</allowed-headers>
<expose-headers>
<header>*</header>
</expose-headers>
</cors>
<choose>
<when condition="@((bool)((IResponse)context.Variables["tokenstate"]).Body.As<JObject>()["active"] == false)">
<!-- Return 401 Unauthorized with http-problem payload -->
<return-response response-variable-name="existing response variable">
<set-status code="401" reason="Unauthorized" />
<set-header name="WWW-Authenticate" exists-action="override">
<value>Bearer error="invalid_token"</value>
</set-header>
</return-response>
</when>
<when condition="@(new [] {"post=""", "put=""", "delete="""}.Contains(context.Request.Method,StringComparer.OrdinalIgnoreCase))">
<validate-jwt header-name="Authorization">
<required-claims>
<claim name="groups">
<value>UOM WriteAdmin</value>
</claim>
</required-claims>
</validate-jwt>
</when>
</choose>
<base />
</inbound>
<backend>
<base />
</backend>
<outbound>
<base />
<set-header name="Access-Control-Allow-Origin" exists-action="override">
<value>*</value>
</set-header>
</outbound>
<on-error>
<base />
</on-error>
</policies>
Try this:
You seem to have some extra symbols there.