OAuth Policy context example

In some cases a site needs to be told which user is attempting to access it. Groovy scripts can inject identity information into various parts of the HTTP request that is sent to the target. In this example, the site expects the user's identity to be conveyed in the User HTTP header. This can be accomplished with an OAuth Groovy Script rule and the following Groovy script.

// Read the "user" attribute of the validated access token (null-safe at every step)
user = policyCtx?.context?.get("oauth_token")?.attributes?.get("user")?.get(0)
// Forward it to the target in the User header
exc?.request?.header?.add("User", "$user")
pass()

The following is a more complex example of Groovy script logic.

test = exc?.request?.header?.getFirstValue("test")
if (test != null && test.equals("foo")) {
  // rule will fail evaluation if the Test header has the value 'foo'
  fail()
} else {
  // rule will pass evaluation if the Test header has any other value
  // or isn't present
  pass()
}

Set an exchange property named com.pingidentity.policy.error.info so the value will be available for the $info variable in error templates when an error is encountered. The $info variable can be set by a Groovy Script rule or an OAuth Groovy script rule.

// Single quotes keep Groovy from treating $info as a variable reference inside the string
exc?.setProperty("com.pingidentity.policy.error.info", 'this value will be passed to the template in $info variable')
not(anything())
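The two snippets above can be combined into one fail-closed rule. The following is an added example, not code from the PingAccess documentation: it refuses the request when the token carries no user attribute, refuses it when the client has already supplied a User header of its own (assuming, as the method name suggests, that header.add() appends a value rather than replacing an existing one), and records the reason in the property that feeds the $info variable. The header name User and the attribute name user follow the example above.

```groovy
// Added example (not from the PingAccess documentation).
// Read the "user" attribute of the validated access token
user = policyCtx?.context?.get("oauth_token")?.attributes?.get("user")?.get(0)

if (user == null || user.trim().isEmpty()) {
  // Fail closed: no identity to forward, and explain why in the error template
  exc?.setProperty("com.pingidentity.policy.error.info", 'Access token carries no user attribute')
  fail()
} else if (exc?.request?.header?.getFirstValue("User") != null) {
  // The client pre-seeded the identity header; assumption: add() would append a
  // second value rather than replace it, so reject instead of forwarding both
  exc?.setProperty("com.pingidentity.policy.error.info", 'Request must not set the User header itself')
  fail()
} else {
  // Only now does the target see a User header, and only the value set here
  exc?.request?.header?.add("User", user)
  pass()
}
```

The point of the second branch is that the target should never have to decide between two User values; whichever it picks, the rule has made that choice ambiguous, so it is simpler to reject such requests before they reach the target.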

Create a whitelisting rule that fails the request unless the URI consists only of certain characters.

// Fail unless the whole URI matches the permitted character classes
if (!exc?.request?.uri?.matches("[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\()\\{\\}\\[\\]]*")) {
  fail()
} else {
  pass()
}

Add a cookie to the response.

// Construct the cookie value
value = "cookie-value"
cookieHeaderFieldValue = "ResponseTestCookie=${value}; Path=/"

// Add the cookie on to the response
exc?.response?.header?.add("Set-Cookie", cookieHeaderFieldValue)

pass()
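The cookie above is set with only a Path attribute. As an added example that is not part of the PingAccess documentation, the same Set-Cookie pattern can carry the attributes a browser-facing cookie should have; the cookie name and value are constructed for illustration.

```groovy
// Added example (not from the PingAccess documentation): a hardened Set-Cookie header
value = "cookie-value"   // constructed sample value
attributes = [
  "Path=/",
  "Secure",        // only sent over HTTPS
  "HttpOnly",      // not readable from page script, which limits what XSS can steal
  "SameSite=Lax"   // not attached to most cross-site requests, which blunts CSRF
]
cookieHeaderFieldValue = "ResponseTestCookie=${value}; " + attributes.join("; ")

// Add the cookie on to the response
exc?.response?.header?.add("Set-Cookie", cookieHeaderFieldValue)

pass()
```

Secure and HttpOnly cost nothing for a cookie that is only ever consumed server-side; SameSite=Lax is the usual default, with Strict reserved for cookies that never need to accompany a top-level navigation from another site.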

Combine an AND and OR, invoking an existing rule matcher.

if ((anyOf(containsWebSessionAttribute("engineering", "true"), containsWebSessionAttribute("marketing", "true"))) && (containsWebSessionAttribute("manager", "true"))) {
  pass()
} else {
  fail()
}