OAuth Policy context example

In some instances, it might be necessary to transmit identity information to sites to provide details of the user attempting to access a site. In such instances, Groovy scripts can be used to inject identity information into various portions of the HTTP request to the target. In this example, the site is expecting the identity of the user to be conveyed through the User HTTP header. This can be accomplished using the OAuth Groovy script rule and the following Groovy script.

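// Read the first value of the "user" attribute from the OAuth token in the policy context
user=policyCtx?.context.get("oauth_token")?.attributes?.get("user")?.get(0)
// Convey it to the target site in the User request header
exc?.request?.header?.add("User", "$user")
pass()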

The following is more complex Groovy script logic.

test = exc?.request?.header?.getFirstValue("test");
if(test != null && test.equals("foo"))
{
  //rule will fail evaluation if Test header has value 'foo'
  fail()
}
else
{
  //rule will pass evaluation if Test header has value of anything else
  //or isn't present
  pass()
}

Set an exchange property named com.pingidentity.policy.error.info so the value will be available for the $info variable in error templates when an error is encountered. The $info variable can be set by a Groovy Script rule or an OAuth Groovy script rule.

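// Single quotes keep $info literal; a double-quoted Groovy string would try to interpolate it
exc?.setProperty("com.pingidentity.policy.error.info", 'this value will be passed to the template in $info variable')
// not(anything()) never matches, so the rule fails
not(anything())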

Create a whitelisting rule that fails any request whose URI contains characters outside an allowed set.

if (!exc?.request?.uri?.matches("[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\()\\{\\}\\[\\]]*"))
{
  fail()
}
else
{
  pass()
}
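
To see which characters the class in the rule above actually admits before relying on it, the following added example (standalone Groovy, not PingAccess or Ping Identity code) applies the same pattern to constructed sample URIs and lists the characters that cause a failure. It assumes the rule sees the URI string exactly as written here; whether exc.request.uri includes the query string or percent-decoded characters is not stated on this page.

```groovy
// Added example: standalone Groovy, run with `groovy allowlist_check.groovy`.
// CLASS is the character class from the rule above; everything else is illustrative.
String CLASS = "[\\p{Po}\\p{N}\\p{Z}\\p{L}\\p{M}\\p{Zs}\\./_\\-\\()\\{\\}\\[\\]]"

// Same decision the rule makes: every character must belong to the class.
def passes = { String uri -> uri.matches(CLASS + "*") }

// Characters of the URI that fall outside the class (the reason for a failure).
def rejected = { String uri -> uri.replaceAll(CLASS, "").toList().unique() }

// Constructed sample URIs, not taken from any real deployment.
def samples = [
    "/app/reports/2024/summary.pdf",  // letters, digits, '/', '.'
    "/app/(draft)/{id}/[1]",          // brackets are listed explicitly in the class
    "/app/caf\u00e9/\u65e5\u672c",    // non-ASCII letters are \p{L}
    "/app/search?q=report",           // '?' is \p{Po}, but '=' is \p{Sm}
    "/app/a%3Cb",                     // '%' is \p{Po}; the pattern does not decode
    "/app/<b>",                       // '<' and '>' are \p{Sm}
    "/app/it's;here",                 // apostrophe and ';' are \p{Po}
    "/app/a\tb"                       // tab is \p{Cc}, not a \p{Z} separator
]

samples.each { String uri ->
    def verdict = "pass()"
    if (!passes(uri)) {
        // Report each offending character as a code point
        def bad = rejected(uri).collect { String.format("U+%04X", (int) it.charAt(0)) }
        verdict = "fail()  rejected=" + bad
    }
    println(uri.inspect().padRight(38) + " -> " + verdict)
}

// The literal '<' is rejected, while its percent-encoded form is accepted as-is.
assert passes("/app/a%3Cb") && !passes("/app/<b>")
```

Because \p{Po} covers characters such as %, ?, &, ', " and ;, this class mainly excludes symbols (\p{S}) and control characters; tighten it if the target application treats any of the admitted punctuation as significant.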

Add a cookie to the response.

// Construct the cookie value
value = "cookie-value"
cookieHeaderFieldValue = "ResponseTestCookie=${value}; Path=/"

// Add the cookie on to the response
exc?.response?.header?.add("Set-Cookie", cookieHeaderFieldValue)

pass()

Combine an AND and OR, invoking an existing rule matcher.

if ((anyOf(containsWebSessionAttribute("engineering", "true"), containsWebSessionAttribute("marketing", "true"))) && (containsWebSessionAttribute("manager", "true")))
{
  pass()
}
else
{
  fail()
}