Set custom variable in Identify&Authorize or Request Processing policies

reamon · December 11, 2023, 11:45pm

API Gatway, version 10.11

Here is what I’m attempting to do (the what).

An externally hosted application is making an HTTP call to an internal application. Using API Gateway as the “outside-in” connectivity. Not an API as most would define it, but close enough.

The client does not provide authentication in the usual manner (no HTTP basic, OAuth, etc.).

But it does sign the HTTP body and puts the signature in the header. Will use API Gateway to confirm the signature.

Summary of steps:

Caller makes an HTTP post call, with a custom HTTP header holding a signature of the body.
API Gateway verifies the signature. Returns 403 if the signature is incorrect.
If signature is correct, forwards everything to the internal application. No response body.

The planned/attempted how:

Use a custom extension to confirm the signature. Could place this in Identify & Authorize or in Request Processing.

The caller does not pass anything except the HTTP body and a header with the signature. The signature is created using a shared secret. The secret is not passed along in the HTTP call.

Since I may need different secret depending on the caller, I need to identify the caller. This is doable via an Application, defining HTTP headers or body content that identify the caller and IAM policy.

I would like to store the shared secret for a given caller in the application definition. Perhaps as a custom header that is used only internally, never passed in. Or perhaps leverage the API key that is automatically created – use that as the shared key but not used in the IAM policy. Just pass that along to the custom extension via custom variable.

Defining the custom var is where I’ve run into an issue. The documentation indicates a var can be set:

${customTransactionFields.FIELD_NAME}
Example: ${customTransactionFields.sample}

Provides you an option to get or set custom fields to the transactional events for this request. To set the custom fields, you can configure the customTransactionFields.FIELD_NAME custom variable in Custom Extension policy

I’ve tried a variety of ways to set a custom field value but in all cases neither the customFieldsMap table nor the MessageContext contains the value that is set. I’ve tried static values, system vars that should be present (e.g. apiId) and various key names. Adding to the fun is the docs seem to both distinguish and conflate “custom vars” and “context vars.”

I’m clearly missing something fundamental. Anyone have guidance or a hint? Or perhaps a different “how” to achieve that “what”?

Vikash_Sharma1 · February 26, 2024, 8:48am

hi @reamon ,
I was trying some custom variable in the API GW and those were working.
I was referring the variable framework documentation Page Number Starting with 373

I was able to extract the data from my request and assign it with some new custom key in the native request .

Regards
Vikash Sharma

reamon · February 26, 2024, 4:06pm

Thanks for your input.

I was not able to get a custom attribute defined in an Application. Does not seem to be any mechanism to do so. Was thinking I could refer to that in a policy.

I was able to structure things so that I could get the calling Application within a custom extension in the Identify & Access policy. I could then get the API token that is set in that Application to use as the secret.

As such, did not need to use custom vars but I do appreciate your response!