API Gateway, version 10.11
Here is what I’m attempting to do (the what).
An externally hosted application is making an HTTP call to an internal application. Using API Gateway as the “outside-in” connectivity. Not an API as most would define it, but close enough.
The client does not provide authentication in the usual manner (no HTTP basic, OAuth, etc.).
But it does sign the HTTP body and put the signature in a header. I will use API Gateway to confirm the signature.
Summary of steps:
- Caller makes an HTTP POST call, with a custom HTTP header holding a signature of the body.
- API Gateway verifies the signature. Returns 403 if the signature is incorrect.
- If signature is correct, forwards everything to the internal application. No response body.
The planned/attempted how:
Use a custom extension to confirm the signature. Could place this in Identify & Authorize or in Request Processing.
The caller does not pass anything except the HTTP body and a header with the signature. The signature is created using a shared secret. The secret is not passed along in the HTTP call.
Since I may need a different secret depending on the caller, I need to identify the caller. This is doable via an Application, defining HTTP headers or body content that identify the caller, and an IAM policy.
I would like to store the shared secret for a given caller in the application definition. Perhaps as a custom header that is used only internally, never passed in. Or perhaps leverage the API key that is automatically created: use that as the shared key but not use it in the IAM policy. Just pass that along to the custom extension via a custom variable.
Defining the custom var is where I’ve run into an issue. The documentation indicates a var can be set:
${customTransactionFields.FIELD_NAME}
Example: ${customTransactionFields.sample}
Provides you an option to get or set custom fields to the transactional events for this request. To set the custom fields, you can configure the customTransactionFields.FIELD_NAME custom variable in Custom Extension policy
I’ve tried a variety of ways to set a custom field value but in all cases neither the customFieldsMap table nor the MessageContext contains the value that is set. I’ve tried static values, system vars that should be present (e.g. apiId) and various key names. Adding to the fun is the docs seem to both distinguish and conflate “custom vars” and “context vars.”
I’m clearly missing something fundamental. Anyone have guidance or a hint? Or perhaps a different “how” to achieve that “what”?
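The signing scheme the post describes (caller computes a keyed signature over the body and sends it in a header; the gateway identifies the caller, looks up that caller's shared secret, recomputes the signature and returns 403 on mismatch), written out end to end as an added example. This is not code from the original post and not a webMethods API Gateway custom extension; it is a plain Python model of both sides of the exchange, so that the check itself can be exercised offline. The header names `X-Caller-Id` and `X-Body-Signature`, the HMAC-SHA256 choice of signature, and the per-caller secret table are all assumptions made for the example; the real gateway would supply the secret from wherever the application definition ends up storing it.

```python
import hashlib
import hmac
from typing import Dict, Optional

# Hypothetical header names for this example (the post does not name them).
CALLER_HEADER = "x-caller-id"
SIGNATURE_HEADER = "x-body-signature"

# Constructed per-caller shared secrets. In the real deployment this lookup
# would be backed by whatever the gateway application definition exposes to
# the custom extension; the values here are sample data only.
CALLER_SECRETS: Dict[str, bytes] = {
    "acme-erp": b"0f2c6d0b8a6e4f1c9d3e7a5b2c4d6e8f",
    "partner-b": b"7a1e3c5b9d2f4e6a8c0b1d3f5a7c9e2b",
}


def _normalise_headers(headers: Dict[str, str]) -> Dict[str, str]:
    """HTTP header names are case-insensitive; compare them lower-cased."""
    return {k.lower(): v for k, v in headers.items()}


def sign_body(body: bytes, secret: bytes) -> str:
    """HMAC-SHA256 over the raw body bytes (assumed scheme), hex-encoded."""
    return hmac.new(secret, body, hashlib.sha256).hexdigest()


def build_request(caller: str, body: bytes) -> Dict[str, object]:
    """Caller side: sign the exact bytes that will be sent and attach headers."""
    signature = sign_body(body, CALLER_SECRETS[caller])
    return {
        "headers": {CALLER_HEADER: caller, SIGNATURE_HEADER: signature},
        "body": body,
    }


def lookup_secret(caller: Optional[str]) -> Optional[bytes]:
    """Resolve the caller identified by the request to its shared secret."""
    if not caller:
        return None
    return CALLER_SECRETS.get(caller)


def verify_request(headers: Dict[str, str], body: bytes) -> int:
    """Gateway side: return 200 when the signature matches, otherwise 403.

    Every failure path (unknown caller, missing header, bad signature)
    returns the same status so the response does not reveal which check
    failed. The comparison is constant-time to avoid leaking the expected
    signature byte by byte.
    """
    hdrs = _normalise_headers(headers)
    secret = lookup_secret(hdrs.get(CALLER_HEADER))
    if secret is None:
        return 403
    presented = hdrs.get(SIGNATURE_HEADER, "")
    expected = sign_body(body, secret)
    if not hmac.compare_digest(expected, presented):
        return 403
    return 200


if __name__ == "__main__":
    req = build_request("acme-erp", b'{"order": 42, "qty": 3}')
    print(verify_request(req["headers"], req["body"]))   # 200
    print(verify_request(req["headers"], b'{"order": 42, "qty": 300}'))  # 403
```

Two things worth keeping in mind when moving this onto the gateway: the signature must be computed over the raw request bytes, not over a re-serialised copy of the parsed body, or a benign reformatting will cause spurious 403s; and a bare body signature gives no replay protection, so if the same signed body must not be accepted twice, the signed data needs to include a timestamp or nonce that the gateway also checks.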