Forum Discussion

sricharan61's avatar
Oct 23, 2019

How can i use oAuth session variables in APM policy to decide which ACL can be assigned

I am trying to create a policy where i can try and grab the session variable 'session.oauth.client.last.id_token.groups' that the Oauth client agent gets and use that to decide which ACL can be assigned to the user based on the group ID value of that session variable. I am not seeing any options in the assignment tab of the policy parameters that can leverage this session variable information.

5 Replies

  • Hi


    Have you tried adding an expression to the Resource Assign object? So something like


    • Hi Iaine


      I tried setting up the configuration like this.

      expr {[mcget {session.oauth.client.last.id_token.groups}] =="xxxxxxx-xxxx-xxxx-x-xx"}

      Static ACLs: /Common/test





      expr {[mcget {session.oauth.client./Common/AzureADB2BOauthprov.id_token.g roups}]== "xxxxxx-xxxx-xxxx-xxx-xxxxxx"}

      Static ACLs: /Common/test



      as i saw both these entries in the access logs for the groups information in different session variable names.


      but i do not see the resource assign parameter logs invoking a match for these expressions to send to ACL in the access logs


  • Dumb question I know, but is the resource assigning happening after the oauth call?


    Have you tried outputing the variables to a message box just prior to the acl assignment to ensure that the variables are present and correct?

  • Hi Iaine


    Looks like its working, its just that the logs is are not showing the exact match happening by the condition we are setting. It simply shows what ACL was assigned. I set up a logging message after the oauth client to be able to see that user group match logged in the session logs.

  • Turning on debug logging in the APM logging profile would have shown this activity.


    General rule of thumb - if you don't see it in the logs, turn on debug and you will.