Supported Header Value Expressions for Authentication Policies
When you configure an enterprise application's authentication policies, you can add header variables to the requests forwarded to the application, either by selecting a user attribute from a list of predefined user attributes or by entering an expression.
In the Header Value field for Authentication Policies, you can provide a simple literal string or an attribute identifier instead of selecting the user attribute from the drop-down list. If you use an attribute identifier, App Gateway attempts to replace the identifier with the value of that attribute after authentication has completed.
The following types of attribute identifiers are supported by authentication policies:
- Application: This attribute identifier accesses the information of the enterprise application registered in Oracle Identity Cloud Service.
  Format: $subject.client.<attr>
- User: This attribute identifier accesses information about the user signed in to Oracle Identity Cloud Service.
  Format: $subject.user.<attr>
- Request: This attribute identifier accesses request information.
  Format: $request.<attr>
For the user attribute scope, App Gateway supports any simple top-level attribute in the JSON response from /admin/v1/Users, such as string, boolean, or int values.
App Gateway also supports user extension attributes as header value expressions for authentication policies, using the following format: $subject.user.urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:<attributeName>
Custom attributes use the following format: $subject.user.urn:ietf:params:scim:schemas:idcs:extension:custom:User:<customAttributeName>
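To show how these identifiers map onto a user record, here is an added example resolver (not App Gateway code) that substitutes $subject.user, $subject.client and $request expressions from constructed sample data, treating only simple top-level values as substitutable and looking up extension and custom attributes under their SCIM schema URN. The sample values, the true/false rendering of booleans, the None result for an unresolvable attribute and the CR/LF stripping are assumptions, since the page does not say how App Gateway handles those cases.

```python
import json

# Constructed sample shaped like a SCIM user returned by /admin/v1/Users (values are made up).
SAMPLE_USER = json.loads("""{
  "userName": "jdoe",
  "displayName": "Jane Doe",
  "active": true,
  "name": {"givenName": "Jane", "familyName": "Doe"},
  "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User": {"department": "Finance"},
  "urn:ietf:params:scim:schemas:idcs:extension:custom:User": {"costCenter": "CC-42"}
}""")
# Constructed application and request records for the other two scopes.
SAMPLE_CLIENT = {"name": "payroll-app"}
SAMPLE_REQUEST = {"res_host": "payroll.example.com", "res_type": "HTTPS", "res_port": 443}


def lookup(doc, attr):
    """Return a simple top-level attribute as a string, or None if it is absent or complex."""
    if attr.startswith("urn:"):
        # Extension/custom attributes: "<schema URN>:<name>" is stored as doc[schema][name]
        schema, _, name = attr.rpartition(":")
        container = doc.get(schema)
        value = container.get(name) if isinstance(container, dict) else None
    else:
        value = doc.get(attr)
    if isinstance(value, bool):               # bool before int: bool is a subclass of int
        return "true" if value else "false"   # rendering of booleans is an assumption
    if isinstance(value, (str, int)):
        return str(value)
    return None                               # objects and lists are not simple values


SCOPES = (("$subject.user.", "user"), ("$subject.client.", "client"), ("$request.", "request"))


def resolve(expression, user=SAMPLE_USER, client=SAMPLE_CLIENT, request=SAMPLE_REQUEST):
    """Compute the header value for one expression; None means it could not be resolved."""
    docs = {"user": user, "client": client, "request": request}
    for prefix, scope in SCOPES:
        if expression.startswith(prefix):
            value = lookup(docs[scope], expression[len(prefix):])
            # Drop CR/LF so a stored attribute value cannot split the forwarded header
            return None if value is None else value.replace("\r", "").replace("\n", "")
    return expression  # anything else is a literal string, forwarded as typed


if __name__ == "__main__":
    for expr in ("$subject.user.userName", "$subject.user.name",
                 "$subject.user.urn:ietf:params:scim:schemas:extension:enterprise:2.0:User:department",
                 "$request.res_port", "X-Static-Value"):
        print(f"{expr} -> {resolve(expr)!r}")
```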
Table 5-5 Example of User Attribute Scope Names and Return Values

Attribute Name | Header Value Expression | Description |
---|---|---|
Full Name | | The user's full name. |
User Name | | The user's login username. |
Emails | Other types of emails also supported: | The user's primary email address. |
Phone Numbers | Other types of phone numbers supported: | The user's phone number. |
Addresses | | The user's mailing address. |
Groups | | A comma-separated list of the group names to which the user is assigned through direct or indirect membership. |
idcsCreatedBy | | The display name of the user or application that created this resource. |
idcsLastModifiedBy | | The display name of the user or application that modified this resource. |
Department | | The user's department. |
Employee Number | | The user's employee number. |
Example of supported values for the request attribute scope:

Table 5-6 Example of Request Attribute Scope Names and Supported Values

Attribute Name | Header Value Expression | Description |
---|---|---|
policy_appname | | Returns the name of the enterprise application registered in Oracle Identity Cloud Service. |
policy_name | | Returns the name of the specific policy matched for the request. |
policy_res | | Returns the resource URL pattern matched for the request. The format is "<type>:<pattern>". Example: |
policy_action | | Returns the HTTP method ( |
res_host | | Returns the host name from the original request. |
res_port | | Returns the port number from the original request. |
res_type | | Returns the protocol (HTTP or HTTPS) of the original request. |
res_url | | Returns the full requested URL. |