How can I control api execution based on app_metadata value?
I think you can authorize the API itself with an access token.
I would like to know if it is possible to control api execution by the value of metadata.
For example, if app_metadata is {"group": "g1"}, I want to only allow access to resources for g1. I want to block requests with different metadata such as g2 and g3.
Here are my current ideas:
- Added app_metadata as a custom claim to the access token. Check the values obtained from parameters and claims during API execution.
- Execute the user-management API on the backend, get the metadata and compare it with the parameters of the api request.
Is it possible to use such a function?
- scope
- permissions
Any help would be greatly appreciated.
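The first idea in the question (a group value carried as a custom claim and compared with the request parameter when the API runs), sketched as an added example that is not part of the original post. The claim name `https://example.com/group`, the HS256 shared secret and all function names are assumptions made for illustration; a real API would verify the token with its usual JWT library and key.

```python
import base64, hashlib, hmac, json, time

GROUP_CLAIM = "https://example.com/group"  # assumed namespaced custom claim name
SECRET = b"constructed-demo-secret"         # constructed signing key, demo only

def b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_token(claims, secret=SECRET):
    """Build a constructed HS256 token so the example runs offline."""
    head = b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64e(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64e(sig)}"

def verified_claims(token, secret=SECRET, now=None):
    """Return the claims only if algorithm, signature and expiry all check out."""
    try:
        head, body, sig = token.split(".")
        if json.loads(b64d(head)).get("alg") != "HS256":
            return None  # the expected algorithm is pinned by the API, not the token
        want = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(want, b64d(sig)):
            return None
        claims = json.loads(b64d(body))
    except (ValueError, TypeError, AttributeError):
        return None
    exp = claims.get("exp") if isinstance(claims, dict) else None
    if not isinstance(exp, (int, float)) or exp <= (now or time.time()):
        return None
    return claims

def authorize(token, requested_group):
    """HTTP-style decision: 401 for a bad token, 403 for another group, else 200."""
    claims = verified_claims(token)
    if claims is None:
        return 401
    group = claims.get(GROUP_CLAIM)
    # Fail closed: a missing or non-string claim never matches any group.
    if not isinstance(group, str) or group != requested_group:
        return 403
    return 200
```

The group is read only from claims whose signature has been verified, so changing the group parameter in the request, or the claim inside the token, cannot widen access.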