Authenticating API server requests
As with the PingAuthorize API Security Gateway mode, API server requests that the Sideband API authorizes do not strictly require authentication. However, the default policy set requires bearer token authentication.
About this task
The Sideband API uses configured Access Token Validators to evaluate bearer tokens that are included in incoming requests. The HttpRequest.AccessToken
attribute supplies the validation result to the policy request, and the TokenOwner
attribute provides the user identity that is associated with the token.
Policies use this authentication information to affect the processing requests and responses. For example, the following policy in the default policy set requires all requests to be made with an active access token:
Rule: Deny if HttpRequest.AccessToken.active Equals false Statement: Code: denied-reason Applies To: Deny Payload: {"status":401, "message": "invalid_token", "detail":"Access token is expired or otherwise invalid"}
The following table identifies the configuration properties that determine the manner in which Sideband API Endpoints handle authentication.
Property | Description |
---|---|
|
Determines whether the Sideband API Endpoint evaluates bearer tokens, and if so, whether the Sideband API Endpoint forwards them to the API server by way of the API gateway. |
|
Sets the Access Token Validators that the Sideband API Endpoint uses. As this property contains no value by default, the Sideband API Endpoint can potentially use each Access Token Validator that is configured on the server to evaluate every bearer token. To constrain the set of Access Token Validators that a Sideband API Endpoint uses, set this property to use one or more specific values. This setting is ignored if |