PingAuthorize

Creating a policy for permitted OAuth2 clients

This tutorial describes how to configure a policy to allow specific OAuth2 clients for a REST service. A REST service typically allows only requests from an allow list of OAuth2 clients.

About this task

In the PingAuthorize Policy Editor, define a policy in which each rule specifies an allowed client.

Steps

  1. Go to Policies → Policies.

  2. Expand Global Decision Point and SCIM Policy Set.

  3. Highlight Token Policies and click and then Add Policy.

  4. For the name, replace Untitled with Permitted Clients.

  5. From the Combining Algorithm list, select Unless one decision is permit, the decision will be deny.

  6. Click Add Rule.

  7. For the name, replace Untitled with Client: client1.

  8. From the Effect list, select Permit.

  9. In the Condition section:

    1. Click Comparison.

    2. From the Select an Attribute list, select HttpRequest.AccessToken.client_id.

    3. From the middle list (the comparison type), select Equals.

    4. In the final field, enter client1.

  10. Click Add Rule.

  11. For the name, replace Untitled with Client: client2.

  12. From the Effect list, select Permit.

  13. In the Condition section:

    1. Click Comparison.

    2. From the Select an Attribute list, select HttpRequest.AccessToken.client_id.

    3. From the middle list (the comparison type), select Equals.

    4. In the final field, enter client2.

  14. Expand Advice and Obligations.

    Do not click Show Advice and Obligations within the client1 or client2 rules. The advice belongs to the policy as a whole, so that it is returned whenever the policy's combined decision is deny, not to an individual rule.

  15. Click Components.

  16. From Advice, drag Unauthorized Client to the Advice and Obligations box.

  17. Click Save changes.
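The following is an added example, not code from the PingAuthorize product or its documentation. It models the policy built in the steps above as a small evaluator so that the effect of the combining algorithm and the policy-level advice can be checked offline: each rule permits when `HttpRequest.AccessToken.client_id` equals its client, the deny-unless-permit algorithm from step 5 yields Permit if any rule permits and Deny otherwise, and the Unauthorized Client advice from step 16 is returned only with a Deny decision. The request shape, the dotted attribute lookup and the result dictionary are assumptions made for this model; the PingAuthorize engine's internal representation is not on the page.

```python
"""Constructed model of the Permitted Clients policy (example code, not PingAuthorize's own)."""
from dataclasses import dataclass
from typing import Optional

PERMIT = "PERMIT"
DENY = "DENY"


def lookup(request: dict, dotted: str):
    """Resolve a dotted attribute path such as HttpRequest.AccessToken.client_id.

    Returns None when any segment is missing, which models a request whose
    token carries no client_id at all (assumed behaviour for this example).
    """
    node = request
    for part in dotted.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


@dataclass(frozen=True)
class Rule:
    name: str        # e.g. "Client: client1"
    attribute: str   # attribute compared in the Condition section
    expected: str    # value compared with Equals
    effect: str = PERMIT

    def evaluate(self, request: dict) -> Optional[str]:
        # Equals is modelled as exact, case-sensitive string equality.
        if lookup(request, self.attribute) == self.expected:
            return self.effect
        return None  # condition not met: rule is not applicable


@dataclass
class Policy:
    name: str
    rules: list
    advice_on_deny: str  # advice attached at the policy level (step 16)

    def evaluate(self, request: dict) -> dict:
        """Deny-unless-permit: PERMIT if any rule permits, otherwise DENY."""
        for rule in self.rules:
            if rule.evaluate(request) == PERMIT:
                return {"decision": PERMIT, "rule": rule.name, "advice": []}
        # No rule permitted: the policy denies and the advice is emitted.
        return {"decision": DENY, "rule": None, "advice": [self.advice_on_deny]}


PERMITTED_CLIENTS = Policy(
    name="Permitted Clients",
    rules=[
        Rule("Client: client1", "HttpRequest.AccessToken.client_id", "client1"),
        Rule("Client: client2", "HttpRequest.AccessToken.client_id", "client2"),
    ],
    advice_on_deny="Unauthorized Client",
)


def make_request(client_id: Optional[str] = None) -> dict:
    """Constructed sample request; client_id=None models a token without a client_id."""
    token = {} if client_id is None else {"client_id": client_id}
    return {"HttpRequest": {"AccessToken": token}}


def decide(client_id: Optional[str] = None) -> dict:
    """Evaluate the modelled policy for a request from the given client."""
    return PERMITTED_CLIENTS.evaluate(make_request(client_id))


if __name__ == "__main__":
    for cid in ("client1", "client2", "other-client", None):
        print(cid, decide(cid))
```

Adding a third allowed client in this model means appending one more `Rule` to `rules`, which mirrors adding one more Permit rule in the Policy Editor; the advice stays where it is because it is a property of the policy, not of any rule.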

Result

The completed configuration should resemble the following image.

A screen capture of the Permitted Clients policy window with a Combining Algorithm and two rules configured as specified, and an Unauthorized Client advice, flagged as Obligatory