PingAuthorize

Modifying the rule for the Create Game endpoint

Now that we have defined a policy that permits or denies the ability to create a game based on the email address of the person creating the game, we will modify the rule so that any user can create a game, but only those with real email addresses can create games with invitees. This section demonstrates how a policy can take an action based on data in the request body.

About this task

To review, the Meme Game API offers a game creation endpoint that looks like this:

POST /api/v1/games
{
    "data": {
        "type": "game",
        "attributes": {
            "invitees": ["friend@example.com"]
        }
    }
}

The requester specifies one or more invitees using the data.attributes.invitees field. We will update our policy with a second rule that disallows a new game if anybody else is invited to it.

Steps

  1. Define a Trust Framework attribute to represent the data.attributes.invitees field.

    1. In the Policy Editor, go to Trust Framework and click Attributes.

    2. From the menu, select Add new Attribute.

    3. For the name, replace Untitled with Meme Game invitees.

    4. Verify that in the Parent field, no parent is selected.

      To remove a parent, click the delete icon to the right of the Parent field.

    5. Click the next to Resolvers and click Add Resolver.

    6. Set Resolver type to Attribute.

    7. Select the attribute HttpRequest.RequestBody.

    8. Click the next to Value Processors and click Add Processor.

    9. Set Processor to JSON Path.

    10. Set the value to $.data.attributes.invitees.

    11. Set Value type to Collection.

    12. For Value Settings, select Default value and specify square brackets ([]) to indicate an empty collection.

    13. Set Type to Collection.

    14. Click Save changes.

      The following image shows the new attribute.

      Screen capture of the

    This Trust Framework attribute introduces resolvers and value processors, which are two important components. To better understand these components, see For further consideration: Resolvers and value processors.

  2. Modify a rule to use the Meme Game invitees attribute we just created.

    1. In the Policy Editor, go to Policies.

    2. Select the Users starting a new game policy.

    3. Rename the Deny if token subject ends with @example.com rule to Deny if token subject ends with @example.com AND request contains invitees.

    4. Expand the rule by clicking its icon.

    5. For Effect, select Deny.

    6. Specify a second comparison.

      1. Click Comparison.

      2. From the Select an Attribute list, select Meme Game invitees.

      3. In the second field, select Does Not Equal.

      4. In the third field, type [].

    7. Click Save changes.

    The following image shows the rule.

    Screen capture of the

  3. Test the policy.

    As before, you can test your policy by sending an HTTP request or using the Policy Editor test interface. Try testing using the following combinations of inputs:

    • An access token with the subject user.0@example.com and with invitees.

      This should be denied.

    • An access token with the subject user.0@my-company.com and with invitees.

      This should be permitted.

    • An access token with the subject user.0@example.com and no invitee list.

      This should be permitted.

    • An access token with the subject user.0@my-company.com and no invitee list.

    This should be permitted.