PingAuthorize

Authenticating API server requests

As with the PingAuthorize API Security Gateway mode, API server requests that the Sideband API authorizes do not strictly require authentication. However, the default policy set requires bearer token authentication.

About this task

The Sideband API uses configured Access Token Validators to evaluate bearer tokens that are included in incoming requests. The HttpRequest.AccessToken attribute supplies the validation result to the policy request, and the TokenOwner attribute provides the user identity that is associated with the token.

Policies use this authentication information to affect the processing requests and responses. For example, the following policy in the default policy set requires all requests to be made with an active access token.

Rule: Deny if HttpRequest.AccessToken.active Equals false

Advice:
  Code: denied-reason
  Applies To: Deny
  Payload: {"status":401, "message": "invalid_token", "detail":"Access token is expired or otherwise invalid"}

The following table identifies the configuration properties that determine the manner in which Sideband API Endpoints handle authentication.

Property Description

http-auth-evaluation-behavior

Determines whether the Sideband API Endpoint evaluates bearer tokens, and if so, whether the Sideband API Endpoint forwards them to the API server by way of the API gateway.

access-token-validator

Sets the Access Token Validators that the Sideband API Endpoint uses. As this property contains no value by default, the Sideband API Endpoint can potentially use each Access Token Validator that is configured on the server to evaluate every bearer token.

To constrain the set of Access Token Validators that a Sideband API Endpoint uses, set this property to use one or more specific values.

This setting is ignored if http-auth-evaluation-behavior is set to do-not-evaluate.