Attaching the PingAuthorize Shared Flow to API proxies
About this task
To attach the PingAuth Shared Flow to the API proxies where you want to use PingAuthorize as the external authorization policy runtime service:
Steps
-
Add a Flow Callout policy:
-
Go to one of your APIs in Develop → API Proxies and click the Develop tab.
Ensure you are on the latest revision of the proxy.
-
Click the icon to add a policy to the Policies list.
-
In the Extension section, click Flow Callout.
-
Select PingAuth from the Shared Flow list. Enter a policy name and then click Add.
-
-
Attach the Flow Callout policy to flows.
Because PingAuthorize typically provides fine-grained authorization, you should integrate PingAuthorize late in the PreFlow of the request to the proxy endpoint, after the coarse-grained authentication and authorization functions. See the Apigee documentation for more information on integrating PingAuthorize.
-
In the Proxy Endpoints list on the left navigation pane, select PreFlow, and then click +Step in the Request section to add a flow step to the request.
-
On the Existing tab of Policy instance, select the Flow Callout policy that you created previously and click Add.
-
In the Target Endpoints list on the left navigation pane, select PreFlow, and then click +Step in the Response section to add a flow step to the response.
This allows PingAuthorize to process the API response from the target API before it is processed by Apigee.
-
On the Existing tab of the Policy instance, select and add the previously created Flow Callout policy.
-
-
Save and deploy the updated proxy.
Next steps
Configure fine-grained authorization policies in your PingAuthorize Policy Editor. To understand how to target specific API requests and extract other HTTP metadata to use in your policies, see Sideband API policy requests.