PingAuthorize

Getting a path component from the request URL

For this use case, the resource owner is given in the URL for the meme game API. Getting the owner requires pulling the corresponding path component from the request URL.

Before you begin

This procedure assumes you have created a meme game API server named meme-game, similar to the one shown in the "Configure an API External Server for the Meme Game API" step in Configuring a reverse proxy for the Meme Game API.

About this task

In general, you can configure PingAuthorize to control access based on the path component that best suits your needs. For example, consider the /purchases/1234 path. The purchases component is a class of resources, while 1234 is a specific resource for a given purchase.

The meme game API has URLs of the form meme-game/api/v1/users/user.0/answers. The user.0 path component is a specific resource owner. The following steps explain how to get the specific resource owner from a request URL.

Steps

  1. In the PingAuthorize administrative console, create a new gateway API endpoint.

    A Gateway API Endpoint controls how PingAuthorize Server proxies incoming HTTP client requests to an upstream API server.

    1. In the administrative console, click Configuration and then Gateway API Endpoints.

    2. Click New Gateway API Endpoint.

    3. For Name, specify meme-game user_answers.

    4. For Inbound Base Path, specify /meme-game/api/v1/users/{UserFromUrl}/answers.

      The inbound base path defines the base request path for requests to be received by PingAuthorize Server.

      Using the curly braces ({ and }) around a string creates an item with the name given by the string so that we can refer to it later. That notation also preserves the item to pass along in the next step.

    5. For Outbound Base Path, specify /api/v1/users/{UserFromUrl}/answers.

      The outbound base path defines the base request path for requests that PingAuthorize Server forwards to an API server.

    6. For API Server, specify meme-game. This is the API External Server you defined previously.

    7. For Service, specify meme-game.user_answers.

      You will use this service in the PingAuthorize Policy Editor to get a value to define an attribute.

      The following image shows this configuration.

      Screen capture that shows the new gateway API endpoint configured as specified

    8. Save your changes.

  2. Send a test request to the gateway to see how PingAuthorize handles the request. The following request uses Postman.

    Screen capture of Postman making a request to https://localhost:7443/meme-game/api/v1/users/user.0 as user.1

  3. Check the request in the Policy Editor.

    Go to Policies in the left pane and then click Decision Visualiser along the top. Under Recent Decisions, click the Refresh icon. Select the decision and click Request.

    In the request, the attributes include a Gateway object. Items set in the gateway API endpoint in the previous step are in this Gateway object. One of the items in the object is UserFromUrl, providing the exact path component we want. The following image shows the Gateway object.

    Screen capture that shows the Decision Visualiser where the decision’s request has a gateway object that includes UserFromUrl

  4. Create an attribute to pull UserFromUrl from the object.

    1. Go to Trust Framework and then click Attributes along the top.

    2. From the menu, select Add new Attribute.

    3. For the name, replace Untitled with Users identifier from the URL.

    4. Click the icon next to Resolvers and click Add Resolver.

    5. Set Resolver type to Attribute and select the Gateway attribute.

    6. Click the icon next to Value Processors and click Add Processor.

    7. Set Processor to JSON Path to pull an item from a JSON object and specify a value of $.UserFromUrl.

      The following image shows this configuration.

      Screen capture of the attribute to pull UserFromUrl from the object, configured as specified

    8. Click Save changes.

  5. Test the new attribute.

    1. Click Test just above the attribute name.

    2. Pass in a gateway object that uses UserFromUrl.

      In the Request, set Attributes to Gateway and specify a value of {"UserFromUrl":"user.0"}.

      The next image shows the test setup.

      Screen capture of test where the request sets a Gateway attribute, configured as specified

    3. Click Execute.

      The test result should be user.0.

Result

The Users identifier from the URL attribute is available for use in policies.
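
The capture and JSON Path steps above, modelled in Python as an added example. This is not PingAuthorize code: the function names, the rule that a placeholder matches exactly one path segment, and the handling of a trailing sub-path are assumptions of the sketch.

```python
import json
import re

# Base paths taken from the steps above.
INBOUND = "/meme-game/api/v1/users/{UserFromUrl}/answers"
OUTBOUND = "/api/v1/users/{UserFromUrl}/answers"


def compile_template(template):
    """Turn a base path with {Name} placeholders into a regex.

    Assumption of this sketch: a placeholder captures exactly one path
    segment, so a captured value can never contain "/".
    """
    parts = re.split(r"\{(\w+)\}", template)
    pattern = ""
    for i, part in enumerate(parts):
        # Even indexes are literal text, odd indexes are placeholder names.
        pattern += re.escape(part) if i % 2 == 0 else f"(?P<{part}>[^/]+)"
    # Base path: match the prefix, then end of path or a further "/..." suffix.
    return re.compile(pattern + r"(?P<_rest>/.*)?$")


def route(request_path):
    """Return (gateway_object, outbound_path), or None if the path does not match."""
    m = compile_template(INBOUND).match(request_path)
    if m is None:
        return None
    gateway = {k: v for k, v in m.groupdict().items() if not k.startswith("_")}
    outbound = OUTBOUND.format(**gateway) + (m.group("_rest") or "")
    return gateway, outbound


def json_path_field(obj_json, expr):
    """Resolve the simple '$.Name' form used in step 4 against a JSON object."""
    if not re.fullmatch(r"\$\.\w+", expr):
        raise ValueError("only $.Name expressions are handled in this sketch")
    return json.loads(obj_json).get(expr[2:])


if __name__ == "__main__":
    gateway, outbound = route("/meme-game/api/v1/users/user.0/answers")
    print(gateway, outbound)
    print(json_path_field(json.dumps(gateway), "$.UserFromUrl"))
    print(route("/meme-game/api/v1/users/answers"))  # no owner segment
```
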