Sideband API policy request attributes

The following tables provide an overview of policy request attributes.

Policy request attributes are associated with a policy request that the Sideband API generates.

Attribute Description Type

Attribute	Description	Type
`action`	Identifies the request-processing phase and the HTTP method, such as `GET` or `POST`. The value is formatted as `<phase>-<method>`. Example values include `inbound-GET`, `inbound-POST`, `outbound-GET`, and `outbound-POST`.	String
`attributes`	Additional attributes that do not correspond to a specific entity type in the Trust Framework. For more information, see the next table.	Object
`domain`	Unused.	String
`identityProvider`	Name of the Access Token Validator that evaluates the bearer token in an incoming request.	String
`service`	Identifies the API service. By default, this value is set to the name of the Sideband API Endpoint. To override the default value, set the Sideband API Endpoint’s `service` property. Multiple Sideband API Endpoints can use the same service value.	String

action

Identifies the request-processing phase and the HTTP method, such as GET or POST.

The value is formatted as <phase>-<method>. Example values include inbound-GET, inbound-POST, outbound-GET, and outbound-POST.

String

attributes

Additional attributes that do not correspond to a specific entity type in the Trust Framework.

For more information, see the next table.

Object

domain

Unused.

String

identityProvider

Name of the Access Token Validator that evaluates the bearer token in an incoming request.

String

service

Identifies the API service. By default, this value is set to the name of the Sideband API Endpoint.

To override the default value, set the Sideband API Endpoint’s service property.

Multiple Sideband API Endpoints can use the same service value.

String

The following table identifies the additional attributes that are included in attributes.

Attribute Description Type

Attribute	Description	Type
`Gateway`	Additional gateway-specific information about the request not provided by the following attributes.	Object
`HttpRequest.AccessToken`	Parsed access token. For more information, see the following table.	Object
`HttpRequest.ClientCertificate`	Properties of the client certificate, if one was used.	Object
`HttpRequest.CorrelationId`	A unique value that identifies the request and response, if available.	String
`HttpRequest.IPAddress`	The client IP address.	String
`HttpRequest.QueryParameters`	Request URI query parameters.	Object
`HttpRequest.RequestBody`	The request body, if available.	Object
`HttpRequest.RequestHeaders`	The HTTP request headers.	Object
`HttpRequest.RequestURI`	The request URI.	String
`HttpRequest.ResourcePath`	Portion of the request URI path that follows the inbound base path that the Sideband API Endpoint defines.	String
`HttpRequest.ResponseBody`	The response body, if available. This attribute is provided only for outbound policy requests.	Object
`HttpRequest.ResponseHeaders`	The HTTP response headers, if available.	Object
`HttpRequest.ResponseStatus`	The HTTP response status code, if available.	Number
`TokenOwner`	The access token subject as a SCIM resource, as obtained by the access token validator.	Object

Gateway

Additional gateway-specific information about the request not provided by the following attributes.

Object

HttpRequest.AccessToken

Parsed access token.

For more information, see the following table.

Object

HttpRequest.ClientCertificate

Properties of the client certificate, if one was used.

Object

HttpRequest.CorrelationId

A unique value that identifies the request and response, if available.

String

HttpRequest.IPAddress

The client IP address.

String

HttpRequest.QueryParameters

Request URI query parameters.

Object

HttpRequest.RequestBody

The request body, if available.

Object

HttpRequest.RequestHeaders

The HTTP request headers.

Object

HttpRequest.RequestURI

The request URI.

String

HttpRequest.ResourcePath

Portion of the request URI path that follows the inbound base path that the Sideband API Endpoint defines.

String

HttpRequest.ResponseBody

The response body, if available. This attribute is provided only for outbound policy requests.

Object

HttpRequest.ResponseHeaders

The HTTP response headers, if available.

Object

HttpRequest.ResponseStatus

The HTTP response status code, if available.

Number

TokenOwner

The access token subject as a SCIM resource, as obtained by the access token validator.

Object

When handling an outbound response, HTTP request data is only available if specifically provided by the API gateway plugin.

The following table identifies the fields that are associated with the HttpRequest.AccessToken attribute, which is populated by the access token validator.

These fields correspond approximately to the fields that are defined by the IETF Token Introspection specification, RFC 7662.

Attribute Description Type

Attribute	Description	Type
`access_token`	The actual access token from the client request.	String
`active`	Indicates whether this access token is currently active, as determined by the access token validator.	Boolean
`audience`	Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to identify the resource servers that can accept the token.	Array
`client_id`	Client ID of the application that was granted the access token.	String
`expiration`	Date and time at which the access token expired.	DateTime
`issued_at`	Date and time at which the access token was issued.	DateTime
`issuer`	Token issuer. Typically, this value is a URI that identifies the authorization server.	String
`not_before`	Date and time before which a resource server does not accept an access token.	DateTime
`scope`	Identifies the list of scopes granted to this token.	Collection
`subject`	Token subject. This value represents a user identifier that the authorization server sets.	String
`token_owner`	User identifier that was resolved by the access token validator’s token resource lookup method. This value is always a SCIM ID of the form `<resource type>/<resource ID>`.	String
`token_type`	Token type, as set by the authorization server. Typically, this value is `bearer`.	String
`user_token`	Flag that the access token validator sets to indicate the token was originally issued to a subject. If the flag is `false`, the token contains no subject and was issued directly to a client.	Boolean
`username`	Subject’s user name. This value represents a user identifier that the authorization server sets.	String

access_token

The actual access token from the client request.

String

active

Indicates whether this access token is currently active, as determined by the access token validator.

Boolean

audience

Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to identify the resource servers that can accept the token.

Array

client_id

Client ID of the application that was granted the access token.

String

expiration

Date and time at which the access token expired.

DateTime

issued_at

Date and time at which the access token was issued.

DateTime

issuer

Token issuer. Typically, this value is a URI that identifies the authorization server.

String

not_before

Date and time before which a resource server does not accept an access token.

DateTime

scope

Identifies the list of scopes granted to this token.

Collection

subject

Token subject. This value represents a user identifier that the authorization server sets.

String

token_owner

User identifier that was resolved by the access token validator’s token resource lookup method. This value is always a SCIM ID of the form <resource type>/<resource ID>.

String

token_type

Token type, as set by the authorization server. Typically, this value is bearer.

String

user_token

Flag that the access token validator sets to indicate the token was originally issued to a subject. If the flag is false, the token contains no subject and was issued directly to a client.

Boolean

username

Subject’s user name. This value represents a user identifier that the authorization server sets.

String

The following table identifies the fields that the HttpRequest.ClientCertificate attribute can contain.

Attribute Description Type

Attribute	Description	Type
`algorithm`	Name of the certificate signature algorithm, such as `SHA256withRSA`.	String
`algorithmOID`	Signature algorithm OID.	String
`issuer`	Distinguished name (DN) of the certificate issuer.	String
`notAfter`	Expiration date and time of the certificate.	DateTime
`notBefore`	Earliest date on which the certificate is considered valid.	DateTime
`subject`	DN of the certificate subject.	String
`subjectRegex`	Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client.	String
`valid`	Indicates whether the SSL client certificate is valid.	Boolean

algorithm

Name of the certificate signature algorithm, such as SHA256withRSA.

String

algorithmOID

Signature algorithm OID.

String

issuer

Distinguished name (DN) of the certificate issuer.

String

notAfter

Expiration date and time of the certificate.

DateTime

notBefore

Earliest date on which the certificate is considered valid.

DateTime

subject

DN of the certificate subject.

String

subjectRegex

Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client.

String

valid

Indicates whether the SSL client certificate is valid.

Boolean

The following table identifies the fields that the Gateway attribute can contain.

Attribute Description Type

Attribute	Description	Type
`_BasePath`	Portion of the HTTP request URI that matches the Sideband API Endpoint’s `base-path` value.	String
`_TrailingPath`	Portion of the HTTP request URI that follows the `_BasePath`.	String
`base path parameters`	Parameters in a Sideband API Endpoint’s `base-path` configuration property are included as fields of the `Gateway` attribute.	String
`base path parameters`	The `Gateway` attribute can contain multiple, arbitrary custom attributes that are defined by the `policy-request-attribute` of the Sideband API Endpoint configuration.	String

_BasePath

Portion of the HTTP request URI that matches the Sideband API Endpoint’s base-path value.

String

_TrailingPath

Portion of the HTTP request URI that follows the _BasePath.

String

base path parameters

Parameters in a Sideband API Endpoint’s base-path configuration property are included as fields of the Gateway attribute.

String

base path parameters

The Gateway attribute can contain multiple, arbitrary custom attributes that are defined by the policy-request-attribute of the Sideband API Endpoint configuration.

String

PingAuthorize

Sideband API policy request attributes