PingGateway 2024.9

PingOneApiAccessManagementFilter

Use the PingOneApiAccessManagementFilter with PingOne Authorize’s API Access Management capability, where the PingOne API moderates requests and responses as follows:

  • Allows requests, optionally instructing PingGateway to edit the requests.

  • Rejects requests, instructing PingGateway on how to respond to the client, such as with an HTTP 403 and a custom message.

  • Instructs PingGateway to update responses from the backend; for example, instructions to remove content from the response body or to add or remove headers.

The filter sends the following elements to the PingOne API for the request:

  • Client IP address

  • Client port

  • HTTP method used

  • URL targeted

  • HTTP version used

  • HTTP headers

  • HTTP content (if the content matches any of the optional includeBodyContentTypes)

The filter sends the following elements to the PingOne API for the response:

  • Original URL queried

  • Original method called

  • HTTP status code

  • HTTP status message

  • HTTP version

  • HTTP headers

  • HTTP content (if the content matches any of the optional includeBodyContentTypes)

Usage

{
  "name": string,
  "type": "PingOneApiAccessManagementFilter",
  "config": {
    "gatewayServiceUri": configuration expression<url>,
    "secretsProvider": SecretsProvider reference,
    "gatewayCredentialSecretId": configuration expression<secret-id>,
    "includeBodyContentTypes": [ configuration expression<string> ] || configuration expression<string>,
    "sidebandHandler": Handler reference,
    "accessToken": runtime expression<string>
  }
}

Configuration

"gatewayServiceUri": configuration expression<url>, required

The URL of the API gateway in the PingOne API.

To find the URL, go to your PingOne Authorize environment, select Authorization > API gateways, and note the value of the Service URL.

"secretsProvider": SecretsProvider reference, required

The SecretsProvider to query for the credential to access the PingOne API.

"gatewayCredentialSecretId": configuration expression<secret-id>, required

The secret ID of the PingOne API credential.

The secret ID must point to a GenericSecret in the secretsProvider.

To add the credential, go to your PingOne Authorize environment, select Authorization > API gateways, and select your gateway.

"includeBodyContentTypes": array of configuration expression<string>, optional

If any of these content types are present, include the body of the request or response in the request to the PingOne API.

Including the body in every request and response can impact the HTTP exchange latency.

Default: Do not send the request body to the PingOne API.

"sidebandHandler": Handler reference, optional

An HTTP client handler to use to contact the PingOne API.

The handler sends requests and responses to the HTTP Access Policy service. It then processes authorization decisions to accept, reject, or rewrite requests and responses.

Default: ForgeRockClientHandler

"accessToken": runtime expression<string>, optional

The location of the access token to send to the PingOne API.

Default: none, the token is expected to be present in the request’s "Authorization" header.
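
The following route is an added example, not taken from the PingGateway documentation, showing how the properties above fit together. The route name, condition, baseURI, heap object name, secret ID, and Service URL are placeholder assumptions; it also assumes the credential is supplied through a SystemAndEnvSecretStore and that unrecognized "comment" fields are ignored by PingGateway.

```json
{
  "name": "pingone-aam-example",
  "comment": "Constructed example: replace the placeholder URLs and secret ID with values from your environment.",
  "baseURI": "https://backend.example.com:8443",
  "condition": "${find(request.uri.path, '^/api')}",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "name": "PingOneApiAccessManagementFilter-1",
          "type": "PingOneApiAccessManagementFilter",
          "config": {
            "gatewayServiceUri": "https://SERVICE-URL-PLACEHOLDER.example.com",
            "secretsProvider": "SystemAndEnvSecretStore-1",
            "gatewayCredentialSecretId": "gateway.credential.secret.id",
            "includeBodyContentTypes": [ "application/json" ]
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

Because includeBodyContentTypes lists only application/json, bodies of other content types are not sent to the PingOne API, which limits both the added latency and the data shared with the policy service. With accessToken omitted, the filter expects the token in the request's Authorization header.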