---
title: Capture client identifiers - Sideband
description: ASE identifies attackers for HTTP(s) protocol using five client identifiers:
component: pingintelligence
version: 5.1
page_id: pingintelligence:api_security_enforcer:pingintelligence_capture_client_identifiers
canonical_url: https://docs.pingidentity.com/pingintelligence/5.1/api_security_enforcer/pingintelligence_capture_client_identifiers.html
revdate: April 3, 2024
section_ids:
  configure-ase-support-for-oauth2-tokens: Configure ASE support for OAuth2 tokens
  configure-ase-support-for-api-keys: Configure ASE support for API keys
---

# Capture client identifiers - Sideband

ASE identifies attackers for HTTP(s) protocol using five client identifiers:

* Username

* API keys

* OAuth2 token

* Cookie

* IP address

|   |                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | ASE supports the extraction of usernames coming in a JSON Web Tokens( JWTs) or custom headers. For more information, see [Extract user information from JWT in sideband mode](pingintelligence_exactract_user_informaton_jwt_sideband.html) and [Extract username from custom header in sideband mode](pingintelligence_extract_username_custom_header_sideband.html). ASE can also receive Usernames from a gateway policy, when ASE is deployed in a sideband mode. The PingIntelligence ABS AI engine identifies them based on metadata logged in ASE's access log files. |

The following sections describe how to configure ASE to capture OAuth2 Tokens and API keys.

## Configure ASE support for OAuth2 tokens

ASE supports capturing and blocking of OAuth2 tokens. To enable OAuth2 token capture, set the value of `oauth2_access_token` to `true` in the API JSON file. Here is a snippet of an API JSON file with OAuth2 token capture activated. To disable, change the value to `false`.

```
"api_metadata": {
	 "protocol": "http",
	 "url": "/",
	 "hostname": "*",
	 "cookie": "",
				"cookie_idle_timeout": "200m",
				"logout_api_enabled": false,
				"cookie_persistence_enabled": true,
				"oauth2_access_token": true,
				"is_token_mandatory": false,
				"apikey_qs": "",
				"apikey_header": "",
				"login_url": "",
				"enable_blocking": true,
				"api_mapping": {
				"internal_url": ""
				},
```

When `enable_blocking` is `true`, ASE checks the token against the list of tokens in the whitelist and blacklist. If the token is in the blacklist, the client using the token is immediately blocked. Further, when `is_token_mandatory` is set to`true`, and the incoming request has a missing token, ASE adds the IP address of the client to blacklist and blocks the request.

|   |                                                                                                                                                                                                                              |
| - | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
|   | For ASE to check and block the client, `enable_firewall` and `enable_ase_detected_attack` must be set to `true` in [Sideband ASE configuration using the `ase.conf` file](pingintelligence_sideband_ase_configuration.html). |

The following diagram shows the traffic flow in an OAuth2 environment.

![dsk1564009016418](../../5.2/_images/dsk1564009016418.png)

## **Configure ASE support for API keys**

ASE supports capturing and blocking of API keys. Depending on the API setup, the API key can be captured from the query string or API header. Each API JSON file can be configured with either the query string (`apikey_qs`) or API header (`apikey_header`) parameter.

Here is a snippet of an API JSON file showing API key being configured to capture the API key from the Query String (`apikey_qs`).

```
"api_metadata": {
				"protocol": "http",
				"url": "/",
				"hostname": "*",
				"cookie": "",
				"cookie_idle_timeout": "200m",
				"logout_api_enabled": false,
				"cookie_persistence_enabled": true,
				"oauth2_access_token": true,
				"is_token_mandatory": false,
				"apikey_qs": "key_1.4",
				"apikey_header": "",
				"login_url": "",
				"enable_blocking": true,
				"api_mapping": {
				"internal_url": ""
				},
```

When an API key is included in the API JSON file, ASE supports blocking of API keys which are manually added to the blacklist.