PingOne

Tutorial 3: Fine-grained API authorization

Learn how to write a fine-grained custom policy in PingOne Authorize that authorizes an application interaction by comparing a combination of user attributes.

In the first tutorial, you configured PingOne Authorize and Kong Gateway to protect Meme Game APIs so that only an authorized client could access the APIs. You learned how PingOne Authorize hides the complexities of OAuth and OpenID Connect.

Now, suppose you are tasked with helping the Meme Game application team resolve a specific problem with an API. When starting a new game, the first player optionally invites other players using their email addresses. To prevent email spam, you’ll create a policy that prevents a player from starting a new game with other players if the first player’s email address comes from a generic domain.

In this custom policy, you’ll authorize a specific application interaction by comparing a combination of attributes, in this case, the first player’s email address and the invitee list. As with many custom policies, the business driver for this policy comes from outside the application team, specifically, the need to reduce email spam that impacts your organization’s mail reputation.
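To make the decision logic concrete before building it in the PingOne Authorize policy editor, here is an added reference implementation in plain Python; it is not PingOne Authorize policy code or Meme Game code. It assumes the request body carries the invitee list under a JSON key named `invitees` and uses a constructed list of generic domains; it also handles the edge cases a policy author has to decide on (no invitees, malformed body, malformed email attribute).

```python
import json

# Constructed set of generic mail domains for this example (an assumption,
# not a list shipped with PingOne Authorize or the Meme Game app).
GENERIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def email_domain(address):
    """Return the lowercased domain of an email address, or None if malformed."""
    if not isinstance(address, str) or address.count("@") != 1:
        return None
    local, domain = address.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def decide_new_game(user_email, request_body):
    """Decide a 'start new game' request: returns (decision, reason).

    user_email   - the authenticated first player's email (a user attribute)
    request_body - raw JSON body of the API request; the 'invitees' key is
                   an assumed field name for this example
    Deny only when the first player's domain is generic AND invitees exist.
    """
    try:
        body = json.loads(request_body)
    except (TypeError, ValueError):
        return "DENY", "request body is not valid JSON"
    if not isinstance(body, dict):
        return "DENY", "request body must be a JSON object"
    invitees = body.get("invitees", [])
    if not isinstance(invitees, list):
        return "DENY", "invitees must be a list"
    if not invitees:
        # Nobody is being emailed, so the spam concern does not apply.
        return "PERMIT", "no invitees"
    domain = email_domain(user_email)
    if domain is None:
        # Fail closed: an unusable attribute must not yield a permit.
        return "DENY", "first player's email attribute is malformed"
    if domain in GENERIC_DOMAINS:
        return "DENY", f"first player's domain {domain} is generic"
    return "PERMIT", f"first player's domain {domain} is not generic"
```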

Before you begin

Make sure:

What you’ll learn

You’ll learn how to:

  • Author custom policies for API operations

  • Use user attributes in policies

  • Extract attributes from API request bodies and use them in policies

  • Test policies

  • Examine recent decisions

What you’ll do

Follow these steps to complete the tutorial: