Tutorial 3: Fine-grained API authorization
Learn how to write a fine-grained custom policy in PingOne Authorize that authorizes an application interaction by comparing a combination of user attributes.
In the first tutorial, you configured PingOne Authorize and Kong Gateway to protect Meme Game APIs so that only an authorized client could access the APIs. You learned how PingOne Authorize hides the complexities of OAuth and OpenID Connect.
Now, suppose you are tasked with helping the Meme Game application team resolve a specific problem with an API. When starting a new game, the first player optionally invites other players using their email addresses. To prevent email spam, you’ll create a policy that prevents a player from starting a new game with other players if the first player’s email address comes from a generic domain.
In this custom policy, you’ll authorize a specific application interaction by comparing a combination of attributes, in this case, the first player’s email address and the invitee list. As with many custom policies, the business driver for this policy comes from outside the application team, specifically, the need to reduce email spam that impacts your organization’s mail reputation.
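The decision rule described above can be modelled in a few lines of code. The block below is an added illustration, not part of the original tutorial and not PingOne Authorize's policy language or engine: it assumes the start-game request body is JSON with an `invitees` array, takes the first player's email from a user attribute dictionary, and uses a constructed list of generic mail domains. It shows the two things the policy combines, a user attribute and an attribute extracted from the request body, and fails closed when either is missing or malformed.

```python
import json
from typing import Any, Dict, List

# Constructed list of generic (consumer / free) mail domains. This is an assumption
# for the example, not a list that PingOne Authorize ships or that the tutorial gives.
GENERIC_EMAIL_DOMAINS = frozenset({"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"})


def email_domain(email: Any) -> str:
    """Return the lower-cased domain part of an email address, or '' if it is unusable."""
    if not isinstance(email, str) or email.count("@") != 1:
        return ""
    local, _, domain = email.partition("@")
    if not local or not domain.strip():
        return ""
    return domain.strip().lower()


def invitees_from_body(body: str) -> List[str]:
    """Extract the invitee list from the JSON request body of a start-game call.

    The body shape ({"invitees": [...]}) is assumed for this example. A body that is
    not valid JSON raises ValueError so the caller can fail closed instead of treating
    an unreadable request as 'no invitees'.
    """
    try:
        data = json.loads(body)
    except (json.JSONDecodeError, TypeError) as exc:
        raise ValueError("request body is not valid JSON") from exc
    invitees = data.get("invitees", []) if isinstance(data, dict) else []
    if not isinstance(invitees, list):
        return []
    return [i for i in invitees if isinstance(i, str) and i]


def decide_start_game(user: Dict[str, Any], body: str) -> Dict[str, str]:
    """Return {'decision': 'PERMIT' | 'DENY', 'reason': ...} for a start-game request.

    Rule from the tutorial: deny when the first player's email is on a generic domain
    AND the request invites at least one other player. Starting a game alone is always
    permitted. A missing or malformed email, or an unreadable body, is denied (fail closed).
    """
    try:
        invitees = invitees_from_body(body)
    except ValueError as exc:
        return {"decision": "DENY", "reason": str(exc)}
    if not invitees:
        return {"decision": "PERMIT", "reason": "no invitees, spam rule does not apply"}
    domain = email_domain(user.get("email"))
    if not domain:
        return {"decision": "DENY", "reason": "first player has no usable email address"}
    if domain in GENERIC_EMAIL_DOMAINS:
        return {"decision": "DENY", "reason": f"generic domain {domain} may not invite players"}
    return {"decision": "PERMIT", "reason": f"{domain} is not a generic domain"}


if __name__ == "__main__":
    # Constructed sample request: the first player invites two others.
    sample_body = json.dumps({"invitees": ["alice@example.com", "bob@example.com"]})
    for sample_user in ({"email": "Player1@GMAIL.com"}, {"email": "player1@example.org"}, {}):
        print(sample_user.get("email"), "->", decide_start_game(sample_user, sample_body))
```

Two design points carry over to the real policy: the domain comparison is case-insensitive, because `Player1@GMAIL.com` and `player1@gmail.com` are the same mailbox, and an absent email attribute denies rather than silently passing the "not generic" check. When you build the policy in PingOne Authorize, test the same three cases (generic domain with invitees, non-generic domain with invitees, no invitees) so the decision log shows each branch.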
Before you begin
Make sure:
- PingOne SSO and PingOne Authorize are in your PingOne environment. For more information, see Getting started with PingOne Authorize.
- You’ve completed Tutorial 1: Controlling access to APIs managed by an API service to set up the environment you need for this tutorial.
What you’ll learn
You’ll learn how to:
- Author custom policies for API operations
- Use user attributes in policies
- Extract attributes from API request bodies and use them in policies
- Test policies
- Examine recent decisions
What you’ll do
Follow these steps to complete the tutorial:
- Add Meme Game users in PingOne.
- Define an API operation that requires custom policies.
- Add an attribute for the game invitee list.
- Create and test a policy that checks specific conditions for the API operation.
- Test the end-to-end use case using Postman.