Getting memes of another user
Demonstrate access control for specific API operations by signing on as users with different permissions.
About this task
To act as a user, you’ll use Postman’s built-in ability to do OpenID Connect sign-on. Sign on as the game administrator and get an access token to allow Postman to act as the administrator. Then, repeat this for the game player. You’ll demonstrate access control by sending a request to review submitted memes as the administrator and then as the player.
Steps
1. In Postman, go to Collections and click PingOne Authorize: API Access Management Tutorials to open the collection.
2. At the bottom of the Authorization tab, click Clear cookies.
3. Click Get New Access Token.
   Result: Postman launches the sign-on flow. You’ll sign on as the gameadmin user with the password you saved earlier.
4. For the Username, enter gameadmin.
5. For the Password, enter the password you saved earlier. Click Sign On.
   Now you’ll change the password for the gameadmin user.
6. For Current Password, enter the one-time password (OTP) again.
7. Enter a New Password, and then enter it again in Verify New Password.
   Copy the password to a convenient location. You’ll need it to sign on later.
8. Click Save.
9. When authentication is complete, click Proceed or wait for the confirmation box to time out.
10. In Manage Access Tokens, click the Pencil icon and change the Token Name to gameadmin. Press Enter. This makes it easier to keep track of which user the token is for.
11. Click Use Token.
    Result: Now Postman has an access token to act as the gameadmin user.
Try the request to review submitted memes as the administrator.
12. Select the User gets memes of another user request and click Send.
    Result: Success! You get a 200 OK response with data in the response body.
Now you’ll get an access token to allow Postman to act as the gameplayer user.
13. To get an access token for the gameplayer user, repeat steps 1-11, with the following changes:
    - In step 4, enter gameplayer for the Username.
    - In step 10, change the Token Name to gameplayer.
    Result: Now you have an access token that allows Postman to act as the gameplayer user.
Repeat the request to see whether the player can review submitted memes.
14. Select the User gets memes of another user request and click Send.
    Result: You get a 403 Forbidden response. This demonstrates that the player can’t review another user’s submitted memes.
    Because you have both tokens, you can have Postman act as the administrator or the player by selecting the corresponding token in the Access Token list on the Authorization tab.
Congratulations! You’ve demonstrated that only administrators can review submitted memes.
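The same two-token comparison, scripted so it can be rerun as a regression check whenever the authorization policy changes. This is an added example, not part of the tutorial or of PingOne's tooling; the request URL and the two access tokens are placeholders you copy from the Postman collection and from Manage Access Tokens.

```python
"""Automated version of the admin-vs-player check from the tutorial above."""
import urllib.error
import urllib.request
from typing import Callable, Dict

# Assumed placeholder: substitute the URL of the "User gets memes of another
# user" request from the collection.
MEMES_OF_OTHER_USER_URL = "https://api.example.invalid/memes?user=someone-else"

# Expected outcome per user, exactly as the tutorial demonstrates.
EXPECTED_STATUS = {"gameadmin": 200, "gameplayer": 403}


def http_status(url: str, token: str) -> int:
    """Send the request with the given Bearer token and return the HTTP status."""
    req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 403 and other error statuses arrive as exceptions


def check_access_control(tokens: Dict[str, str],
                         send: Callable[[str, str], int] = http_status) -> Dict[str, str]:
    """Send the identical request once per user and compare with EXPECTED_STATUS.

    Returns user -> "ok" or a description of the mismatch. The case that matters
    most is the player receiving 200: that means the administrator-only
    operation is reachable by ordinary users.
    """
    results: Dict[str, str] = {}
    for user, expected in EXPECTED_STATUS.items():
        if user not in tokens:
            results[user] = "no token supplied"
            continue
        actual = send(MEMES_OF_OTHER_USER_URL, tokens[user])
        if actual == expected:
            results[user] = "ok"
        elif user == "gameplayer" and actual == 200:
            results[user] = "FAIL: player can read another user's memes (expected 403, got 200)"
        else:
            results[user] = f"mismatch: expected {expected}, got {actual}"
    return results


if __name__ == "__main__":
    # Placeholders: paste the two tokens obtained in Postman.
    tokens = {"gameadmin": "<gameadmin access token>",
              "gameplayer": "<gameplayer access token>"}
    for user, outcome in check_access_control(tokens).items():
        print(f"{user}: {outcome}")
```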
Troubleshooting:
Not getting the right results? See Viewing API Access Management events in your PingOne environment audit log.
Result
In this tutorial, you configured group-based access control for a protected API operation and demonstrated that only authorized users can perform the privileged action.