Add an OAuth attribute rule to examine a request and determine whether to grant access to a target service based on a match found between the attributes associated with an OAuth access token and attribute values specified in the rule.
- Click Access and then go to .
- Click + Add Rule.
In the Name field, enter a unique name, up to 64
Special characters and spaces are allowed.
- From the Type list, select OAuth Attribute.
- From the Attribute Name list, select the attribute name you want to match to an attribute associated with an OAuth access token.
In the Attribute Value field, enter the value to
The attribute values come from the contract in your OAuth access token manager in PingFederate. For more information, see Defining the Access Token Attribute Contract.
Add additional rows of attribute name and value pairs as needed.
If multiple rows are included here, all conditions must match for the rule to match.
Select Negate if, when a match is found, access is not
Verify what you enter for the attribute. If you enter an attribute that does not exist, such as if the attribute is misspelled, and you select Negate, the rule will always succeed.
To configure rejection handling, click Show Advanced
Settings, then select a rejection handling method:
If you select Basic, you can customize an error message to display as part of the default error page rendered in the end-user's browser if rule evaluation fails. This page is among the templates you can modify with your own branding or other information. If you select Basic, provide this information:
- If you select Default, use the Rejection Handler list to select an existing rejection handler that defines whether to display an error template or redirect to a URL.
- If you select Basic,, you can customize an error
message to display as part of the default error page rendered in the end user's
browser if rule evaluation fails. This page is among the templates you can
modify with your own branding or other information. If you select
Basic, provide this information:
- In the Error Response Code field, enter the HTTP status response code to send if rule evaluation fails. The default is 403.
- In the Error Response Status Message field, enter the HTTP status response message to send if rule evaluation fails. The default is Forbidden.
- In the Error Response Template File field, enter the HTML template page for customizing the error message that displays if rule evaluation fails. This template file is located in the <PA_HOME>/conf/template/ directory.
- From the Error Response Content Type list, select the type of content for the error response. This lets the client properly display the response.
- Click Save.