The API security gateway authenticates requests through bearer tokens by default, and you can configure how it handles authentication. The gateway itself does not strictly require that requests be authenticated, but the default policy set does require bearer token authentication.
To support this approach, the gateway uses the configured access token validators to evaluate bearer tokens that are included in incoming requests. The result of that validation is supplied to the policy request in the `HttpRequest.AccessToken` attribute, and the user identity associated with the token is provided in the `TokenOwner` attribute.
Policies use this authentication information to affect the processing of requests and responses. For example, a policy in the default policy set requires that all requests are made with an active access token.
```
Rule: Deny if HttpRequest.AccessToken.active Equals false
Statement:
  Code: denied-reason
  Applies To: Deny
  Payload: {"status":401, "message": "invalid_token", "detail":"Access token is expired or otherwise invalid"}
```
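The following added example (not the gateway's own code) models the flow described above: a validator evaluates the bearer token, the outcome is placed in `HttpRequest.AccessToken` and `TokenOwner`, and the default deny rule is applied to produce the 401 payload. The token store, token strings and claim layout are constructed for illustration.

```python
import time

# Payload of the default policy set's denied-reason statement (from the page).
DENIED_REASON = {
    "status": 401,
    "message": "invalid_token",
    "detail": "Access token is expired or otherwise invalid",
}

# Constructed token store a validator might consult (hypothetical data):
# bearer token string -> claims. Expiry values are Unix timestamps.
TOKEN_STORE = {
    "tok-good": {"sub": "alice", "exp": 4102444800, "revoked": False},
    "tok-expired": {"sub": "bob", "exp": 946684800, "revoked": False},
    "tok-revoked": {"sub": "carol", "exp": 4102444800, "revoked": True},
}


def extract_bearer(headers):
    """Return the bearer token from an Authorization header, or None."""
    scheme, _, token = headers.get("Authorization", "").partition(" ")
    return token if scheme.lower() == "bearer" and token else None


def validate_bearer(token, now=None):
    """Model of an access token validator: returns the value that becomes
    HttpRequest.AccessToken (active flag plus claims) and the TokenOwner."""
    now = time.time() if now is None else now
    claims = TOKEN_STORE.get(token)
    if claims is None:
        return {"active": False}, None
    active = (not claims["revoked"]) and claims["exp"] > now
    access_token = {"active": active, "sub": claims["sub"], "exp": claims["exp"]}
    return access_token, (claims["sub"] if active else None)


def build_policy_request(headers, now=None):
    """Assemble the attributes the policy request receives from the gateway."""
    token = extract_bearer(headers)
    access_token, owner = validate_bearer(token, now) if token else ({"active": False}, None)
    return {"HttpRequest": {"AccessToken": access_token}, "TokenOwner": owner}


def evaluate_default_policy(policy_request):
    """Rule: Deny if HttpRequest.AccessToken.active Equals false.
    Returns ("Deny", payload) with the denied-reason statement, else ("Permit", None)."""
    if policy_request["HttpRequest"]["AccessToken"].get("active") is False:
        return "Deny", dict(DENIED_REASON)
    return "Permit", None
```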
Gateway API Endpoints include the following configuration properties to specify the manner in which they handle authentication.
| Property | Description |
|---|---|
| `http-auth-evaluation-behavior` | Determines whether the Gateway API Endpoint evaluates bearer tokens, and if so, whether the bearer token is forwarded to the API server. |
| `access-token-validator` | Sets the access token validators that the Gateway API Endpoint uses. By default, this property has no value, and the Gateway API Endpoint can evaluate every bearer token by using each access token validator that is configured on the server. To constrain the set of access token validators that a Gateway API Endpoint uses, set this property to use one or more specific values. If |