Before calculating a decision, the XACML-JSON PDP API attempts to authorize the client making the XACML-JSON PDP API request by invoking the Policy Decision Service.
A PDP authorization request can be targeted in policy as having service PDP with action authorize. The default policies included with PingAuthorize Server perform this authorization by only permitting requests with active access tokens that contain the urn:pingauthorize:pdp scope. You can see this policy in .
The parent of the Token Authorization policy, PDP API Endpoint Policies, constrains the Token Authorization policy to apply to the PDP service only.
For example, under the default policies, the following request would result in an authorized client when the PDP is configured with a mock access token validator.
curl --insecure -X POST \
-H 'Authorization: Bearer {"active":true,"scope":"urn:pingauthorize:pdp", "sub":"<valid-subject>"}' \
-H 'Content-Type: application/xacml+json' \
-d '{"Request":{}}' "https://<your-pingauthorize-host>:<your-pingauthorize-port>/pdp"
The default policies are intended to provide a foundation. You can modify these policies if additional authorization logic is required.
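To make the default Token Authorization behaviour concrete, here is an added example (not PingAuthorize's own code) that models the decision for a PDP API request: it parses the mock access token validator's Bearer format shown above and applies the rule that only active tokens carrying the urn:pingauthorize:pdp scope are permitted, with the parent policy restricting evaluation to service PDP and action authorize. The function and constant names, and the assumption that scope is a space-delimited string as in OAuth token introspection, are this example's own.

```python
import json

REQUIRED_SCOPE = "urn:pingauthorize:pdp"

# Constructed sample header in the mock access token validator's format
# (the token claims are JSON placed directly after "Bearer ").
SAMPLE_HEADER = 'Bearer {"active":true,"scope":"urn:pingauthorize:pdp", "sub":"alice"}'


def parse_mock_bearer(authorization_header):
    """Parse 'Bearer {json}' as the mock validator would.

    Returns the claims dict, or None when the header is missing, has the
    wrong scheme, or does not carry a JSON object.
    """
    if not authorization_header or not authorization_header.startswith("Bearer "):
        return None
    try:
        claims = json.loads(authorization_header[len("Bearer "):])
    except ValueError:
        return None
    return claims if isinstance(claims, dict) else None


def token_authorization_decision(service, action, authorization_header):
    """Model of the default Token Authorization policy described on the page.

    The parent PDP API Endpoint Policies limit the policy to service PDP with
    action authorize; anything else is NOT_APPLICABLE here. In-scope requests
    are PERMIT only for an active token whose scope list contains
    REQUIRED_SCOPE; a missing, malformed, inactive or under-scoped token is DENY.
    """
    if service != "PDP" or action != "authorize":
        return "NOT_APPLICABLE"
    claims = parse_mock_bearer(authorization_header)
    if claims is None or claims.get("active") is not True:
        return "DENY"
    # Assumption: scope is a space-delimited string (OAuth introspection style).
    scopes = str(claims.get("scope", "")).split()
    return "PERMIT" if REQUIRED_SCOPE in scopes else "DENY"


if __name__ == "__main__":
    print(token_authorization_decision("PDP", "authorize", SAMPLE_HEADER))  # PERMIT
```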