There are many policy request attributes generated by the security gateway, including attributes nested within the attributes, HttpRequest.AccessToken, HttpRequest.ClientCertificate, and Gateway fields.

The following table identifies the attributes of a policy request that the gateway generates.

Policy request attributes | Description | Type |
---|---|---|
action | Identifies the gateway request processing phase and the HTTP method, such as GET or POST. The value is formatted as Example values include | String |
attributes | Identifies additional attributes that do not correspond to a specific entity type in the PingAuthorize Trust Framework. For more information about these attributes, see the following table. | Object |
domain | Unused. | String |
identityProvider | Identifies the access token validator that evaluates the bearer token used in an incoming request. | String |
service | Identifies the API service. By default, this attribute is set to the name of the Gateway API Endpoint, which can be overridden by setting the Gateway API Endpoint's service property. Multiple Gateway API Endpoints can use the same service value. | String |

The following table identifies the additional attributes that are included in attributes.

Attribute | Description | Type |
---|---|---|
Gateway | Provides additional gateway-specific information about the request not provided by the following attributes. | Object |
HttpRequest.AccessToken | Parsed access token. For more information, see the following table. | Object |
HttpRequest.ClientCertificate | Properties of the client certificate, if one was used. | Object |
HttpRequest.CorrelationId | A unique value that identifies the request and response, if available. | String |
HttpRequest.IPAddress | The client IP address. | String |
HttpRequest.QueryParameters | Request URI query parameters. | Object |
HttpRequest.RequestBody | The request body, if available. | Object |
HttpRequest.RequestHeaders | The HTTP request headers. | Object |
HttpRequest.RequestURI | The request URI. | String |
HttpRequest.ResourcePath | Portion of the request URI path following the inbound base path that the Gateway API Endpoint defines. | String |
HttpRequest.ResponseBody | The response body, if available. This attribute is provided only for outbound policy requests. | Object |
HttpRequest.ResponseHeaders | The HTTP response headers, if available. | Object |
HttpRequest.ResponseStatus | The HTTP response status code, if available. | Number |
TokenOwner | The access token subject as a SCIM resource, as obtained by the access token validator. | Object |

The access token validator populates the HttpRequest.AccessToken attribute, which contains the fields in the following table. These fields correspond approximately to the fields that the IETF Token Introspection specification (RFC 7662) defines.

Attribute | Description | Type |
---|---|---|
access_token | The actual access token from the client request. | String |
active | Indicates whether this access token is currently active, as determined by the access token validator. | Boolean |
audience | Identifies the recipients for whom the access token is intended. Typically, the authorization server sets this field to indicate the resource servers that might accept the token. | Array |
client_id | The client ID of the application that was granted the access token. | String |
expiration | Date and time at which the access token expires. | DateTime |
issued_at | Date and time at which the access token was issued. | DateTime |
issuer | Token issuer. This attribute is usually a URI that identifies the authorization server. | String |
not_before | Date and time before which a resource server does not accept the access token. | DateTime |
scope | Identifies the list of scopes granted to this token. | Collection |
subject | Token subject. This attribute is a user identifier that the authorization server sets. | String |
token_owner | User identifier that was resolved by the access token validator's token resource lookup method. This attribute is always a SCIM ID of the form <resource type>/<resource ID>. | String |
token_type | The token type, as set by the authorization server. This value is typically set to bearer. | String |
user_token | Flag that the access token validator sets to indicate that the token was issued originally to a subject. If this flag is false, the token does not have a subject and was issued directly to a client. | Boolean |
username | Subject's user name. This attribute is a user identifier that the authorization server sets. | String |

The following table identifies the fields that the HttpRequest.ClientCertificate attribute contains.

Attribute | Description | Type |
---|---|---|
algorithm | Name of the certificate signature algorithm, such as SHA256withRSA. | String |
algorithmOID | Signature algorithm OID. | String |
issuer | Distinguished name (DN) of the certificate issuer. | String |
notAfter | Expiration date and time of the certificate. | DateTime |
notBefore | Earliest date on which the certificate is considered valid. | DateTime |
subject | DN of the certificate subject. | String |
subjectRegex | Regular expression that must be matched by the subject field of the certificate to ensure that the certificate belongs to the requesting client. | String |
valid | Indicates whether the certificate is valid. | Boolean |

The following table identifies the fields that the Gateway attribute contains.

Attribute | Description | Type |
---|---|---|
_BasePath | Portion of the HTTP request URI that matches the Gateway API Endpoint's inbound-base-path value. | String |
_TrailingPath | Portion of the HTTP request URI that follows the _BasePath. | String |
base path parameters | Parameters used in a Gateway API Endpoint's inbound-base-path configuration property are included as fields of the Gateway attribute. | String |
custom attribute | The Gateway attribute might contain multiple arbitrary custom attributes that are defined by the policy-request-attribute of the Gateway API Endpoint configuration. | String |
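
As an added illustration (not PingAuthorize code or policy syntax), the following sketch shows fail-closed checks that a policy could apply to the HttpRequest.AccessToken and HttpRequest.ClientCertificate fields listed in the tables above. The JSON nesting, the ISO 8601 timestamp format, the full-match regular expression semantics, the sample values, and the `deny_reasons` helper are all assumptions.

```python
import re
from datetime import datetime

# Constructed sample of the `attributes` object, using field names from the
# tables above. Nesting and value formats are assumed, not gateway output.
SAMPLE_ATTRIBUTES = {
    "HttpRequest.AccessToken": {
        "active": True,
        "audience": ["https://api.example.com"],
        "client_id": "client-1",
        "expiration": "2030-01-01T00:00:00Z",
        "not_before": "2024-01-01T00:00:00Z",
        "scope": ["accounts.read"],
    },
    "HttpRequest.ClientCertificate": {
        "valid": True,
        "subject": "CN=client-1,O=Example",
        "subjectRegex": r"CN=client-1,.*",
    },
}

def _ts(value):
    # Assumption: DateTime values are ISO 8601 strings with a UTC "Z" suffix.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def deny_reasons(attrs, audience, scope, now):
    """Return reasons to deny (empty list = allow). `now` must be tz-aware."""
    reasons = []
    tok = attrs.get("HttpRequest.AccessToken") or {}
    if tok.get("active") is not True:  # a missing field denies as well
        reasons.append("token not active")
    if "expiration" not in tok or now >= _ts(tok["expiration"]):
        reasons.append("token expired or missing expiration")
    if "not_before" in tok and now < _ts(tok["not_before"]):
        reasons.append("token not yet valid")
    if audience not in tok.get("audience", []):
        reasons.append("audience mismatch")
    if scope not in tok.get("scope", []):
        reasons.append("missing scope")
    cert = attrs.get("HttpRequest.ClientCertificate")
    if cert is not None:  # present only if a client certificate was used
        if cert.get("valid") is not True:
            reasons.append("client certificate invalid")
        pattern = cert.get("subjectRegex")
        # Assumption: the whole subject DN must match, not just a substring.
        if pattern and not re.fullmatch(pattern, cert.get("subject", "")):
            reasons.append("certificate subject mismatch")
    return reasons
```
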