You also learned:

  • Policies can also be applied "outbound", that is, to upstream server API responses before they are returned to the API client.
  • HttpRequest.ResponseBody is the upstream server API response body before it is sent to the client.
  • Attributes that cannot be resolved for any reason, including processing errors, can affect policy outcomes.
  • PingAuthorize supplies the user profile of the access token subject as the Trust Framework attribute TokenOwner.
  • You must populate the child attributes of the TokenOwner that you want to use in policy.
  • Many attributes in LDAP are multivalued.
  • Advice is the mechanism for modifying the API response in some way.
  • In this case, denied-reason was used to set the HTTP status code and message body.