Page created: 26 Jul 2021 | Page updated: 17 Feb 2022
This tutorial describes how to create a policy for a REST service to control access based on an acceptable audience value.
An authorization server like PingFederate might set an audience field on the access tokens that it issues, naming one or more services that are allowed to accept the access token. A REST service can use the audience field to ensure that it does not accept access tokens that are intended for use with a different service.
As with the Permitted Clients policy, each rule in the Permitted Audiences policy defines an acceptable audience value.
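The decision logic described above, sketched in Python as an added example (it is not PingAuthorize policy code or part of the original tutorial). It assumes the audience field is the JWT `aud` claim from RFC 7519, which may be a single string or an array of strings; the audience URLs, `PERMITTED_AUDIENCES`, `token_audiences` and `decide` are hypothetical names chosen for illustration.

```python
from typing import Any, Iterable, Mapping

# Hypothetical rule set: each entry plays the role of one policy rule
# that names an acceptable audience value for this REST service.
PERMITTED_AUDIENCES = frozenset({"https://api.example.com/orders"})


def token_audiences(claims: Mapping[str, Any]) -> frozenset:
    """Normalize the audience claim to a set of strings.

    Assumes the claim is named "aud" and is either one string or an
    array of strings. A missing, empty or malformed claim yields an
    empty set, so it can never match a rule.
    """
    aud = claims.get("aud")
    if isinstance(aud, str):
        aud = [aud]
    if not isinstance(aud, (list, tuple)):
        return frozenset()
    if not all(isinstance(a, str) and a for a in aud):
        return frozenset()  # one bad entry invalidates the whole claim
    return frozenset(aud)


def decide(claims: Mapping[str, Any],
           permitted: Iterable[str] = PERMITTED_AUDIENCES) -> str:
    """PERMIT if any token audience equals a permitted value, else DENY.

    Comparison is exact and case-sensitive; the default outcome is DENY.
    """
    return "PERMIT" if token_audiences(claims) & frozenset(permitted) else "DENY"


# Constructed claim sets, as they would look after the token's
# signature and expiry have already been validated elsewhere.
SAMPLES = {
    "single matching audience": {"aud": "https://api.example.com/orders"},
    "array with one match": {"aud": ["https://api.example.com/billing",
                                     "https://api.example.com/orders"]},
    "token for another service": {"aud": "https://api.example.com/billing"},
    "no audience claim": {"sub": "alice"},
    "malformed array entry": {"aud": ["https://api.example.com/orders", 7]},
}

if __name__ == "__main__":
    for label, claims in SAMPLES.items():
        print(f"{label}: {decide(claims)}")
```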