You also learned:

  • Policies can apply to outbound upstream server API responses before they are sent to the API client.
  • HttpRequest.ResponseBody is the upstream server API response body before it is sent to the client.
  • Attributes that cannot be resolved for any reason, including processing errors, might affect policy outcomes.
  • PingAuthorize supplies the user profile of the access token subject as the Trust Framework attribute TokenOwner.
  • You must populate the child attributes of the TokenOwner that you want to use in a policy.
  • Many attributes in LDAP are multivalued.
  • Advice is used to modify the API response in some way.
  • In this case, denied-reason was used to set the HTTP status code and message body.