The Sideband API uses configured Access Token Validators to evaluate bearer tokens that are included in incoming requests. The HttpRequest.AccessToken attribute supplies the validation result to the policy request, and the TokenOwner attribute provides the user identity that is associated with the token.

Policies use this authentication information to affect the processing requests and responses. For example, the following policy in the default policy set requires all requests to be made with an active access token:

Rule: Deny if Equals false

  Code: denied-reason
  Applies To: Deny
  Payload: {"status":401, "message": "invalid_token", "detail":"Access token is expired or otherwise invalid"}

The following table identifies the configuration properties that determine the manner in which Sideband API Endpoints handle authentication.

Property Description
http-auth-evaluation-behavior Determines whether the Sideband API Endpoint evaluates bearer tokens, and if so, whether the Sideband API Endpoint forwards them to the API server by way of the API gateway.

Sets the Access Token Validators that the Sideband API Endpoint uses. As this property contains no value by default, the Sideband API Endpoint can potentially use each Access Token Validator that is configured on the server to evaluate every bearer token.

To constrain the set of Access Token Validators that a Sideband API Endpoint uses, set this property to use one or more specific values.

This setting is ignored if http-auth-evaluation-behavior is set to do-not-evaluate.