In the first tutorial, you configured PingOne Authorize and Kong Gateway to protect the Meme Game APIs so that only an authorized client could access the APIs. You learned how PingOne Authorize hides the complexities of OAuth and OpenID Connect (OIDC).

Now, suppose you are tasked with helping the Meme Game application team resolve a specific problem with an API. When starting a new game, the first player optionally invites other players using their email addresses. To prevent email spam, you'll create a policy that prevents a player from starting a new game with other players if the first player's email address comes from a generic domain.

In this custom policy, you'll authorize a specific application interaction by comparing a combination of attributes, in this case, the first player’s email address and the invitee list. As with many custom policies, the business driver for this policy comes from outside the application team, specifically, the need to reduce email spam that impacts your organization’s mail reputation.
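The decision this policy has to make, written out as an added reference implementation in Python (not PingOne Authorize's policy language and not code from the tutorial): the request body field names `playerEmail` and `invitees`, and the list of generic domains, are assumptions for this example. Anything the policy cannot evaluate (unparsable body, missing or malformed email) is treated as a deny, so a malformed request cannot bypass the check.

```python
import json

# Assumed set of generic (public webmail) domains; constructed for this example.
GENERIC_DOMAINS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com"}


def email_domain(email):
    """Return the lower-cased domain of an email address, or None if malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    if not local or not domain:
        return None
    return domain.lower()


def decide_new_game(request_body, generic_domains=GENERIC_DOMAINS):
    """Return 'PERMIT' or 'DENY' for a start-game request body (a JSON string).

    The rule: a player whose email is on a generic domain may not start a game
    that invites other players. A game with no invitees sends no email and is
    always permitted.
    """
    try:
        body = json.loads(request_body)
    except (TypeError, ValueError):
        return "DENY"  # unparsable body: fail closed
    invitees = body.get("invitees") or []
    if not isinstance(invitees, list):
        return "DENY"  # attribute has the wrong shape: fail closed
    if not invitees:
        return "PERMIT"  # solo game, nothing to spam
    domain = email_domain(body.get("playerEmail"))
    if domain is None:
        return "DENY"  # cannot establish the first player's domain
    if domain in generic_domains:
        return "DENY"  # generic domain plus invitees: the case the policy blocks
    return "PERMIT"
```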

Before you begin

Make sure:

What you'll learn

You'll learn how to:

  • Author custom policies for API operations
  • Use user attributes in policies
  • Extract attributes from API request bodies and use them in policies
  • Test policies
  • Examine recent decisions

What you'll do

Follow these steps to complete the tutorial: