Tutorial 3: Fine-grained API authorization - PingOne - PingOne Cloud Platform

In the first tutorial, you configured PingOne Authorize and Kong Gateway to protect Meme Game APIs so that only an authorized client could access the APIs. You learned how PingOne Authorize hides the complexities of OAuth and OpenID Connect (OIDC).

Now, suppose you are tasked with helping the Meme Game application team resolve a specific problem with an API. When starting a new game, the first player optionally invites other players using their email addresses. To prevent email spam, you'll create a policy that prevents a player from starting a new game with other players if the first player's email address comes from a generic domain.

In this fine-grained policy, you'll authorize a specific application interaction by comparing a combination of attributes, in this case, the first player’s email address and the invitee list. As with many fine-grained policies, the business driver for this policy comes from outside the application team, specifically, the need to reduce email spam that impacts your organization’s mail reputation.

Before you begin

Make sure:

• PingOne SSO and PingOne Authorize are in your PingOne environment. For more information, see Getting started with PingOne Authorize.
• You've completed Tutorial 1: Controlling access to APIs managed by an API service to set up the environment you need for this tutorial.

What you'll learn

You'll learn how to:

• Author fine-grained policies for API operations
• Use user attributes in policies
• Extract attributes from API request bodies and use them in policies
• Test policies
• Examine recent decisions

What you'll do

Follow these steps to complete the tutorial:

• Add Meme Game users in PingOne.
• Define an API operation that requires fine-grained policies.
• Add an attribute for the user’s email address.
• Add an attribute for the game invitee list.
• Create and test a policy that checks specific conditions for the API operation.
• Test the end-to-end use case using Postman.