You’ll use Postman to simulate a user authenticating to the game application and making API requests to start a new game. You’ll demonstrate that the user whose email address comes from a generic domain is not allowed to start a game while inviting others, but they are allowed to start a game when playing by themselves. You’ll also demonstrate that the user with an email address from a trusted domain is allowed to start games with or without inviting others.

  1. Sign on as genericuser:
    a. In Postman, go to Collections and click PingOne Authorize: API Access Management Tutorials to open the collection.
      Screen capture of the PingOne Authorize: API Access Management Tutorials collection in Postman showing the Authorization tab.
    b. At the bottom of the Authorization tab, click Clear cookies.
    c. Click Get New Access Token.

      Postman launches the sign-on flow. You’ll sign on as genericuser with the password you saved earlier.

      Screen capture of the Authenticate via Browser window in Postman showing the PingOne sign-on window.
    d. For the Username, enter genericuser.
    e. For the Password, enter the password you saved earlier. Click Sign On.

      Now, you’ll change the password for genericuser.

    f. For Current Password, enter the one-time passcode (OTP) again.
    g. Enter a New Password, and then enter it again in Verify New Password.

      Copy the password to a convenient location. You'll need it to sign on later.

    h. Click Save.
    i. When authentication is complete, click Proceed or wait for the confirmation box to time out.
    j. In Manage Access Tokens, click the Pencil icon and change the Token Name to genericuser. Press Enter.

      This makes it easier to keep track of which user the token is for.

      Screen capture of the Manage Access Tokens window in Postman showing the Token Name.
    k. Click Use Token.

      Now Postman has an access token to act as genericuser.

      Screen capture of the Current Token in Postman showing access token settings.

      Now, try to start games with and without invitees.

  2. Select the User starts game with invitees request and click Send.

    You get a 403 Forbidden response. This demonstrates that a user whose email address is from a generic domain is not allowed to invite others to new games.

  3. Select the User starts game without invitees request and click Send.

    Success! You get a 201 Created response with data in the response body. This demonstrates that a user whose email address is from a generic domain is only allowed to play the game by themselves.

    Now, you’ll get an access token to allow Postman to act as companyuser.

  4. To get an access token for companyuser, repeat step 1, with the following changes:
    1. In step 1d, enter companyuser for the Username.
    2. In step 1j, change the Token Name to companyuser.

    You now have an access token that allows Postman to act as companyuser.

    Repeat the requests to see whether this user can start games and invite others.

    Note:

    The meme-game.com API does not send invitation emails or store the email addresses of the invited list of users. Regardless, never send real email addresses in your testing with this API.

  5. Select the User starts game with invitees request and click Send.

    Success! You get a 201 Created response.

  6. Select the User starts game without invitees request and click Send.

    Success! You get a 201 Created response.
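
As an added example (not part of the tutorial or of PingOne Authorize), the script below models the policy exactly as this page describes it and checks the four Postman results above against it mechanically, including the edge cases a policy like this must get right (upper-case domains, a trailing dot, subdomains and lookalike domains, a missing email claim). The trusted domain list, the `email` claim name and all sample addresses are constructed assumptions.

```python
# Added example (not from the tutorial or PingOne Authorize): an offline oracle
# for the policy exercised above, so the four Postman results can be checked
# mechanically. Trusted domains and the claim layout are assumptions.
TRUSTED_DOMAINS = {"example-company.com"}   # assumed/constructed value
HTTP_CREATED, HTTP_FORBIDDEN = 201, 403


def email_domain(email):
    """Lower-cased domain of an email address, or None if it is malformed."""
    if not isinstance(email, str) or email.count("@") != 1:
        return None
    local, domain = email.split("@")
    return domain.lower().rstrip(".") if local and domain else None


def expected_status(claims, invitees):
    """Status 'start game' should return: anyone may play alone, but only a
    user whose email domain is exactly in TRUSTED_DOMAINS may invite others.
    Subdomains and lookalikes are not trusted unless listed; a missing or
    malformed email claim is treated as untrusted."""
    if not invitees:
        return HTTP_CREATED
    if email_domain(claims.get("email")) in TRUSTED_DOMAINS:
        return HTTP_CREATED
    return HTTP_FORBIDDEN


def check_observations(observations):
    """observations: (user, claims, invitees, observed_status) per 'Send'.
    Returns a line for every result that contradicts the policy."""
    mismatches = []
    for user, claims, invitees, got in observations:
        want = expected_status(claims, invitees)
        if got != want:
            mismatches.append(
                f"{user} with {len(invitees)} invitee(s): got {got}, expected {want}")
    return mismatches


# Constructed sample mirroring steps 2, 3, 5 and 6; no real addresses.
GENERIC = {"email": "genericuser@generic.example"}
COMPANY = {"email": "companyuser@example-company.com"}
INVITEES = ["invitee@invitee.example"]
SAMPLE = [
    ("genericuser", GENERIC, INVITEES, 403),
    ("genericuser", GENERIC, [], 201),
    ("companyuser", COMPANY, INVITEES, 201),
    ("companyuser", COMPANY, [], 201),
]

if __name__ == "__main__":
    print(check_observations(SAMPLE) or "all four results match the policy")
```

Replacing the hard-coded tuples in SAMPLE with the status codes Postman actually returned turns this into a regression check for the policy after any later edit.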

Congratulations! You created a custom authorization policy that meets your business requirements and you tested the policy.