An API service models an API protected by PingOne Authorize.
API Access Management in PingOne Authorize works with the integration kit in your API gateway, using the best practices of OAuth and OpenID Connect (OIDC), to manage API access control across these distributed systems. API Access Management integrates with your API gateway to seamlessly provide policy-based access control for your HTTP APIs.
An API service in PingOne Authorize groups related API operations into a protection domain that clients access with a single OAuth token. When you define an API service, you can use PingOne to issue access tokens and manage users for the API service, or you can use external providers, such as PingFederate and PingDirectory.
Token validation by external providers is currently supported only for Apigee gateway integrations.
PingOne token provider
If PingOne is issuing tokens and managing users for the API service, you can use a built-in set of access control rules that are tightly integrated with PingOne. You can also define custom access control policies that handle more complex authorization scenarios.
Optionally, you can configure your API gateway to include validated access token claims in the decision request. PingOne Authorize will verify that the audience claim matches the audience value configured for the API service’s resource.
External token providers
If you use external providers to issue tokens and manage users for the API service, you can define custom access control policies, but you can’t use built-in API Access Management rules. You must configure your API gateway to validate access tokens and pass verified claims to PingOne in the inbound request.
PingOne Authorize relies on your API gateway for token validation and does not verify any matching claims.
With external providers, PingOne Authorize doesn’t include the userContext object in decision requests. This object provides information about PingOne users only and doesn’t resolve user identity information from external directories.
You can use the subject claim in the decision request’s PingOne.API Access Management.Identity.Access Token parameter to resolve user identity information from an external service for use in attributes, services, and custom policies.
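The two token-provider sections above both come down to the same gateway-side contract: the access token is validated before any claims reach PingOne Authorize (the audience check that PingOne performs itself for PingOne-issued tokens, and the validation the gateway must perform itself for external providers), and the subject claim is what downstream attribute and policy lookups key on. The following is an added example, not code from Ping Identity, an integration kit, or any gateway vendor. It uses HS256 with a shared secret so it runs offline (a real gateway verifies the provider's asymmetric signature against its published JWKS), and the decision-request payload shape returned by build_decision_request is an assumption for illustration only; the real format is defined by the integration kit.

```python
"""Gateway-side access token validation before a PingOne Authorize decision request.

Added example (not PingOne or gateway vendor code). HS256 with a constructed
shared secret keeps it self-contained; production gateways verify the token
provider's RS256/ES256 signature using its JWKS.
"""
import base64
import hashlib
import hmac
import json
import time


class TokenError(Exception):
    """Raised when a token fails validation; the gateway rejects the request."""


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_token(claims: dict, key: bytes) -> str:
    """Constructed HS256 issuer standing in for PingOne or PingFederate in this demo."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def validate_token(token: str, key: bytes, expected_aud: str, now=None) -> dict:
    """Verify signature, expiry and audience; return the verified claims."""
    now = time.time() if now is None else now
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
    except ValueError:
        raise TokenError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm: never accept "none" or an alg the gateway did not configure.
    if header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    expected_sig = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise TokenError("bad signature")
    claims = json.loads(_b64url_decode(body_b64))
    if claims.get("exp") is None or now >= claims["exp"]:
        raise TokenError("expired")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]  # RFC 7519: string or array
    if expected_aud not in aud_list:
        raise TokenError("audience mismatch")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def build_decision_request(claims: dict, method: str, path: str) -> dict:
    """Assumed (hypothetical) payload: only verified claims are forwarded."""
    return {
        "method": method,
        "path": path,
        "accessToken": {
            "sub": claims["sub"],  # subject used to resolve identity downstream
            "aud": claims["aud"],
            "scope": claims.get("scope", ""),
        },
    }


def gateway_check(token: str, key: bytes, expected_aud: str, method: str, path: str, now=None):
    """Return (True, decision_request) or (False, rejection_reason)."""
    try:
        claims = validate_token(token, key, expected_aud, now)
    except TokenError as err:
        return False, str(err)
    return True, build_decision_request(claims, method, path)


if __name__ == "__main__":
    # Constructed demo values: secret, audience and subject are not real deployment data.
    key = b"constructed-demo-secret"
    audience = "https://api.example.com/orders"
    token = make_token({"sub": "user-123", "aud": audience,
                        "exp": int(time.time()) + 300, "scope": "orders:read"}, key)
    print(gateway_check(token, key, audience, "GET", "/orders/42"))
    print(gateway_check(token, key, "https://api.example.com/billing", "GET", "/orders/42"))
```

The rejection paths matter as much as the happy path: a token minted for a different API service's audience, an expired token, a tampered signature, or an unpinned algorithm all stop at the gateway and never produce a decision request, which is the behaviour the external-provider section requires of the gateway.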