An API service models an API protected by PingOne Authorize.
API Access Management in PingOne Authorize works with the integration kit in your API gateway, using the best practices of
Token and user management
An API service in PingOne Authorize groups related API operations into a protection domain that clients access with a single OAuth token. When you define an API service, you can use PingOne to issue access tokens and manage users for the API service, or you can use external providers, such as PingFederate and PingDirectory.
- PingOne token provider
If PingOne is issuing tokens and managing users for the API service, you can use a built-in set of access control rules that are tightly integrated with PingOne. You can also define custom access control policies that handle more complex authorization scenarios.
Optionally, you can configure your API gateway to include validated access token claims in the decision request. PingOne Authorize will verify that the audience claim matches the audience value configured for the API service’s resource.
- External token providers
If you use external providers to issue tokens and manage users for the API service, you can define custom access control policies, but you can’t use built-in API Access Management rules. You must configure your API gateway to validate access tokens and pass verified claims to PingOne in the inbound request.
Important:
Token validation by external providers is currently supported only for Apigee gateway integrations. PingOne Authorize relies on your API gateway for token validation and does not verify any matching claims.
With external providers, PingOne Authorize doesn’t include the userContext object in decision requests. This object provides information about PingOne users only and doesn’t resolve user identity information from external directories.
Note:
You can use the subject claim in the decision request’s PingOne.API Access Management.Identity.Access Token parameter to resolve user identity information from an external service for use in attributes, services, and custom policies.
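The two token-provider cases above share one requirement: before any claim reaches a decision request, something must have verified the token, including its audience. With PingOne as the provider, PingOne Authorize checks that the audience claim matches the API service’s resource; with an external provider, the gateway alone is responsible and PingOne does not repeat the check. The following added example (not PingOne’s, Apigee’s, or any integration kit’s code) shows what that gateway-side validation has to cover and illustrates the principle that only claims that survived validation are forwarded. It assumes an HS256-signed token with a constructed demo secret, a hypothetical audience value, and an assumed (not PingOne-documented) shape for the forwarded claims.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values. A real provider signs with its own keys, and the
# audience is whatever is configured for the API service's resource.
DEMO_SECRET = b"constructed-demo-secret-not-for-production"
API_SERVICE_AUDIENCE = "https://api.example.com/orders"  # hypothetical


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_demo_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Stand-in for the token provider: issue an HS256 JWT over `claims`."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    signing_input = f"{header}.{payload}".encode("ascii")
    sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url_encode(sig)}"


def validate_token(token: str, expected_aud: str, secret: bytes = DEMO_SECRET,
                   now=None) -> dict:
    """Gateway-side validation: algorithm, signature, expiry, audience.

    Returns the verified claims or raises ValueError. Nothing from the token
    should be trusted (or forwarded) before this function has returned.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # also rejects alg "none"
        raise ValueError("unexpected alg")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected_sig = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if "exp" not in claims or claims["exp"] <= now:
        raise ValueError("token expired")
    # RFC 7519 allows "aud" to be a single string or a list of strings.
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        raise ValueError("audience mismatch")
    return claims


def token_check_result(token: str, expected_aud: str, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason validation failed."""
    try:
        validate_token(token, expected_aud, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


def build_decision_request(claims: dict, method: str, path: str) -> dict:
    """Assumed shape (not PingOne's documented request format) of the data a
    gateway forwards: only claims that came out of validate_token()."""
    return {
        "request": {"method": method, "path": path},
        "accessToken": {
            "sub": claims.get("sub"),
            "scope": claims.get("scope", ""),
            "aud": claims.get("aud"),
        },
    }


if __name__ == "__main__":
    token = mint_demo_token({"sub": "user-1", "aud": API_SERVICE_AUDIENCE,
                             "scope": "orders:read", "exp": 2_000_000_000})
    verified = validate_token(token, API_SERVICE_AUDIENCE)
    print(json.dumps(build_decision_request(verified, "GET", "/orders/42")))
```

The audience check is the one most often skipped by hand-rolled gateway filters: a token that is perfectly valid for a different API service's resource must still be rejected here, which is exactly what PingOne Authorize enforces itself when it is the provider.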
Access control policies
To control access to your APIs, you can define basic rules and custom policies. Basic rules grant access based on authorized scopes and user membership in groups. For more information about basic rules, see Defining operations for protected actions.
For more complex access control scenarios, you can define custom policies in the API Access Management policy tree. For more information, see Adding custom policies for API services and operations.
Each API service has a system-owned decision endpoint that provides an environment for managing and deploying authorization policies relevant to the API service. The decision endpoint is created when you deploy the API service for the first time, and it has the same name as the API service. For more information, see Deploying an API service.