Identify & Authorize policy (API Gateway 10.15)
 
This policy identifies applications and validates their authorization to access the APIs. Applications are identified using one or more identification types, such as API key, hostname address, or HTTP basic authentication, depending on the configuration. API Gateway can identify and authorize the application based on the following Application Lookup conditions:
*Registered applications. Identifies the application and validates the identified application against the registered applications. On successful validation, API Gateway allows access to the API. The applications associated with the API are called registered applications.
*Global applications. Identifies the application and validates the identified application against the global applications. On successful validation, API Gateway allows access to the API. All the active applications available in API Gateway are called global applications.
*Global applications and DefaultApplication. Verifies the identity of the application against the global applications; if identification fails, API Gateway still allows access to the API as the default application.
Note:
If Allow anonymous is selected, API Gateway allows access to the API even when the Application Lookup condition is not met.
The following properties can be specified for this policy:
Condition
Specifies the condition operator for the identification and authentication types.
Select any of the following condition operators:
*AND. Applies all the identification and authentication types.
*OR. Applies one of the selected identification and authentication types.
Note:
Even though this policy provides the option of choosing an AND or OR operation between the different identification and authentication types, the operation across the different policies in the IAM stage is always AND.
Allow anonymous
Specifies whether to allow all users to access the API without restriction.
When you add a security policy and configure Allow anonymous, all requests are allowed to pass through to the native API. Successfully identified requests are grouped under the respective identified application, and all unidentified requests are grouped under a common application named DefaultApplication (sys:defaultApplication). While allowing all requests to pass through, you can still perform application-specific actions, such as viewing the runtime events for a particular application, monitoring the service level agreement for selected applications and sending an alert email based on criteria such as request count or availability, and throttling the requests from a particular application so that its requests are rejected once the configured hard limit is reached within the configured period of time.
Identification Type. Specifies the identification type. You can select any of the following.
For the following identification types, you can set the Trigger policy violation event on missing authorization header property to true or false, which controls whether a policy violation event is raised when a request carries no Authorization header:
1. HTTP Basic authentication
2. OAuth2 token
3. OpenID Connect
For other identification types, the default value is true; that is, policy violation events are triggered for requests without authorization headers.
Note:
When you add an API to a package for monetization, the API key authentication mechanism is automatically added to the IAM policy at API level. If the API already contains an IAM policy that has two authentication mechanisms with the AND condition, then the condition will be switched to OR. This ensures the monetization is supported when certain consumers access the API by just using the API key.
API Key
Specifies using the API key to identify the client. API Gateway validates the API key supplied by the client against the API keys of the applications in the selected lookup scope to verify the client's identity.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's API key against the API key of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's API key against the API key of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's API key against all the applications available in API Gateway. If no global application is identified, API Gateway still allows access to the API as the default application.
When this option is selected, you can use the API key as:
*Header parameter to consume an API. For example,
x-Gateway-APIKey:a4b5d569-2450-11e3-b3fc-b5a70ab4288a
*Query parameter to invoke an API resource. For example,
http://pie-3HKYMH2:5555/gateway/PetstoreAPI/1.0.3/store/inventory?APIKey=faab7ac6-97a4-4228-908d-f1930faba470
Hostname Address
Specifies using the hostname to identify the client. API Gateway extracts the client's hostname from the HTTP request and verifies the client's identity against the specified list of applications in API Gateway.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's hostname against the hostname identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's hostname against the hostname identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's hostname against the hostname identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
Note:
If the client request has an X-Forwarded-For header, API Gateway resolves the hostname from the IP address present in the X-Forwarded-For header. Otherwise, API Gateway resolves the hostname from the client's IP address.
HTTP Basic Authentication
Specifies using the Authorization header in the request to identify and authorize the client application against the list of applications that carry a username identifier in API Gateway.
Provide the following information:
*Select one of the Application Lookup conditions:
*Registered applications. Authenticates the user and identifies the user against username identifier of all the applications registered to the API. On successful authentication and identification, API Gateway allows access to the API.
*Global applications. Authenticates the user and identifies the user against username identifier of all the applications available in the API Gateway. On successful authentication and identification, API Gateway allows access to the API.
*Global applications and DefaultApplication.
1. Authenticates the user and identifies the user against username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway does not allow access to the API.
*If Global applications and DefaultApplication and Allow anonymous are selected:
1. Authenticates the user and identifies the user against username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway still allows access to the API.
*Trigger policy violation event on missing authorization header. Creates a policy violation event for basic authentication if the Authorization header is missing.
Possible values:
*true. Requests without authorization headers are logged as a policy violation event.
*false. Requests without authorization headers are not logged as a policy violation event.
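The Application Lookup conditions, Allow anonymous, and the HTTP Basic rules above (authentication failure is handled differently from "no application matched") combine into one decision per request. The following Python model is an added example, not API Gateway code; the application names are constructed, and how the product reconciles conflicting matches under the AND operator is not stated on the page, so the model requires all types to agree.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Iterable, Optional, Set

# Name the page gives the catch-all application for unidentified requests.
DEFAULT_APP = "sys:defaultApplication"

# Constructed sample data: one application registered to the API, two active overall.
REGISTERED = {"MobileApp"}
ACTIVE = {"MobileApp", "PartnerApp"}


class Lookup(Enum):
    REGISTERED = "Registered applications"
    GLOBAL = "Global applications"
    GLOBAL_OR_DEFAULT = "Global applications and DefaultApplication"


@dataclass(frozen=True)
class Match:
    """Outcome of one identification type for one request."""
    # credential verified; always True for lookup-only types such as API key or IP range
    authenticated: bool
    # application whose identifier matched the request, or None if nothing matched
    app: Optional[str] = None


@dataclass(frozen=True)
class Decision:
    allowed: bool
    app: Optional[str]  # application the request is attributed to (events, SLA, throttling)


def resolve(m: Match, lookup: Lookup, registered: Set[str], active: Set[str],
            allow_anonymous: bool) -> Decision:
    """Apply one identification type's result under an Application Lookup condition."""
    # An authentication failure (bad password, bad token) is not the same as "no
    # application matched": it is denied unless Allow anonymous is set.
    if not m.authenticated:
        return Decision(True, DEFAULT_APP) if allow_anonymous else Decision(False, None)
    if lookup is Lookup.GLOBAL_OR_DEFAULT:
        # identification failure falls through to DefaultApplication, never to a denial
        return Decision(True, m.app if m.app in active else DEFAULT_APP)
    pool = registered if lookup is Lookup.REGISTERED else active
    if m.app in pool:
        return Decision(True, m.app)
    return Decision(True, DEFAULT_APP) if allow_anonymous else Decision(False, None)


def evaluate(matches: Iterable[Match], operator: str, lookup: Lookup,
             registered: Set[str], active: Set[str], allow_anonymous: bool) -> Decision:
    """Combine several identification types with the policy's AND / OR operator.

    Model assumption: under AND every type must resolve to the same application.
    """
    decisions = [resolve(m, lookup, registered, active, allow_anonymous) for m in matches]
    identified = [d for d in decisions if d.allowed and d.app != DEFAULT_APP]
    if operator == "OR":
        if identified:
            return identified[0]
        passthrough = any(d.allowed for d in decisions)
    else:  # AND
        if len(identified) == len(decisions) and len({d.app for d in identified}) == 1:
            return identified[0]
        passthrough = all(d.allowed for d in decisions)
    return Decision(True, DEFAULT_APP) if passthrough else Decision(False, None)


if __name__ == "__main__":
    # PartnerApp is active but not registered to this API: denied under "Registered".
    print(resolve(Match(True, "PartnerApp"), Lookup.REGISTERED, REGISTERED, ACTIVE, False))
    print(resolve(Match(True, "PartnerApp"), Lookup.GLOBAL, REGISTERED, ACTIVE, False))
```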
IP Address Range
Specifies using the IP address range to identify the client, extract the client's IP address from the HTTP request header, and verify the client's identity against the specified list of applications in API Gateway.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's IP address against the IP address range identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's IP address against the IP address range identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's IP address against the IP address range identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
Note:
If the client request has an X-Forwarded-For header, API Gateway uses the IP address present in the X-Forwarded-For header. Otherwise, API Gateway uses the client's IP address for identification.
JWT
Specifies using the JSON Web Token (JWT) to identify the client, extract the claims from the JWT and validate the client's claims, and verify the client's identity against the specified list of applications in API Gateway.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the JWT against the claims identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the JWT against the claims identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the JWT against the claims identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
Note:
You can use the claims in the JWT for further processing using request transformation policy.
Kerberos Token
Specifies using the Kerberos token to identify the client, extract the client's credentials from the Kerberos token, and verify the client's identity against the specified list of applications in API Gateway.
Note:
You must enforce the Inbound Auth - Message policy with the Kerberos Token Authentication property configured, so that when the Identify & Authorize policy runs, the user details it fetched are matched against the application data to identify the application.
Select one of the Application Lookup conditions:
*Registered applications. Authenticates the incoming Kerberos token and identifies the user against the username identifier of all the applications registered to the API. On successful authentication and identification, API Gateway allows access to the API.
*Global applications. Authenticates the incoming Kerberos token and identifies the user against the username identifier of all the applications available in API Gateway. On successful authentication and identification, API Gateway allows access to the API.
*Global applications and DefaultApplication.
1. Authenticates the incoming Kerberos token and identifies the user against username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway does not allow access to the API.
*If Global applications and DefaultApplication and Allow anonymous are selected:
1. Authenticates the incoming Kerberos token and identifies the user against username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway still allows access to the API.
Note:
You can use the username for further processing using the request transformation policy.
OAuth2 Token
Specifies using the OAuth2 token to identify the client, extract the access token from the HTTP request header, and verify the client's identity against the specified list of applications in API Gateway.
By default, OAuth2 token is identified against the registered applications.
Note:
You can use the client id and other parameters for further processing using the request transformation policy.
OpenID Connect
Specifies using the OpenID (ID) token to identify the client, extract the client's credentials from the ID token, and verify the client's identity against the specified list of applications in API Gateway.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's identity resolved as part of OpenID validation against all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's identity resolved as part of OpenID validation against all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's identity resolved as part of OpenID validation against all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
Note:
You can use the client id and other parameters for further processing using the request transformation policy.
SSL Certificate
Specifies using the SSL certificate to identify the client, extract the client's identity certificate, and verify the client's identity (certificate-based authentication) against the specified list of applications in API Gateway. The client certificate that is used to identify the client is supplied by the client to API Gateway during the SSL handshake over the transport layer or is added in the header of the request.
The certificate included in the custom header can be in the following formats:
*Base64 encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters.
*Non-Base64 encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters.
*PEM certificate without BEGIN CERTIFICATE and END CERTIFICATE delimiters, if a single certificate is added.
*URL encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters.
*URL encoded PEM certificate without BEGIN CERTIFICATE and END CERTIFICATE delimiters, if a single certificate is added.
If the transport protocol is HTTP, API Gateway checks for the existence of the certificate header and fetches the certificate from it. If the certificate comes from the custom header, API Gateway does not check the validity of the certificate; it identifies the application using the certificate as supplied. The certificate must therefore be validated by an external entity before it is sent to API Gateway in a custom header.
If the transport protocol is HTTPS, API Gateway first tries to identify the application based on the certificate presented by the client during the SSL handshake. If there is no client certificate, or identification based on the client certificate fails, API Gateway tries to identify the application based on the certificate provided in the header.
The header name is customizable through the extended setting customCertificateHeader; the default value is X-Client-Cert.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's certificate against the client certificate identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's certificate against the client certificate identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's certificate against the client certificate identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
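The header formats listed above differ only in encoding layers, so a lookup has to normalize them before comparing against an application's certificate identifier. The following Python example is added here and is not API Gateway code: it assumes "Base64 encoded PEM" means the whole PEM block, delimiters included, encoded once more, and it uses a constructed placeholder DER blob instead of a real certificate.

```python
import base64
import binascii
import re
from typing import Dict, List
from urllib.parse import quote, unquote

# Placeholder DER blob, constructed for this example: ASN.1 SEQUENCE { INTEGER 5 }.
# It is not a certificate; the normalizer only needs DER bytes that start with 0x30.
SAMPLE_DER = bytes.fromhex("3003020105")

PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _body_to_der(body: str) -> bytes:
    """Decode one Base64 certificate body (whitespace tolerated) to DER bytes."""
    der = base64.b64decode(re.sub(r"\s+", "", body), validate=True)  # binascii.Error on junk
    if not der or der[0] != 0x30:  # a DER Certificate is an ASN.1 SEQUENCE
        raise ValueError("header value did not decode to a DER SEQUENCE")
    return der


def certs_from_header(value: str) -> List[bytes]:
    """Normalize the header formats listed on the page to DER bytes, one per certificate.

    Parsing is all this does: a header-supplied certificate is not validated by the
    gateway, so the header must be set by a trusted entity (for example a TLS-terminating
    proxy that validated the chain and replaces any client-sent copy of the header).
    """
    text = value.strip()
    if "%" in text:  # URL-encoded variants ('%' never occurs in Base64 or PEM text)
        text = (unquote(text).replace("BEGIN+CERTIFICATE", "BEGIN CERTIFICATE")
                .replace("END+CERTIFICATE", "END CERTIFICATE"))
    if "BEGIN CERTIFICATE" not in text:
        # Base64-encoded PEM: the whole PEM block was encoded once more; peel that layer.
        try:
            outer = base64.b64decode(re.sub(r"\s+", "", text), validate=True).decode("ascii")
        except (binascii.Error, UnicodeDecodeError):
            outer = ""
        if "BEGIN CERTIFICATE" in outer:
            text = outer
    bodies = PEM_BLOCK.findall(text)
    if bodies:
        return [_body_to_der(b) for b in bodies]
    # No delimiters: the page allows this form only when a single certificate is sent.
    return [_body_to_der(text)]


def is_rejected(value: str) -> bool:
    """True if the header value is rejected as malformed (binascii.Error is a ValueError)."""
    try:
        certs_from_header(value)
    except ValueError:
        return True
    return False


def sample_headers() -> Dict[str, str]:
    """The page's five header formats, built from SAMPLE_DER (constructed test input)."""
    body = base64.b64encode(SAMPLE_DER).decode()
    pem = f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----"
    return {
        "pem": pem,
        "base64_of_pem": base64.b64encode(pem.encode()).decode(),
        "bare_body": body,
        "url_encoded_pem": quote(pem, safe=""),
        "url_encoded_body": quote(body, safe=""),
    }
```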
WS Security Username Token
This is applicable only for SOAP APIs.
Specifies using the WS security username token to identify the application, extract the client's credentials (username token and password) from the WSSecurity SOAP message header, and verify the client's identity against the specified list of applications in API Gateway.
Note:
You must enforce the Inbound Auth - Message policy with the Require WSS Username token property configured, so that when the Identify & Authorize policy runs, the user details it fetched are matched against the application data to identify the application.
Select one of the Application Lookup conditions:
*Registered applications. Authenticates the client's WSS username token and identifies the user against the username identifier of all the applications registered to the API. On successful authentication and identification, API Gateway allows access to the API.
*Global applications. Authenticates the client's WSS username token and identifies the user against the username identifier of all the applications available in API Gateway. On successful authentication and identification, API Gateway allows access to the API.
*Global applications and DefaultApplication.
1. Authenticates the client's WSS username token and identifies the user against the username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway does not allow access to the API.
*If Global applications and DefaultApplication and Allow anonymous are selected:
1. Authenticates the client's WSS username token and identifies the user against the username identifier of all the applications available in the API Gateway.
2. On successful authentication and if no global application is identified, then API Gateway allows access to the API as default application.
3. If authentication fails, API Gateway still allows access to the API.
Note:
You can use the username for further processing using the request transformation policy.
WS Security X.509 Certificate
This is applicable only for SOAP APIs.
Specifies using the WS security X.509 certificate to identify the client, extract the client identity certificate from the WS-Security SOAP message header, and verify the client's identity against the specified list of applications in API Gateway.
Note:
You must enforce the Inbound Auth - Message policy with the Require X.509 Certificate property configured, so that when the Identify & Authorize policy runs, the user details it fetched are matched against the application data to identify the application.
Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's X.509 certificate against the client certificate identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's X.509 certificate against the client certificate identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's X.509 certificate against the client certificate identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
Payload Element
Specifies using the payload identifier to identify the client, extract the custom authentication credentials supplied in the request represented using the payload identifier, and verify the client's identity against the specified list of applications in API Gateway.
*Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's payload against the Payload Identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's payload against the Payload Identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's payload against the Payload Identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.
In the Payload identifier section, click Add payload identifier, provide the following information, and click Add.
*Expression type: Specifies the type of expression used for identification. You can select one of the following expression types:
*XPath. This is not applicable to a GraphQL API. Provide the following information:
*Payload Expression. Specifies the XPath expression that is evaluated against the request payload to extract the identifier. For example: /name/id
*Namespace Prefix. The namespace prefix of the payload expression to be validated.
*Namespace URI. The namespace URI of the payload expression to be validated.
Note:
You can add multiple namespace prefix and URI pairs by clicking .
*JSONPath. Provide the JSONPath for the payload identification. For example, $.name.id
*Text. Provide the regular expression for the payload identification. For example, any valid regular expression.
You can add multiple payload identifiers as required.
Note:
Only one payload identifier of each type is allowed. For example, you can add a maximum of three payload identifiers, each being of a different type.
HTTP Headers
Specifies using any header in the request to identify and authorize the client application against the list of applications with the identifier in API Gateway.
Provide the following information:
*Select one of the Application Lookup conditions:
*Registered applications. Identifies the client's header against the Header Key - Value pair identifier of all the applications registered to the API. On successful identification, API Gateway allows access to the API.
*Global applications. Identifies the client's header against the Header Key - Value pair identifier of all the applications available in API Gateway. On successful identification, API Gateway allows access to the API.
*Global applications and DefaultApplication. Identifies the client's header against the Header Key - Value pair identifier of all the applications available in API Gateway. If no global application is identified, then API Gateway allows access to the API as default application.