Parameter | Description |
--- | --- |
Condition | The condition operator for the identification and authentication types specified for validating the client credentials. Select one of the following condition operators: |
Allow anonymous | Enable or disable access to the API for incoming requests without any restriction. When you enforce a security policy and select Allow anonymous, Microgateway allows all incoming requests to pass through to the native API. The successfully identified requests are grouped under the respective identified application, and all unidentified requests are grouped under a common application named unknown. Even when all the incoming requests are allowed to pass through without any restriction, you can perform all application-specific actions, such as: |
Identification Type. Specifies the identification type. You can configure one or more of the following identification types. | |
API Key | Denotes using the API key to identify and validate the authenticity of the client's identity against the registered applications for the specified API. |
Hostname Address | Denotes using the host name to identify the client, extract the client's host name from the HTTP request header, and verify the client's identity against the specified applications in Microgateway. Configure one of the following Application Lookup conditions to verify the client's identity: |
HTTP Basic Authentication | Denotes using the Authorization request header to identify and authorize the client application against the specified applications in Microgateway that have the identifier username. Configure one of the following Application Lookup conditions to verify the client's identity: |
IP Address Range | Denotes using the IP address range to identify the client, extract the client's IP address from the HTTP request header, and verify the client's identity against the specified applications in Microgateway. Configure one of the following Application Lookup conditions to verify the client's identity: |
OAuth2 Token | Denotes using the OAuth2 token to identify the client, extract the client's credentials from the OAuth2 token, and verify the client's identity against the specified list of applications in Microgateway. The tokens issued by API Gateway are validated by delegating them to the API Gateway instance. Configure the communication details that are used by Microgateway to introspect the API Gateway-issued OAuth2 tokens. For details on how to configure the communication details, see webMethods API Gateway User's Guide. Note: The client id and other parameters can be used for further processing using the request transformation policy. |
JWT | Denotes using the JSON Web Token (JWT) to identify the client, extract the claims from the JWT and validate the client's claims, and verify the client's identity against the specified applications in Microgateway. Configure one of the following Application Lookup conditions to verify the client's identity: Note: The claims in the JWT can be used for further processing using the request transformation policy. |
OpenID Connect | Denotes using the OpenID (ID) token to identify the client, extract the client's credentials from the ID token, and verify the client's identity against the specified list of applications in Microgateway. You might have one of the following Application Lookup conditions to verify the client's identity: Note: The client id and other parameters can be used for further processing using the request transformation policy. |
SSL Certificate | Denotes using the SSL certificate to identify the client, extract the client's identity certificate, and verify the client's identity (certificate-based authentication) against the specified applications in Microgateway. Whenever both the SSL certificate and the custom header certificate are present, the identification is done using the SSL certificate. When the identification fails for the certificate obtained from the SSL handshake, the identification is done using the certificate from the custom header. Microgateway extracts the client certificate that is used to identify the client from the request header. The certificate passed in the header should be Base64-encoded, or the certificate chain passed in the header should be in the Base64-encoded (.pem) format. If the transport protocol is HTTP or HTTPS, Microgateway checks for the existence of a header and fetches the certificate from the certificate header. If the certificate is from the custom header, Microgateway does not check the validity of the certificate and identifies the application using the certificate. Note: Software AG recommends that an external entity validates the certificate sent in the custom header. During asset provisioning at Microgateway startup, the header name is included in the system-settings.yml file. You can customize the header name by modifying the value and including it in the user-defined custom settings YAML file. Configure one of the following Application Lookup conditions to verify the client's identity: |
Payload Element | Denotes using the payload identifier to identify the client, extract the custom authentication credentials supplied in the request represented using the payload identifier, and verify the client's identity against the specified applications in Microgateway. Configure one of the following Application Lookup conditions to verify the client's identity: In the Payload identifier section, provide the following information: For example: `/name/id`. For example: `$.name.id`. You can have multiple payload identifiers. However, only one payload identifier of each type is allowed. For example, you can have a maximum of three payload identifiers, each being of a different type. |
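
The SSL Certificate row states that Microgateway does not check the validity of a certificate taken from the custom header and recommends that an external entity validate it. One way such an entity could perform that check in Go, as an added example that is not Software AG code: `ValidateHeaderCert`, `Issue` and the certificates are assumptions constructed for illustration, and only the first certificate in the header is verified (a chain would add the remaining PEM blocks to `VerifyOptions.Intermediates`).

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// ValidateHeaderCert fails closed unless value is a Base64-encoded PEM certificate that chains to roots at time now.
func ValidateHeaderCert(value string, roots *x509.CertPool, now time.Time) error {
	raw, err := base64.StdEncoding.DecodeString(value)
	blk, _ := pem.Decode(raw)
	if err != nil || blk == nil {
		return fmt.Errorf("header is not a Base64-encoded PEM certificate")
	}
	leaf, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	// Verify checks signature chain, validity period and extended key usage (client authentication).
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// Issue mints a constructed demo certificate (self-signed CA when parent is nil) plus its header encoding.
func Issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey, notAfter time.Time) (*x509.Certificate, ed25519.PrivateKey, string) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, IsCA: parent == nil, BasicConstraintsValid: true}
	if parent == nil {
		parent, signer = t, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	c, _ := x509.ParseCertificate(der)
	return c, key, base64.StdEncoding.EncodeToString(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}))
}

func main() {
	ca, caKey, _ := Issue("constructed-ca", nil, nil, time.Now().Add(24*time.Hour))
	_, _, header := Issue("constructed-client", ca, caKey, time.Now().Add(24*time.Hour))
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	fmt.Println("validation error:", ValidateHeaderCert(header, roots, time.Now()))
}
```

A deployment would run a check like this in the component that sets the certificate header, before the request reaches Microgateway.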