Set authorization

The Set authorization policy applies authentication to outgoing requests. It either sets credentials directly or reuses the credentials from the incoming request.

The policy prepares authorization details for the target endpoint by selecting the authentication scheme and defining the required parameters. It supports Basic Authentication, OAuth2 tokens, NTLM negotiation, JWT forwarding, Kerberos authentication, and anonymous access. Each spec component controls how the policy interprets credentials, manages protocol-specific behavior, and attaches authorization information to the request.

In IBM API Studio, this policy is identified by the kind SetAuthorization.

Example of a SetAuthorization policy:

apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: basic-custom
  namespace: lwgw
spec:
  basic:
    static:
      username: "aaa"
      password: "bbb" #secret
    valueType: "plain"  # plain | jsonata
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: basic-incoming
  namespace: lwgw
spec:
  basic:
    useIncoming: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: oauth2-custom
  namespace: lwgw
spec:
  oAuth2:
    token: "atfqI-QW3HXqF1hkot1e6hJDIj4qHnwTEUXiGJFf09k.SRHhlx6wlDz5GZncAr99HfM7FUbDQlUg73MapL0TJ2I"
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: oauth2-incoming
  namespace: lwgw
spec:
  oAuth2:
    useIncoming: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-incoming
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    useIncoming: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-transparent
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    transparent: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-custom
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    static:
      username: ''
      password: ''
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: jwt-incoming
  namespace: ntlm
  version: 1.0
spec:
  jwt:
    useIncoming: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-2
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    useIncoming: {}
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-3
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    delegateIncomingCredentials:
      clientPassword: ''
      clientPrincipal: ''
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-4
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    incomingHTTPBasicAuthCred:
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-5
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    useCustomCredentials:
      clientPassword: ''
      clientPrincipal: ''
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: anonymous
  namespace: kerberos
  version: 1.0
spec:
  anonymous: {}
---

To use the Set authorization policy, you can specify the following configurations:

Basic authentication

Use Basic authentication when the target endpoint expects a username and password in the authorization header. This section allows you to set fixed credentials or forward the credentials received in the incoming request.

Type | Description
spec.basic.static | Defines fixed basic authentication credentials. This section includes:
  • username. Specify the username.
    Note: IBM API Studio does not provide a separate domain field. Include the domain in the username in the format domain\username, for example eur\myusername. If a domain is not required, provide only the username.
  • password. Specify the password.
    Note: webMethods API Gateway expects the password as a Base64-encoded catalog property. Create a catalog property in API Manager under Manage > Catalog settings > Catalog properties and reference the property key using $(propertykeyname). If you provide a plain-text password, the publish operation can fail with Base64 validation errors.
  • valueType. Specify how the policy interprets the credentials, such as plain or jsonata.
spec.basic.useIncoming | Uses basic authentication credentials from the incoming request.
spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request.

OAuth2

Use OAuth2 authentication when the target endpoint requires a Bearer token. This section lets you provide a static access token or reuse the token that arrives with the client request.

Type | Description
spec.oAuth2.token | Adds a fixed OAuth2 access token. This section includes:
  • token. Specify the OAuth2 access token.
spec.oAuth2.useIncoming | Uses the Bearer token from the incoming request.
spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request.

NTLM

Use NTLM authentication when interacting with services that require NTLM negotiation. This section supports direct credential input, transparent client–server negotiation, and forwarding of incoming NTLM credentials.

Type | Description
spec.ntlm.useIncoming | Uses NTLM credentials from the incoming request.
spec.ntlm.transparent | Enables transparent NTLM negotiation between the client and the target endpoint.
spec.ntlm.static | Defines fixed NTLM credentials. This section includes:
  • username. Specify the NTLM user name.
    Note: IBM API Studio does not provide a separate domain field. Include the domain in the username in the format domain\username, for example eur\myusername. If a domain is not required, provide only the username.
  • password. Specify the NTLM password.
    Note: webMethods API Gateway expects the password as a Base64-encoded catalog property. Create a catalog property in API Manager under Manage > Catalog settings > Catalog properties and reference the property key using $(propertykeyname). If you provide a plain-text password, the publish operation can fail with Base64 validation errors.
spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request.

JWT

Use JWT authentication when the request needs to forward a JSON Web Token to the target endpoint. This section forwards the JWT from the incoming request without modification.

Type | Description
spec.jwt.useIncoming | Uses the JSON Web Token received in the request.
spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request.

Kerberos

Use Kerberos authentication when the target endpoint relies on Kerberos tickets. This section supports forwarding incoming Kerberos credentials, delegating them, using Basic Authentication to obtain Kerberos tickets, or applying fully custom Kerberos principals and passwords.

Type | Description
spec.kerberos.useIncoming | Uses Kerberos credentials from the incoming request.
spec.kerberos.delegateIncomingCredentials | Delegates incoming Kerberos credentials. This section includes:
  • clientPrincipal. Specify the client principal.
  • clientPassword. Specify the client principal password.
  • servicePrincipal. Specify the service principal.
  • servicePrincipalNameform. Specify the principal name form, such as Username or Hostbased.
spec.kerberos.incomingHTTPBasicAuthCred | Uses Basic Authentication credentials to obtain Kerberos tickets. This section includes:
  • servicePrincipal. Specify the service principal.
  • servicePrincipalNameform. Specify the principal name form.
spec.kerberos.useCustomCredentials | Uses custom Kerberos client and service credentials. This section includes:
  • clientPrincipal. Specify the client principal.
  • clientPassword. Specify the client password.
  • servicePrincipal. Specify the service principal.
  • servicePrincipalNameform. Specify the principal name form.
spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request.

Anonymous

Use Anonymous authentication when the target endpoint does not require credentials. This section sends the request without adding any authorization information.

Type | Description
spec.anonymous | Sends the request without adding authentication.
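
The secret-bearing fields listed above (spec.basic.static.password, spec.ntlm.static.password, spec.oAuth2.token and the Kerberos clientPassword) can be checked before a manifest is committed or published. The following Python check is an added example, not IBM code: it walks parsed SetAuthorization manifests and reports secret fields that hold a literal value instead of a $(propertykeyname) reference. The sample manifests, the property key backendPassword and the handling of valueType jsonata are assumptions made for illustration.

```python
import re

# $(propertykeyname): the catalog-property reference form from the page's note.
PROPERTY_REF = re.compile(r"^\$\([^()\s]+\)$")
# Leaf keys that hold a secret in the page's spec tables.
SECRET_KEYS = {"password", "clientPassword", "token"}

def leaves(node, path=()):
    """Yield (path, value) for every scalar leaf of a nested mapping."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from leaves(value, path + (key,))
    else:
        yield path, node

def audit(doc):
    """Return sorted (finding, dotted.path) pairs for one parsed manifest."""
    spec = doc.get("spec") or {}
    findings = []
    for path, value in leaves(spec, ("spec",)):
        if path[-1] not in SECRET_KEYS or not isinstance(value, str) or not value:
            continue  # not a secret field, or an empty placeholder
        if PROPERTY_REF.match(value):
            continue  # reference to a catalog property, no secret in the file
        scheme = spec.get(path[1])
        # Assumption: valueType "jsonata" means an expression; flag for manual review.
        is_expr = isinstance(scheme, dict) and scheme.get("valueType") == "jsonata"
        tag = "jsonata-expression" if is_expr else "literal-secret"
        findings.append((tag, ".".join(path)))
    return sorted(findings)

def audit_all(docs):
    """Map manifest name -> findings for SetAuthorization manifests with findings."""
    report = {d["metadata"]["name"]: audit(d)
              for d in docs if d.get("kind") == "SetAuthorization"}
    return {name: found for name, found in report.items() if found}

# Constructed manifests (parsed form); backendPassword is a hypothetical key.
SAMPLES = [
    {"kind": "SetAuthorization", "metadata": {"name": "basic-custom"},
     "spec": {"basic": {"static": {"username": "aaa", "password": "bbb"},
                        "valueType": "plain"}, "message": "request"}},
    {"kind": "SetAuthorization", "metadata": {"name": "basic-ref"},
     "spec": {"basic": {"static": {"username": "aaa", "password": "$(backendPassword)"},
                        "valueType": "plain"}, "message": "request"}},
    {"kind": "SetAuthorization", "metadata": {"name": "oauth2-custom"},
     "spec": {"oAuth2": {"token": "constructed-token"}, "message": "request"}},
    {"kind": "SetAuthorization", "metadata": {"name": "kerberos-5"}, "spec": {
        "kerberos": {"useCustomCredentials": {"clientPassword": ""}}}},
]
```

Pass it the documents produced by your YAML loader; audit_all(SAMPLES) returns findings for basic-custom and oauth2-custom only, because basic-ref uses a property reference and kerberos-5 has an empty placeholder.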