Set authorization
The Set authorization policy applies authentication to outgoing requests. It either sets credentials directly or reuses the credentials from the incoming request.
The policy prepares authorization details for the target endpoint by selecting the authentication scheme and defining the required parameters. It supports Basic Authentication, OAuth2 tokens, NTLM negotiation, JWT forwarding, Kerberos authentication, and anonymous access. Each spec component controls how the policy interprets credentials, manages protocol-specific behavior, and attaches authorization information to the request.
In IBM API Studio, this policy is identified by the kind SetAuthorization.
Example of a SetAuthorization policy:
```yaml
# Basic authentication with fixed credentials
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: basic-custom
  namespace: lwgw
spec:
  basic:
    static:
      username: "aaa"
      password: "bbb" #secret
      valueType: "plain" # plain | jsonata
  message: "request"
---
# Basic authentication using the credentials from the incoming request
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: basic-incoming
  namespace: lwgw
spec:
  basic:
    useIncoming: {}
  message: "request"
---
# OAuth2 with a fixed access token
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: oauth2-custom
  namespace: lwgw
spec:
  oAuth2:
    token: "atfqI-QW3HXqF1hkot1e6hJDIj4qHnwTEUXiGJFf09k.SRHhlx6wlDz5GZncAr99HfM7FUbDQlUg73MapL0TJ2I"
  message: "request"
---
# OAuth2 using the Bearer token from the incoming request
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: oauth2-incoming
  namespace: lwgw
spec:
  oAuth2:
    useIncoming: {}
  message: "request"
---
# NTLM using the credentials from the incoming request
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-incoming
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    useIncoming: {}
  message: "request"
---
# NTLM with transparent negotiation between client and target endpoint
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-transparent
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    transparent: {}
  message: "request"
---
# NTLM with fixed credentials
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: ntlm-transparent
  namespace: ntlm
  version: 1.0
spec:
  ntlm:
    static:
      username: ''
      password: ''
  message: "request"
---
# JWT forwarded from the incoming request
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: jwt-incoming
  namespace: ntlm
  version: 1.0
spec:
  jwt:
    useIncoming: {}
  message: "request"
---
# Kerberos using the credentials from the incoming request
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-2
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    useIncoming: {}
  message: "request"
---
# Kerberos delegating the incoming credentials
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-3
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    delegateIncomingCredentials:
      clientPassword: ''
      clientPrincipal: ''
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
# Kerberos tickets obtained with incoming HTTP Basic Authentication credentials
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-4
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    incomingHTTPBasicAuthCred:
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
# Kerberos with custom client and service credentials
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: kerberos-5
  namespace: kerberos
  version: 1.0
spec:
  kerberos:
    useCustomCredentials:
      clientPassword: ''
      clientPrincipal: ''
      servicePrincipal: ''
      servicePrincipalNameform: 'Username' # Username|Hostbased
  message: "request"
---
# Anonymous: no authorization information is added
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: anonymous
  namespace: kerberos
  version: 1.0
spec:
  anonymous: {}
```
To use the Set authorization policy, you can specify the following configurations:
Basic authentication
Use Basic authentication when the target endpoint expects a username and password in the authorization header. This section allows you to set fixed credentials or forward the credentials received in the incoming request.
| Type | Description |
|---|---|
| spec.basic.static | Defines fixed basic authentication credentials. This section includes: |
| spec.basic.useIncoming | Uses basic authentication credentials from the incoming request. |
| spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request. |
OAuth2
Use OAuth2 authentication when the target endpoint requires a Bearer token. This section lets you provide a static access token or reuse the token that arrives with the client request.
| Type | Description |
|---|---|
| spec.oAuth2.token | Adds a fixed OAuth2 access token. This section includes: |
| spec.oAuth2.useIncoming | Uses the Bearer token from the incoming request. |
| spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request. |
NTLM
Use NTLM authentication when interacting with services that require NTLM negotiation. This section supports direct credential input, transparent client–server negotiation, and forwarding of incoming NTLM credentials.
| Type | Description |
|---|---|
| spec.ntlm.useIncoming | Uses NTLM credentials from the incoming request. |
| spec.ntlm.transparent | Enables transparent NTLM negotiation between the client and the target endpoint. |
| spec.ntlm.static | Defines fixed NTLM credentials. This section includes: |
| spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request. |
JWT
Use JWT authentication when the request needs to forward a JSON Web Token to the target endpoint. This section forwards the JWT from the incoming request without modification.
| Type | Description |
|---|---|
| spec.jwt.useIncoming | Uses the JSON Web Token received in the request. |
| spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request. |
Kerberos
Use Kerberos authentication when the target endpoint relies on Kerberos tickets. This section supports forwarding incoming Kerberos credentials, delegating them, using Basic Authentication to obtain Kerberos tickets, or applying fully custom Kerberos principals and passwords.
| Type | Description |
|---|---|
| spec.kerberos.useIncoming | Uses Kerberos credentials from the incoming request. |
| spec.kerberos.delegateIncomingCredentials | Delegates incoming Kerberos credentials. This section includes: |
| spec.kerberos.incomingHTTPBasicAuthCred | Uses Basic Authentication credentials to obtain Kerberos tickets. This section includes: |
| spec.kerberos.useCustomCredentials | Uses custom Kerberos client and service credentials. This section includes: |
| spec.message | Specifies the message target. Set the value to request to apply the authorization settings to the outbound request. |
Anonymous
Use Anonymous authentication when the target endpoint does not require credentials. This section sends the request without adding any authorization information.
| Type | Description |
|---|---|
| spec.anonymous | Sends the request without adding authentication. |
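
The static options above (spec.basic.static, spec.oAuth2.token, spec.ntlm.static, and the Kerberos clientPassword fields) place credentials in the manifest itself, so a pre-commit or review check can list every policy that carries a non-empty literal in one of those fields. The following is an added example, not IBM code: the function name `find_embedded_secrets`, the sample manifest, and the line-based scanning (a heuristic that relies on YAML indentation rather than a full YAML parser) are assumptions.

```python
import re

# Credential-bearing field paths, taken from the example manifests on this page.
SECRET_RE = re.compile(
    r"^spec\.(basic\.static\.password|oAuth2\.token|ntlm\.static\.password"
    r"|kerberos\.\w+\.clientPassword)$")

# Constructed sample input (not from a real deployment).
SAMPLE = """\
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: basic-custom
spec:
  basic:
    static:
      username: "svc-user"
      password: "example-only"  # constructed value
  message: "request"
---
apiVersion: api.ibm.com/v1
kind: SetAuthorization
metadata:
  name: oauth2-incoming
spec:
  oAuth2:
    useIncoming: {}
  message: "request"
"""

def find_embedded_secrets(text):
    """Return (policy name, field path) for each non-empty literal credential."""
    findings = []
    for doc in re.split(r"(?m)^---\s*$", text):
        stack, name, hits = [], "?", []   # stack holds (indent, key) pairs
        for line in doc.splitlines():
            m = re.match(r"^(\s*)([\w-]+)\s*:\s*(.*?)(?:\s+#.*)?\s*$", line)
            if not m:
                continue
            indent, key, value = len(m.group(1)), m.group(2), m.group(3).strip("'\"")
            while stack and stack[-1][0] >= indent:
                stack.pop()               # leave deeper or sibling mappings
            stack.append((indent, key))
            path = ".".join(k for _, k in stack)
            if path == "metadata.name":
                name = value
            elif SECRET_RE.match(path) and value:
                hits.append(path)
        findings += [(name, p) for p in hits]
    return findings
```

Empty placeholders such as `clientPassword: ''` and the `useIncoming` variants are not reported, because they carry no literal credential.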