Condition |
Specifies the condition operator for the identification and authentication types. Select one
of the following condition operators:
- AND. Applies all the selected identification and authentication types.
- OR. Applies any one of the selected identification and authentication
types.
Note: Even though this policy provides the option of choosing an AND or OR
operation between the different identification and authentication types,
the operation across the different policies in the IAM stage is always
AND.
|
Allow Anonymous |
Specifies whether to allow all users to access the API without restriction. When you add
a security policy and configure Allow anonymous, all requests are allowed to
pass through to the native API. Successfully identified requests are grouped under the
respective identified application, and all unidentified requests are grouped under a common
application named DefaultApplication (Sys:defaultApplication). Because every request is
still attributed to an application, you can perform all application-specific actions while
allowing all requests through, such as viewing the runtime events for a particular application,
monitoring the service level agreement for selected applications and sending an alert email
based on criteria such as request count or availability, and throttling the requests from a
particular application by rejecting its requests once the number of requests reaches the
configured hard limit within the configured period of time.
|
Identification Type. Specifies the identification type. You can select any of the
following. |
|
API Key |
Specifies using the host name address to identify the client: webMethods API Gateway extracts the
client's hostname from the HTTP request header and verifies the client's identity against the
specified list of applications in webMethods API Gateway. Select one of the Application Lookup conditions.
- Registered applications. Identifies the client's hostname against the
hostname identifier of all the applications registered to the API. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's hostname against the
hostname identifier of all the applications available in webMethods API Gateway. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications and DefaultApplication. Identifies the client's
hostname against the hostname identifier of all the applications available in
webMethods API Gateway. If no global application is identified, then webMethods API Gateway
allows access to the API as the default application.
Note: If the client request has an X-Forwarded-For header, then webMethods API Gateway resolves the hostname
from the IP address present in the X-Forwarded-For header. Otherwise, webMethods API Gateway resolves the hostname
from the client's IP address.
|
HTTP Basic Authentication |
Specifies using the Authorization header in the request to identify and authorize the client
application against the list of applications with the username identifier in webMethods API
Gateway. To authenticate by using the IAM policy with Basic Auth, you must first generate an MCSP API
key for the API Gateway instance. Use your username and the generated API key as the password in the
Authorization header of your request. For more information on generating an API key, see Generating API key.
Provide the following information:
Select one of the Application Lookup conditions.
- Registered applications. Authenticates the user and identifies the user
against the username identifier of all the applications registered to the API. On
successful authentication and identification, webMethods API Gateway allows access to the API.
- Global applications. Authenticates the user and identifies the user
against the username identifier of all the applications available in webMethods API Gateway.
On successful authentication and identification, webMethods API Gateway allows access to
the API.
- Global applications and Default Application.
- Authenticates the user and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows access to the API as the default
application.
- If the authentication fails, then webMethods API Gateway does not allow access to the API.
- If Global applications and Default Application and Allow
anonymous are selected:
- Authenticates the user and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows access to the API as the default
application.
- If the authentication fails, then webMethods API Gateway still allows access to the API.
Important: If an external IDP (Identity Provider) is configured to authenticate the
users in IBM webMethods Hybrid Integration and if you have enforced the HTTP Basic Authentication
policy for an API, webMethods API Gateway cannot authenticate the user because the user is not
local to .
As a workaround, the corresponding users can be created in , so that webMethods API Gateway can authenticate the local
users.
|
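The decision matrix spelled out above for the Condition operator, Allow anonymous and the three Application Lookup conditions (here for the HTTP Basic Authentication type), modelled in Python as an added example. This is not product code: the data classes, function names, lookup-condition labels, sample applications and credentials are constructed assumptions.

```python
"""Model of the Identify and Authorize Application decision described on this page.
Added example: the data classes, function names and sample applications are
constructed assumptions, not product code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Name the page gives the catch-all application (Sys:defaultApplication).
DEFAULT_APPLICATION = "DefaultApplication"


@dataclass
class Application:
    name: str
    usernames: Set[str] = field(default_factory=set)  # "username" identifier
    apis: Set[str] = field(default_factory=set)       # APIs the application is registered to


@dataclass
class Decision:
    allowed: bool
    application: Optional[str]
    reason: str


def lookup_application(username: str, api: str, apps: List[Application], lookup: str) -> Optional[str]:
    """Application Lookup condition: 'registered', 'global' or 'global_default' (assumed labels)."""
    if lookup == "registered":
        candidates = [a for a in apps if api in a.apis]
    elif lookup in ("global", "global_default"):
        candidates = apps
    else:
        raise ValueError(f"unknown lookup condition: {lookup}")
    for app in candidates:
        if username in app.usernames:
            return app.name
    # "Global applications and Default Application": fall back to DefaultApplication.
    return DEFAULT_APPLICATION if lookup == "global_default" else None


def identify_basic_auth(api: str, username: str, password: str, users: Dict[str, str],
                        apps: List[Application], lookup: str) -> Optional[str]:
    """HTTP Basic Authentication type: authenticate first, then identify the application.
    Returns the application name, or None when authentication or identification fails.
    (A real verifier compares secrets with hmac.compare_digest; this model only needs equality.)"""
    if username not in users or users[username] != password:
        return None
    return lookup_application(username, api, apps, lookup)


def evaluate_policy(type_results: List[Optional[str]], condition: str, allow_anonymous: bool) -> Decision:
    """Combine the results of one policy's identification types with the AND/OR
    Condition, then apply Allow anonymous to requests that were not identified."""
    identified = [r for r in type_results if r is not None]
    if condition == "AND":
        ok = bool(type_results) and len(identified) == len(type_results)
    elif condition == "OR":
        ok = bool(identified)
    else:
        raise ValueError(f"unknown condition: {condition}")
    if ok:
        return Decision(True, identified[0], f"identified ({condition})")
    if allow_anonymous:
        return Decision(True, DEFAULT_APPLICATION, "not identified; grouped under DefaultApplication")
    return Decision(False, None, "not identified")


def evaluate_iam_stage(policy_decisions: List[Decision]) -> Decision:
    """Across the policies of the IAM stage the operation is always AND."""
    if not policy_decisions:
        return Decision(True, None, "no IAM policy enforced")
    for d in policy_decisions:
        if not d.allowed:
            return Decision(False, None, f"denied by a policy: {d.reason}")
    return policy_decisions[0]


# Constructed sample data.
APPS = [
    Application("OrdersClient", usernames={"alice"}, apis={"orders-api"}),
    Application("PartnerPortal", usernames={"bob"}, apis={"partner-api"}),
]
USERS = {"alice": "alice-api-key", "bob": "bob-api-key", "carol": "carol-api-key"}


def demo() -> Dict[str, Decision]:
    """Walk through the lookup/anonymous matrix for calls to orders-api."""
    def basic(user, pwd, lookup, anonymous=False):
        result = identify_basic_auth("orders-api", user, pwd, USERS, APPS, lookup)
        return evaluate_policy([result], "AND", anonymous)

    return {
        "alice_registered": basic("alice", "alice-api-key", "registered"),          # her app is registered
        "bob_registered": basic("bob", "bob-api-key", "registered"),                # his app is not
        "bob_global": basic("bob", "bob-api-key", "global"),                        # found globally
        "carol_global_default": basic("carol", "carol-api-key", "global_default"),  # no app: default
        "bad_password": basic("carol", "wrong", "global_default"),                  # auth fails: denied
        "bad_password_anonymous": basic("carol", "wrong", "global_default", True),  # still allowed
    }


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:24s} allowed={decision.allowed!s:5s} app={decision.application} ({decision.reason})")
```

Running the file prints one line per row of the matrix. The last two rows are the ones worth checking in a real deployment: with Allow anonymous set, a failed authentication is still forwarded to the native API, only attributed to DefaultApplication, so any throttling or alerting you rely on must be configured for that application too.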
IP Address Range |
Specifies using the IP address range to identify the client: webMethods API Gateway extracts the client's IP
address from the HTTP request header and verifies the client's identity against the specified list of
applications in webMethods API Gateway. Select one of the Application Lookup
conditions.
- Registered applications. Identifies the client's IP address against the
IP address range identifier of all the applications registered to the API. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's IP address against the
IP address range identifier of all the applications available in webMethods API Gateway.
On successful identification, webMethods API Gateway allows access to the API.
- Global applications and DefaultApplication. Identifies the client's IP
address against the IP address range identifier of all the applications
available in webMethods API Gateway. If no global application is identified, then webMethods API Gateway allows access to
the API as default application.
Note: If the client request has an X-Forwarded-For header, then webMethods API Gateway uses the IP address
present in the X-Forwarded-For header. Otherwise, webMethods API Gateway uses the client's IP address for
identification.
|
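The address-resolution rule in the note above (X-Forwarded-For first, the client's own address otherwise) combined with an IP-address-range match, including IPv6 ranges, as an added Python example. It is not product code: the request shape, helper names and the documentation address ranges are constructed assumptions, and taking the first entry of a comma-separated X-Forwarded-For chain is this example's choice, not something the page states.

```python
"""Client-address resolution and IP Address Range identification as described above.
Added example; the request shape, helper names and address ranges are constructed
assumptions, not product code."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class Application:
    name: str
    ip_ranges: List[str]                           # IP address range identifier (CIDR notation)
    apis: Set[str] = field(default_factory=set)    # APIs the application is registered to

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(r, strict=False) for r in self.ip_ranges)


def client_address(headers: Dict[str, str], peer_ip: str) -> str:
    """Apply the note above: take the address from X-Forwarded-For when the header is
    present, otherwise use the peer (socket) address. The header may carry a
    comma-separated chain; taking the first, originating entry is an assumption of this
    example. The header is only meaningful when a proxy you control in front of the
    gateway sets it, so deployments without such a proxy should strip it at the edge."""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for" and value.strip():
            return value.split(",")[0].strip()
    return peer_ip


def identify_by_ip_range(ip: str, apps: List[Application]) -> Optional[str]:
    """Return the first application whose IP address range identifier contains ip."""
    for app in apps:
        if app.contains(ip):
            return app.name
    return None


# Constructed sample applications using documentation address ranges.
APPS = [
    Application("BranchOffice", ["10.20.0.0/16", "2001:db8:1::/48"], apis={"orders-api"}),
    Application("PartnerNetwork", ["203.0.113.0/24"], apis={"partner-api"}),
]


def demo() -> Dict[str, Optional[str]]:
    """Resolve the address and identify the application for a few constructed requests."""
    direct = client_address({"Host": "api.example.test"}, "10.20.5.7")
    forwarded = client_address({"X-Forwarded-For": "203.0.113.44, 198.51.100.2"}, "198.51.100.2")
    v6 = client_address({}, "2001:db8:1::abcd")
    unknown = client_address({"x-forwarded-for": "  "}, "192.0.2.10")   # blank header is ignored
    return {
        "direct": identify_by_ip_range(direct, APPS),
        "forwarded": identify_by_ip_range(forwarded, APPS),
        "v6": identify_by_ip_range(v6, APPS),
        "unknown": identify_by_ip_range(unknown, APPS),
    }


if __name__ == "__main__":
    for label, app in demo().items():
        print(f"{label:10s} -> {app}")
```

The `unknown` case is where the Application Lookup condition matters: with Registered applications or Global applications the request is not identified, and only Global applications and DefaultApplication lets it through as the default application.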
JWT |
Specifies using the JSON Web Token (JWT) to identify the client, extract the claims from
the JWT and validate the client's claims, and verify the client's identity against the specified
list of applications in webMethods API Gateway. Select one of the Application Lookup
conditions.
- Registered applications. Identifies the JWT against the
claims identifier of all the applications registered to the API. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the JWT against the
claims identifier of all the applications available in webMethods API Gateway. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications and DefaultApplication. Identifies the JWT against
the claims identifier of all the applications available in webMethods API Gateway. If no
global application is identified, then webMethods API Gateway allows access to the API as default
application.
Note: You can use the claims in the JWT for further processing using the request transformation
policy.
|
Kerberos Token |
Specifies using the Kerberos token to identify the client, extract the client's credentials
from the Kerberos token, and verify the client's identity against the specified list of applications
in webMethods API Gateway.
Note: You have to enforce the Inbound Authentication - Message policy
with the property Kerberos Token Authentication configured, so that when the Identify and Authorize
Application policy is executed, the user details fetched are matched with the application's data
to identify the application.
Select one of the Application Lookup
conditions.
- Registered applications. Authenticates the incoming Kerberos token and
identifies the user against the username identifier of all the applications
registered to the API. On successful authentication and identification, webMethods API Gateway allows access to
the API.
- Global applications. Authenticates the incoming Kerberos token and
identifies the user against the username identifier of all the applications
available in webMethods API Gateway. On successful authentication and identification, webMethods API Gateway allows access
to the API.
- Global applications and DefaultApplication.
- Authenticates the incoming Kerberos token and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows
access to the API as the default application.
- If the authentication fails, then webMethods API Gateway does not allow access to the API.
- If Global applications and DefaultApplication and Allow
anonymous are selected:
- Authenticates the incoming Kerberos token and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows
access to the API as the default application.
- If the authentication fails, then webMethods API Gateway still allows access to the API.
Note: You can use the username for further processing using the request transformation
policy.
|
OAuth2 Token |
Specifies using the OAuth2 token to identify the client: webMethods API Gateway extracts the access token from the
HTTP request header and verifies the client's identity against the specified list of applications in
webMethods API Gateway. By default, the OAuth2 token is identified against the registered
applications.
Note: You can use the client id and other parameters for further processing using
the request transformation policy.
|
Open Id Connect |
Specifies using the OpenID (ID) token to identify the client, extract the client's
credentials from the ID token, and verify the client's identity against the specified list of
applications in webMethods API Gateway. Select one of the Application Lookup
conditions.
- Registered applications. Identifies the client's identity resolved as
part of OpenID validation against all the applications registered to the API. On successful
identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's identity resolved as part of
OpenID validation against all the applications available in webMethods API Gateway. On successful
identification, webMethods API Gateway allows access to the API.
- Global applications and DefaultApplication. Identifies the client's
identity resolved as part of OpenID validation against all the applications available in API
Gateway. If no global application is identified, then webMethods API Gateway allows access to the API as
default application.
Note: You can use the client id and other parameters for further processing using the request
transformation policy.
|
SSL Certificate |
Specifies using the SSL certificate to identify the client, extract the client's identity
certificate, and verify the client's identity (certificate-based authentication) against the
specified list of applications in webMethods API Gateway. The client certificate that is used to identify the
client is supplied by the client to webMethods API Gateway during the SSL handshake over the transport layer or
is added in the header of the request. The certificate included in the custom header can be in the
following formats:
- Base64 encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters
- Non-Base64 encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters
- PEM certificate can be without BEGIN CERTIFICATE and END CERTIFICATE delimiters if a single
certificate is added.
- URL encoded PEM certificate with BEGIN CERTIFICATE and END CERTIFICATE delimiters.
- URL encoded PEM certificate can be without the BEGIN CERTIFICATE and END CERTIFICATE delimiters
if a single certificate is added.
If the transport protocol is HTTP, then webMethods API Gateway checks for the existence of the certificate header and
fetches the certificate from it. If the certificate comes from the custom
header, then webMethods API Gateway does not check the validity of the certificate; it only identifies the
application using the certificate. The certificate should therefore be validated by some external entity
before it is sent to webMethods API Gateway in a custom header.
If the transport protocol is HTTPS then
webMethods API Gateway first tries to identify the application based on the certificate exposed by the client
during the SSL handshake. If there is no client certificate or the identification based on the
client certificate fails, webMethods API Gateway tries to identify based on the certificate provided in the
header.
The header name is customizable and can be customized in the extended settings
property, customCertificateHeader, the default value being
X-Client-Cert.
Select one of the Application Lookup
conditions.
- Registered applications. Identifies the client's certificate against the
client certificate identifier of all the applications registered to the API.
On successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's certificate against the
client certificate identifier of all the applications available in API
Gateway. On successful identification, webMethods API Gateway allows access to the API.
- Global applications and Default Application. Identifies the client's
certificate against the client certificate identifier of all the applications
available in webMethods API Gateway. If no global application is identified, then webMethods API Gateway allows access to
the API as default application.
|
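A normalizer that accepts the five custom-header certificate formats listed above (base64-encoded PEM, plain PEM, bare body without delimiters, URL-encoded PEM, URL-encoded bare body) and reduces each to the same DER bytes, as an added Python example. It is not product code: the helper names are assumptions, the certificate bytes are constructed (only the DER SEQUENCE prefix is realistic), and picking the first block of a chain as the client certificate is this example's choice. In line with the text above, it performs no chain, expiry or revocation validation, which has to happen in the trusted component that sets the header.

```python
"""Normalizing the client certificate header formats listed above to DER bytes.
Added example; the helper names and the constructed certificate bytes are
assumptions, not product code."""
import base64
import binascii
import re
import urllib.parse
from typing import Dict

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
_PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def _pem_body(text: str) -> str:
    """Base64 body of the first certificate; accepts text with or without delimiters.
    With a chain in the header, the first block is assumed to be the client certificate."""
    match = _PEM_BLOCK.search(text)
    body = match.group(1) if match else text
    return re.sub(r"\s+", "", body)   # header values may arrive with newlines folded to spaces


def certificate_header_to_der(value: str) -> bytes:
    """Accept the five header formats from the list above and return DER bytes."""
    text = value.strip()
    if "%" in text:                            # formats 4 and 5: URL encoded
        text = urllib.parse.unquote(text)      # unquote keeps '+', which is a base64 character
    if PEM_BEGIN not in text:
        # Format 1 wraps the whole PEM block in base64 once more. Decoding a bare
        # body (format 3) yields DER instead, which never contains the delimiter text.
        try:
            inner = base64.b64decode(text)
        except (binascii.Error, ValueError) as exc:
            raise ValueError("header is not base64") from exc
        if PEM_BEGIN.encode("ascii") in inner:
            text = inner.decode("ascii")
    try:
        der = base64.b64decode(_pem_body(text), validate=True)
    except (binascii.Error, ValueError) as exc:
        raise ValueError("certificate body is not valid base64") from exc
    # Structural sanity check only: a DER certificate starts with a SEQUENCE tag (0x30).
    # As the text above says, a header-supplied certificate is not validated by the gateway;
    # chain, expiry and revocation checks belong to the component that sets the header.
    if not der or der[0] != 0x30:
        raise ValueError("decoded bytes are not a DER SEQUENCE")
    return der


def is_valid_header(value: str) -> bool:
    """True when the header value decodes to something shaped like a DER certificate."""
    try:
        certificate_header_to_der(value)
        return True
    except ValueError:
        return False


def header_variants(der: bytes) -> Dict[str, str]:
    """Render one certificate in each of the five accepted header formats."""
    body = base64.b64encode(der).decode("ascii")
    wrapped = "\n".join(body[i:i + 64] for i in range(0, len(body), 64))
    pem = f"{PEM_BEGIN}\n{wrapped}\n{PEM_END}\n"
    return {
        "base64_pem": base64.b64encode(pem.encode("ascii")).decode("ascii"),
        "plain_pem": pem,
        "bare_body": body,
        "url_pem": urllib.parse.quote(pem, safe=""),
        "url_bare": urllib.parse.quote(body, safe=""),
    }


# Constructed bytes that only mimic the DER SEQUENCE prefix; not a real certificate.
FAKE_DER = b"\x30\x28" + b"constructed-not-a-real-certificate-body!"


if __name__ == "__main__":
    for label, value in header_variants(FAKE_DER).items():
        same = certificate_header_to_der(value) == FAKE_DER
        print(f"{label:11s} -> {'same DER' if same else 'MISMATCH'}")
```

Whatever format a front-end proxy chooses for X-Client-Cert (or the name configured in customCertificateHeader), the identification step then works on identical DER bytes, which is what makes the client certificate identifier comparable across formats.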
WS Security Username Token |
This is applicable only for SOAP APIs. Specifies using the WS-Security username token to
identify the application, extract the client's credentials (username token and password) from the
WS-Security SOAP message header, and verify the client's identity against the specified list of
applications in webMethods API Gateway.
Note: You have to enforce the Inbound Authentication - Message
policy with the property Require WSS Username token configured, so that when the Identify and Authorize
Application policy is executed, the user details fetched are matched with the application's data
to identify the application.
Select one of the Application Lookup conditions:
- Registered applications. Authenticates the client's WSS username token
and identifies the user against the username identifier of all the applications
registered to the API. On successful authentication and identification, webMethods API Gateway allows access to
the API.
- Global applications. Authenticates the client's WSS username token and
identifies the user against the username identifier of all the applications
available in webMethods API Gateway. On successful authentication and identification, webMethods API Gateway allows access
to the API.
- Global applications and DefaultApplication.
- Authenticates the client's WSS username token and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows
access to the API as the default application.
- If the authentication fails, then webMethods API Gateway does not allow access to the API.
- If Global applications and DefaultApplication and Allow
anonymous are selected:
- Authenticates the client's WSS username token and identifies the user against the
username identifier of all the applications available in webMethods API Gateway.
- On successful authentication, if no global application is identified, then webMethods API Gateway allows
access to the API as the default application.
- If the authentication fails, then webMethods API Gateway still allows access to the API.
Note: You can use the username for further processing using the request transformation
policy.
|
WS Security X.509 Certificate |
This is applicable only for SOAP APIs. Specifies using the WS security X.509 certificate
to identify the client, extract the client identity certificate from the WS-Security SOAP message
header, and verify the client's identity against the specified list of applications in webMethods API Gateway.
Note: You have to enforce the Inbound Authentication - Message policy with the property Require
X.509 Certificate configured, so that when the Identify and Authorize Application policy is executed, the
user details fetched are matched with the application's data to identify the
application.
Select one of the Application Lookup conditions:
- Registered applications. Identifies the client's X.509 certificate
against the client certificate identifier of all the applications registered to the API. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's X.509 certificate against
the client certificate identifier of all the applications available in webMethods API Gateway. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications and Default Application. Identifies the client's
X.509 certificate against the client certificate identifier of all the applications available
in webMethods API Gateway. If no global application is identified, then webMethods API Gateway allows access to the API as
default application.
|
Payload Element |
Specifies using the payload identifier to identify the client, extract the custom
authentication credentials supplied in the request represented using the payload identifier, and
verify the client's identity against the specified list of applications in webMethods API Gateway. Select one
of the Application Lookup conditions.
- Registered applications. Identifies the client's payload against the
Payload Identifier of all the applications registered to the API. On successful identification, API
Gateway allows access to the API.
- Global applications. Identifies the client's payload against the Payload
Identifier of all the applications available in webMethods API Gateway. On successful identification, API
Gateway allows access to the API.
- Global applications and Default Application. Identifies the client's
payload against the Payload Identifier of all the applications available in webMethods API Gateway. If no
global application is identified, then webMethods API Gateway allows access to the API as default
application.
In the Payload identifier section, click Add payload identifier,
provide the following information, and click Add.
- Expression type: Specifies the type of expression that is used for
identification. You can select one of the following expression types:
You can add multiple payload identifiers as required.
Note: Only one payload identifier
of each type is allowed. For example, you can add a maximum of three payload identifiers, each being
of a different type.
|
HTTP Headers |
Specifies using any header in the request to identify and authorize the client application
against the list of applications with the identifier in webMethods API Gateway. Provide the following
information:
- Select one of the Application Lookup conditions:
- Registered applications. Identifies the client's header against the
Header Key - Value pair identifier of all the applications registered to the API. On
successful identification, webMethods API Gateway allows access to the API.
- Global applications. Identifies the client's header against the Header
Key - Value pair identifier of all the applications available in webMethods API Gateway. On successful
identification, webMethods API Gateway allows access to the API.
- Global applications and Default Application. Identifies the client's
header against the Header Key - Value pair identifier of all the applications available in
webMethods API Gateway. If no global application is identified, then webMethods API Gateway allows access to the API as
default application.
|