Configuring API protection
The API protection uses the OAuth 2.0 protocol. To configure the API protection, you must create a definition and a client.
You must then attach the API protection definition to a resource.
- Creating an API protection definition
  Create API protection definitions to configure the settings that dictate how resources are accessed. The configuration settings protect the resources from unauthorized access.
- Managing API protection definitions
  An API protection definition is a set of configurations that define how resources are accessed.
- API Protection token management properties
  When you configure API Protection for OAuth and OpenID Connect, you must specify properties for token management.
- API Protection OpenID Connect Provider properties
  When you configure API Protection for OAuth and OpenID Connect, and you enable OpenID Connect, you must specify properties for the OIDC Provider.
- PIN policy
  Advanced Access Control extends OAuth 2.0 capabilities with a PIN policy.
- Registering an API protection client
  Register OAuth API protection clients in the Clients panel. Clients are the entities to which OAuth access and refresh tokens are granted at runtime.
- Managing registered API protection clients
  Manage registered OAuth API protection clients.
- Managing policy attachments
  Attach policies or API protection definitions to resources so that the policies and definitions can be enforced.
- Using oauthScope attributes in an access control policy
  You can use the subject and resource oauthScope attributes as part of an access control decision for a resource.
- Uploading OAuth response files
  Use the local management interface to upload your own custom OAuth response files.
- OAuth introspection
  An introspection endpoint that implements RFC 7662 returns information about an access token. OAuth clients can query it to determine whether a token exists and is valid. Extensions to this endpoint also return some information about the token beyond whether it is valid.
- OAuth revocation endpoint
  You can use a revocation endpoint to ensure that tokens are revoked.
Parent topic: OAuth 2.0 and OIDC support