The API policy template and definition are then downloaded as usual to any Mule runtime that registers as that API instance.

5.3.13. Introducing compliance-related API policies

Two of Anypoint Platform's API policies can be categorized as related to compliance:

• Client ID enforcement
• CORS control

Client ID enforcement will be discussed in 5.3.27. The CORS policy participates in interactions with API clients defined by CORS (Cross-Origin Resource Sharing):

• Rejects HTTP requests whose Origin request header does not match configured origin domains
• Sets Access-Control- HTTP response headers to match configured cross-origins, usage of credentials, etc.
• Responds to CORS pre-flight HTTP OPTIONS requests (containing Access-Control-Request- request headers) as per the policy configuration (setting Access-Control- response headers)

The CORS policy can be important for Experience APIs invoked from a browser. See for a good discussion of CORS.

5.3.14. Introducing security-related API policies

Anypoint Platform provides security-related API policies in the following categories:

• Authentication/Authorization
• IP-based access control
• Payload threat protection
• Tokenization (5.4.3)

5.3.15. Introducing OAuth 2.0 token enforcement API policies

OAuth 2.0-based API policies have a dependency on a suitable Identity Provider for Client Management:
• OpenAM access token enforcement requires OpenAM as an Identity Provider
• PingFederate access token enforcement requires PingFederate as an Identity Provider
• OpenID Connect access token enforcement requires an Identity Provider compatible with OIDC (incl. Dynamic Client Registration), such as Okta
• OAuth 2.0 access token enforcement using external provider requires an external OAuth 2.0 provider that just validates access tokens and is not configured in Anypoint Platform Client Management
  • Client IDs/secrets of API clients registered with Anypoint Platform are not kept in sync with such an external OAuth 2.0 provider, as they would be if Client Management were configured at the Anypoint Platform level
  • The Mule OAuth 2.0 provider is a custom-developed application component that can serve as such an external OAuth 2.0 provider: see the template in Anypoint Exchange
  • Use of this API policy is discouraged other than for testing and exploration

5.3.16. Understanding the interaction between Anypoint Platform, PingFederate and the access token enforcement policy

When an Identity Provider such as PingFederate is configured for Client Management on Anypoint Platform, then API clients who register with Anypoint Platform for access to an API, and therefore receive a client ID and secret, are kept in sync between Anypoint Platform and the Identity Provider.
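To make the two policy behaviours described in 5.3.13 and 5.3.15 concrete, here is an added example (not MuleSoft's policy code) that models a CORS policy and an OAuth 2.0 access token enforcement policy chained in front of an API implementation. The policy configuration shape, the in-memory `fake_validate` standing in for the external provider's token validation, the RFC 7662-style fields it returns (`active`, `scope`, `exp`), the `orders:read` scope and the sample requests are all constructed for this example.

```python
"""Illustrative model of two Anypoint-style API policies applied in front of
an API implementation: CORS control (5.3.13) and OAuth 2.0 access token
enforcement that delegates validation to an external provider (5.3.15).
Added example, not MuleSoft's policy code; configuration shape, token
validator and sample traffic are constructed."""

from dataclasses import dataclass, field
import time


@dataclass
class Request:
    method: str
    headers: dict            # header names lower-cased


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


# ---- CORS policy: the three behaviours listed on the page ----------------

def cors_policy(origins, methods, allow_headers, next_policy):
    def handle(req):
        origin = req.headers.get("origin")
        if origin is None:                       # not a cross-origin request
            return next_policy(req)
        if origin not in origins:                # 1. reject unknown origins
            return Response(403, body="origin not allowed")
        cors = {"Access-Control-Allow-Origin": origin,   # echo the allowed origin, never "*"
                "Access-Control-Allow-Credentials": "true", "Vary": "Origin"}
        if req.method == "OPTIONS" and "access-control-request-method" in req.headers:
            # 3. answer the pre-flight from configuration; it never reaches the API
            want_m = req.headers["access-control-request-method"].upper()
            want_h = {h.strip().lower() for h in
                      req.headers.get("access-control-request-headers", "").split(",") if h.strip()}
            if want_m not in methods or not want_h <= allow_headers:
                return Response(403, body="pre-flight rejected")
            cors.update({"Access-Control-Allow-Methods": ", ".join(sorted(methods)),
                         "Access-Control-Allow-Headers": ", ".join(sorted(allow_headers)),
                         "Access-Control-Max-Age": "600"})
            return Response(204, headers=cors)
        resp = next_policy(req)                  # 2. add Access-Control-* to real responses
        resp.headers.update(cors)
        return resp
    return handle


# ---- OAuth 2.0 token enforcement with an external validator --------------

def oauth_enforcement(validate, required_scope, next_policy):
    """`validate(token)` stands in for the external provider's token
    validation and returns an RFC 7662-style introspection dict (assumed shape)."""
    def handle(req):
        auth = req.headers.get("authorization", "")
        scheme, _, token = auth.partition(" ")
        if scheme.lower() != "bearer" or not token:
            return Response(401, headers={"WWW-Authenticate": "Bearer"})
        info = validate(token)
        if not info.get("active") or info.get("exp", 0) <= time.time():
            return Response(401, headers={"WWW-Authenticate": 'Bearer error="invalid_token"'})
        if required_scope not in info.get("scope", "").split():
            return Response(403, headers={"WWW-Authenticate": 'Bearer error="insufficient_scope"'})
        return next_policy(req)
    return handle


# ---- constructed external provider and sample traffic -------------------

TOKENS = {   # constructed: what the external provider knows about each token
    "tok-good": {"active": True, "scope": "orders:read", "exp": time.time() + 3600},
    "tok-expired": {"active": True, "scope": "orders:read", "exp": time.time() - 1},
    "tok-revoked": {"active": False},
}


def fake_validate(token):
    return TOKENS.get(token, {"active": False})


def build_api():
    api = lambda req: Response(200, body="orders")
    guarded = oauth_enforcement(fake_validate, "orders:read", api)
    # CORS runs first so pre-flights (which carry no credentials) are answered
    return cors_policy({"https://app.example.com"}, {"GET"}, {"authorization"}, guarded)


def demo():
    api = build_api()
    o = "https://app.example.com"
    return {
        "preflight": api(Request("OPTIONS", {"origin": o, "access-control-request-method": "GET",
                                             "access-control-request-headers": "Authorization"})),
        "ok": api(Request("GET", {"origin": o, "authorization": "Bearer tok-good"})),
        "no_token": api(Request("GET", {"origin": o})),
        "expired": api(Request("GET", {"origin": o, "authorization": "Bearer tok-expired"})),
        "revoked": api(Request("GET", {"authorization": "Bearer tok-revoked"})),
        "bad_origin": api(Request("GET", {"origin": "https://other.example.net",
                                          "authorization": "Bearer tok-good"})),
    }


if __name__ == "__main__":
    for name, r in demo().items():
        print(f"{name:10} {r.status} {r.headers}")
```

The ordering matters: the CORS policy sits in front of token enforcement so that a browser's pre-flight OPTIONS request, which never carries an Authorization header, is answered from configuration instead of being rejected with a 401 that the browser would surface as a CORS failure. The 401 and 403 responses for the real request still receive the Access-Control-* headers, so a browser client can read the error.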
