You must configure an authorization policy and then assign it to the protected resource. Access Gateway makes decisions based on the rules defined in the authorization policy after validating the OAuth tokens.
Resources protected by OAuth tokens do not execute any authentication procedure. Hence, evaluation of policies associated with OAuth-protected resources cannot fetch any user attributes outside the OAuth scope. All the user attributes needed for the protected resource must be part of the OAuth scope. Ensure that the proxy services protected by OAuth are not associated with any policies that refer to authentication contracts, profiles, LDAP attributes, LDAP OUs, roles, or RISK score. Any policy that requests data outside the scope of the OAuth token fails.
Perform the following steps to configure an Authorization policy for scopes:
Click Devices > Access Gateway > Edit > [Reverse Proxy name] > [Proxy Service name].
Select the Protected Resources tab.
Click the protected resource for which you want to configure an Authorization policy.
Select the Authorization tab.
Click Manage Policies > New.
Specify a name for the policy and select Access Gateway: Authorization for the policy type.
Click OK.
Specify the following details:
| Field | Action |
|---|---|
| Description | (Optional) Describe the purpose of this rule. |
| Priority | Specify the order in which a rule is applied in the policy, when the policy has multiple rules. The highest priority is 1 and the lowest priority is 10. NOTE: If two rules have the same priority, a Deny rule is applied before a Permit rule. |
| Conditions | Click New and then select OAuth Scopes. For Value, select the scope from the list. |
| Actions | Select one of the following options: |
Click OK > OK.
Select the policy you created and click Apply Changes > Close.
Select the Authorization policy and click Enable > OK.
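The following Python snippet is an added illustration, not Access Gateway code, that models the rule-evaluation behaviour the table describes: rules are tried in priority order (1 is highest, 10 lowest), a Deny rule wins over a Permit rule at the same priority, and a rule whose condition refers to data outside the OAuth token's scope (roles, LDAP attributes, and so on) cannot be evaluated and fails. The `Rule` class, the field names, and the default outcome when no rule matches are assumptions made for the model.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Hypothetical model of one authorization-policy rule (field names are assumptions,
# not Access Gateway's own data model).
@dataclass(frozen=True)
class Rule:
    name: str
    priority: int                              # 1 = highest, 10 = lowest
    action: str                                # "Permit" or "Deny"
    required_scopes: FrozenSet[str] = frozenset()   # OAuth Scopes condition
    other_attributes: FrozenSet[str] = frozenset()  # roles/LDAP/contract data: unavailable for OAuth resources


def order_rules(rules: List[Rule]) -> List[Rule]:
    """Sort by priority (ascending); on a tie, Deny is evaluated before Permit."""
    return sorted(rules, key=lambda r: (r.priority, 0 if r.action == "Deny" else 1))


def evaluate(rules: List[Rule], token_scopes) -> Tuple[str, Optional[str]]:
    """Return (outcome, rule_name) for a validated token carrying `token_scopes`.

    Outcomes: "Permit", "Deny", or "Fail" when a rule needs data the OAuth scope
    cannot supply. Default-deny when no rule matches is an assumption of this model.
    """
    scopes = frozenset(token_scopes)
    for rule in order_rules(rules):
        if rule.other_attributes:
            # No authentication procedure ran, so attributes outside the token's
            # scope cannot be fetched; the policy cannot be evaluated.
            return ("Fail", rule.name)
        if rule.required_scopes <= scopes:
            return (rule.action, rule.name)
    return ("Deny", None)


# Constructed sample policy: two rules share priority 1, so the Deny rule is
# checked first even though it was listed after the Permit rule.
SAMPLE_POLICY = [
    Rule("permit-read", 1, "Permit", frozenset({"read"})),
    Rule("deny-admin", 1, "Deny", frozenset({"admin"})),
    Rule("permit-write", 2, "Permit", frozenset({"write"})),
]

# Constructed misconfigured policy: refers to a role, which OAuth resources cannot resolve.
BROKEN_POLICY = [
    Rule("permit-managers", 1, "Permit", frozenset({"read"}), frozenset({"role:manager"})),
]

if __name__ == "__main__":
    for scopes in ({"read", "admin"}, {"read"}, {"write"}, set()):
        print(sorted(scopes), "->", evaluate(SAMPLE_POLICY, scopes))
    print("broken policy ->", evaluate(BROKEN_POLICY, {"read"}))
```

Running the module shows that a token carrying both `read` and `admin` is denied by `deny-admin` before `permit-read` is considered, and that the policy referring to a role fails regardless of the token's scopes, which is why the text says such conditions must not be attached to OAuth-protected proxy services.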