
Samples: AuthX - Authentication & Authorization

Sets up a simple authentication (authN) and authorization (authZ) combination for role-based access control (RBAC) to a mock Employees API and its operations.

⚙️ Supported infrastructures: All infrastructures

👟 Expected Run All runtime (excl. infrastructure prerequisite): ~2-3 minutes

🎯 Objectives

  1. Understand how API Management supports OAuth 2.0 authentication (authN) with JSON Web Tokens (JWT).
  2. Learn how authorization (authZ) can be accomplished based on JWT claims.
  3. Configure authN and authZ at various levels in the API Management hierarchy.
  4. Use external secrets in policies.

📝 Scenario

This sample combines authentication (authN) and authorization (authZ) into authX. The scenario centers on a Human Resources API that requires privileged, role-based access to GET and POST data. It is deliberately simplistic, but it shows how authN and authZ work together.

There are two personas at play:

  • HR Administrator - holds broad rights to the API
  • HR Associate - has read-only permissions

Both personas are members of an HR_Members group and may access the HR Employees API, but permissions on its individual operations are more granular.

💡 Notes

Many organizations require 100% authentication for their APIs. While that is prudent and typically done at the global All APIs level, we refrain from doing so here so as not to impact other samples. Instead, we focus on authentication at the API Management API and API operation levels.
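The following policy fragments illustrate the layering described in the Scenario and Notes above. They are an added example written for this README and are not the sample's own policy files; the group claim value `HR_Members`, the `roles` claim values `HR.Administrator` and `HR.Associate`, the named value `jwt-signing-key` (assumed to be backed by a Key Vault secret) and the `PLACEHOLDER-*` issuer and audience strings are all assumptions. The first fragment sits at the API scope and enforces authN plus the coarse "member of HR_Members" check for every operation; the second sits at the POST operation scope only and adds the finer authZ check that HR Associates fail.

```xml
<!-- Added example: API-scope inbound policy for the HR Employees API.
     Assumed: symmetric JWT signing key stored as the Key Vault-backed named value
     {{jwt-signing-key}}; tokens carry a "groups" claim containing HR_Members. -->
<policies>
  <inbound>
    <base />
    <!-- authN: reject requests without a valid, unexpired bearer token (401).
         Coarse authZ: the token must place the caller in the HR_Members group. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  require-expiration-time="true"
                  failed-validation-httpcode="401"
                  failed-validation-error-message="Unauthorized: a valid HR_Members token is required.">
      <issuer-signing-keys>
        <!-- named value reference; the secret itself never appears in the policy -->
        <key>{{jwt-signing-key}}</key>
      </issuer-signing-keys>
      <audiences>
        <audience>PLACEHOLDER-HR-EMPLOYEES-API-AUDIENCE</audience>
      </audiences>
      <issuers>
        <issuer>PLACEHOLDER-TOKEN-ISSUER</issuer>
      </issuers>
      <required-claims>
        <claim name="groups" match="any">
          <value>HR_Members</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>

<!-- Added example: operation-scope inbound policy for POST /employees only.
     <base /> runs the API-scope policy above first, so the token is already
     authenticated; this layer adds the role check that distinguishes the
     HR Administrator persona from the read-only HR Associate persona. -->
<policies>
  <inbound>
    <base />
    <!-- fine-grained authZ: writes require the HR.Administrator role (403 otherwise).
         GET operations carry no such policy, so both personas can read. -->
    <validate-jwt header-name="Authorization"
                  require-scheme="Bearer"
                  failed-validation-httpcode="403"
                  failed-validation-error-message="Forbidden: the HR.Administrator role is required to create employees.">
      <issuer-signing-keys>
        <key>{{jwt-signing-key}}</key>
      </issuer-signing-keys>
      <required-claims>
        <claim name="roles" match="any">
          <value>HR.Administrator</value>
        </claim>
      </required-claims>
    </validate-jwt>
  </inbound>
  <backend>
    <base />
  </backend>
  <outbound>
    <base />
  </outbound>
  <on-error>
    <base />
  </on-error>
</policies>
```

Two design points are worth checking when adapting this: the API-scope policy returns 401 (no usable identity) while the operation-scope policy returns 403 (identity known, permission missing), which keeps the two failure modes distinguishable in gateway logs; and because the signing key is referenced as a named value, rotating the secret in Key Vault does not require editing or redeploying either policy.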