Versions Compared

Comment: APIM-1164

...

The API Policy Manager enables you to apply a range of authentication/authorization, traffic management, request transformation, and request validation policies to APIs. In the API Manager console you can apply these API policies at different levels of the hierarchy: to an API or to an API version. The API policies can also be applied to the Org, to the shared folder in a Project Space, and to Project folders. For example, when you apply a Request Size Limit policy to a Project, the policy validates that any request with a request body sent to the Tasks in that Project does not exceed the configured limit.

In addition to validating requests, you can use API policies to authenticate and authorize requests using various authentication methods. Without the API Policy Manager, an API can only be invoked by a user registered with the SnapLogic® platform or by using a bearer token. With an APIM authenticator policy, clients can be authenticated through an OAuth2 server or a REST service, as well as through the other available authentication policies. Thus, SnapLogic Tasks can be made available to a much wider audience.

APIM supports OpenID Connect (OIDC) as an authentication method for your Generic OAuth2 API policy. Multiple Identity Providers are supported. When you set up Generic OAuth2 as the authorization agent with OIDC, your OIDC application becomes the authentication provider for the API.

...

Policies Snap Pack

API Policies are available in your Org when you subscribe to the APIM feature and the Policies Snap Pack. Despite its name, the Policies Snap Pack does not contain Snaps, but it is versioned and distributed like other Snap Packs.

You can configure the Snap Pack to use one of the following two distributions:

  • Stable contains policies that have been available for a few releases. This distribution is updated with each quarterly release.

  • Latest contains the newest policies and policy features. This distribution is typically updated every month.

The distributions are determined by the Snaplex version updates, which coincide with the monthly and quarterly releases.

The following resources provide more information about the SnapLogic release process:

Policies Snap Pack Settings in Classic Manager

You can change Snap Pack versions in the Snap Packs page, which includes a View distribution menu. Options include: 

  • New: This option shows Snap Pack choices (Latest or Stable) for an updated Snaplex. 

  • Old: This option shows Snap Pack choices (Latest or Stable) for a deprecated Snaplex. 

You can set the View Distribution and Policies Snap Pack version here.

...

Policies Snap Pack Settings in Admin Manager

You can change the View Distribution and Policies Snap Pack settings in Admin Manager. Learn More.

Supported API Policies

Authentication and Authorization

These policies manage the authentication and authorization of the API caller. The Generic OAuth2 policy is the most common; it requires a third-party service in its setup. You can also use an OpenID Connect provider with Generic OAuth2. The OAuth 2.0 Client Credentials policy is a variation of the OAuth 2.0 workflow in which the authentication flow is based on the Client Credentials flow from Okta. The API Key Authenticator provides another authentication mechanism: a key that serves as a license for using the API. The Callout Authenticator provides an alternative to the Generic OAuth2 authentication flow.

...

Authentication Policy Requirement

All authentication policies require the Authorize By Role policy. An authenticator only establishes who the caller is and which roles they hold; it does not by itself grant access to the Task. Authorize By Role then decides whether those roles are permitted to invoke the API, so an API with an authenticator but no Authorize By Role policy is not correctly protected.

  • Anonymous Authenticator: Allows anonymous access to a Task. The user’s roles are taken from the Anonymous Authenticator API policy configuration.

  • API Key Authenticator: Authenticates a client using API keys passed as a header or query parameter. 

  • Authorize By Role: Authorizes a request based on the role associated with the client. If a request is not authorized, it is rejected with a 403 Forbidden error.

  • Callout Authenticator: Authenticates a client by calling out to a REST service to validate a token in the request and then authenticating the user.

  • Generic OAuth2: Authenticates requests from users registered in an existing identity provider. 

  • JWT Validator: Authenticates a request by validating a JSON Web Token (JWT) carried in the request.

  • OAuth 2.0 Client Credentials: Authenticates users with a token in your OAuth 2.0 environment.
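The following is an added example, not SnapLogic code, that models the authenticate-then-authorize chain described above as plain Python functions: an API Key Authenticator (key in a header or query parameter), an Anonymous Authenticator (roles taken from the policy configuration), and Authorize By Role (403 Forbidden when no configured role matches). The header name `X-API-Key`, the query parameter `api_key`, the key store, the role names, and the 401 status used when the authenticator finds no valid credential are all constructed for this example; the page only specifies the 403 from Authorize By Role.

```python
"""Illustrative model of the APIM authenticate-then-authorize policy chain.

Added example; it is not SnapLogic's implementation. It shows why an
authenticator alone never grants access: it only produces a principal with
roles, and Authorize By Role makes the allow/deny decision.
"""
import hmac
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    headers: Dict[str, str] = field(default_factory=dict)
    query: Dict[str, str] = field(default_factory=dict)


@dataclass
class Principal:
    subject: str
    roles: List[str]


# Constructed key store for the example: API key -> client identity and roles.
API_KEYS: Dict[str, Principal] = {
    "k-partner-123": Principal("partner-app", ["partner"]),
    "k-admin-456": Principal("ops-console", ["admin"]),
}


def api_key_authenticator(req: Request, header: str = "X-API-Key",
                          query_param: str = "api_key") -> Optional[Principal]:
    """API Key Authenticator: accept the key from a header or a query parameter.

    Returns the matching principal, or None when the key is absent or unknown.
    Keys are compared with hmac.compare_digest so lookup time does not leak
    how many leading bytes of a guessed key were correct.
    """
    presented = req.headers.get(header) or req.query.get(query_param)
    if presented is None:
        return None
    for key, principal in API_KEYS.items():
        if hmac.compare_digest(key.encode(), presented.encode()):
            return principal
    return None


def anonymous_authenticator(configured_roles: List[str]) -> Callable[[Request], Principal]:
    """Anonymous Authenticator: every request is accepted; the roles come from
    the policy configuration, not from the request."""
    def _auth(req: Request) -> Principal:
        return Principal("anonymous", list(configured_roles))
    return _auth


def authorize_by_role(principal: Optional[Principal], allowed_roles: List[str]) -> int:
    """Authorize By Role: 200 if the caller holds any allowed role, else 403.

    A missing principal is reported as 401 here (an assumption of this example).
    """
    if principal is None:
        return 401
    if any(role in allowed_roles for role in principal.roles):
        return 200
    return 403


def apply_policies(req: Request, authenticator: Callable[[Request], Optional[Principal]],
                   allowed_roles: List[str]) -> int:
    """Run the chain: authenticator first, then Authorize By Role. Returns an HTTP status."""
    principal = authenticator(req)
    return authorize_by_role(principal, allowed_roles)


if __name__ == "__main__":
    r = Request(headers={"X-API-Key": "k-partner-123"})
    print(apply_policies(r, api_key_authenticator, ["partner"]))   # 200
    print(apply_policies(r, api_key_authenticator, ["admin"]))     # 403
    print(apply_policies(Request(), anonymous_authenticator(["public"]), ["public"]))  # 200
```

Note that a valid API key with the wrong role still yields 403: the key proves identity, and only the role check grants access, which is the relationship the requirement above describes.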

Inbound/Outbound

These policies provide authentication and enhanced security for inbound and outbound traffic across your Snaplexes and 3rd-party endpoint servers.

Inbound TLS: Use this policy with APIM Proxies to ensure that inbound endpoints are verified by TLS certificates during API processing. Supported by Groundplexes only.

Outbound Basic Auth: Use the Outbound Basic Auth Policy to set up a Basic Authentication account for verification at a proxy endpoint level when you establish a connection with a service or a system.

Outbound OAuth2: Use this policy to set the OAuth2 parameters, such as the authorization URL, that the proxy uses to obtain access tokens with client credentials (client ID and client secret), so that OAuth2 authentication is enforced on upstream API calls.

Outbound TLS: Use this policy with APIM Proxies to ensure that outbound endpoints are verified by TLS certificates during API processing.

Validation

Validation policies apply validation criteria to the request while the policies are being applied. Some policies provide additional layers of security, for example the SQL Threat Detector and Request Size Limit policies. Other policies, such as the JSON and XML validator policies, enforce compliance. The Early Request and Authorized Request policies provide generic mechanisms for enforcing compliance. For example, if a request must contain a specific HTTP header, you can configure either of these policies to reject the request if it does not contain the header.

...

Traffic Shaping

These policies enable the manipulation of incoming request traffic. You can use these policies to protect your API gateways from being overloaded with too many or too large requests (Client Throttling, Request Size Limit) or to eliminate traffic from specific sources (IP Restriction). The HTTP Redirect policy allows you to divert requests by customizing the HTTP 3xx response codes when your API is down for maintenance.

  • Client Throttling: Limits Task invocations for a specific client during a configured time window by throttling or rejecting requests from that client. Install this API policy to help protect a Snaplex from being overloaded by too many requests.

  • Request Size Limit: Limits the size of each request. 

  • IP Restriction: Restricts access based on the client IP address of the request. If the request does not meet the configured requirements, it is rejected with a 403 Forbidden error.

  • CORS Restriction: Sets the appropriate headers for requests coming from a different domain so that the response is not blocked by the browser.

  • HTTP Redirect: Manages HTTP redirection for API requests.

  • HTTP Response Cache: Use this policy for highly recurring and static responses to manage latency and response times, which can reduce the load on the upstream API as well as on the proxy server.

  • HTTP Retry: Use this policy to set up retry logic for requests made to your Proxy and Proxy endpoints.
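As an added example (not SnapLogic code), the following Python models three of the traffic-shaping policies listed above: Client Throttling as a sliding-window counter per client, IP Restriction as allow/deny CIDR lists that reject with 403, and Request Size Limit as a byte cap on the body. The window and limit values, the 413 status used for an oversized body, and the sample addresses are assumptions of this example; the page specifies only the 403 for IP Restriction.

```python
"""Illustrative model of Client Throttling, IP Restriction and Request Size Limit.

Added example, not SnapLogic's implementation. Each policy is a small,
independently testable unit so the behaviour at the boundaries is visible.
"""
import ipaddress
from collections import defaultdict, deque
from typing import Deque, Dict, Iterable


class ClientThrottle:
    """Client Throttling: at most `limit` requests per client in any `window`
    seconds (sliding window). Requests over the limit are rejected, not queued."""

    def __init__(self, limit: int, window_seconds: float) -> None:
        self.limit = limit
        self.window = window_seconds
        self._hits: Dict[str, Deque[float]] = defaultdict(deque)

    def allow(self, client_id: str, now: float) -> bool:
        hits = self._hits[client_id]
        # Drop timestamps that have aged out of the window.
        while hits and now - hits[0] >= self.window:
            hits.popleft()
        if len(hits) >= self.limit:
            return False
        hits.append(now)
        return True


def ip_restriction(client_ip: str, allow_cidrs: Iterable[str],
                   deny_cidrs: Iterable[str] = ()) -> int:
    """IP Restriction: 403 unless the address is inside an allowed range and
    outside every denied range. Deny wins over allow.

    The address must come from the connection (or from a forwarding header set
    by a proxy you control); a client-supplied X-Forwarded-For is trivially spoofed.
    """
    try:
        addr = ipaddress.ip_address(client_ip)
    except ValueError:
        return 403  # unparsable address is rejected, not allowed by default
    if any(addr in ipaddress.ip_network(c, strict=False) for c in deny_cidrs):
        return 403
    if any(addr in ipaddress.ip_network(c, strict=False) for c in allow_cidrs):
        return 200
    return 403


def request_size_limit(body: bytes, max_bytes: int) -> int:
    """Request Size Limit: 200 if the body is within the cap, else 413 (assumed status).

    Check the actual byte count, not the Content-Length header, which a client
    can understate.
    """
    return 200 if len(body) <= max_bytes else 413


if __name__ == "__main__":
    t = ClientThrottle(limit=3, window_seconds=10)
    print([t.allow("app-1", now) for now in (0, 1, 2, 3, 11)])  # [True, True, True, False, True]
    print(ip_restriction("10.0.0.5", ["10.0.0.0/8"], ["10.0.1.0/24"]))   # 200
    print(ip_restriction("10.0.1.7", ["10.0.0.0/8"], ["10.0.1.0/24"]))   # 403
    print(request_size_limit(b"x" * 100, max_bytes=64))                  # 413
```

The throttle keys on a client identity, so it is only meaningful after an authenticator has established who the client is; IP Restriction, by contrast, can run before authentication and is a cheap first filter.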

Transformation

These policies enable you to change the requests or responses based on criteria. You can use these policies to add or modify headers.

...