Authorization Policy

The YAML below is an example configuration for an IBM Application Gateway (IAG) container which:

  1. Specifies a server certificate;
  2. Configures an IBM Security Verify tenant as the identity provider using OIDC;
  3. Defines a single Web application which will be proxied by the IAG;
  4. Defines an authorization policy for the Web application.

Example YAML

version: "23.04"

# Configure an IAG container to proxy a single Web application, and define
# an authorization policy for the Web application.  This configuration
# defines a server certificate, configures an IBM Security Verify tenant
# as the identity provider, defines a single application and then defines
# some authorization rules for this application.

# Specify a server certificate to be used by the container.  The server
# certificate was created using an openssl command:
#  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 \
#        -out cert.pem
# To remove the dependency on external files a base-64 representation of the
# key.pem and cert.pem files can be embedded within this YAML, where the
# base-64 encoded file is prefixed with 'B64:', for example:
#   "B64:PGhy4KICAgIDxoND5...."
# If no certificate is specified a self-signed certificate will be
# automatically created and used by the container.  Clients will not trust
# such a certificate, so a CA-issued certificate should be supplied for
# anything other than testing.

server:
  ssl:
    front_end:
      certificate:
        - "@cert.pem"
        - "@key.pem"

# Specify an IBM Security Verify tenant as the identity provider for the
# container.  Please note that the values provided below are for illustrative
# purposes only and don't reflect a real tenant.  A free tenant can be created
# using the instructions found at the following URL:
#
# The discovery endpoint has the following format:
#    https://<tenant host>/oidc/endpoint/default/.well-known/openid-configuration
# The redirect URI which is used in the SSO flow is constructed from the host
# header contained in the request, appended with '/pkmsoidc' (for example:
# ).  This redirect URI should be specified when creating the custom
# application within the IBM Security Verify administrator console.

identity:
  oidc:
    discovery_endpoint: ""
    client_id: "300141b6-690b-4e4e-862d-2c96da2bb1ba"
    client_secret: "wPP8rM8N0d"

# Define a resource server which will be hosted at the '/static' path of the
# IAG container.  A single Web server, located at,
# hosts the resource server.
# An authorization policy has also been defined which:
#   1. Allows 'application owners' to retrieve any resource;
#   2. Allows unauthenticated users to retrieve the '/unauth' resource;
#   3. Allows any authenticated user to retrieve the '/everyone' resource;
#   4. Denies access to everything else.

resource_servers:
  - path: "/static"
    connection_type: "tcp"
    servers:
      - host: ""
        port: 1337
    transparent_path: false

    policies:
    - name: "app_owners"
      methods:
        - "GET"
      paths:
        - "*"
      rule: (any groupIds = "application owners")
      action: "permit"

    - name: "any_user"
      methods:
        - "GET"
      paths:
        - "/unauth"
      rule: "anyuser"
      action: "permit"

    - name: "any_auth_user"
      methods:
        - "GET"
      paths:
        - "/everyone"
      rule: "anyauth"
      action: "permit"

    - name: "go-away"
      methods:
        - "*"
      rule: "()"
      action: "deny"
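The policy set above is easiest to reason about by running requests through it. The following is an added example, not IAG code or part of the original page: a small Python model of the four policies that returns the first policy whose method/path selector and rule both match a request. It assumes (a) policies are evaluated top to bottom with the first match winning, (b) policy paths are relative to the resource server's "/static" path, (c) a policy with no `paths` key applies to every path, and (d) the rule `"()"` on the catch-all policy always matches, which is how the page's comment describes it ("denies access to everything else"). The `Request` class, the request contexts and the `groupIds` values are constructed for the example. It also shows why the catch-all deny must be last: reversing the list denies every request.

```python
import re
from dataclasses import dataclass, field

# Constructed request context: what the gateway knows about the caller after
# the OIDC flow (or, for an unauthenticated request, before it).
@dataclass
class Request:
    method: str
    path: str                              # relative to the "/static" resource server
    authenticated: bool = False
    groupIds: list = field(default_factory=list)

# The four policies from the YAML above, in file order.  The "go-away" policy
# has no "paths" key, so it applies to every path.
POLICIES = [
    {"name": "app_owners", "methods": ["GET"], "paths": ["*"],
     "rule": '(any groupIds = "application owners")', "action": "permit"},
    {"name": "any_user", "methods": ["GET"], "paths": ["/unauth"],
     "rule": "anyuser", "action": "permit"},
    {"name": "any_auth_user", "methods": ["GET"], "paths": ["/everyone"],
     "rule": "anyauth", "action": "permit"},
    {"name": "go-away", "methods": ["*"],
     "rule": "()", "action": "deny"},
]

# Only the rule forms used on this page are modelled.
_ANY_GROUP = re.compile(r'^\(any groupIds = "([^"]*)"\)$')

def rule_matches(rule, req):
    """Evaluate one rule string against a request (subset of IAG rule syntax)."""
    if rule == "anyuser":          # everyone, authenticated or not
        return True
    if rule == "anyauth":          # authenticated users only
        return req.authenticated
    if rule == "()":               # assumption: always true (catch-all), see lead-in
        return True
    m = _ANY_GROUP.match(rule)
    if m:                          # true if any of the caller's groupIds equals the literal
        return m.group(1) in req.groupIds
    raise ValueError("unsupported rule: %r" % rule)

def selector_matches(policy, req):
    """Does the policy's method/path selector cover this request?"""
    methods = policy["methods"]
    paths = policy.get("paths", ["*"])   # assumption: no "paths" key means all paths
    return ("*" in methods or req.method in methods) and \
           ("*" in paths or req.path in paths)

def decide(policies, req, default="deny"):
    """Return (action, policy_name) for the first matching policy, first match wins."""
    for p in policies:
        if selector_matches(p, req) and rule_matches(p["rule"], req):
            return p["action"], p["name"]
    return default, None            # nothing matched: fail closed

if __name__ == "__main__":
    owner = Request("GET", "/anything", authenticated=True, groupIds=["application owners"])
    print(decide(POLICIES, Request("GET", "/unauth")))                    # permit via any_user
    print(decide(POLICIES, Request("GET", "/everyone")))                  # deny: not authenticated
    print(decide(POLICIES, Request("GET", "/everyone", authenticated=True)))
    print(decide(POLICIES, owner))                                        # permit via app_owners
    print(decide(POLICIES, Request("POST", "/unauth")))                   # deny: GET only
    print(decide(list(reversed(POLICIES)), Request("GET", "/unauth")))    # deny: catch-all first
```

The last call is the ordering check: with "go-away" moved to the top its `"*"` selector and always-true rule swallow every request, so a catch-all deny only works as the final policy. Note also that an unauthenticated request for `/everyone` is denied rather than redirected in this model; the real gateway's handling of the `anyauth` rule for an unauthenticated caller is not something this example tries to reproduce.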