Management API Security
The Management API does not allow anonymous access and is secured by an OAuth access token issued by the Management UI host.
Requesting a Token
The Management UI host provides an OAuth 2 (RFC 6749) compliant token endpoint to request access tokens. You create a client ID and secret for Management API clients when you set up the configuration for the Management UI host. Your client application will use this shared client ID and secret to request access tokens for the Management API.
To request an access token, send a POST to the /connect/token endpoint:
POST /token HTTP/1.1
Host: policyserver.example.com
Content-Type: application/x-www-form-urlencoded
grant_type=client_credentials&
client_id=<insert id here>&
client_secret=<insert secret here>
Note
Technically, this is using so-called OAuth 2.0 Client Credentials Grant. Client ID and secret can be sent either via an authorization header or the POST body. For more information, see the OAuth 2.0 spec
The response will contain an access token and a lifetime:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
"access_token":"2YotnFZFEjr1zCsicMWpAA",
"expires_in":3600,
}
Using your own Token Service
If you already have an OAuth 2.0 authorization server, you can use this server to issue access tokens for PolicyServer.
By default, the tokens you issue must contain an audience of value policyserver.runtime
for the runtime API and/or policyserver.management
for the management API.
But these values can be changed in configuration.
You establish trust with your authorization server by setting the base-address in configuration, e.g. in JSON:
"PolicyServer": {
"host": {
"identity": {
"externalTokenIssuer": {
"authority": "https://demo.identityserver.io"
"runtimeApiAudience" : "policyserver.runtime",
"managementApiAudience" : "policyserver.management"
}
}
}
}
Note
The authorization server must support OpenID Connect discovery.
Warning
If the access token contains a sub claim the call will be unauthorized if the caller is not an authorized PolicyServer administrator.
Using the Access Token
To use the access token, send it on the authorization header to the Management API:
GET /management/policies
Host: policyserver.example.com
Authorization: Bearer 2YotnFZFEjr1zCsicMWpAA
...