Authzen-token-issuance-authorizer (Section)
Path: /profiles/profile{id, type}/settings/authorization-server/token-issuance-authorizers/token-issuance-authorizer{id}/authzen-token-issuance-authorizer
A token issuance authorizer that uses the AuthZen protocol to evaluate scope access decisions with an external Policy Decision Point (PDP). Scopes are expected in hierarchical format (e.g. resource:segment:action). The first segment becomes the resource type, the last segment is used as the action name if present in available-actions (otherwise default-action is used), and any middle segments are sent as the resource path.
Parameters
| Name | Type | Required | Default | Description |
|---|---|---|---|---|
| http-client | leafref | optional | | A reference to the HTTP client used to connect to the AuthZen PDP. Configure TLS trust settings on this client if the PDP uses a custom CA. |
| evaluations-url | string | required | | Full URL of the AuthZen Access Evaluations endpoint (e.g. https://pdp.example.com/access/v1/evaluations). |
| subject-type | string | optional | user | The AuthZen subject type to use in evaluation requests |
| default-action | string | optional | read | The default action to use in evaluation requests when the scope suffix does not represent any of the configured available-actions or the scope is a simple (non-hierarchical) value |
| available-actions | multi-value, string | optional | read | Action names that may appear as the last segment of a hierarchical scope. When the last scope segment matches one of these, it is used as the action name. |
| wrap-in-opa-input | boolean | optional | false | When enabled, the entire request body is wrapped under an ‘input’ key. This is required for OPA-based PDPs, which expect the document under ‘input’. |
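
The scope mapping and the wrap-in-opa-input option described above, shown as an added Python example (not the product's own code). The names `map_scope` and `build_request`, the subject id, the `resource.id` and `resource.properties.path` placement, and keeping a non-matching last segment in the path are assumptions, since this page does not specify the wire format.

```python
import json


def map_scope(scope, available_actions=("read",), default_action="read"):
    """Split a hierarchical scope (resource:segment:action) as the section describes."""
    segments = scope.split(":")
    resource_type, rest = segments[0], segments[1:]
    if rest and rest[-1] in available_actions:
        # Last segment is a configured action: use it, the middle is the path.
        action, path = rest[-1], rest[:-1]
    else:
        # Simple scope or unknown suffix: fall back to default-action.
        # Assumption: an unknown last segment stays part of the resource path.
        action, path = default_action, rest
    return {"resource_type": resource_type, "path": path, "action": action}


def build_request(subject_id, scopes, subject_type="user",
                  wrap_in_opa_input=False, **mapping_options):
    """Build one AuthZEN Access Evaluations body covering all requested scopes."""
    evaluations = []
    for scope in scopes:
        mapped = map_scope(scope, **mapping_options)
        evaluations.append({
            "action": {"name": mapped["action"]},
            # Assumption: field placement of id and path is illustrative only.
            "resource": {"type": mapped["resource_type"], "id": scope,
                         "properties": {"path": mapped["path"]}},
        })
    body = {"subject": {"type": subject_type, "id": subject_id},
            "evaluations": evaluations}
    # OPA-based PDPs expect the whole document under the 'input' key.
    return {"input": body} if wrap_in_opa_input else body


if __name__ == "__main__":
    # Constructed sample scopes and subject.
    sample_scopes = ["openid", "accounts:savings:read", "accounts:savings:write"]
    print(json.dumps(build_request("alice", sample_scopes,
                                   wrap_in_opa_input=True), indent=2))
```

With the default available-actions of `read` only, a scope ending in `write` is evaluated with the action `read`, so list every action suffix your scopes use before relying on PDP policies that distinguish actions.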