Harneet Sital
Mega Sage
Comments
Shakeel Shaik
Giga Sage

Great video.

Randheer Singh
ServiceNow Employee

Hi @Harneet Sital @Shakeel Shaik

There is a platform-provided capability to enforce a specific authentication method for an API.

Please check the API access policy feature.

You have to install the REST API Access Policy plugin (com.glide.rest.policyplugin). While creating the authentication profile for the API access policy, you can choose the authentication method (Basic Auth, ID Token, Certificate-based Auth, or OAuth). You can optionally also add a policy in the profile to enforce IP/location restrictions.

My esteemed colleague @Jason Nichols has created this awesome video series on YouTube for scripted REST APIs. This series also includes the API access policy feature.

Thanks,

Randheer

Harish V
Giga Guru

@Randheer Singh,

On the Standard auth profile record (table std_http_auth) that already exists in the instance "OAuth token" there is no OAuth Entity associated by default. Can I leave this blank and create a REST API access policy with "global" checked (Vancouver) to block all basic auth attempts? I want to extend this to apply IP Filter criteria.

The main question I have is: can I leave the "OAuth Entity" field blank in the standard auth profile record and proceed to create a REST API access policy?

Version history
Last update: 09-26-2023 01:55 PM