Implementing OAuth2 "Token Relay" with OpenIG

This topic has 2 replies, 2 voices, and was last updated 6 years, 8 months ago by Miguel F.

  • #8463
     Miguel F
    Participant

    Hi,

    I want to use OpenIG as OAuth2 client (using OAuth2ClientFilter) so OpenIG is able to get OAuth2 tokens and I want to implement “Token Relay” adding an “Authorization” header with the bearer token that OAuth2ClientFilter has just obtained so the header is propagated downstream.

    The OAuth2ClientFilter filter itself is working fine: OpenIG redirects to the authentication endpoint (OpenAM in my case), it obtains an authorization code (I’m implementing the authorization_code grant type) and finally an OAuth2 token.

    However, I’ve not been able to set OpenIG to add the recently obtained token to the current request.
    As far as I understand, it is necessary to add a “HeaderFilter” to the chain that retrieves the stored OAuth2 token – ${attributes.oauth2AccessToken} according to the documentation – so it sets the header.

    I tried to implement this but the header with the OAuth2 token is not added to the request.
    Just as a test, I added a second “HeaderFilter” that just adds a hardcoded header, but it is not added to the request either.
    However, just as a test, if I remove the OAuth2ClientFilter and the first “HeaderFilter” that adds the OAuth2 token as a header, the third “HeaderFilter” (the hard-coded one) works and I see the test header in the request.
    So my guess is that, for some reason, after the OAuth2ClientFilter the other filters are not being applied... but I’m not able to understand what is wrong.
    OpenIG starts properly and I see no errors when loading the config.

    The definition of my filters is as follows:

    {
       "heap":[
          {
             "comment":"To reuse issuers, configure them in the parent route",
             "name":"openam",
             "type":"Issuer",
             "config":{
                "comment":"original: wellKnownEndpoint http://openam:8080/openam/oauth2/.well-known/openid-configuration",
                "authorizeEndpoint":"http://openam.example.com:8080/openam/oauth2/authorize",
                "tokenEndpoint":"http://openam:8080/openam/oauth2/access_token",
                "userInfoEndpoint":"http://openam:8080/openam/oauth2/userinfo"
             }
          },
          {
             "comment":"To reuse client registrations, configure them in the parent route",
             "name":"OidcRelyingParty",
             "type":"ClientRegistration",
             "config":{
                "clientId":"OpenIG",
                "clientSecret":"password",
                "issuer":"openam",
                "scopes":[
                   "openid",
                   "profile"
                ]
             }
          }
       ],
       "handler":{
          "type":"Chain",
          "config":{
             "filters":[
                {
                   "type":"OAuth2ClientFilter",
                   "config":{
                      "clientEndpoint":"/openid",
                      "requireHttps":false,
                      "requireLogin":true,
                      "target":"${attributes.openid}",
                      "failureHandler":{
                         "type":"StaticResponseHandler",
                         "config":{
                            "comment":"Trivial failure handler for debugging only",
                            "status":500,
                            "reason":"Error",
                            "entity":"${attributes.openid}"
                         }
                      },
                      "registration":"OidcRelyingParty"
                   }
                },
                {
                   "name":"OAuth2TokenRelayFilter",
                   "type":"HeaderFilter",
                   "comment":"Propagates OAuth2 token downstream",
                   "config":{
                      "messageType":"REQUEST",
                      "add":{
                         "Authorization":[
                            "Bearer ${attributes.oauth2AccessToken}"
                         ]
                      }
                   }
                },
                {
                   "name":"AddTestHeaderFilter",
                   "type":"HeaderFilter",
                   "config":{
                      "messageType":"REQUEST",
                      "add":{
                         "TEST":[
                            "MYTEST"
                         ]
                      }
                   }
                }
             ],
             "handler":"ClientHandler"
          }
       },
       "condition":"${matches(request.uri.path, '^/')}"
    }

    I would really appreciate any help! Thanks so much.

    • This topic was modified 6 years, 8 months ago by Miguel F.
    #8466

    The expression you’re using in the first HeaderFilter is not correct.
    You should have:

    "Authorization": [ "Bearer ${attributes.openid.access_token}" ]
    

    If you want to look at the content of the attributes’ Map, you can capture your OAuth2ClientFilter:

    {
      "type":"OAuth2ClientFilter",
      "capture": [ "filtered_request" ],
      "config":{
        // ...
      }
    }
    

    Just make sure that you have the CaptureDecorator properly configured with captureContext: true (you may want to re-define your own decorator).
    https://backstage.forgerock.com/#!/docs/openig/4/reference#CaptureDecorator
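The route below puts the reply's two points together in one complete OpenIG route: the token relay HeaderFilter reads the access token from the object that OAuth2ClientFilter stored under its "target" (attributes.openid), and the filter is captured with a context-aware decorator so the attributes map can be inspected in the capture log while debugging. This is an added example, not a config posted in this thread or shipped by ForgeRock; it assumes that a heap object named "capture" of type CaptureDecorator overrides the default capture decorator (as described in the CaptureDecorator reference linked above), that the Issuer and ClientRegistration objects are the ones from the original question, that the client secret is a placeholder to be replaced, and that the hard-coded test header from the question has been dropped.

```json
{
  "heap": [
    {
      "comment": "Issuer and client registration as in the original question",
      "name": "openam",
      "type": "Issuer",
      "config": {
        "authorizeEndpoint": "http://openam.example.com:8080/openam/oauth2/authorize",
        "tokenEndpoint": "http://openam:8080/openam/oauth2/access_token",
        "userInfoEndpoint": "http://openam:8080/openam/oauth2/userinfo"
      }
    },
    {
      "name": "OidcRelyingParty",
      "type": "ClientRegistration",
      "config": {
        "clientId": "OpenIG",
        "clientSecret": "REPLACE_WITH_CLIENT_SECRET",
        "issuer": "openam",
        "scopes": [ "openid", "profile" ]
      }
    },
    {
      "comment": "Assumed: a heap object named 'capture' overrides the default decorator so captured messages also dump the context (the attributes map)",
      "name": "capture",
      "type": "CaptureDecorator",
      "config": {
        "captureContext": true
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "OAuth2ClientFilter",
          "comment": "Stores the token response under attributes.openid; captured only while debugging",
          "capture": [ "filtered_request" ],
          "config": {
            "clientEndpoint": "/openid",
            "requireHttps": false,
            "requireLogin": true,
            "target": "${attributes.openid}",
            "failureHandler": {
              "type": "StaticResponseHandler",
              "config": {
                "comment": "Trivial failure handler for debugging only",
                "status": 500,
                "reason": "Error",
                "entity": "${attributes.openid}"
              }
            },
            "registration": "OidcRelyingParty"
          }
        },
        {
          "name": "OAuth2TokenRelayFilter",
          "type": "HeaderFilter",
          "comment": "Token relay: the access token is attributes.openid.access_token, not attributes.oauth2AccessToken",
          "config": {
            "messageType": "REQUEST",
            "add": {
              "Authorization": [ "Bearer ${attributes.openid.access_token}" ]
            }
          }
        }
      ],
      "handler": "ClientHandler"
    }
  },
  "condition": "${matches(request.uri.path, '^/')}"
}
```

Two things to check once the relay works: remove the "capture" entry from the OAuth2ClientFilter (or set captureContext back to false) when debugging is done, because a context capture writes the attributes map, access token included, to the capture log; and set requireHttps back to true outside a local test setup, since the relayed bearer token travels in the Authorization header and is only as protected as the transport between OpenIG and the resource server.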

    #8491
     Miguel F
    Participant

    Hi Guillaume,

    Thanks so much! That was helpful. I managed to get this working. Now OpenIG is getting OAuth2 tokens from OpenAM and adding them in the ‘Authorization’ header so they are propagated downstream to my resource servers.
    I still need to make further tests to check that everything is working fine (how token refreshment is performed and so on), but for now it looks good.

    I guess OpenIG is aware of token expiry dates and is able to refresh the OAuth2 token automatically, right?

    Thanks so much for your help again :-)


©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
