OIDC Authorization Code Flow with OpenIG and OpenAM

This topic has 5 replies, 2 voices, and was last updated 4 years, 5 months ago by Nav.

  • #21127
     Nav
    Participant

    Hello Folks,

    We are trying to protect a web application with “OIDC Authorization Code Flow” as described in the link given below. We are planning to build a POC using ForgeRock OpenAM and OpenIG.

    http://ldapwiki.com/wiki/OpenID%20Connect

    Can we configure OpenIG (Proxy & OpenID Relying Party) to receive an access token from OpenAM (OpenID Authz Server) and pass it to the backend application (ResourceServer)? Also, what changes need to be made on the backend application if it needs to verify and extract the access token? Please suggest if anyone has done this before using ForgeRock and whether any documentation is available.

    Thanks,
    Nav

    #21128
     Nav
    Participant

    Just wanted to mention the version we are using as well.

    OpenAM 13.0
    OpenIG 4.0

    Thanks

    #21154
     Joachim Andres
    Participant

    Judging by your other request to this forum, you made progress.

    For completeness: The benefit of IG really is to simplify the application, so that the applications can offload token validation to IG. This includes token caching as well. The idea is that the impact on the application is minimal, so it is important how you pass on user information.

    IG can pass the token to the downstream application. A common way to pass user information is via HTTP headers (see HeaderFilter and CryptoHeaderFilter).

    Cheers,
    Joachim

    #21165
     Nav
    Participant

    Thanks Joachim for being so patient and answering my queries.

    While we can use HeaderFilter/CryptoFilter to transport headers to the backend application, I would like to understand how these filters can secure the backend application in the scenarios below.

    1) How can the ResourceServer (backend application) make sure that it received the headers only from a trusted client (OIDC relying party)? I am trying to understand this from an insider threat perspective, where an employee may send headers to the backend application by encrypting them with the secret key used for CryptoFilter.

    2) How do we supply user authorization information to the backend application? Does OpenIG have to extract it from custom scopes (defined in the OpenAM AuthzServer) and transport them to the backend application?

    Thanks,
    Nav

    #21166
     Joachim Andres
    Participant

    Hi Nav,

    Concerning 1.), apart from encrypting the data on an attribute basis (like with CryptoHeader), there are typically 3 ways to establish the “trust zone” between IG and the backend:
    a.) Network segmentation
    b.) Mutual SSL between IG and backend (see ClientHandler)
    c.) Co-deploy IG with backend in a microgateway deployment model where gateway and backend form one unit of deployment

    Concerning 2.), access token data is made available in the contexts.oauth2.accessToken.info variable for use in further filters (e.g. HeaderFilter).
    For an example, see: https://backstage.forgerock.com/docs/ig/5.5/gateway-guide/index.html#oauth2-rs-ig-proc-accesstoken

    Cheers,
    Joachim
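    The pattern Joachim describes, written out as an added example route (not from the thread or from the ForgeRock documentation): an OAuth2ResourceServerFilter validates the access token against OpenAM before a HeaderFilter copies claims from contexts.oauth2.accessToken.info into request headers for the backend. It assumes IG 5.x route syntax, an OpenAM host of openam.example.com, header names X-User-Name and X-User-Roles, and an OpenAM custom scope that returns a roles claim; all of these are placeholders.

    ```json
    {
      "name": "protected-app",
      "condition": "${matches(request.uri.path, '^/app')}",
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "type": "OAuth2ResourceServerFilter",
              "config": {
                "scopes": ["openid", "profile"],
                "requireHttps": true,
                "realm": "OpenIG",
                "accessTokenResolver": {
                  "type": "OpenAmAccessTokenResolver",
                  "config": {
                    "endpoint": "https://openam.example.com/openam/oauth2/tokeninfo",
                    "providerHandler": "ClientHandler"
                  }
                }
              }
            },
            {
              "type": "HeaderFilter",
              "config": {
                "messageType": "REQUEST",
                "remove": ["X-User-Name", "X-User-Roles"],
                "add": {
                  "X-User-Name": ["${contexts.oauth2.accessToken.info.name}"],
                  "X-User-Roles": ["${contexts.oauth2.accessToken.info.roles}"]
                }
              }
            }
          ],
          "handler": "ClientHandler"
        }
      }
    }
    ```

    The "remove" list strips any X-User-* headers a caller sent so the backend only sees values IG set after OpenAM validated the token; it does not stop a host that can reach the backend directly from setting those headers, which is what the network segmentation, mutual SSL and co-deployment options above address.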

    #21174
     Nav
    Participant

    Hi Joachim,

    Thanks for the inputs. We will definitely have network segmentation to minimize the attack surface internally and establish SSL communication.

    Regarding 2), does OpenIG, which is acting as the OIDC Relying Party now, also need to be configured as an OAuth2 Resource Server? As I mentioned in my other post, can we extract the role information from scopes like “attributes.openid.user_info.name” and transport it back to the application? Maybe not as part of the OpenID scope, but a custom scope which has claims related to roles.

    Also, now that we have OpenIG sending information to the backend application, can we restrict/authorize access to the OpenIG URLs before OpenIG kicks off the OAuth2 authorization activity? Maybe by protecting the OpenIG URLs using RBAC information from the user data LDAP? Just looking for best practices in building this authentication/authorization chain. Can we achieve something like the below using OpenAM & OpenIG?

    1) Protect OpenIG URLs
    2) OpenAM to authenticate and authorize access to OpenIG using the user password and roles stored in LDAP
    3) Once the user is authorized to access the OpenIG URLs, OpenIG starts the authorization activity by identifying the user from the SSO cookie and gets the ID and access tokens.
    4) Finally, OpenIG redirects the user with headers to the backend application.

    Can you suggest if the above approach can be achieved using OpenIG and OpenAM or any better ways to handle this?

    Thanks,
    Nav

    Thanks,
    Naveen
