This topic has 1 reply, 2 voices, and was last updated 4 years, 5 months ago by Joachim Andres.

  • Author
    Posts
  • #21170
     bertalanvoros
    Participant

    Hello All,

    Is it possible or would it make sense at all to combine oauth and openam policy enforcement?
    In terms of getting an token by oauth then also being matched against the relevant policies in openam when accessing certain resources on an api.

    Essentially replacing the browser login part of the PEP example with a token obtained by oauth.

    I am working my way through the examples in the documentation and it’s not entirely clear if this is possible or not.

    Thanks in advance,

    #21171
     Joachim Andres
    Participant

    Hi Bertalan,

    The OAuth2ResourceServerFilter does enforce scopes and serves as such as an authorization filter.

    First you need to determine the subject to be passed to the PEF.You have 3 ways to pass a subject :
    1.) sso token – typically form predecing SSO (parameter: ssoTokenSubject)
    2.) jwt – typically and id_token from preceding OIDC-based authentication (parameter: jwtSubject)
    3.) claims (parameter: claimsSubject)
    See: https://backstage.forgerock.com/docs/ig/5.5/reference/index.html#PolicyEnforcementFilter
    In your case it may be 3.) as you have neither an sso token nor an id_token. Note that the policy engine does not take access tokens.

    Second you need to make sure that the PolicyEnforcementFilter does not send back an HTTP-302 (redirect). So you need to configure a failureHandler (configurable with the PEF).

    Cheers,
    Joachim

Viewing 2 posts - 1 through 2 (of 2 total)

You must be logged in to reply to this topic.

©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?