Reading OIDC Token within IG

Home Forums ForgeRock Products Identity Gateway Reading OIDC Token within IG

Learn more about our upcoming Identity Summits

This topic has 3 replies, 2 voices, and was last updated 7 months, 1 week ago by violette.

  • Author
    Posts
  • July 9, 2019 at 11:00 pm #26085
     reeprice
    Participant

    I am using IG for API endpoint protection. Currently IG and AM are configured to complete OAuth authentication and also pass back an ID_token. I would like for IG to take in the ID_token with an additional call and convert some of the attributes contended in the id_token to headers values. Does anyone have an example of this use case? Do I need to use the token transformation filter? The example I found was using SAML and that will not work for my use case.

    July 10, 2019 at 9:46 am #26086
     violette
    Participant

    Hello reeprice,

    If you are using an OAuth2ClientFilter, you should be able to access the openid attributes by using ${attributes.openid}.
    The IdToken is available in ${attributes.openid.id_token}.
    The claims are available in ${attributes.openid.id_token_claims}.
    Then, you can use a HeaderFilter to place the values in a header.

    You can use the HeaderFilter after the Oauth2ClientFilter, such as:

    
{
  "type": "HeaderFilter",
  "config": {
    "messageType": "REQUEST",
    "add": {
      "myIdToken": [
        "${attributes.openid.id_token}"
      ]
    }
  }
}

    Which type of call/modifications do you need to do on the claims?

    Reference:
    https://backstage.forgerock.com/docs/ig/6.5/reference/#OAuth2ClientFilter
    https://backstage.forgerock.com/docs/ig/6.5/reference/#HeaderFilter

    • This reply was modified 7 months, 2 weeks ago by violette.
    July 10, 2019 at 7:33 pm #26092
     reeprice
    Participant

    I am using OAuth2ResourceServerFilter to validate my Access token. Can OAuth2ClientFilter do this as well? Do you have an example of this use case. Basically I want to make two calls. The first call I get an Access Token and id_token. On the 2nd call the access token is validated and the id_token values are saved into context to be used by additional filter.

    July 12, 2019 at 9:51 am #26094
     violette
    Participant

    Without routes context, I can only said that the OAuth2ResourceServerFilter validates a Request that contains an OAuth 2.0 access token and The OAuth2ClientFilter is responsible for authenticating the end-user using OAuth2/OIDC delegated authorization. This is two different use cases.

    In your case, you are using IG as a Relying Party, such as described in https://backstage.forgerock.com/docs/ig/6.5/gateway-guide/#chap-oauth2-rs, for validating the access_token.
    If your token is validated, then you can add a ScriptableFilter after the OAuth2ResourceServerFilter to extract id_token value(provided as a header from your AM) and perform some modifications on its claims. Then, once your modifications are done, you can use a HeaderFilter.

    Do I need to use the token transformation filter?

    > No, except if you want to transform your id_token into SAML assertions.

    • This reply was modified 7 months, 1 week ago by violette.
  • Author
    Posts
Viewing 4 posts - 1 through 4 (of 4 total)

You must be logged in to reply to this topic.

Leaderboard

The leaderboard is based on our rockin' informal points system, read about it here.
Visit our blog

©2020 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.

Log in with your credentials

Forgot your details?