This topic has 7 replies, 4 voices, and was last updated 2 years, 1 month ago by violette.
July 9, 2019 at 11:00 pm #26085
reeprice (Participant)
I am using IG for API endpoint protection. Currently IG and AM are configured to complete OAuth authentication and also pass back an ID_token. I would like for IG to take in the ID_token with an additional call and convert some of the attributes contained in the id_token to header values. Does anyone have an example of this use case? Do I need to use the token transformation filter? The example I found was using SAML and that will not work for my use case.
July 10, 2019 at 9:46 am #26086
violette (Participant)
Hello reeprice,
If you are using an OAuth2ClientFilter, you should be able to access the OpenID attributes by using ${attributes.openid}.
The IdToken is available in ${attributes.openid.id_token}.
The claims are available in ${attributes.openid.id_token_claims}.
Then, you can use a HeaderFilter to place the values in a header. You can use the HeaderFilter after the OAuth2ClientFilter, such as:
```json
{
  "type": "HeaderFilter",
  "config": {
    "messageType": "REQUEST",
    "add": {
      "myIdToken": [ "${attributes.openid.id_token}" ]
    }
  }
}
```
Which type of call/modifications do you need to do on the claims?
Reference:
https://backstage.forgerock.com/docs/ig/6.5/reference/#OAuth2ClientFilter
https://backstage.forgerock.com/docs/ig/6.5/reference/#HeaderFilter
July 10, 2019 at 7:33 pm #26092
reeprice (Participant)
I am using OAuth2ResourceServerFilter to validate my Access token. Can OAuth2ClientFilter do this as well? Do you have an example of this use case? Basically I want to make two calls. On the first call I get an Access Token and id_token. On the 2nd call the access token is validated and the id_token values are saved into context to be used by an additional filter.
July 12, 2019 at 9:51 am #26094
violette (Participant)
Without routes context, I can only say that the OAuth2ResourceServerFilter validates a Request that contains an OAuth 2.0 access token and the OAuth2ClientFilter is responsible for authenticating the end-user using OAuth2/OIDC delegated authorization. These are two different use cases. In your case, you are using IG as a Relying Party, such as described in https://backstage.forgerock.com/docs/ig/6.5/gateway-guide/#chap-oauth2-rs, for validating the access_token.
If your token is validated, then you can add a ScriptableFilter after the OAuth2ResourceServerFilter to extract the id_token value (provided as a header from your AM) and perform some modifications on its claims. Then, once your modifications are done, you can use a HeaderFilter.
Do I need to use the token transformation filter?
> No, except if you want to transform your id_token into SAML assertions.
May 15, 2020 at 5:08 pm #27937
jimbot (Participant)
I’d love to see an example of a ScriptableFilter extracting a claim value from an access_token. For instance if I’ve added mail as a scope on the AM side, and I’ve got an OAuth2ClientFilter functioning, what would the ScriptableFilter look like to pull out mail, so that I can insert it into a header value?
In other words, I want to use OAuth for the auth/scope request, and when IG sees the token result, I want to extract the mail (and a roles/isMemberOf array) from the access token and shove it into a header. I can add the token as a whole (and the id_token too) with ${attributes.openid.access_token}, but I can’t seem to get at the claim values. Does the Client filter not do that type of introspection or make the claim values available? Your note stating “perform some modifications on its claims” makes me think this is possible.
–Jim
May 15, 2020 at 8:50 pm #27939
Jatinder Singh (Participant)
The Access Token is essentially a JWT and you can parse it using the below code in your ScriptableFilter:
```groovy
import org.forgerock.json.jose.common.JwtReconstruction
import org.forgerock.json.jose.jws.SignedJwt
import groovy.json.JsonSlurper

// The compact-serialized access token string. Where it comes from depends on the route;
// with an OAuth2ClientFilter upstream it is available as attributes.openid.access_token (assumption).
def accessToken = attributes.openid.access_token

// Reconstruct the signed JWT from its compact serialization. This only parses the token;
// signature/expiry validation is the job of the OAuth2 filter that runs before this script.
SignedJwt jwt = new JwtReconstruction().reconstructJwt(accessToken, SignedJwt)

// getClaimsSet() is a method call, so it needs the parentheses; the claims set serializes to JSON
def claimsSet = new JsonSlurper().parseText(jwt.getClaimsSet().toString())

// Read a single claim, e.g. the mail claim released by the "mail" scope
claimsSet.get("mail")
```
Hope this helps!
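The claim-to-header mapping jimbot asks about, written here as an added Python example rather than an IG ScriptableFilter so the logic can be run and checked outside the gateway. This is not code from the thread or from ForgeRock: the signing key, token, claim names (mail, isMemberOf) and header names are constructed for the example. It also verifies the HS256 signature to make the point that decoding a JWT, as the Groovy snippet above does, does not by itself authenticate it; in IG that verification is what the OAuth2ResourceServerFilter or OAuth2ClientFilter performs before the script runs, so a script that trusts claims must sit behind one of those filters.

```python
"""Parse claims out of a JWT access token and flatten them into HTTP header values.

Constructed example: builds an HS256-signed test token, decodes its claims the way
a ScriptableFilter would, maps scalar and array claims to headers, and shows that
decoding alone does not detect a tampered payload.
"""
import base64
import hashlib
import hmac
import json


def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded base64url, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def make_test_jwt(claims: dict, key: bytes) -> str:
    """Build an HS256-signed compact JWS (constructed test data, not an AM-issued token)."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"


def claims_from_jwt(token: str) -> dict:
    """Return the claims set of a compact JWS.

    This only decodes the payload segment; it performs no signature, issuer or
    expiry check, exactly like JwtReconstruction in the Groovy snippet.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(b64url_decode(parts[1]))


def verify_hs256(token: str, key: bytes) -> bool:
    """Check the HS256 signature over header.payload with a constant-time compare."""
    parts = token.split(".")
    if len(parts) != 3:
        return False
    header, payload, sig = parts
    expected = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, b64url_decode(sig))


def claims_to_headers(claims: dict, mapping: dict) -> dict:
    """Map claim names to header names, e.g. {"mail": "X-Mail", "isMemberOf": "X-Groups"}.

    Scalar claims become one header value; list claims (roles, group DNs) are joined
    with ", " as one comma-separated header value. A claim absent from the token
    produces no header at all, so a downstream service can tell absent from empty.
    """
    headers = {}
    for claim, header in mapping.items():
        if claim not in claims:
            continue
        value = claims[claim]
        if isinstance(value, list):
            headers[header] = ", ".join(str(v) for v in value)
        else:
            headers[header] = str(value)
    return headers


# Constructed sample: a key and the claims an AM access token might carry for the
# "openid mail" scopes plus a group membership array.
TEST_KEY = b"constructed-test-key-not-for-production"
SAMPLE_CLAIMS = {
    "sub": "jim",
    "mail": "jim@example.com",
    "isMemberOf": ["cn=admins,ou=groups", "cn=devs,ou=groups"],
    "scope": "openid mail",
}
HEADER_MAP = {"mail": "X-Mail", "isMemberOf": "X-Groups", "roles": "X-Roles"}


def tampered_copy(token: str, new_claims: dict) -> str:
    """Swap the payload segment while keeping the original signature (for the demo)."""
    header, _payload, sig = token.split(".")
    return f"{header}.{b64url_encode(json.dumps(new_claims).encode())}.{sig}"


if __name__ == "__main__":
    token = make_test_jwt(SAMPLE_CLAIMS, TEST_KEY)
    print("verified:", verify_hs256(token, TEST_KEY))
    print("headers:", claims_to_headers(claims_from_jwt(token), HEADER_MAP))
    forged = tampered_copy(token, {**SAMPLE_CLAIMS, "mail": "someone-else@example.com"})
    print("forged decodes to:", claims_from_jwt(forged)["mail"])
    print("forged verifies:", verify_hs256(forged, TEST_KEY))
```

The `roles` entry in `HEADER_MAP` has no matching claim in the sample token, so no `X-Roles` header is emitted; the tampered copy still decodes cleanly but fails `verify_hs256`, which is why claim extraction in IG belongs after the filter that validates the token.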
May 22, 2020 at 3:28 am #27961
kian.ting (Participant)
Hi,
I am having some issues configuring IG to be the PEP for AM; I am using AM as the PDP. Set up everything as per the ForgeRock documentation: https://backstage.forgerock.com/docs/ig/6.5/gateway-guide/#chap-pep
But I am still getting the following error, does anyone have any idea?
```
[http-nio-8082-exec-6] ERROR o.f.o.h.r.RoutesCollectionProvider @system - An error occurred while trying to create route 151
org.forgerock.openig.tools.authentication.AuthenticationException: Authentication failed
	at org.forgerock.openig.tools.authentication.chf.DefaultAuthenticationService.lambda$authenticate$0(DefaultAuthenticationService.java:76)
Wrapped by: java.lang.IllegalStateException: Unable to start notification service
	at org.forgerock.openig.tools.am.AmService$Builder.notificationService(AmService.java:662)
Wrapped by: org.forgerock.openig.heap.HeapException: Invalid object declaration
	at org.forgerock.openig.heap.HeapImpl.get(HeapImpl.java:427)
Wrapped by: org.forgerock.openig.handler.router.RouterHandlerException: An error occurred while loading the route with the name '151_CDR_Oauth2_Routes'
	at org.forgerock.openig.handler.router.RouterHandler.load(RouterHandler.java:306)
```
May 25, 2020 at 12:23 pm #27967
violette (Participant)
Hello Kian,
The error message you have, "Authentication failed", means that the credentials are incorrectly set in your AmService object.
Documentation:
https://ea.forgerock.com/docs/ig/maintenance-guide/tuning-IG.html#amservice-websocket
https://ea.forgerock.com/docs/ig/reference/AmService.html