Filters
Filter objects intercept requests and responses during processing, and change them as follows:
-
Leave the request, response, and contexts unchanged. For example, the filter can simply can log the context as it passes through the filter.
-
In the request flow, change any aspect of the request (such as the URL, headers, or entity), or replace the request with a new Request object.
-
In the response flow, change any aspect of the response (such as the status, headers, or entity), or return a new Response instance
AllowOnlyFilter
Authorizes a request to continue processing if it satisfies at least one of the configured rules. Otherwise, passes the request to the FailureHandler or returns an HTTP 401 Unauthorized, with an empty response body.
This filter manages requests from the last request sender, otherwise called the request from the last hop, or the request from a direct client.
For debugging, configure the AllowOnlyFilter name, and add the following
logger to logback.xml, replacing filter_name with
the name:
org.forgerock.openig.filter.allow.AllowOnlyFilter.filter_name
For more information, see Managing Logs.
Usage
{
"name": string,
"type": "AllowOnlyFilter",
"config": {
"rules": [ object, ... ],
"failureHandler": Handler reference
}
}Properties
"rules": array of objects, required-
An array of one or more
rulesconfiguration objects to specify criteria for the request.When more than one
rulesconfiguration object is included in the array, the request must match at least one of the configuration objects.When more than one property is specified in the
rulesconfiguration (for example,fromanddestination) the request must match criteria for each property.{ "rules": [ { "name": configuration expression<string>, "from": [ object, ... ], "destination": [ object, ... ], "when": configuration expression<boolean> }, ... ] }"name": configuration expression<string>, optional-
A name for the
rulesconfiguration. When logging is configured for the AllowOnlyFilter, the rule name appears in the logs. "from": array of objects, required-
An array of one or more
fromconfiguration objects to specify criteria about the last request sender (the direct client).When more than one
fromconfiguration object is included in the array, the last request sender must match at least one of the configuration objects.When both
ipandcertificateproperties are included in the configuration, the last request sender must match criteria for both properties."from": [ { "ip": { "list": [configuration expression<string>, ...], "resolver": configuration expression<string> }, "certificate" : { "subjectDNs" : Pattern[] } }, ... ]"ip": object, optional-
Criteria about the IP address of the last request sender.
"list": array of configuration expressions<string>, required:-
An array of IP addresses or IP address ranges, using IPv4 or IPv6, and CIDR notation. The following example includes different formats:
"list": ["127.0.0.1", "::1", "192.168.0.0/16", "1234::/16"]The IP address of the last request sender must match at least one of the specified IP addresses or IP address ranges.
"resolver": configuration expression<string>, optional:-
An expression that returns an IP address as a string. The following example returns an IP address from the first item in
X-Forwarded-For:"resolver": "${request.headers['X-Forwarded-For'][0]}"Default: Resolve the IP address from the following items, in the following order:
-
If there is a
Forwardedheader, use the IP address of the last hop. -
Otherwise, if there is an
X-Forwarded-Forheader, use the IP address of the last hop. -
Otherwise, use the IP address of the connection.
-
"certificate": array of configuration expressions<object>, optional-
An array of
certificateconfiguration objects that specify criteria about the certificate of the last request sender."subjectDNs": array of configuration expressions<pattern>, required:-
An array of regular expressions to represent the expected distinguished name of the certificate subject, the
subjectDN.The
subjectDNof the last request sender must match at least one of the patterns.
"destination": array of objects, optional-
An array of
destinationconfiguration objects to specify criteria about the request destination.When more than one
destinationconfiguration object is included in the array, the request destination must match at least one of the configuration objects.When more than one property is specified in the
destinationconfiguration, for examplehostsandports, the request destination must match criteria for each property."destination": [ { "hosts": [configuration expression<pattern>, ... ], "ports": [configuration expression<string>, ... ], "methods": [configuration expression<string>, ... ], "paths": [configuration expression<pattern>, ... ] }, ... ]"hosts": array of configuration expressions<pattern>, optional-
An array of case-insensitive patterns to match the
request.hostattribute. Patterns are matched with the Java Pattern class.When this property is configured, the request destination must match at least one host pattern in the array.
Default: Any host is allowed.
"ports": array of configuration expressions<string>, optional-
An array of strings to match the
request.portattribute. Specify values in the array as follows:-
Array of single ports, for example
["80", "90"]. -
Array of port ranges, for example
["100:200"]. -
Array of single ports and port ranges, for example
["80", "90", "100:200"].
-
When this property is configured, the destination port must match at least one entry in the array.
Default: Any port is allowed.
"methods": array of configuration expressions<string>, optional-
An array of HTTP methods to match the
request.methodattribute.When this property is configured, the request method must match at least one method in the array.
Default: Any method is allowed.
"paths": array of configuration expressions<pattern>, optional-
An array of case-sensitive patterns to match the
request.url_pathattribute. Patterns are matched with the Java Pattern class.When this property is configured, the destination path must match at least one path in the array.
Default: Any path is allowed.
"when": configuration expression<boolean>, optional-
A condition that the request must meet.
The following condition is met when the first value of h1 is
1:"when": "${request.headers['h1'][0] == '1'}"
"failureHandler": Handler reference, optional-
Handler to treat the request if none of the declared rules are satisfied.
Provide either the name of a Handler object defined in the heap, or an inline Handler configuration object.
Default: HTTP 401 Unauthorized, with an empty response body.
See also Handlers.
Examples
In the following example, a request is authorized if the last request sender satisfies either of the following conditions:
-
Certificate subjectDN matches
.*CN=test$orCN=me, and the IP address is in the range 1.2.3.0/24. -
IP address is 123.43.56.8.
"from": [
{
"certificate": {
"subjectDNs": [".*CN=test$", "CN=me"]
},
"ip": {
"list": ["1.2.3.0/24"]
}
},
{
"ip": {
"list": ["123.43.56.8"]
}
},
]In the following example, a request is authorized if the request destination satisfies all of the following conditions:
-
The host is
myhost1.comorwww.myhost1.com -
The port is
80. -
The method is
POSTorGET -
The path matches
/user/*.
"destination": [
{
"hosts": ["myhost1.com", "www.myhost1.com"],
"ports": ["80"],
"methods": ["POST", "GET"],
"paths": ["/user/*"]
}
]The following example authorizes a request to continue processing if the
requests meets the conditions set by either rule1 or rule2:
{
"type": "AllowOnlyFilter",
"config": {
"rules": [
{
"name": "rule1",
"from": [
{
"certificate": {
"subjectDNs": [".*CN=test$", "CN=me"]
},
"ip": {
"list": ["1.2.3.0/24"]
}
}
],
"destination": [
{
"hosts": ["myhost1.com", "www.myhost1.com"],
"ports": ["80"],
"methods": ["POST", "GET"],
"paths": ["/user/*"]
}
],
"when": "${request.headers['h1'][0] == '1'}"
},
{
"name":"rule2",
"when": "${request.headers['h1'][0] == '2'}"
}
]
}
}AssignmentFilter
Verifies that a specified condition is met. If the condition is met or if no condition is specified, the value is assigned to the target. Values can be assigned before the request is handled and after the response is handled.
Usage
{
"name": string,
"type": "AssignmentFilter",
"config": {
"onRequest": [
{
"condition": runtime expression<boolean>,
"target": lvalue-expression,
"value": runtime expression
}, ...
],
"onResponse": [
{
"condition": runtime expression<boolean>,
"target": lvalue-expression,
"value": runtime expression
}, ...
]
}
}Properties
"onRequest": array of objects, optional-
Defines a list of assignment bindings to evaluate before the request is handled.
"onResponse": array of objects, optional-
Defines a list of assignment bindings to evaluate after the response is handled.
"condition": runtime expression<boolean>, optional-
If the expression evaluates
true, the value is assigned to the target. If no condition is specified, the value is assigned to the target unconditionally.Default: No condition is specified.
See also Expressions.
"target": lvalue-expression, required-
Expression that yields the target object whose value is to be set.
See also Expressions.
"value": runtime expression, optional-
The value to be set in the target. The value can be a string, information from the context, or even a whole map of information.
See also Expressions.
Examples
The following example assigns a value to a session. Add the filter to a route to prevent IG from clearing up empty JWTSession cookies:
{
"type": "AssignmentFilter",
"config": {
"onRequest": [{
"target": "${session.authUsername}",
"value": "I am root"
}]
}
}The following example captures credentials and stores them in the IG session during a login request. Notice that the credentials are captured on the request but are not marked as valid until the response returns a positive 302. The credentials could then be used to log a user in to a different application:
{
"name": "PortalLoginCaptureFilter",
"type": "AssignmentFilter",
"config": {
"onRequest": [
{
"target": "${session.authUsername}",
"value": "${request.queryParams['username'][0]}"
},
{
"target": "${session.authPassword}",
"value": "${request.queryParams['password'][0]}"
},
{
"comment": "Authentication has not yet been confirmed.",
"target": "${session.authConfirmed}",
"value": "${false}"
}
],
"onResponse": [
{
"condition": "${response.status.code == 302}",
"target": "${session.authConfirmed}",
"value": "${true}"
}
]
}
}CapturedUserPasswordFilter
Makes an AM password available to IG in the following steps:
-
Checks for the presence of the SessionInfoContext context, at
${contexts.amSession}.-
If the context is not present, or if
sunIdentityUserPasswordisnull, the CapturedUserPasswordFilter collects session info and properties from AM. -
If the context is present and
sunIdentityUserPasswordis notnull, the CapturedUserPasswordFilter uses that value for the password.
-
-
The CapturedUserPasswordFilter decrypts the password and stores it in the CapturedUserPasswordContext, at
${contexts.capturedPassword}.Supported with AM 5 and later versions, and with AM 6 and later versions when the
AESkeyType is used to decrypt the password.
Usage
{
"name": string,
"type": "CapturedUserPasswordFilter",
"config": {
"amService": AmService reference,
"keySecretId": configuration expression<secret-id>,
"keyType": configuration expression<string>,
"secretsProvider": SecretsProvider reference,
"ssoToken": runtime expression<string>
}
}Properties
"amService": AmService reference, required-
The AmService heap object to use for the password. See also AmService.
This filter is compatible with AM version 5.5 or higher. If
versionis not set, the default version is AM 5 and an error is thrown. "keySecretId": configuration expression<secret-id>, required-
The secret ID for the key required decrypt the AM password.
"keyType": configuration expression<enumeration>, optional-
Algorithm to decrypt the AM password. Use one of the following values:
-
DESfor DES/ECB/NoPadding -
AESAES for JWT-based AES_128_CBC_HMAC_SHA_256 encryption, available from AM 6. For more information, see AES_128_CBC_HMAC_SHA_256 in the IETF JSON Web Algorithms.
Default:
DES -
"secretsProvider": SecretsProvider reference, optional-
The SecretsProvider object to query for the JWT session signing or encryption keys. For more information, see SecretsProvider.
Default: The route’s default secret service. For more information, see Default Secrets Object.
"ssoToken": runtime expression<string>, required-
Location of the AM SSO token.
Default:
${request.cookiesAmService-ssoTokenHeader'][0].value}, whereAmService-ssoTokenHeaderis the name of the header or cookie where the AmService expects to find SSO tokens.
Examples
The following example route is used to get login credentials from AM in Get Login Credentials From AM.
{
"name": "04-replay",
"condition": "${find(request.uri.path, '^/replay')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore"
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"agent": {
"username": "ig_agent",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"url": "http://openam.example.com:8088/openam/"
}
},
{
"name": "CapturedUserPasswordFilter",
"type": "CapturedUserPasswordFilter",
"config": {
"ssoToken": "${contexts.ssoToken.value}",
"keySecretId": "aes.key",
"keyType": "AES",
"secretsProvider": "SystemAndEnvSecretStore-1",
"amService": "AmService-1"
}
}
],
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "SingleSignOnFilter",
"config": {
"amService": "AmService-1"
}
},
{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${true}",
"credentials": "CapturedUserPasswordFilter",
"request": {
"method": "POST",
"uri": "http://app.example.com:8081/login",
"form": {
"username": [
"${contexts.ssoToken.info.uid}"
],
"password": [
"${contexts.capturedPassword.value}"
]
}
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}CertificateThumbprintFilter
Extracts a Java certificate from a trusted header or from a TLS connection, computes the SHA-256 thumbprint of that certificate, and makes the thumbprint available for the ConfirmationKeyVerifierAccessTokenResolver. Use this filter to enable verification of certificate-bound access_tokens.
CertificateThumbprintFilter computes and makes available the SHA-256 thumbprint of a client certificate as follows:
-
Evaluates a runtime expression and yields a
java.security.cert.Certificate -
Hashes the certificate using SHA-256
-
Base64url-encodes the result
-
Stores the result in the contexts chain
The runtime expression can access or build a client certificate from any information present at runtime, such as a PEM in a header, or a pre-built certificate.
Use CertificateThumbprintFilter with ConfirmationKeyVerifierAccessTokenResolver when the IG instance is behind the TLS termination point, for example, when IG is running behind a load balancer or other ingress point.
Usage
{
"name": string,
"type": "CertificateThumbprintFilter",
"config": {
"certificate": runtime expression<certificate>,
"failureHandler": Handler reference,
}
}Properties
"certificate": runtime expression<certificate>, required-
An EL expression which, when evaluated, yields an instance of a
java.security.cert.Certificate.Use the following Functions in the expression to define hash, decoding, and certificate format:
-
digestSha256, to calculate the SHA-256 hash of the certificate. -
decodeBase64url, to decode an incoming base64url-encoded string. -
pemCertificate, to convert a PEM representation string into a certificate.
See Examples.
-
"failureHandler": handler reference, optional-
Handler to treat the request on failure.
Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
Examples
The following example use the certificate associated with the incoming HTTP connection:
{
"name": "CertificateThumbprintFilter-1",
"type": "CertificateThumbprintFilter",
"config": {
"certificate": "${contexts.client.certificates[0]}"
}
}The following example is adapted for a deployment with NGINX as the TLS
termination, where NGINX fronts IG. NGINX provides the client
certificate associated with its own incoming connection in the
x-ssl-client-cert header. The certificate is encoded as PEM, and then
url-encoded:
{
"name": "CertificateThumbprintFilter-2",
"type": "CertificateThumbprintFilter",
"config": {
"certificate": "${pemCertificate(urlDecode(request.headers['x-ssl-client-cert'][0]))}"
}
}ClientCredentialsOAuth2ClientFilter
Authenticates OAuth 2.0 clients by using the client’s OAuth 2.0 credentials to obtain an access_token from an authorization server, and injecting the access_token into the inbound request as a Bearer Authorization header.
The filter obtains the client’s access_token by using the client_credentials
grant type, where the credentials are sent with the client_secret_basic
method. The filter refreshes the access_token as required.
Use this filter in a service-to-service context, where services need to access resources protected by OAuth 2.0.
Usage
{
"name": string,
"type": "ClientCredentialsOAuth2ClientFilter",
"config": {
"clientId": configuration expression<sting>,
"clientSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"tokenEndpoint": configuration expression<url>,
"scopes": [ configuration expression<string>, ... ],
"handler": Handler reference or inline Handler declaration
}
}Properties
"clientId": configuration expression<string>, required-
The ID of the OAuth 2.0 client registered with the authorization server.
"clientSecretId": configuration expression<secret-id>, required-
The ID to use when querying the
secretsProviderfor the client secret. "secretsProvider": SecretsProvider reference, required-
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
"tokenEndpoint": configuration expression<url>, required-
The URL to the authorization server’s OAuth 2.0 token endpoint.
"scopes": array of configuration expression<string>, optional-
Array of scope strings to request from the authorization server.
Default: Empty, request no scopes.
"handler": Handler reference or inline Handler declaration, optional-
The Handler to use to access the authorization server’s OAuth 2.0 token endpoint. Provide either the name of a handler object defined in the heap, or specify a handler object inline.
Default: ClientHandler
Log Level
To facilitate debugging secrets for this filter, in logback.xml add a
logger defined by the fully qualified package name of the secrets API backend.
The following line in logback.xml sets the log level to ALL:
<logger name="org.forgerock.secrets.oauth2" level="ALL">Examples
For an example, see Access Resources By Using OAuth 2.0 Credentials.
ConditionalFilter
Verifies that a specified condition is met. If the condition is met, the request is dispatched to a delegate Filter. Otherwise, the delegate Filter is skipped.
Use ConditionalFilter to easily use or skip a Filter depending on whether a
condition is met. To easily use or skip a set of Filters, use a ChainOfFilters
as the delegate Filter and define a set of Filters. For information, see
ChainOfFilters.
Usage
{
"name": string,
"type": "ConditionalFilter",
"config": {
"condition": runtime expression<boolean>,
"delegate": filter reference
}
}Properties
"condition": runtime expression<boolean>, required-
If the expression evaluates to
true, the request is dispatched to the delegate Filter. Otherwise the delegate Filter is skipped.See also Filters.
"delegate": filter reference, required-
Filter to treat the request if the condition expression evaluates as
true.Provide an inline Filter configuration object, or the name of a Filter object defined in the heap.
See also Filters.
Example
The following example tests whether a request finishes with .js or .jpg:
{
"type": "Chain",
"config": {
"filters": [{
"type": "ConditionalFilter",
"config": {
"condition": "${not (matches(request.uri.path, '.js$') or matches(request.uri.path, '.jpg$'))}",
"delegate": "mySingleSignOnFilter"
}
}],
"handler": "ReverseProxyHandler"
}
}If the request is to access a .js file or .jpg file, it skips the delegate SingleSignOnFilter filter declared in the heap, and passes straight to the ReverseProxyHandler.
If the request is to access another type of resource, it must pass through the delegate SingleSignOnFilter for authentication with AM before it can pass to the ReverseProxyHandler.
ConditionEnforcementFilter
Verifies that a specified condition is met. If the condition is met, the request continues to be executed. Otherwise, the request is referred to a failure handler, or IG returns 403 Forbidden and the request is stopped.
Usage
{
"name": string,
"type": "ConditionEnforcementFilter",
"config": {
"condition": runtime expression<boolean>,
"failureHandler": handler reference
}
}Properties
"condition": runtime expression<boolean>, required-
If the expression evaluates to
true, the request continues to be executed.See also Expressions.
"failureHandler": handler reference, optional-
Handler to treat the request if the condition expression evaluates as
false.Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
Example
The following example tests whether a request contains a session username. If it
does, the request continues to be executed. Otherwise, the request is dispatched
to the ConditionFailedHandler failure handler.
{
"name": "UsernameEnforcementFilter",
"type": "ConditionEnforcementFilter",
"config": {
"condition": "${not empty (session.username)}",
"failureHandler": "ConditionFailedHandler"
}
}ChainOfFilters
Dispatches a request to an ordered list of filters. Use this filter to assemble a list of filters into a single filter that you can then use in different places in the configuration.
A ChainOfFilters can be placed in a configuration anywhere that a filter can be placed.
Unlike Chain, ChainOfFilters does not finish by dispatching the request to
a handler. For more information, see Chain.
Usage
{
"name": string,
"type": "ChainOfFilters",
"config": {
"filters": [ Filter reference, ... ]
}
}Properties
"filters": array of filter references, required-
An array of names of filter objects defined in the heap, and inline filter configuration objects.
The chain dispatches the request to these filters in the order they appear in the array.
See also Filters.
Example
{
"name": "MyChainOfFilters",
"type": "ChainOfFilters",
"config": {
"filters": [ "Filter1", "Filter2" ]
}
}CookieFilter
Manages, suppresses, and relays cookies as follows:
-
Manage, to store cookies from the protected application in the IG session, and include them in later requests.
For requests with a
Cookieheader, managed cookies are removed so that protected applications don’t see them.For responses with a
Set-Cookieheader, managed cookies are removed and then added in aCookieheader to the next request that goes through that filter.Manage is the default action, and a common choice to manage cookies originating from the protected application.
-
Suppress, to remove cookies from the request and response. Use this option to hide domain cookies, such as the AM session cookie, that are used by IG but are not usually used by protected applications.
-
Relay, to transmit cookies freely from the user agent to the remote server, and vice versa.
If a cookie does not appear in one of the three action parameters, then the
default action is performed, controlled by setting the defaultAction
parameter. If unspecified, the default action is to manage all cookies. In the
event a cookie appears in more than one configuration parameter, then it will
be selected in the order of precedence: managed, suppressed, relayed.
Usage
{
"name": string,
"type": "CookieFilter",
"config": {
"managed": [ string, ... ],
"suppressed": [ string, ... ],
"relayed": [ string, ... ],
"defaultAction": string
}
}Properties
"managed": array of strings, optional-
A list of the names of cookies to be managed.
"suppressed": array of strings, optional-
A list of the names of cookies to be suppressed.
"relayed": array of strings, optional-
A list of the names of cookies to be relayed.
"defaultAction": enumeration, optional-
Action to perform for cookies that do not match an action set. Set to
"MANAGE","RELAY", or"SUPPRESS". Default:"MANAGE".
CorsFilter
Configures policies for cross-origin resource sharing (CORS), to allow cross-domain requests from user agents.
Usage
{
"name": string,
"type": "CorsFilter",
"config": {
"policies": [ configuration expression<object>, ... ],
"failureHandler": Handler reference
}
}Properties
"policies": list of configuration expression<object>, required-
A list of policies to apply to the request. A policy is selected when the origin of the request matches the accepted
originsof the policy.When multiple policies are declared, they are tried in the order that they are declared, and the first matching policy is selected.
When no policy matches during a preflight request, the failure handler is invoked or an HTTP 403 is returned.
{ "acceptedOrigins": [ configuration expression<url>, ... ] or "*", "acceptedMethods": [ configuration expression<string>, ... ] or "*", "acceptedHeaders": [ configuration expression<string>, ... ] or "*", "exposedHeaders": [ configuration expression<string>, ... ], "maxAge": configuration expression<duration>, "allowCredentials": configuration expression<boolean> }"acceptedOrigins": list of configuration expression<url> or"*", required-
A comma-separated list of origins, to match the origin of the CORS request. Alternatively, use
\*to allow requests from any URL.Origins are URLs with a scheme, hostname, and optionally a port number, for example, http://www.example.com. If a port number is not defined, origins with no port number or with the default port number (80 for HTTP, 443 for HTTPS) are accepted.
Examples:
{ "acceptedOrigins": [ "http://www.example.com", "https://example.org:8433" ] }{ "acceptedOrigins": "*" } "acceptedMethods": list of configuration expression<string> or"*", optional-
A comma-separated list of case-sensitive HTTP method names that are allowed when making CORS requests. Alternatively, use
\*to allow requests with any method.The
Access-Control-Request-Methodheader is used by browsers in preflight requests, to let the server know which HTTP method will be used in the actual request. If a method is allowed, it is returned in the preflight response, in theAccess-Control-Allow-Methodsheader.Examples:
{ "acceptedMethods": [ "GET", "POST", "PUT", "MyCustomMethod" ] }{ "acceptedMethods": "*" }Default: All methods are rejected.
"acceptedHeaders": list of configuration expression<string> or"*", optional-
A comma-separated list of case-insensitive request header names that are allowed when making CORS requests. Alternatively, use
\*to allow requests with any header.The
Access-Control-Request-Headersheader is used by browsers in preflight requests, to let the server know which HTTP headers might be used in the actual request. If all requested headers are allowed, they are returned in the preflight response, in theAccess-Control-Allow-Headersheader. If any of the requested headers are not allowed, theAccess-Control-Allow-Headersheader is omitted.Examples:
{ "acceptedHeaders": [ "iPlanetDirectoryPro", "X-OpenAM-Username", "X-OpenAM-Password", "Accept-API-Version", "Content-Type", "If-Match", "If-None-Match" ] }{ "acceptedHeaders": "*" }Default: All requested headers are rejected.
"exposedHeaders": list of configuration expression<string>, optional-
A comma-separated list of case-insensitive response header names that are returned in the
Access-Control-Expose-Headersheader. Only headers in this list, safe headers, and the following simple response headers are exposed to frontend JavaScript code:-
Cache-Control -
Content-Language -
Expires -
Last-Modified -
Pragma -
Content-TypeExample:
{ "exposedHeaders": [ "Access-Control-Allow-Origin", "Access-Control-Allow-Credentials", "Set-Cookie" ] }
Default: No headers are exposed.
-
"maxAge": configuration expression<duration>, optional-
The maximum duration for which a browser is allowed to cache a preflight response. The value is included in the
Access-Control-Max-Ageheader of preflight responses.When this
maxAgeis greater than the browser’s maximum internal value, the browser value takes precedence.Default: 5 seconds
"allowCredentials": configuration expression<boolean>, optional-
Whether to allow requests that use credentials, such as cookies, authorization headers, or TLS client certificates.
Set to
trueto set theAccess-Control-Allow-Credentialsheader totrue, and allow browsers to expose the response to frontend JavaScript code.
Default: False
"failureHandler": handler reference, optional-
Handler to treat the request when no policy matches during a preflight request.
Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
CrossDomainSingleSignOnFilter
When IG and AM are running in the same domain, the SingleSignOnFilter can be used for SSO. When IG and AM are running in different domains, AM cookies are not visible to IG because of the same-origin policy. The CrossDomainSingleSignOnFilter provides a mechanism to push tokens issued by AM to IG running in a different domain.
When this filter processes a request, it injects the CDSSO token, the session user ID, and the full claims set into the CdSsoContext. If an error occurs during authentication, the error details are captured in a CdSsoFailureContext.
For an example of how to configure CDSSO in AM and IG, and information about the flow of data between AM, IG, and a protected application, see Authenticate With CDSSO.
Supported with AM 5.5 and later versions.
WebSocket Notifications for Sessions
When WebSocket notifications are set up for sessions, IG receives a
notification from AM when a user logs out of AM, or when the
AM session is modified, closed, or times out. IG then evicts
entries that are related to the event from the sessionCache.
For information about setting up WebSocket notifications, using them to clear the session cache, and including them in the server logs, see WebSocket Notifications.
Usage
{
"name": string,
"type": "CrossDomainSingleSignOnFilter",
"config": {
"amService": AmService reference,
"redirectEndpoint": runtime expression<uri string>,
"authenticationService": configuration expression<string>,
"authCookie": object,
"defaultLogoutLandingPage": configuration expression<url>,
"logoutExpression": runtime expression<boolean>,
"failureHandler": Handler reference,
"verificationSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference
}
}Properties
"amService": AmService reference, required-
The AmService heap object to use. See AmService.
"redirectEndpoint": runtime expression<uri string>, required-
The URI to which AM redirects the browser with the authentication token or an authentication error. The filter checks that the authentication was initiated by IG.
Configure this URI to be the same as that in AM.
To make sure that the redirect is routed back to the CrossDomainSingleSignOnFilter, include the endpoint in the route condition in one of the following ways:
-
As a sub-path of the condition path.
For example, use the following route condition with the following endpoint:
"condition": "${find(request.uri.path, '^/home/cdsso')}""redirectEndpoint": "/home/cdsso/callback" -
To match the route condition.
For example, use the following route condition with the following endpoint:
"condition": "${find(request.uri.path, '^/home/cdsso')}""redirectEndpoint": "/home/cdsso"With this route condition, all POST requests on the condition path are treated as AM CDSSO callbacks. Any POST requests that aren’t the result of an AM CDSSO callback will fail.
-
As a specific path that is not related to the condition path.
To make sure that the redirect is routed back to this filter, include the redirectEndpoint as a path in the filter condition.
For example, use the following route condition with the following endpoint:
"condition": "${find(request.uri.path, '^/home/cdsso/redirect') || matches(request.uri.path, '^/ig/cdssoRedirectUri')}""redirectEndpoint": "/ig/cdssoRedirectUri"
-
"authenticationService": configuration expression<uri string>,optional-
The name of an AM authentication tree or authentication chain to use for authentication.
Default: AM’s default authentication service.
For an example that uses
authenticationService, see Authenticate With SSO Through an AM Authentication Tree.For more information about authentication trees and chains, see Authentication Nodes and Trees and Authentication Modules and Chains in AM’s Authentication and Single Sign-On Guide.
"authCookie": object, optional-
The configuration of the cookie used to store the authentication.
{ "cookie": { "name": configuration expression<string>, "domain": configuration expression<string>, "httpOnly": configuration expression<boolean>, "path": configuration expression<string>, "sameSite": configuration expression<enumeration>, "secure": configuration expression<boolean> } }"name": configuration expression<string>, optional-
Name of the cookie containing the authentication token from AM.
For security, change the default name of cookies.
Default:
ig-token-cookie "domain": configuration expression<string>, optional-
Domain to which the cookie applies.
Set a domain only if the user-agent is able to re-emit cookies on that domain on its next hop. For example, to re-emit a cookie on the domain
example.com, the user-agent must be able to access that domain on its next hop.Default: The fully qualified hostname of the user-agent’s next hop.
"httpOnly": configuration expression<boolean>, optional-
Flag to mitigate the risk of client-side scripts accessing protected cookies.
Default:
true "path": configuration expression<string>, optional-
Path protected by this authentication.
Set a path only if the user-agent is able to re-emit cookies on the path. For example, to re-emit a cookie on the path
/home/cdsso, the user-agent must be able to access that path on its next hop.Default: The path of the request that got the
Set-Cookiein its response. "sameSite": configuration expression<enumeration>, optional-
Options to manage the circumstances in which the cookie is sent to the server. The following values are listed in order of strictness, with most strict first:
-
STRICT: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks. -
LAX: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks. -
NONE: Send the cookie whenever a request is made to the cookie domain. With this setting, consider settingsecuretotrueto prevent browsers from rejecting the cookie. For more information, see SameSite cookies.
-
Default:
LAX
For CDSSO with IG in standalone mode, set "sameSite":"none" and
"secure":"true". For security reasons, if "sameSite" is not set many browsers
require the connection to be secure (HTTPS). Therefore, if the connection is not
secure (HTTP), the browser might not supply cookies with "sameSite":"none".
For an example, see
Authenticate With CDSSO for IG in Standalone Mode.
|
"secure": configuration expression<boolean>, optional-
Flag to limit the scope of the cookie to secure channels.
Set this flag only if the user-agent is able to re-emit cookies over HTTPS on its next hop. For example, to re-emit a cookie with the
secureflag, the user-agent must be connected to its next hop by HTTPS.Default:
false
"defaultLogoutLandingPage": configuration expression<url>, optional-
The URL to which a request is redirected if
logoutExpressionis evaluated as true.If this property is not an absolute URL, the request is redirected to the IG domain name.
This parameter is effective only when
logoutExpressionis specified.Default: None, processing continues.
"logoutExpression": runtime expression<boolean>, optional-
An expression to define a condition for logout, based on the request. If the expression evaluates to
true, the AM session token for the end user is revoked.If a
defaultLogoutLandingPageis specified, the request is redirected to that page. Otherwise, the request continues to be processed.The following example expressions can be used to trigger revocation of the end user token:
-
The request URI contains
/logout:${matches(request.uri, '/logout')} -
The request path starts with
/logout:${matches(request.uri.path, '^/logout')} -
The request query includes the
logOff=truequery parameter:${matches(request.uri.query, 'logOff=true')}
Default: Logout is not managed by this filter.
-
"failureHandler": Handler reference, optional-
Handler to treat the request if an error occurs during authentication.
If an error occurs during authentication, a CdSsoFailureContext is populated with details of the error and any associated
Throwable. This is available to the failure handler so that it can respond appropriately.Be aware that the failure handler does not itself play a role in user authentication. It is only invoked if there is a problem that prevents user authentication from taking place.
A number of circumstances may cause the failure handler to be invoked, including:
-
The redirect endpoint is invalid.
-
The redirect endpoint is invoked without a valid CDSSO token.
-
The redirect endpoint is invoked inappropriately.
-
An error was reported by AM during authentication.
If no failure handler is configured, the default failure handler is used.
See also Handlers.
Default: HTTP 200 OK. The response entity contains details of the error.
-
"verificationSecretId": configuration expression<secret-id>, required to verify the signature of signed tokens-
The secret ID for the secret to verify the signature of signed tokens.
If configured, the token must be signed. If not configured, IG does not verify the signature.
For information about how signatures are validated, see Validating the Signature of Signed Tokens. For information about how each type of secret store resolves named secrets, see Secrets.
"secretsProvider": SecretsProvider reference, required to verify the signature of signed JWTs-
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
Example
In the following example from Single Sign-On and Cross-Domain Single Sign-On, IG uses authentication from AM on a different domain to process a request:
{
"name": "cdsso",
"baseURI": "http://app.example.com:8081",
"condition": "${find(request.uri.path, '^/home/cdsso')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore"
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"url": "http://openam.example.com:8088/openam",
"realm": "/",
"version": "7.1",
"agent": {
"username": "ig_agent_cdsso",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"sessionCache": {
"enabled": false
}
}
}
],
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"name": "CrossDomainSingleSignOnFilter-1",
"type": "CrossDomainSingleSignOnFilter",
"config": {
"redirectEndpoint": "/home/cdsso/redirect",
"authCookie": {
"path": "/home",
"name": "ig-token-cookie"
},
"amService": "AmService-1",
"verificationSecretId": "verify",
"secretsProvider": {
"type": "JwkSetSecretStore",
"config": {
"jwkUrl": "http://openam.example.com:8088/openam/oauth2/connect/jwk_uri"
}
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}CryptoHeaderFilter
|
This object is deprecated and likely to be removed in a future release. The CryptoHeaderFilter conveys encrypted data between hosts by using insecure ECB mode ciphers. Consider using a JwtBuilderFilter with a HeaderFilter for a more secure way to pass identity or other runtime information to the protected application. |
Encrypts or decrypts headers in a request or response, using a symmetric or asymmetric key. CryptoHeaderFilter supports key rotation.
Usage
{
"name": string,
"type": "CryptoHeaderFilter",
"config": {
"messageType": configuration expression<enumeration>,
"operation": configuration expression<enumeration>,
"keySecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"algorithm": configuration expression<string>,
"charset": configuration expression<string>,
"headers": [ configuration expression<string>, ... ]
}
}Properties
"messageType": configuration expression<enumeration>, required-
The type of message whose headers to encrypt or decrypt.
Must be one of:
"REQUEST","RESPONSE". "operation": configuration expression<enumeration>, required-
Indication of whether to encrypt or decrypt.
Must be one of:
"ENCRYPT","DECRYPT". "keySecretId": configuration expression<secret-id>, required-
The secret ID of the key to encrypt or decrypt the headers. For more information, see Default Secrets Object.
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider object to query for the key to encrypt or decrypt the headers. For more information, see SecretsProvider.
"algorithm": configuration expression<string>, optional-
The algorithm name, mode, and padding used for encryption and decryption.
CryptoHeaderFilter does not support EC-based encryption. Use other cipher algorithm values given in Java Security Standard Algorithm Names.
Default:
AES/ECB/PKCS5Padding "charset": configuration expression<string>, optional-
The name of the charset used to encrypt or decrypt values, as described in Class Charset.
Default:
UTF-8 "headers": array of configuration expression<string>, optional-
The names of header fields to encrypt or decrypt.
Default: Empty
Example
{
"name": "DecryptReplayPasswordFilter",
"type": "CryptoHeaderFilter",
"config": {
"messageType": "REQUEST",
"operation": "DECRYPT",
"keySecretId": "decryption.secret.id",
"secretsProvider": "KeyStoreSecretStore-1",
"algorithm": "DES/ECB/NoPadding",
"headers": [ "replaypassword" ]
}
}CsrfFilter
Prevent Cross Site Request Forgery (CSRF) attacks when using cookie-based authentication, as follows:
-
When a session is created or updated for a client, generate a CSRF token as a hash of the session cookie.
-
Send the token in a response header to the client, and require the client to provide that header in subsequent requests.
-
In subsequent requests, compare the provided token to the generated token.
-
If the token is not provided or can’t be validated, reject the request and return a valid CSRF token transparently in the response header.
Rogue websites that attempt CSRF attacks operate in a different website domain to the targeted website. Because of same-origin policy, rogue websites can’t access a response from the targeted website, and cannot, therefore, access the CSRF token.
Usage
{
"name": string,
"type": "CsrfFilter",
"config": {
"cookieName": configuration expression<string>,
"headerName": configuration expression<string>,
"excludeSafeMethods": configuration expression<boolean>,
"failureHandler": handler reference
}
}Properties
"cookieName": configuration expression<string>, required-
The name of the cookie used to store the session ID, where iPlanetDirectoryPro is the name of the default AM session cookie. To find the name of your AM session cookie, see Find the Name of Your AM Session Cookie.
"headerName": configuration expression<string>, optional-
The name of the header that carries the CSRF token. The same header is used to create and verify the token.
Default:
X-CSRF-Token "excludeSafeMethods": configuration expression<boolean>, optional-
Whether to exclude GET, HEAD, and OPTION methods from CSRF testing. In most cases, these methods are assumed as safe from CSRF.
Default:
true "failureHandler": handler reference, optional-
Handler to treat the request if the CSRF the token is not provided or can’t be validated. Provide an inline handler declaration, or the name of a handler object defined in the heap.
Although IG returns the CSRF token transparently in the response header, this handler cannot access the CSRF token.
Default: Handler that generates
HTTP 403 Forbidden.
Example
For an example of how to harden protection against CSRF attacks, see Protect Against CSRF Attacks.
{
"name": "CsrfFilter-1",
"type": "CsrfFilter",
"config": {
"cookieName": "openig-jwt-session",
"headerName": "X-CSRF-Token",
"excludeSafeMethods": true
}
}DateHeaderFilter
Inserts the server date in an HTTP Date header on the response, if the Date header is not present.
Example
The following example includes a DateHeaderFilter in a chain:
{
"condition": "...",
"handler": {
"type": "Chain",
"config": {
"filters": [{
...
},
{
"type": "DateHeaderFilter"
}
],
"handler": {
"name": "StaticResponseHandler-1",
...
}
}
}
}More Information
For information about Date format, see rfc7231 - Date.
This filter is also available to support Financial-Grade API, for information, see Financial-grade API - Part 1: Read-Only API Security Profile
EntityExtractFilter
Extracts regular expression patterns from a message entity, and stores their
values in a target object. Use this object in password replay, to find a login
path or extract a nonce.
If the message type is REQUEST, the pattern is extracted before the request
is handled. If the message type is RESPONSE, the pattern is extracted out of
the response body.
Each pattern can have an associated template, which is applied to its match result.
For information, see Patterns.
Usage
{
"name": string,
"type": "EntityExtractFilter",
"config": {
"messageType": string,
"charset": string,
"target": lvalue-expression,
"bindings": [
{
"key": string,
"pattern": pattern,
"template": pattern-template
}, ...
]
}
}Properties
"messageType": enumeration, required-
The message type to extract patterns from.
Must be
REQUESTorRESPONSE. "charset": string, optional-
Overrides the character set encoding specified in message.
Default: The message encoding is used.
"target": lvalue-expression, required-
Expression that yields the target object that contains the extraction results.
The bindings determine what type of object is stored in the target location.
The object stored in the target location is a Map<String, String>. You can then access its content with
${target.key}or${target['key']}.See also Expressions.
"key": string, required-
Name of the element in the target object to contain an extraction result.
"pattern": pattern, required-
The regular expression pattern to find in the entity.
See also Patterns.
"template": pattern-template, optional-
The template to apply to the pattern, and store in the named target element.
Default: store the match result itself.
See also Patterns.
Examples
Extracts a nonce from the response, which is typically a login page, and sets
its value in the attributes context to be used by the downstream filter posting
the login form. The nonce value would be accessed using the following
expression: ${attributes.extract.wpLoginToken}.
The pattern finds all matches in the HTTP body of the form
wpLogintokenvalue="abc". Setting the template to $1 assigns the value
abc to attributes.extract.wpLoginToken:
{
"name": "WikiNoncePageExtract",
"type": "EntityExtractFilter",
"config": {
"messageType": "response",
"target": "${attributes.extract}",
"bindings": [
{
"key": "wpLoginToken",
"pattern": "wpLoginToken\"\\s.*value=\"(.*)\"",
"template": "$1"
}
]
}
}The following example reads the response looking for the AM login page.
When found, it sets isLoginPage = true to be used in a SwitchFilter to post
the login credentials:
{
"name": "FindLoginPage",
"type": "EntityExtractFilter",
"config": {
"messageType": "response",
"target": "${attributes.extract}",
"bindings": [
{
"key": "isLoginPage",
"pattern": "OpenAM\s\(Login\)",
"template": "true"
}
]
}
}FapiInteractionIdFilter
Tracks the interaction ID of requests, according to the Financial-grade API (FAPI) WG, as follows:
-
If a FAPI header is provided in a client request, includes the interaction ID in the
x-fapi-interaction-idproperty of the response header. -
If a FAPI header is not provided in the request, includes a new Universally Unique Identifier (UUID) in the
x-fapi-interaction-idproperty of the response header. -
Adds the value of
x-fapi-interaction-idto the log.
Example
The following example, based on Validate Certificate-Bound Access Tokens, adds a FapiInteractionIdFilter to the end of the chain:
{
"name": "mtls",
"condition": "${find(request.uri.path, '/mtls')}",
"handler": {
"type": "Chain",
"config": {
"filters": [ {
"name": "OAuth2ResourceServerFilter-1",
...
},
{
"type": "FapiInteractionIdFilter"
}
],
"handler": {
"name": "StaticResponseHandler-1",
...
}
}
}
}FragmentFilter
Tracks the fragment part of a URI when a request triggers a login redirect.
-
Before authentication, the filter captures the URI fragment information and stores it in a cookie.
-
After authentication, when the request is issued again to the original URI, the filter redirects the browser to the original URI, including any URI fragment.
Use this filter with SingleSignOnFilter, CrossDomainSingleSignOnFilter, OAuth2ClientFilter, and PolicyEnforcementFilter. This filter is not required for SAML because the final redirect is done with a DispatchHandler and a StaticResponseFilter.
Usage
{
"name": string,
"type": "FragmentFilter",
"config": {
"fragmentCaptureEndpoint": configuration expression<uri_string>,
"noJavaScriptMessage": configuration expression<string>,
"cookie": object
}
}"fragmentCaptureEndpoint": configuration expression<uri_string>, required-
The IG endpoint used to capture the fragment form data.
Configure the endpoint to match the condition of the route in which the filter is used.
"noJavaScriptMessage": configuration expression<string>, optional-
A message to display on the fragment form when JavaScript is not enabled.
Default: No message
"cookie": object, optional-
The configuration of the cookie used to store the fragment information.
{ "cookie": { "name": configuration expression<string>, "domain": configuration expression<string>, "httpOnly": configuration expression<boolean>, "path": configuration expression<string>, "sameSite": configuration expression<enumeration>, "secure": configuration expression<boolean>, "maxAge": configuration expression<duaration> } }"name": configuration expression<string>, optional-
Cookie name.
Default:
ig-fragment-cookie "domain": configuration expression<string>, optional-
Domain to which the cookie applies.
Default: The fully qualified hostname of the IG host.
"httpOnly": configuration expression<boolean>, optional-
Flag to mitigate the risk of client-side scripts accessing protected cookies.
Default:
true "path": configuration expression<string>, optional-
Path protected by this authentication.
Default:
/ "sameSite": configuration expression<enumeration>, optional-
Options to manage the circumstances in which the cookie is sent to the server. The following values are listed in order of strictness, with most strict first:
-
STRICT: Send the cookie only if the request was initiated from the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks. -
LAX: Send the cookie only with GET requests in a first-party context, where the URL in the address bar matches the cookie domain. Not case-sensitive. Use this value to reduce the risk of cross-site request forgery (CSRF) attacks. -
NONE: Send the cookie whenever a request is made to the cookie domain. With this setting, consider settingsecuretotrueto prevent browsers from rejecting the cookie. For more information, see SameSite cookies.
-
Default:
LAX"secure": configuration expression<boolean>, optional-
Flag to limit the scope of the cookie to secure channels.
Default:
false "maxAge": configuration expression<duration>, optional-
The maximum duration for which the FragmentFilter cookie can be valid.
When this
maxAgeis greater than the browser’s maximum internal value, the browser value takes precedence.Default: 1 hour
Example
For an example of how the FragmentFilter is used in an SSO flow, see Persist URI Fragments in Login Redirects.
FileAttributesFilter
Retrieves and exposes a record from a delimiter-separated file. Lookup of the
record is performed using a specified key, whose value is derived from an
expression. The resulting record is exposed in an object whose location is
specified by the target expression. If a matching record cannot be found,
then the resulting object is empty.
The retrieval of the record is performed lazily; it does not occur until the
first attempt to access a value in the target. This defers the overhead of
file operations and text processing until a value is first required. This also
means that the value expression is not evaluated until the object is first
accessed.
Usage
{
"name": string,
"type": "FileAttributesFilter",
"config": {
"file": expression,
"charset": string,
"separator": string,
"header": boolean,
"fields": [ string, ... ],
"target": lvalue-expression,
"key": string,
"value": runtime expression<string>
}
}For an example see Log In With Credentials From a File.
Properties
"file": expression, required-
The file containing the record to be read.
See also Expressions.
"charset": string, optional-
The character set in which the file is encoded.
Default:
"UTF-8". "separator": separator identifier string, optional-
The separator character, which is one of the following:
COLON-
Unix-style colon-separated values, with backslash as the escape character.
COMMA-
Comma-separated values, with support for quoted literal strings.
TAB-
Tab separated values, with support for quoted literal strings.
Default:
COMMA "header": boolean, optional-
The setting to treat or not treat the first row of the file as a header row.
When the first row of the file is treated as a header row, the data in that row is disregarded and cannot be returned by a lookup operation.
Default:
true. "fields": array of strings, optional-
A list of keys in the order they appear in a record.
If
fieldsis not set, the keys are assigned automatically by the column numbers of the file. "target": lvalue-expression, required-
Expression that yields the target object to contain the record.
The target object is a
Map<String, String>, where the fields are the keys. For example, if the target is${attributes.file}and the record has ausernamefield and apasswordfield mentioned in the fields list, Then you can access the user name as${attributes.file.username}and the password as${attributes.file.password}.See also Expressions.
"key": string, required-
The key used for the lookup operation.
"value": runtime expression<string>, required-
The value to be looked-up in the file.
See also Expressions.
ForwardedRequestFilter
Rebase the request URI to a computed scheme, host name, and port.
Use this filter to configure redirects when a request is forwarded by an upstream application such as a TLS offloader.
Usage
{
"name": string,
"type": "ForwardedRequestFilter",
"config": {
"scheme": runtime expression<string>,
"host": runtime expression<string>,
"port": runtime expression<number>
}
}Properties
At least one of scheme, host, or port must be configured.
"scheme": runtime expression<string>, optional-
The scheme to which the request is rebased, for example,
https.Default: Not rebased to a different scheme
"host": runtime expression<string>, optional-
The host to which the request is rebased.
Default: Not rebased to a different host
"port": runtime expression<number>, optional-
The port to which the request is rebased.
Default: Not rebased to a different port
Example
In the following configuration, IG runs behind an AWS load balancer, to perform a login page redirect to an authentication party, using the original URI requested by the client.
IG can access the URI used by the load balancer to reach IG, but can’t access the original request URI.
The load balancer breaks the original request URI into the following headers, and adds them to the incoming request:
-
X-Forwarded-Proto: Scheme -
X-Forwarded-Port: Port -
Host: Original host name, and possibly the port.
{
"type": "ForwardedRequestFilter",
"config": {
"scheme": "${request.headers['X-Forwarded-Proto'][0]}",
"host": "${split(request.headers['Host'][0], ':')[0]}",
"port": "${integer(request.headers['X-Forwarded-Port'][0])}"
}
}HeaderFilter
Removes headers from and adds headers to request and response messages. Headers are added to any existing headers in the message. To replace a header, remove the header and then add it again.
Usage
{
"name": string,
"type": "HeaderFilter",
"config": {
"messageType": enumeration,
"remove": [ string, ... ],
"add": {
name: [ runtime expression<string>, ... ], ...
}
}
}Properties
"messageType": enumeration, required-
Indicates the type of message to filter headers for. Must be one of
"REQUEST","RESPONSE". "remove": array of strings, optional-
The names of header fields to remove from the message.
"add": object, optional-
Header fields to add to the message. The header name is specified by
name. The header values are specified by an array of runtime expressions that evaluate to strings.
Examples
The following example replaces the host header on the incoming request with the
value myhost.com:
{
"name": "ReplaceHostFilter",
"type": "HeaderFilter",
"config": {
"messageType": "REQUEST",
"remove": [ "host" ],
"add": {
"host": [ "myhost.com" ]
}
}
}The following example adds the headers custom1 and custom2 to the request:
{
"name": "SetCustomHeaders",
"type": "HeaderFilter",
"config": {
"messageType": "REQUEST",
"add": {
"custom1": [ "12345", "6789" ],
"custom2": [ "abcd" ]
}
}
}The following example adds the value of session’s policy enforcement token to
the pef_sso_token header in the response:
{
"type": "HeaderFilter",
"config": {
"messageType": "RESPONSE",
"add": {
"pef_sso_token": ["${session.pef_token}"]
}
}
}The following example adds a message to the request and response as it passes
through the Chain, and the capture on the ReverseProxyHandler logs the
result. With IG and the sample application set up as described in
the Getting Started, access this route on
http://openig.example.com:8080/home/chain.
{
"condition": "${find(request.uri.path, '^/home/chain')}",
"handler": {
"type": "Chain",
"comment": "Base configuration defines the capture decorator",
"config": {
"filters": [
{
"type": "HeaderFilter",
"comment": "Add a header to all requests",
"config": {
"messageType": "REQUEST",
"add": {
"MyHeaderFilter_request": [
"Added by HeaderFilter to request"
]
}
}
},
{
"type": "HeaderFilter",
"comment": "Add a header to all responses",
"config": {
"messageType": "RESPONSE",
"add": {
"MyHeaderFilter_response": [
"Added by HeaderFilter to response"
]
}
}
}
],
"handler": {
"type": "ReverseProxyHandler",
"comment": "Log request, pass it to the sample app, log response",
"capture": "all",
"baseURI": "http://app.example.com:8081"
}
}
}
}The chain receives the request and context and processes it as follows:
-
The first
HeaderFilteradds a header to the incoming request. -
The second
HeaderFiltermanages responses not requests, so it simply passes the request and context to the handler. -
The
ReverseProxyHandlercaptures (logs) the request. -
The
ReverseProxyHandlerforwards the transformed request to the protected application. -
The protected application passes a response to the
ReverseProxyHandler. -
The
ReverseProxyHandlercaptures (logs) the response. -
The second
HeaderFilteradds a header added to the response. -
The first
HeaderFilteris configured to manage requests, not responses, so it simply passes the response back to IG.
The following example lists some of the HTTP requests and responses captured
as they flow through the chain. You can search the log files for
MyHeaderFilter_request and MyHeaderFilter_response.
# Original request from user-agent
GET http://openig.example.com:8080/home/chain HTTP/1.1
Accept: /
Host: openig.example.com:8080
# Add a header to the request (inside IG) and direct it to the protected application
GET http://app.example.com:8081/home/chain HTTP/1.1
Accept: /
Host: openig.example.com:8080
MyHeaderFilter_request: Added by HeaderFilter to request
# Return the response to the user-agent
HTTP/1.1 200 OK
Content-Length: 1809
Content-Type: text/html; charset=ISO-8859-1
# Add a header to the response (inside IG)
HTTP/1.1 200 OK
Content-Length: 1809
MyHeaderFilter_response: Added by HeaderFilter to responseHttpBasicAuthenticationClientFilter
Authenticate clients according to HTTP Basic Authentication protocol, using the client’s credentials.
Use this filter in a service-to-service context, where services need to access resources protected by HTTP Basic Authentication.
Usage
{
"name": string,
"type": "HttpBasicAuthenticationClientFilter",
"config": {
"username": configuration expression<string>,
"passwordSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"urlEncodeCredentials": configuration expression<boolean>
}
}Properties
"username": configuration expression<string>, required-
The username of the client to authenticate.
"passwordSecretId": configuration expression<string>, required-
The secret ID required to obtain the client password.
"secretsProvider": SecretsProvider reference, required-
The SecretsProvider to use to obtain the
passwordSecretId. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline. "urlEncodeCredentials": configuration expression<boolean>, optional-
Set to
trueto URL-encoded credentials before base64-encoding them.Default:
false
Example
The following example shows the flow of information when a client service accesses a resource protected by HTTP Basic Authentication:
-
Add the following script to the IG configuration as
$HOME/.openig/scripts/groovy/BasicAuthResourceServerFilter.groovy(on Windows,appdata\OpenIG\scripts\groovy\BasicAuthResourceServerFilter.groovy):/* * Copyright 2020 ForgeRock AS. All Rights Reserved * * Use of this code requires a commercial software license with ForgeRock AS. * or with one of its affiliates. All use shall be exclusively subject * to such license between the licensee and ForgeRock AS. */ /** * This script is a simple implementation of HTTP Basic Authentication on * server side. * It expects the following arguments: * - realm: the realm to display when the user-agent prompts for * username and password if none were provided. * - username: the expected username * - password: the expected password */ import static org.forgerock.util.promise.Promises.newResultPromise; import java.nio.charset.Charset; import org.forgerock.util.encode.Base64; String authorizationHeader = request.getHeaders().getFirst("Authorization"); if (authorizationHeader == null) { // No credentials provided, reply that they are needed. Response response = new Response(Status.UNAUTHORIZED); response.getHeaders().put("WWW-Authenticate", "Basic realm=\"" + realm + "\""); return newResultPromise(response); } String expectedAuthorization = "Basic " + Base64.encode((username + ":" + password).getBytes(Charset.defaultCharset())) if (!expectedAuthorization.equals(authorizationHeader)) { return newResultPromise(new Response(Status.FORBIDDEN)); } // Credentials are as expected, let's continue return next.handle(context, request);The script is a simple implementation of the HTTP Basic Authentication mechanism.
For information about scripting filters and handlers, see Extend IG.
-
Add the following route to IG:
$HOME/.openig/config/routes/http-basic-access.json
appdata\OpenIG\config\routes\http-basic-access.json
{ "name": "http-basic-access", "baseURI": "http://openig.example.com:8080", "condition" : "${matches(request.uri.path, '^/http-basic-access')}", "heap": [ { "name": "httpBasicAuthEnabledClientHandler", "type": "Chain", "capture": "all", "config": { "filters": [ { "type": "HttpBasicAuthenticationClientFilter", "config": { "username": "myclient", "passwordSecretId": "password.secret.id", "secretsProvider": { "type": "Base64EncodedSecretStore", "config": { "secrets": { "password.secret.id": "cGFzc3dvcmQ=" } } } } } ], "handler": "ForgeRockClientHandler" } } ], "handler": { "type": "ScriptableHandler", "config": { "type": "application/x-groovy", "clientHandler": "httpBasicAuthEnabledClientHandler", "source": [ "request.uri.path = '/http-basic-protected-resource'", "return http.send(context, request);" ] } } }Note the following features of the route:
-
The route matches requests to
/http-basic-access. -
The ScriptableHandler rewrites the request to target it to
/http-basic-protected-resource, and then calls the HTTP client, that has been redefined to use the httpBasicAuthEnabledClientHandler. -
The httpBasicAuthEnabledClientHandler calls the HttpBasicAuthenticationClientFilter to authenticate the client, using the client’s credentials.
-
-
Add the following route to IG:
$HOME/.openig/config/routes/http-basic-protected-resource.json
appdata\OpenIG\config\routes\http-basic-protected-resource.json
{ "name": "http-basic-protected-resource", "condition": "${find(request.uri.path, '^/http-basic-protected-resource')}", "handler": { "type": "Chain", "config": { "filters": [ { "name": "HttpBasicAuthResourceServerFilter", "type": "ScriptableFilter", "config": { "type": "application/x-groovy", "file": "BasicAuthResourceServerFilter.groovy", "args": { "realm": "IG Protected Area", "username": "myclient", "password": "password" } } } ], "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": ["text/html"] }, "entity": "<html><body><h2>Access Granted</h2></body></html>" } } } } }Notice the following features of the route:
-
The route matches requests to
/http-basic-protected-resource. -
The ScriptableFilter provides a script to implement a simple HTTP Basic Authentication mechanism, that compares the provided credentials with the expected credentials.
-
When the client is authenticated, the StaticResponseHandler returns a message that access is granted.
-
-
Access the route on http://openig.example.com:8080/http-basic-access.
Because the expected credentials were provided in the request, a message shows that access is granted.
HttpBasicAuthFilter
Authenticate clients by providing the client credentials as a basic authorization header in the request. The credentials are base64-encoded.
This filter performs authentication through the HTTP Basic authentication scheme, described in RFC 2617.
Use this filter primarily for password replay scenarios, where the password is stored externally in clear text.
If challenged for authentication via a 401 Unauthorized status code by the
server, this filter retries the request with credentials attached. After an HTTP
authentication challenge is issued from the remote server, all subsequent
requests to that remote server that pass through the filter include the user
credentials.
If authentication fails (including the case where no credentials are yielded from expressions), then processing is diverted to the specified authentication failure handler.
Usage
{
"name": string,
"type": "HttpBasicAuthFilter",
"config": {
"username": runtime expression<string>,
"password": runtime expression<string>,
"failureHandler": Handler reference,
"cacheHeader": boolean
}
}Properties
"username": runtime expression<string>, required-
The username to supply during authentication.
See also Expressions.
"password": runtime expression<string>, required-
The password to supply during authentication.
See also Expressions.
"failureHandler": Handler reference, required-
Dispatch to this Handler if authentication fails.
Provide either the name of a Handler object defined in the heap, or an inline Handler configuration object.
See also Handlers.
"cacheHeader": boolean, optional-
Whether or not to cache credentials in the session after the first successful authentication, and then replay those credentials for subsequent authentications in the same session.
With
"cacheHeader": false, the filter generates the header for each request. This is useful, for example, when users change their passwords during a browser session.Default:
true
Example
{
"name": "TomcatAuthenticator",
"type": "HttpBasicAuthFilter",
"config": {
"username": "tomcat",
"password": "tomcat",
"failureHandler": "TomcatAuthFailureHandler",
"cacheHeader": false
}
}IdTokenValidationFilter
Validates an ID token by checking the standard claims, aud, exp, and
iat. If specified in the configuration, this filter also checks the
ID token issuer and signature.
This filter passes data into the context as follows:
-
If the JWT is validated, the request continues down the chain. The data is provided in the JwtValidationContext.
-
If the JWT is not validated, data is provided in the JwtValidationErrorContext.
If a failure handler is configured, the request passes to the failure handler. Otherwise, an HTTP 403 Forbidden is returned.
The iat claim is required, and the iat minus the skewAllowance must be
before the current time on the IG clock. For information, see
OpenID Connect Core 1.0 incorporating errata set 1.
Usage
{
"name": string,
"type": "IdTokenValidationFilter",
"config": {
"idToken": runtime expression<string>,
"audience": configuration expression<string>,
"issuer": configuration expression<string>,
"skewAllowance": configuration expression<duration>,
"verificationSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"customizer": JwtValidatorCustomizer reference,
"failureHandler": handler reference
}
}Properties
"idToken": runtime expression<string>, required-
The ID token as an expression representing the JWT or signed JWT in the request. Cannot be null.
"audience": configuration expression<string>, required-
The
audclaim to check on the JWT. Cannot be null. "issuer": configuration expression<string>, optional-
The
issclaim to check on the JWT. Can be null.
"skewAllowance": configuration expression<duration>, optional-
The duration to add to the validity period of a JWT to allow for clock skew between different servers. To support a zero-trust policy, the skew allowance is by default zero.
A
skewAllowanceof 2 minutes affects the validity period as follows:-
A JWT with an
iatof 12:00 is valid from 11:58 on the IG clock. -
A JWT with an
exp13:00 is expired after 13:02 on the IG clock.
Default:
zero -
"verificationSecretId": configuration expression<secret-id>, required to verify the signature of signed tokens-
The secret ID for the secret to verify the signature of signed tokens.
If configured, the token must be signed. If not configured, IG does not verify the signature.
For information about how signatures are validated, see Validating the Signature of Signed Tokens. For information about how each type of secret store resolves named secrets, see Secrets.
"secretsProvider": SecretsProvider reference, required to verify the signature of signed JWTs-
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
"customizer": JwtValidatorCustomizer reference, optional-
Defines a set of validation constraints for JWT claims and sub-claims. If a claim is not validated against the constraint, the JWT is not validated.
The customizer does not override existing constraints, such as
aud,iss,exp, andiat, which are predefined in the IdTokenValidationFilter, Defining a new constraint on an already constrained claim has an impact only if the new constraint is more restrictive.JwtValidatorCustomizer provides a ScriptableJwtValidatorCustomizer to enrich a
builderobject by using its methods. Get more information about the following items:-
The
builderobject, at Available Objects. -
Transformer methods, to enrich the builder object, at org.forgerock.openig.util.JsonValues.
-
Constraints, at org.forgerock.openig.tools.jwt.Constraints.
-
Other properties for ScriptableJwtValidatorCustomizer, at Scripts.
The following examples provide checks:
- Check that the value of the claim '/greaterThan5' is greater than 5
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('/greaterThan5', JsonValue::asInteger, isGreaterThan(5))" ] } } - Check that the value of the claim
subisgeorge -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('subname', JsonValue::asString, isEqualTo('george'))" ] } } - Check that the value of the custom sub-claim is
ForgeRock -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('customclaim/subclaim', JsonValue::asString, isEqualTo('ForgeRock'));" ] } } - Check the value of multiple claims
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('aud', listOf(JsonValue::asString), contains('My App'))", " .claim('iat', instant(), isInThePast())", " .claim('exp', instant(), isInTheFuture());", "builder.claim('iss', JsonValue::asString, isEqualTo('ForgeRock AM'));" ] } } - Check that the value of
/val1is greater than the value of/val2 -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('/val1', JsonValue::asInteger, isGreaterThan(claim('/val2').asInteger()))" ] } } - Check that the claim issuer matches the regex pattern
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('iss', JsonValue::asString, matches(~/.*am\.example\.(com|org)/))" ] } }
-
Default: Claims are not validated
"failureHandler": handler reference, optional-
Handler to treat the request on failure.
Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
Example
-
Set up AM:
-
Set up AM as described in Validate Access_Tokens Through the Introspection Endpoint.
-
Select Applications > OAuth 2.0 > Clients, and add the additional scope
openidtoclient-application.
-
-
Set up IG:
-
Add the following route to IG:
$HOME/.openig/config/routes/idtokenvalidation.json
appdata\OpenIG\config\routes\idtokenvalidation.json
{ "name": "idtokenvalidation", "condition": "${find(request.uri.path, '^/idtokenvalidation')}", "capture": "all", "handler": { "type": "Chain", "config": { "filters": [{ "type": "IdTokenValidationFilter", "config": { "idToken": "<id_token_value>", "audience": "client-application", "issuer": "http://openam.example.com:8088/openam/oauth2", "failureHandler": { "type": "ScriptableHandler", "config": { "type": "application/x-groovy", "source": [ "def response = new Response(Status.FORBIDDEN)", "response.headers['Content-Type'] = 'text/html; charset=utf-8'", "def errors = contexts.jwtValidationError.violations.collect{it.description}", "def display = \"<html>Can't validate id_token:<br> ${contexts.jwtValidationError.jwt} \"", "display <<=\"<br><br>For the following errors:<br> ${errors.join(\"<br>\")}</html>\"", "response.entity=display as String", "return response" ] } }, "verificationSecretId": "verify", "secretsProvider": { "type": "JwkSetSecretStore", "config": { "jwkUrl": "http://openam.example.com:8088/openam/oauth2/connect/jwk_uri" } } } }], "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/html" ] }, "entity": "<html><body>Validated id_token:<br> ${contexts.jwtValidation.value}</body></html>" } } } } }Notice the following features of the route:
-
The route matches requests to
/idtokenvalidation. -
A SecretsProvider declares a JwkSetSecretStore to validate secrets for signed JWTs, which specifies the URL to a JWK set on AM that contains the signing keys.
-
The property
verificationSecretIdis configured with a value. If this property is not configured, the filter does not verify the signature of tokens. -
The JwkSetSecretStore specifies the URL to a JWK set on AM, that contains signing keys identified by a
kid. The signature of the token is verified as follows:-
If the value of a
kidin the JWK set matches akidin the the signed JWT, the JwkSetSecretStore verifies the signature. -
If the JWT doesn’t have a
kid, or if the JWK set doesn’t contain a key with the same value, the JwkSetSecretStore looks for valid secrets with the same purpose as the value ofverificationSecretId.
-
-
If the filter validates the token, the StaticResponseHandler displays the token value from the context
${contexts.jwtValidation.value}. Otherwise, the ScriptableHandler displays the token value and a list of violations from the context${contexts.jwtValidationError.violations}
-
-
-
Test the setup:
-
In a terminal window, use a
curlcommand similar to the following to retrieve an id_token:$ curl -s \ --user "client-application:password" \ --data "grant_type=password&username=demo&password=Ch4ng31t&scope=openid" \ http://openam.example.com:8088/openam/oauth2/access_token { "access_token":"...", "scope":"openid", "id_token":"...", "token_type":"Bearer", "expires_in":3599 }-
In the route, replace
<id_token_value>with the value of theid_tokenreturned in the previous step.
-
-
Access the route on http://openig.example.com:8080/idtokenvalidation.
The validated token is displayed.
-
In the route, invalidate the token by changing the value of the audience or issuer, and then access the route again.
The value of the token, and the reasons that the token is invalid, are displayed.
-
-
JwtBuilderFilter
Collects data at runtime, packs it in a JSON Web Token (JWT), and places the resulting JWT into the JwtBuilderContext.
Configure JwtBuilderFilter to create an unsigned JWT, a signed JWT, or a signed then encrypted JWT:
-
Sign the JWT so that an application can validate the authenticity of the claims/data. The JWT can be signed with a shared secret or private key, and verified with a shared secret or corresponding public key.
-
Encrypt the JWT to reduce the risk of a data breach.
For a flexible way to pass identity or other runtime information to the protected application, use this filter with a HeaderFilter.
To enable downstream filters and handlers to verify signed and/or encrypted JWTs built by this filter, use this filter with a JwkSetHandler.
Usage
{
"name": string,
"type": "JwtBuilderFilter",
"config": {
"template": map or runtime expression<map>,
"secretsProvider": SecretsProvider reference,
"signature": object
}
}Properties
"template": map or runtime expression<map>, required-
A map of information taken from the request or associated contexts in IG.
If this property is a map, the structure must have the format
Map<String, Object>. For example,"template": { "name": "${contexts.userProfile.commonName}", "email": "${contexts.userProfile.rawInfo.mail[0]}", "address": "${contexts.userProfile.rawInfo.postalAddress[0]}", "phone": "${contexts.userProfile.rawInfo.telephoneNumber[0]}" }If this property is an expression, its evaluation must give an object of type
Map<String, Object>. For example,"template": "${contexts.attributes}"See also Expressions.
"secretsProvider": SecretsProvider reference, optional-
The SecretsProvider object to query for JWT signing or encryption keys. For more information, see SecretsProvider.
Default: The route’s default secret service. For more information, see Default Secrets Object.
"signature": object, optional-
A JWT signature to allow the authenticity of the claims/data to be validated. A signed JWT can be encrypted.
{ "signature": { "secretId": configuration expression<secret-id>, "algorithm": configuration expression<string>, "encryption": object } }"secretId": configuration expression<secret-id>, required ifsignatureis used-
The secret ID of the key used to sign the JWT.
"algorithm": expression<string>, optional-
The algorithm with which to sign the JWT.
The following algorithms are supported but not necessarily tested in IG:
-
Algorithms described in Cryptographic Algorithms for Digital Signatures and MACs.
For RSASSA-PSS, you must install Bouncy Castle. For information, see The Legion of the Bouncy Castle.
-
From IG 6.1,
Ed25519described in CFRG Elliptic Curve Diffie-Hellman (ECDH) and Signatures.
Default: RS256
-
"encryption": object, optional-
Encrypt the JWT.
{ "encryption": { "secretId": configuration expression<secret-id>, "algorithm": configuration expression<string>, "method": configuration expression<enumeration> } }"secretId": configuration expression<secret-id>, optional-
The secret ID of the key used to encrypt the JWT. The value is mapped to key
aliasesin KeyStoreSecretStore.
For information about supported formats for secret-id, see
secret-id.
"algorithm": expression<string>, required-
The algorithm used to encrypt the JWT.
For information about available algorithms, see "alg" (Algorithm) Header Parameter Values for JWE.
"method": configuration expression<enumeration>, required-
The method used to encrypt the JWT.
For information about available methods, see "enc" (Encryption Algorithm) Header Parameter Values for JWE.
Examples
For examples, see Pass Identity and Other Runtime Data Downstream
JwtValidationFilter
Validates an unsigned, signed, encrypted, or signed and encrypted JWT. The order of signing and encryption is not important; a JWT can be signed and then encrypted, or encrypted and then signed.
If the JWT is validated, the request continues down the chain. The data is provided in the JwtValidationContext.
If the JWT is not validated, data is provided in the JwtValidationErrorContext. If a failure handler is configured, the request passes to the failure handler. Otherwise, an HTTP 403 Forbidden is returned.
Usage
{
"name": string,
"type": "JwtValidationFilter",
"config": {
"jwt": runtime expression<string>,
"verificationSecretId": configuration expression<secret-id>,
"decryptionSecretId": configuration expression<secret-id>,
"secretsProvider": SecretsProvider reference,
"skewAllowance": configuration expression<duration>,
"customizer": JwtValidatorCustomizer reference,
"failureHandler": handler reference
}
}Properties
"jwt": runtime expression<string>, required-
The value of the JWT in the request. Cannot be null.
"verificationSecretId": configuration expression<secret-id>, required to verify the signature of signed tokens-
The secret ID for the secret to verify the signature of signed tokens.
If configured, the token must be signed. If not configured, IG does not verify the signature.
For information about how signatures are validated, see Validating the Signature of Signed Tokens. For information about how each type of secret store resolves named secrets, see Secrets.
"decryptionSecretId": configuration expression<secret-id>, required if AM secures access_tokens with encryption-
The secret ID for the secret to verify the encryption of tokens.
If configured, the token must be encrypted. If not configured, IG does not verify the encryption.
For information about how each type of secret store resolves named secrets, see Secrets.
"secretsProvider": SecretsProvider reference, required to verify the signature of signed JWTs-
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
"customizer": JwtValidatorCustomizer reference, optional-
Defines a set of validation constraints for JWT claims and sub-claims. If a claim is not validated against the constraint, the JWT is not validated.
The customizer does not override existing constraints, such as
aud,iss,exp, andiat, which are predefined in the IdTokenValidationFilter, Defining a new constraint on an already constrained claim has an impact only if the new constraint is more restrictive.JwtValidatorCustomizer provides a ScriptableJwtValidatorCustomizer to enrich a
builderobject by using its methods. Get more information about the following items:-
The
builderobject, at Available Objects. -
Transformer methods, to enrich the builder object, at org.forgerock.openig.util.JsonValues.
-
Constraints, at org.forgerock.openig.tools.jwt.Constraints.
-
Other properties for ScriptableJwtValidatorCustomizer, at Scripts.
The following examples provide checks:
- Check that the value of the claim '/greaterThan5' is greater than 5
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('/greaterThan5', JsonValue::asInteger, isGreaterThan(5))" ] } } - Check that the value of the claim
subisgeorge -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('subname', JsonValue::asString, isEqualTo('george'))" ] } } - Check that the value of the custom sub-claim is
ForgeRock -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('customclaim/subclaim', JsonValue::asString, isEqualTo('ForgeRock'));" ] } } - Check the value of multiple claims
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('aud', listOf(JsonValue::asString), contains('My App'))", " .claim('iat', instant(), isInThePast())", " .claim('exp', instant(), isInTheFuture());", "builder.claim('iss', JsonValue::asString, isEqualTo('ForgeRock AM'));" ] } } - Check that the value of
/val1is greater than the value of/val2 -
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('/val1', JsonValue::asInteger, isGreaterThan(claim('/val2').asInteger()))" ] } } - Check that the claim issuer matches the regex pattern
-
"customizer": { "type": "ScriptableJwtValidatorCustomizer", "config": { "type": "application/x-groovy", "source": [ "builder.claim('iss', JsonValue::asString, matches(~/.*am\.example\.(com|org)/))" ] } }
-
Default: Claims are not validated
"skewAllowance": configuration expression<duration>, optional-
The duration to add to the validity period of a JWT to allow for clock skew between different servers. To support a zero-trust policy, the skew allowance is by default zero.
A
skewAllowanceof 2 minutes affects the validity period as follows:-
A JWT with an
iatof 12:00 is valid from 11:58 on the IG clock. -
A JWT with an
exp13:00 is expired after 13:02 on the IG clock.
Default:
zero -
"failureHandler": handler reference, optional-
Handler to treat the request on failure.
Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
Example
-
Set up AM as described in Validate Access_Tokens Through the Introspection Endpoint, and add the additional scope
openidto the OAuth 2.0 Client. -
In a terminal window, use a
curlcommand similar to the following to retrieve a JWT:$ curl -s \ --user "client-application:password" \ --data "grant_type=password&username=demo&password=Ch4ng31t&scope=openid" \ http://openam.example.com:8088/openam/oauth2/access_token | jq . { "access_token":"...", "scope":"openid", "id_token":"...", "token_type":"Bearer", "expires_in":3599 } -
Add the following route to IG, and replace
<jwt_value>with the value of theid_tokenreturned in the previous step:$HOME/.openig/config/routes/jwtvalidation.json
appdata\OpenIG\config\routes\jwtvalidation.json
{ "name": "jwtvalidation", "condition": "${find(request.uri.path, '^/jwtvalidation')}", "capture": "all", "handler": { "type": "Chain", "config": { "filters": [{ "type": "JwtValidationFilter", "config": { "jwt": "<jwt_value>", "failureHandler": { "type": "ScriptableHandler", "config": { "type": "application/x-groovy", "source": [ "def response = new Response(Status.FORBIDDEN)", "response.headers['Content-Type'] = 'text/html; charset=utf-8'", "def errors = contexts.jwtValidationError.violations.collect{it.description}", "def display = \"<html>Can't validate JWT:<br> ${contexts.jwtValidationError.jwt} \"", "display <<=\"<br><br>For the following errors:<br> ${errors.join(\"<br>\")}</html>\"", "response.entity=display as String", "return response" ] } }, "verificationSecretId": "verify", "secretsProvider": { "type": "JwkSetSecretStore", "config": { "jwkUrl": "http://openam.example.com:8088/openam/oauth2/connect/jwk_uri" } } } }], "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/html" ] }, "entity": "<html><body>Validated JWT:<br> ${contexts.jwtValidation.value}</body></html>" } } } } }Notice the following features of the route:
-
The route matches requests to
/jwtvalidation. -
The property
secretsProviderdeclares a JwkSetSecretStore to validate secrets for signed JWTs, specifying the URL to a JWK set on AM that contains the signing keys. -
If the filter validates the token, the StaticResponseHandler displays the JWT value from the context
${contexts.jwtValidation.value}. Otherwise, the ScriptableHandler displays the JWT value and a list of violations from the context${contexts.jwtValidationError.violations}
-
-
Test the setup:
-
Access the route on http://openig.example.com:8080/jwtvalidation.
The JWT is displayed.
-
In the route, invalidate the JWT by changing its value, and then access the route again.
The value of the JWT, and the reasons that the JWT is invalid, are displayed.
-
-
Set up keys and AM as described in Validating Encrypted Access_Tokens With the StatelessAccessTokenResolver and KeyStoreSecretStore.
-
In a terminal window, use a
curlcommand similar to the following to retrieve a JWT:$ curl -s \ --user "client-application:password" \ --data "grant_type=password&username=demo&password=Ch4ng31t&scope=myscope" \ http://openam.example.com:8088/openam/oauth2/access_token | jq . { "access_token": "eyJ...pvw", "scope": "myscope", "token_type": "Bearer", "expires_in": 3598 } -
Add the following route to IG, and replace
<jwt_value>with the value of the access_token returned in the previous step, and ig_keystore_directory with your directory:$HOME/.openig/config/routes/jwtvalidation-encrypted
appdata\OpenIG\config\routes\jwtvalidation-encrypted
{ "name": "jwtvalidation-encrypted", "condition": "${find(request.uri.path, '^/jwtvalidation-encrypted')}", "capture": "all", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "KeyStoreSecretStore-1", "type": "KeyStoreSecretStore", "config": { "file": "<ig_keystore_directory>/IG_keystore.p12", "storeType": "PKCS12", "storePassword": "keystore.secret.id", "keyEntryPassword": "keystore.secret.id", "secretsProvider": "SystemAndEnvSecretStore-1", "mappings": [ { "secretId": "stateless.access.token.decryption.key", "aliases": [ "decryption-key" ] } ] } } ], "handler": { "type": "Chain", "config": { "filters": [{ "type": "JwtValidationFilter", "config": { "jwt": "<jwt_value>", "failureHandler": { "type": "ScriptableHandler", "config": { "type": "application/x-groovy", "source": [ "def response = new Response(Status.FORBIDDEN)", "response.headers['Content-Type'] = 'text/html; charset=utf-8'", "def errors = contexts.jwtValidationError.violations.collect{it.description}", "def display = \"<html>Can't validate JWT:<br> ${contexts.jwtValidationError.jwt} \"", "display <<=\"<br><br>For the following errors:<br> ${errors.join(\"<br>\")}</html>\"", "response.entity=display as String", "return response" ] } }, "secretsProvider": "KeyStoreSecretStore-1", "decryptionSecretId": "stateless.access.token.decryption.key" } }], "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/html" ] }, "entity": "<html>Validated JWT:<br> ${contexts.jwtValidation.value}</html>" } } } } }Notice the following features of the route compared to
jwtvalidation.json:-
The route matches requests to
/jwtvalidation-encrypted. -
The JwtValidationFilter uses the KeyStoreSecretStore in the heap to provide secrets for verification and decryption of the access_token. The secrets IDs are mapped in the KeyStoreSecretStore.
-
The KeyStoreSecretStore password is provided by the SystemAndEnvSecretStore in the heap.
-
-
Test the setup:
-
Access the route on http://openig.example.com:8080/jwtvalidation-encrypted.
The JWT is displayed.
-
In the route, invalidate the JWT by changing its value, and then access the route again.
The value of the JWT, and the reasons that the JWT is invalid, are displayed.
-
LocationHeaderFilter
For a response that generates a redirect to the proxied application, this filter rewrites the Location header on the response to redirect the user to IG.
Usage
{
"name": string,
"type": "LocationHeaderFilter",
"config": {
"baseURI": runtime expression<uri string>
}
}An alternative value for type is RedirectFilter.
Properties
"baseURI": runtime expression<uri string>, optional-
The base URI of the IG instance. This is used to rewrite the Location header on the response.
The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri.Default: Redirect to the original URI specified in the request.
See also Expressions.
Example
In the following example, IG listens on https://openig.example.com:443
and the application it protects listens on http://app.example.com:8081. The
filter rewrites redirects that would normally take the user to locations under
http://app.example.com:8081 to go instead to locations under
https://openig.example.com:443.
{
"name": "LocationRewriter",
"type": "LocationHeaderFilter",
"config": {
"baseURI": "https://openig.example.com:443/"
}
}OAuth2ClientFilter
The OAuth2ClientFilter uses OAuth 2.0 delegated authorization to authenticate end users. The filter can act as an OpenID Connect relying party or as an OAuth 2.0 client.
OAuth2ClientFilter performs the following tasks:
-
Allows the user to select an authorization server from one or more static client registrations, or by discovery and dynamic registration.
In static client registration, authorization servers are provided by Issuer, and registrations are provided by ClientRegistration.
-
Redirects the user through the authentication and authorization steps of an OAuth 2.0 authorization code grant, which results in the authorization server returning an access_token to the filter.
-
When an authorization grant succeeds, injects the access_token data into a configurable target in the context so that subsequent filters and handlers can access the access_token. Subsequent requests can use the access_token without authenticating again.
-
When an authorization grant fails, invokes a failureHandler.
Service URIs
Service URIs are constructed from the clientEndpoint, as follows:
clientEndpoint/login/?discovery=user-input&goto=url-
Discover and register dynamically with the end user’s OpenID Provider or with the client registration endpoint as described in RFC 7591, using the value of user-input.
After successful registration, redirect the end user to the provider for authentication and authorization consent. Then redirect the user-agent back to the callback client endpoint, and then the goto URI.
The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.
To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
Supported with OpenAM 13 and later versions, and AM 5 and later versions.
clientEndpoint/login?registration=clientId&issuer=issuerName&goto=url-
Redirect the end user for authorization with the specified registration, defined by the ClientRegistration’s
clientIdandissuerName. For information, see ClientRegistration.The provider corresponding to the registration then authenticates the end user and obtains authorization consent before redirecting the user-agent back to the callback client endpoint.
If successful, the filter saves the authorization state in the session and redirects the user-agent to the goto URL.
The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.
To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
clientEndpoint/logout?goto=url-
Remove the authorization state for the end user, and redirect the request to the goto URL.
The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.
To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
If no goto URL is specified in the request, use
defaultLogoutGoto. clientEndpoint/callback-
Handle the callback from the OAuth 2.0 authorization server, that occurs as part of the authorization process.
If the callback is handled successfully, the filter saves the authorization state in the context at the specified target location and redirects to the URL provided to the login endpoint during login.
- Other request URIs
-
Restore the authorization state in the specified target location, and call the next filter or handler in the chain.
Usage
{
"name": string,
"type": "OAuth2ClientFilter",
"config": {
"clientEndpoint": runtime expression<uri string>,
"failureHandler": Handler reference,
"loginHandler": Handler reference,
"registrations": [ ClientRegistration reference, ... ],
"metadata": dynamic registration client metadata object,
"cacheExpiration": configuration expression<duration>,
"executor": executor service reference,
"target": configuration expression<lvalue-expression>,
"defaultLoginGoto": runtime expression<uri string>,
"defaultLogoutGoto": runtime expression<uri string>,
"requireHttps": configuration expression<boolean>,
"requireLogin": configuration expression<boolean>,
"issuerRepository": Issuer repository reference,
"discoveryHandler": Handler reference,
"discoverySecretId": configuration expression<secret-id>,
"tokenEndpointAuthMethod": configuration expression<enumeration>,
"tokenEndpointAuthSigningAlg": configuration expression<string>,
"secretsProvider": SecretsProvider reference
}
}Properties
"clientEndpoint": runtime expression<uri string>, required-
The URI to the client endpoint.
So that routes can accept redirects from the authorization server to the callback endpoint, the
clientEndpointmust be the same as the route condition or a sub path of the route condition. For example:-
The same as the route condition:
"condition": "${find(request.uri.path, '^/discovery')}""clientEndpoint": "/discovery" -
As a sub path of the route condition:
"condition": "${find(request.uri.path, '^/home/id_token')}""clientEndpoint": "/home/id_token/sub-path"Service URIs are constructed from the
clientEndpoint. For example, whenclientEndpointisopenid, the service URIs are/openid/login,/openid/logout, and/openid/callback. These endpoints are implicitly reserved, and attempts to access them directly can cause undefined errors.The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri.See also Expressions.
-
"failureHandler": handler reference, required-
An inline handler configuration object, or the name of a handler object that is defined in the heap.
When the OAuth 2.0 Resource Server denies access to a resource, the failure handler can be invoked only if the error response contains a WWW-Authenticate header (meaning that there was a problem with the OAuth 2.0 exchange). All other responses are forwarded to the user-agent without invoking the failure handler.
If the value of the WWW-Authenticate header is
invalid_token, the OAuth2ClientFilter tries to refresh the access_token:-
If the token is refreshed, the OAuth2ClientFilter tries again to access the protected resource.
-
If the token is not refreshed, or if the second attempt to access the protected resource fails, the OAuth2ClientFilter invokes the failure handler.
When the failure handler is invoked, the target in the context can be populated with information such as the exception, client registration, and error. The failure object in the target is a simple map, similar to the following example:
{ "client_registration": "ClientRegistration name string", "error": { "realm": "optional string", "scope": [ "optional scope string (required by the client)", ... ], "error": "optional string", "error_description": "optional string", "error_uri": "optional string" }, "access_token": "string", "id_token": "string", "token_type": "Bearer", "expires_in": "number", "scope": [ "optional scope string", ... ], "client_endpoint": "URL string", "exception": exception }In the failure object, the following fields are not always present. Their presence depends on when the failure occurs:
-
"access_token"
-
"id_token"
-
"token_type"
-
"expires_in"
-
"scope"
-
"client_endpoint"
See also Handlers.
-
-
"loginHandler": Handler reference, required if there are zero or multiple client registrations, optional if there is one client registration-
Use this Handler when the user must choose an authorization server. When
registrationscontains only one client registration, this Handler is optional but is displayed if specified.Provide either the name of a Handler object defined in the heap, or an inline Handler configuration object.
See also Handlers.
"registrations": Array of ClientRegistration references or inline ClientRegistration declarations, optional-
List of client registrations that authenticate IG to the authorization server. The list must contain all client registrations that are to be used by the client filter.
The value represents a static client registration with an authorization server, as described in ClientRegistration.
"metadata": client metadata object, required for dynamic client registration and ignored otherwise-
This object holds client metadata as described in OpenID Connect Dynamic Client Registration 1.0, and optionally a list of scopes. See that document for additional details and a full list of fields.
This object can also hold client metadata as described in RFC 7591, OAuth 2.0 Dynamic Client Registration Protocol. See that RFC for additional details.
The following partial list of metadata fields is not exhaustive, but includes metadata that is useful with AM as OpenID Provider:
"redirect_uris": array of URI strings, required-
The array of redirection URIs to use when dynamically registering this client.
One of the registered values must match the
clientEndpoint. "client_name": string, optional-
Name of the client to present to the end user.
"scope": space separated string, optional-
Space separated string of scopes to request of the OpenID Provider, for example:
"scope": "openid profile"This property is available for dynamic client registration with AM 5.5 and later versions, or with authorization servers that support RFC 7591, OAuth 2.0 Dynamic Client Registration Protocol
Use both
scopeandscopesto dynamically register with a wider range of identity providers. "scopes": array of strings, optional-
Array of scope strings to request of the OpenID Provider, for example:
"scopes": [ "openid", "profile", "email" ]This property is available for dynamic client registration with AM 5.5 and earlier versions only.
Use both
scopeandscopesto dynamically register with a wider range of identity providers.
"cacheExpiration": configuration expression<duration>, optional-
Duration for which to cache user-info resources.
IG lazily fetches user info from the OpenID provider. In other words, IG only fetches the information when a downstream Filter or Handler uses the user info. Caching allows IG to avoid repeated calls to OpenID providers when reusing the information over a short period.
Default: 10 minutes
Set this to disabled or zero to disable caching. When caching is disabled, user info is still lazily fetched.
"executor": executor service reference, optional-
An executor service to schedule the execution of tasks, such as the eviction of entries in the OpenID Connect user information cache.
Default:
ScheduledExecutorServiceSee also ScheduledExecutorService.
"target": configuration expression<lvalue-expression>, optional-
An expression that yields the target object. Downstream filters and handlers can use data in the target to enrich the existing request or create a new request.
When the
targetisopenid, the following information can be provided in${attributes.openid}:-
access_token: The value of the OAuth 2.0 access_token -
client_endpoint: The URL to the client endpoint -
client_registration: The client ID of the OAuth 2.0 client that enables IG to communicate as an OAuth 2.0 client with an authorization server -
expires_in: Number of milliseconds until the token expires -
id_token_claims: The claims used in the token -
scope: The scopes associated with the token -
token_type: The type or authentication token -
user_info: The profile attributes of an authenticated user
Data is provided to the target as follows:
-
If the authorization process completes successfully, the OAuth2ClientFilter injects the authorization state data into the target. In the following example, a downstream StaticRequestFilter retrieves the username and password from the target to log the user in to the sample application.
{ "type": "StaticRequestFilter", "config": { "method": "POST", "uri": "http://app.example.com:8081/login", "form": { "username": [ "${attributes.openid.user_info.sub}" ], "password": [ "${attributes.openid.user_info.family_name}" ] } } }For information about setting up this example, see Authenticate Automatically to the Sample Application.
-
If the failure handler is invoked, the target can be populated with information such as the exception, client registration, and error, as described in "failureHandler" in this reference page.
Default:
${attributes.openid}See also Expressions.
-
"defaultLoginGoto": runtime expression<uri string>, optional-
After successful authentication and authorization, if the user accesses the
clientEndpoint/loginendpoint without providing a landing page URL in thegotoparameter, the request is redirected to this URI.The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.
To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri.Default: return an empty page.
"defaultLogoutGoto": runtime expression<uri string>, optional-
If the user accesses the
clientEndpoint/logoutendpoint without providing a goto URL, the request is redirected to this URI.The goto URL must use the same scheme, host, and port as the original URI, or be a relative URI (just the path). Otherwise, the request fails with an error.
To redirect a request to a site that does not meet the goto URL criteria, change the original URI by using a ForwardedRequestFilter.
The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri.Default: return an empty page.
"requireHttps": configuration expression<boolean>, optional-
Whether to require that original target URI of the request (
originalUriin UriRouterContext) uses the HTTPS scheme.If the request received by the web container is not using HTTPS, the request is rejected.
Default: true.
"requireLogin": configuration expression<boolean>, optional-
Whether to require authentication for all incoming requests.
Default: true.
"issuerRepository": Issuer repository reference, optional-
A repository of OAuth 2.0 issuers, built from discovered issuers and the IG configuration.
Provide the name of an IssuerRepository object defined in the heap.
Default: Look up an issuer repository named
IssuerRepositoryin the heap. If none is explicitly defined, then a default one namedIssuerRepositoryis created in the current route.See also IssuerRepository.
"discoveryHandler": Handler reference, optional-
Use this property for discovery and dynamic registration of OpenID Connect clients.
Provide either the name of a Handler object defined in the heap, or an inline Handler configuration object. Usually set this to the name of a ClientHandler configured in the heap, or a chain that ends in a ClientHandler.
Default: The default ClientHandler.
See also Handlers, ClientHandler.
"discoverySecretId": configuration expression<secret-id>, required for discovery and dynamic registration-
Use this property for discovery and dynamic registration of OAuth 2.0 clients.
Specifies the secret ID of the secret that is used to sign a JWT before the JWT is sent to the authorization server.
If
discoverySecretIdis used, then thetokenEndpointAuthMethodis alwaysprivate_key_jwt. "tokenEndpointAuthMethod": configuration expression<enumeration>, optional-
Use this property for discovery and dynamic registration of OAuth 2.0 clients.
The authentication method with which a client authenticates to the authorization server or OpenID provider at the token endpoint. For information about client authentication methods, see OpenID Client Authentication. The following client authentication methods are allowed:
-
client_secret_basic: Clients that have received aclient_secretvalue from the authorization server authenticate with the authorization server by using the HTTP Basic authentication scheme, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Authorization: Basic .... Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=... -
client_secret_post: Clients that have received aclient_secretvalue from the authorization server authenticate with the authorization server by including the client credentials in the request body, as in the following example:POST /oauth2/token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code&; client_id=...& client_secret=...& code=... -
private_key_jwt: Clients send a signed JSON Web Token (JWT) to the authorization server. IG builds and signs the JWT, and prepares the request as in the following example:POST /token HTTP/1.1 Host: as.example.com Content-Type: application/x-www-form-urlencoded grant_type=authorization_code& code=...& client_id=<clientregistration_id>& client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer& client_assertion=PHNhbWxwOl ... ZTIf the authorization server doesn’t support
private_key_jwt, a dynamic registration falls back on the method returned by the authorization server, for example,client_secret_basicorclient_secret_post.If
tokenEndpointAuthSigningAlgis not configured, theRS256signing algorithm is used forprivate_key_jwt.Consider these points for identity providers:
-
Some providers accept more than one authentication method.
-
If a provider strictly enforces how the client must authenticate, align the authentication method with the provider.
-
If a provider doesn’t support the authentication method, the provider sends an HTTP 400 Bad Request response with an
invalid_clienterror message, according to RFC 6749 The OAuth 2.0 Authorization Framework, section 5.2 . -
If the authentication method is invalid, the provider sends an
IllegalArgumentException.
Default: If
discoverySecretIdis used, then thetokenEndpointAuthMethodis alwaysprivate_key_jwt. Otherwise, it isclient_secret_basic."tokenEndpointAuthSigningAlg": configuration expression<string>, optional-
The JSON Web Algorithm (JWA) used to sign the JWT that is used to authenticate the client at the token endpoint. The property is used when
private_key_jwtis used for authentication.If the authorization server sends a notification to use a different algorithm to sign the JWT, that algorithm is used.
Default: If
discoverySecretIdis used, then thetokenEndpointAuthSigningAlgisRS256. Otherwise, it is not used. "secretsProvider": SecretsProvider reference, required-
The SecretsProvider to use to resolve queried secrets, such as passwords and cryptographic keys. Provide either the name of a SecretsProvider object defined in the heap, or specify a SecretsProvider object inline.
-
More Information
OpenID Connect site, in particular the list of standard OpenID Connect 1.0 scope values
OAuth2ResourceServerFilter
Validates a request containing an OAuth 2.0 access_token. The filter expects an
OAuth 2.0 token from the HTTP Authorization header of the request, such as the
following example header, where the OAuth 2.0 access_token is 1fc…ec9:
Authorization: Bearer 1fc...ec9The filter performs the following tasks:
-
Extracts the access_token from the request header.
-
Uses the configured access_token resolver to resolve the access_token against an authorization server, and validate the token claims.
-
Checks that the token has the scopes required by the filter configuration.
-
Injects the access_token info into the OAuth2Context.
The following errors can occur during access_token validation:
| Error | Response from the filter to the user-agent |
|---|---|
Combination of the filter configuration and access_token result in an invalid request to the authorization server. |
|
There is no access_token in the request header. |
|
The access_token isn’t valid, for example, because it has expired. |
|
The access_token doesn’t have all of the scopes required in the OAuth2ResourceServerFilter configuration. |
|
Usage
{
"name": string,
"type": "OAuth2ResourceServerFilter",
"config": {
"accessTokenResolver": AccessTokenResolver reference,
"cache": object,
"executor": executor,
"requireHttps": configuration expression<boolean>,
"realm": string,
"scopes": [ runtime expression<string>, ... ] or object
}
}An alternative value for type is OAuth2RSFilter.
Properties
"accessTokenResolver": AccessTokenResolver reference, required-
Resolves an access_token against an authorization server. Configure one of the following access_token resolvers:
To decorate an AccessTokenResolver, add the decoration at the
accessTokenResolver level. The following example uses the default timer
decorator to record the time that a TokenIntrospectionAccessTokenResolver takes
to process a request:
{
"accessTokenResolver": {
"type": "TokenIntrospectionAccessTokenResolver",
"config": {
...
},
"timer": true
}
}"cache": object, optional-
Configuration of caching for OAuth 2.0 access_tokens. By default, access_tokens are not cached. For an alternative way of caching of OAuth 2.0 access_tokens, configure CacheAccessTokenResolver.
When an access_token is cached, IG can reuse the token information without repeatedly asking the authorization server to verify the access_token. When caching is disabled, IG must ask the authorization server to verify the access_token for each request.
(From AM 6.5.3.) When an access_token is revoked on AM, the CacheAccessTokenResolver can delete the token from the cache when both of the following conditions are true:
-
The
notificationproperty of AmService is enabled. -
The delegate AccessTokenResolver provides the token metadata required to update the cache.
When a refresh_token is revoked on AM, all associated access_tokens are automatically and immediately revoked.
"cache": { "enabled": configuration expression<boolean>, "defaultTimeout": configuration expression<duration>, "maxTimeout": configuration expression<duration>, "amService": AmService reference, "onNotificationDisconnection": configuration expression<enumeration> }enabled: configuration expression<boolean>, optional-
Enable or disable caching.
Default:
false defaultTimeout: configuration expression<duration>, optional-
The duration for which to cache an OAuth 2.0 access_token if it doesn’t provide a valid expiry value.
If an access_token provides an expiry value that falls before the current time plus the
maxTimeout, IG uses the token expiry value.The following example caches access_tokens for these times:
-
One hour, if the access_token doesn’t provide a valid expiry value.
-
The duration specified by the token expiry value, when the token expiry value is shorter than one day.
-
One day, when the token expiry value is longer than one day.
"cache": { "enabled": true, "defaultTimeout": "1 hour", "maxTimeout": "1 day" }Default:
1 minute
-
maxTimeout: configuration expression<duration>, optional-
The maximum duration for which to cache OAuth 2.0 access_tokens.
If an access_token provides an expiry value that falls after the current time plus the
maxTimeout, IG uses themaxTimeout.The duration cannot be
zeroorunlimited. "amService": AmService reference, optional-
(From AM 6.5.3.) The AmService to use for the WebSocket notification service. To evict revoked access_tokens from the cache, enable the
notificationsproperty of AmService.See also AmService.
-
onNotificationDisconnection: configuration expression<enumeration>, optional-
The strategy to manage the cache when the WebSocket notification service is disconnected, and IG receives no notifications for AM events. If the cache is not cleared it can become outdated, and IG can allow requests on revoked sessions or tokens.
Cached entries that expire naturally while the notification service is disconnected are removed from the cache.
Use one of the following values:
-
NEVER_CLEAR-
When the notification service is disconnected:
-
Continue to use the existing cache.
-
Deny access for requests that are not cached, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Continue to use the existing cache.
-
Query AM for incoming requests that are not found in the cache, and update the cache with these requests.
-
-
-
CLEAR_ON_DISCONNECT-
When the notification service is disconnected:
-
Clear the cache.
-
Deny access to all requests, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Query AM for all requests that are not found in the cache. (Because the cache was cleared, the cache is empty after reconnection.)
-
Update the cache with these requests.
-
-
-
CLEAR_ON_RECONNECT-
When the notification service is disconnected:
-
Continue to use the existing cache.
-
Deny access for requests that are not cached, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Query AM for all requests that are not found in the cache. (Because the cache was cleared, the cache is empty after reconnection.)
-
Update the cache with these requests.
-
-
Default:
CLEAR_ON_DISCONNECT -
"executor": executor, optional-
An executor service to schedule the execution of tasks, such as the eviction of entries in the access_token cache.
Default:
ScheduledExecutorServiceSee also ScheduledExecutorService.
"requireHttps": configuration expression<boolean>, optional-
Whether to require that original target URI of the request (
originalUriin UriRouterContext) uses the HTTPS scheme.If the request received by the web container is not using HTTPS, the request is rejected.
Default: true.
"realm": string, optional-
HTTP authentication realm to include in the WWW-Authenticate response header field when returning an HTTP 401 Unauthorized status to a user-agent that need to authenticate.
Default: IG
"scopes": array of runtime expression<string> or ScriptableResourceAccess object, required-
A list of one of more scopes that the OAuth 2.0 access_token must have.
- array of runtime expression<string>, required if ScriptableResourceAccess is not used
-
A string, array of strings, runtime expression<string>, or array of runtime expression<string> to represent one or more scopes; mutually exclusive with
ScriptableResourceAccess. - ScriptableResourceAccess, required if "array of runtime expression<string>" is not used
-
A script that produces a list of one or more required scopes; mutually exclusive with "array of runtime expression<string>".
The script evaluates each request dynamically and returns the scopes that request needs to access the protected resource. The script must return a Promise<Set, ResponseException> or a Set<String>.
For information about the properties of ScriptableResourceAccess, see Scripts. For an example of how to use this property, see the examples section on this page.
{ "name": string, "type": "ScriptableResourceAccess", "config": { "type": string, "file": expression, // Use either "file" "source": string or array of strings, // or "source", but not both. "args": object, "clientHandler": Handler reference } }
Examples
For examples using OAuth2ResourceServerFilter, see Act As an OAuth 2.0 Resource Server.
The following example uses a ScriptableResourceAccess object to define the scopes required in a request:
-
If the request path is
/rs-tokeninfo, only the scopesmailis required. -
If the request path is
/rs-tokeninfo/employee, the scopesmailandemployeenumberare required.
-
Set up and test the example in Validate Access_Tokens Through the Introspection Endpoint.
-
Add the following route to IG:
{ "name": "rs-dynamicscope", "baseURI": "http://app.example.com:8081", "condition": "${find(request.uri.path, '^/rs-dynamicscope')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AmService-1", "type": "AmService", "config": { "agent": { "username": "ig_agent", "passwordSecretId": "agent.secret.id" }, "secretsProvider": "SystemAndEnvSecretStore-1", "url": "http://openam.example.com:8088/openam/", "version": "7.1" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "OAuth2ResourceServerFilter-1", "type": "OAuth2ResourceServerFilter", "config": { "scopes": { "name": "myscript", "type": "ScriptableResourceAccess", "config": { "type": "application/x-groovy", "source": [ "// Minimal set of required scopes", "def scopes = [ 'mail' ] as Set", "if (request.uri.path =~ /employee$/) {", " // Require another scope to access this resource", " scopes += 'employeenumber'", "}", "return scopes" ] } }, "requireHttps": false, "realm": "OpenIG", "accessTokenResolver": { "name": "token-resolver-1", "type": "TokenIntrospectionAccessTokenResolver", "config": { "amService": "AmService-1", "providerHandler": { "type": "Chain", "config": { "filters": [ { "type": "HttpBasicAuthenticationClientFilter", "config": { "username": "ig_agent", "passwordSecretId": "agent.secret.id", "secretsProvider": "SystemAndEnvSecretStore-1" } } ], "handler": "ForgeRockClientHandler" } } } } } } ], "handler": { "type": "StaticResponseHandler", "config": { "status": 200, "headers": { "Content-Type": [ "text/html" ] }, "entity": "<html><body><h2>Decoded access_token: ${contexts.oauth2.accessToken.info}</h2></body></html>" } } } } } -
Test the setup with the
mailscope only:-
In a terminal, use a
curlcommand to retrieve an access_token:$ mytoken=$(curl -s \ --user "client-application:password" \ --data "grant_type=password&username=demo&password=Ch4ng31t&scope=mail" \ http://openam.example.com:8088/openam/oauth2/access_token | jq -r ".access_token" -
Confirm that the access_token is returned for the
/rs-dynamicscopepath:$ curl -v http://openig.example.com:8080/rs-dynamicscope --header "Authorization: Bearer ${mytoken}" { active = true, scope = mail, client_id = client-application, user_id = demo, token_type = Bearer, exp = 158...907, sub = demo, iss = http://openam.example.com:8088/openam/oauth2, ... ... }-
Confirm that the access_token is not returned for the
/rs-dynamicscope/employeepath:$ curl -v http://openig.example.com:8080/rs-dynamicscope/employee --header "Authorization: Bearer ${mytoken}"
-
-
-
Test the setup with the scopes
mailandemployeenumber:-
In a terminal window, use a
curlcommand similar to the following to retrieve an access_token:$ mytoken=$(curl -s \ --user "client-application:password" \ --data "grant_type=password&username=demo&password=Ch4ng31t&scope=mail%20employeenumber" \ http://openam.example.com:8088/openam/oauth2/access_token | jq -r ".access_token") -
Confirm that the access_token is returned for the
/rs-dynamicscope/employeepath:$ curl -v http://openig.example.com:8080/rs-dynamicscope/employee --header "Authorization: Bearer ${mytoken}"
-
PasswordReplayFilter
For requests directed to a login page, this filter extracts credentials, and replays them.
Requests that are not directed to the login page are passed along to the next filter or handler in the chain.
The PasswordReplayFilter does not retry failed authentication attempts.
Usage
{
"name": string,
"type": "PasswordReplayFilter",
"config": {
"request": request configuration object,
"loginPage": runtime expression<boolean>,
"loginPageContentMarker": pattern,
"credentials": Filter reference,
"headerDecryption": crypto configuration object,
"loginPageExtractions": [ extract configuration object, ... ]
}
}Properties
"request": request configuration object, required-
The request that replays the credentials. The JSON object of
requestis theconfigcontent of a StaticRequestFilter."method": string, required-
The HTTP method to be performed on the resource such as
GETorPOST. "uri": uri string, required-
The fully qualified URI of the resource to access, such as
http://www.example.com/login. "entity": expression, optional-
The entity body to include in the request.
When the
methodis set toPOST, this setting is mutually exclusive withform.See also Expressions.
"form": object, optional-
A form to include in the request.
The
paramspecifies the form parameter name. Its value is an array of expressions to evaluate as form field values.When the
methodis set toPOST, this setting is mutually exclusive withentity. "headers": object, optional-
Header fields to set in the request.
The
namespecifies the header name. Its value is an array of expressions to evaluate as header values. "version": string, optional-
The HTTP protocol version.
Default:
"HTTP/1.1".
"loginPage": runtime expression<boolean>, required unlessloginPageContentMarkeris defined-
When the expression evaluates to
true, direct the request to a login page, extract credentials, and replay them.When
false, pass the request unchanged to the next filter or handler in the chain.The following example expression resolves to
truewhen the request is an HTTP GET, and the request URI path is/login:${matches(request.uri.path, '/login') and (request.method == 'GET')} "loginPageContentMarker": pattern, required unlessloginPageis defined-
A pattern that matches when a response entity is that of a login page.
For an example route that uses this property, see Login Form With Password Replay and Cookie Filters.
See also Patterns.
"credentials": Filter reference, optional-
Filter that injects credentials, making them available for replay. Consider using a
FileAttributesFilteror anSqlAttributesFilter.When this is not specified, credentials must be made available to the request by other means.
See also Filters.
"headerDecryption": crypto configuration object, optional-
Object to decrypt request headers that contain credentials to replay.
The crypto configuration object has the following fields:
"key": expression, required-
Base64 encoded key value.
See also Expressions.
"algorithm": string, optional-
Algorithm used for decryption.
Use the same algorithm that is used to send the encrypted credentials.
Default:
AES/ECB/PKCS5Padding "keyType": string, optional-
Algorithm name for the secret key.
Default:
AES "headers": array of strings, optional-
The names of header fields to decrypt.
Default: Do not decrypt any headers.
"loginPageExtractions": extract configuration array, optional-
Object to extract values from the login page entity.
For an example route that uses this property, see Login Which Requires a Hidden Value From the Login Page.
The extract configuration array is a series of configuration objects. To extract multiple values, use multiple extract configuration objects. Each object has the following fields:
"name": string, required-
Name of the field where the extracted value is put.
The names are mapped into
attributes.extracted.For example, if the name is
nonce, the value can be obtained with the expression${attributes.extracted.nonce}.The name
isLoginPageis reserved to hold a boolean that indicates whether the response entity is a login page. "pattern": pattern, required-
The regular expression pattern to find in the entity.
The pattern must contain one capturing group. (If it contains more than one, only the value matching the first group is placed into
attributes.extracted.)For example, suppose the login page entity contains a nonce required to authenticate, and the nonce in the page looks like
nonce='n-0S6_WzA2Mj'. To extractn-0S6_WzA2Mj, set"pattern": " nonce='(.*)'".See also Patterns.
Example
The following example authenticates requests using static credentials when the
request URI path is /login. This PasswordReplayFilter example does not
include any mechanism for remembering when authentication has already been
successful, it simply replays the authentication every time that the request
URI path is /login:
{
"handler": {
"type": "Chain",
"config": {
"filters": [{
"type": "PasswordReplayFilter",
"config": {
"loginPage": "${request.uri.path == '/login'}",
"request": {
"method": "POST",
"uri": "https://www.example.com:8444/login",
"form": {
"username": [
"MY_USERNAME"
],
"password": [
"MY_PASSWORD"
]
}
}
}
}],
"handler": "ReverseProxyHandler"
}
}
}For additional examples, see Configuration Templates, and the Javadoc for the PasswordReplayFilter class.
PolicyEnforcementFilter
Requests policy decisions from AM, which allows or denies the request based on the request context, the request URI, and the AM policies.
Supported with AM 5 and later versions.
Processing Requests After a Policy Decision
After a policy decision, IG continues to process requests as follows:
-
If the request is allowed, processing continues.
-
If the request is denied with advices, IG checks whether it can respond to the advices. If IG can respond, it sends a redirect and information about how to meet the conditions in the advices.
By default, the request is redirected to AM. If the SingleSignOnFilter property
loginEndpointis configured, the request is redirected to that endpoint. -
If the request is denied without advice, or if IG cannot respond to the advice, IG forwards the request to a
failureHandlerdeclared in thePolicyEnforcementFilter. If there is nofailureHandler, IG returns a 403 Forbidden. -
If an error occurs during the process, IG returns 500 Internal Server Error.
Using Advices From Policy Decisions
Attributes and advices returned by the policy decision are stored in the
policyDecision context. For information, see
PolicyDecisionContext.
IG responds to the following advice types from AM:
-
AuthLevel: The minimum authentication level at which a user-agent must authenticate to access a resource. -
AuthenticateToService: The name of an authorization chain or service to which a user-agent must authenticate to access a resource. -
AuthenticateToRealm: The name of a realm to which a user-agent must authenticate to access a resource. -
AuthScheme: The name of an authentication module to which a user-agent must authenticate to access a resource, the policy set name, and the authentication timeout. -
Transaction: The additional actions that a user-agent must perform before having a one-time access to the protected resource. Supported with AM 5.5 and later versions.
Notes on Configuring Policies in AM
In the AM policy, remember to configure the Resources parameter with
the URI of the protected application.
The request URI from IG must match the Resources parameter defined
in the AM policy. If the URI of the incoming request is changed before it
enters the policy filter (for example, by rebasing or scripting), remember to
change the Resources parameter in AM policy accordingly.
WebSocket Notifications for Policy Changes
When WebSocket notifications are set up for changes to policies, IG receives a notification from AM when a policy decision is created, deleted, or updated.
For information about setting up WebSocket notifications, using them to clear the policy cache, and including them in the server logs, see WebSocket Notifications.
Usage
{
"name": string,
"type": "PolicyEnforcementFilter",
"config": {
"amService": AmService reference,
"pepRealm": string,
"ssoTokenSubject": runtime expression<string>,
"jwtSubject": runtime expression<string>,
"claimsSubject": map or runtime expression<map>,
"cache": object,
"application": configuration expression<string>,
"environment": map or runtime expression<map>,
"failureHandler": handler reference,
"resourceUriProvider": ResourceUriProvider reference
}
}Properties
"amService": AmService reference, required-
The AmService object to use for the following properties:
-
agent, the credentials of the IG agent in AM. When the agent is authenticated, the token can be used for tasks such as getting the user’s profile, making policy evaluations, and connecting to the AM notification endpoint. -
realm: Realm of the IG agent in AM. -
url, the URL of an AM service to use for session token validation and authentication. -
ssoTokenHeader, the name of the HTTP header that provides the session token created by AM -
amHandler, the handler to use when requesting policy decisions from AM. -
version: The version of the AM server.See also AmService.
-
"pepRealm": string, optional-
The AM realm where the policy set is located.
Default: The realm declared for
amService. "ssoTokenSubject": _runtime expression<string>, required if neither of the following properties are present:jwtSubject,claimsSubject-
The AM SSO or CDSSO token ID string for the subject making the request to the protected resource.
ssoTokenSubjectcan take the following values:-
${contexts.ssoToken.value}, when the SingleSignOnFilter is used for authentication -
${contexts.ssoToken.value}or${contexts.cdsso.token}, when the CrossDomainSingleSignOnFilter is used for authentication
When there is no SSO (API protection),
ssoTokenSubjectusually points to a header value such as${request.headers.iPlanetDirectoryPro[0]}, whereiPlanetDirectoryProis the name of the default AM session cookie. To find the name of your AM session cookie, see Find the Name of Your AM Session Cookie. -
"jwtSubject": _runtime expression<string>, required if neither of the following properties are present:ssoTokenSubject,claimsSubject-
The JWT string for the subject making the request to the protected resource.
To use the raw id_token (base64, not decoded) returned by the OpenID Connect Provider during authentication, place an
OAuth2ClientFilterfilter before the PEP filter, and then use${attributes.openid.id_token}as the expression value.See also OAuth2ClientFilter and Expressions.
"claimsSubject": _map or runtime expression<map>, required if neither of the following properties are present:jwtSubject,ssoTokenSubject-
A representation of JWT claims for the subject.
The claim
"sub"must be specified. Other claims are optional.When this property is an expression, its evaluation must give an object of type
Map<String, Object>."claimsSubject": "${attributes.openid.id_token_claims}"When this property is a map, the structure must have the format
Map<String, Object>. The value is evaluated as an expression."claimsSubject": { "sub": "${attributes.subject_identifier}", "iss": "openam.example.com" }For an example of using
claimsSubjectas a map, see Example Policy Enforcement Using claimsSubject on this reference page. "application": configuration expression<string>, optional-
The ID of the AM policy set to use when requesting policy decisions.
Default:
iPlanetAMWebAgentService, provided by AM’s default policy set cache: object, optional-
Enable and configure caching of policy decisions from AM, based on Caffeine. For more information, see the GitHub entry, Caffeine.
{ "cache": { "enabled": configuration expression<boolean>, "defaultTimeout": configuration expression<duration>, "executor": executor service reference, "maximumSize": configuration expression<number>, "maximumTimeToCache": configuration expression<duration>, "onNotificationDisconnection": configuration expression<enumeration> } }Default: Policy decisions are not cached.
Policy decisions that contain advices are never cached. The following code example caches AM policy decisions without advices for these times:
-
One hour, when the policy decision doesn’t provide a
ttlvalue. -
The duration specified by the
ttl, whenttlis shorter than one day. -
One day, when
ttlis longer than one day.
"cache": { "enabled": true, "defaultTimeout": "1 hour", "maximumTimeToCache": "1 day" }enabled: configuration expression<boolean>, optional-
Enable or disable caching of policy decisions.
When a policy decision is cached, IG can reuse the policy decision without repeatedly asking AM for a new policy decision. When caching is disabled, IG must ask AM to make a decision for each request.
Default:
false defaultTimeout: configuration expression<duration>, optional-
The default duration for which to cache AM policy decisions.
If an AM policy decision provides a valid
ttlvalue to specify the time until which the policy decision remains valid, IG uses that value or themaxTimeout.Default:
1 minute executor: executor service reference, optional-
An executor service to schedule the execution of tasks, such as the eviction of entries in the cache.
Default:
ForkJoinPool.commonPool() "maximumSize": configuration expression<number>, optional-
The maximum number of entries the cache can contain.
Default: Unlimited/unbound.
maximumTimeToCache: configuration expression<duration>, optional-
The maximum duration for which to cache AM policy decisions.
If the
ttlvalue provided by the AM policy decision is after the current time plus themaximumTimeToCache, IG uses themaximumTimeToCache.The duration cannot be
zeroorunlimited.
-
onNotificationDisconnection: configuration expression<enumeration>, optional-
The strategy to manage the cache when the WebSocket notification service is disconnected, and IG receives no notifications for AM events. If the cache is not cleared it can become outdated, and IG can allow requests on revoked sessions or tokens.
Cached entries that expire naturally while the notification service is disconnected are removed from the cache.
Use one of the following values:
-
NEVER_CLEAR-
When the notification service is disconnected:
-
Continue to use the existing cache.
-
Deny access for requests that are not cached, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Continue to use the existing cache.
-
Query AM for incoming requests that are not found in the cache, and update the cache with these requests.
-
-
-
CLEAR_ON_DISCONNECT-
When the notification service is disconnected:
-
Clear the cache.
-
Deny access to all requests, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Query AM for all requests that are not found in the cache. (Because the cache was cleared, the cache is empty after reconnection.)
-
Update the cache with these requests.
-
-
-
CLEAR_ON_RECONNECT-
When the notification service is disconnected:
-
Continue to use the existing cache.
-
Deny access for requests that are not cached, but do not update the cache with these requests.
-
-
When the notification service is reconnected:
-
Query AM for all requests that are not found in the cache. (Because the cache was cleared, the cache is empty after reconnection.)
-
Update the cache with these requests.
-
-
Default:
CLEAR_ON_DISCONNECT -
"environment": map or runtime expression<map>, optional-
A list of strings to forward to AM with the request for a policy decision, that represent the environment (or context) of the request. Forward any HTTP header or any value that the AM policy definition can use.
AM can use the environment conditions to set the circumstances under which a policy applies. For example, environment conditions can specify that the policy applies only during working hours or only when accessing from a specific IP address.
If this property is a map, the structure must have the format
Map<String, List<String>>. In the following example, thePolicyEnforcementFilterforwards standard and non-standard request headers, an ID token, and the IP address of the subject making the request:"environment": { "H-Via": "${request.headers['Via']}", "H-X-Forwarded-For": "${request.headers['X-Forwarded-For']}", "H-myHeader": "${request.headers['myHeader']}", "id_token": [ "${attributes.openid.id_token}" ], "IP": [ "${contexts.client.remoteAddress}" ] }If this property is an expression, its evaluation must give an object of type
Map<String, List<String>>."environment": "${attributes.my_environment}" "failureHandler": handler reference, optional-
Handler to treat the request if it is denied by the policy decision.
In the following example, the
failureHandleris a chain with a scriptable filter. If there are some advices with the policy decision, the script recovers the advices for processing. Otherwise, it passes the request to theStaticResponseHandlerto display a message."failureHandler": { "type": "Chain", "config": { "filters": [ { "type": "ScriptableFilter", "config": { "type": "application/x-groovy", "source": [ "if (contexts.policyDecision.advices['MyCustomAdvice'] != null) {", " return handleCustomAdvice(context, request)", "} else {", " return next.handle(context, request)", "}" ] } } ], "handler": { "type": "StaticResponseHandler", "config": { "status": 403, "headers": { "Content-Type": [ "text/plain" ] }, "entity": "Restricted area. You do not have sufficient privileges." } } } }Provide an inline handler configuration object, or the name of a handler object declared in the heap. See also Handlers.
Default: HTTP 403 Forbidden, the request stops being executed.
"resourceUriProvider": ResourceUriProvider reference, optional-
Return the resource URL to include in policy decision requests to AM. Configure one of the following ResourceUriProviders inline or in the heap:
-
RequestResourceUriProvider -
ScriptableResourceUriProviderDefault:
RequestResourceUriProviderRequestResourceUriProvider-
Return the resource URL to include in policy decision requests to AM by using the original URI of the request or the
baseURIof the route."resourceUriProvider": { "type": "RequestResourceUriProvider", "config": { "useOriginalUri": runtime expression<boolean>, "includeQueryParams": runtime expression<boolean> } }useOriginalUri: runtime expression<boolean>, optional-
In policy decision requests to AM, use the original URI of the request as the resource URL.
-
true: Use the original URI of the request as the resource URL when requesting policy decisions from AM. -
false: Use thebaseURIof the route as the resource URL when requesting policy decisions from AM.
-
Default:
falseincludeQueryParams: runtime expression<boolean>, optional-
Include query parameters in the resource URL when requesting policy decisions from AM:
-
true: Include query parameters in the resource URL. For example, use the following URL with a query parameter:http://openig.example.com:8080/login?demo=capture. -
false: Exclude query parameters from the resource URL. For example, exclude the query parameter from the previous example:http://openig.example.com:8080/login.For AM policies that specify resource URLs without query parameters, use this option to reduce the amount of cached information.
-
Default:
trueScriptableResourceUriProvider-
Use a script to return the resource URL to include in policy decision requests to AM. The result of the script must be a string that represents the resource to be used in the policy decision request sent to AM.
"resourceUriProvider": { "type": "ScriptableResourceUriProvider", "config": { "type": string, "file": expression, // Use either "file" "source": string or array of strings, // or "source", but not both. "args": object, "clientHandler": Handler reference } }For information about these properties, see Scripts.
The following example script replaces existing query parameters with a single parameter:
"resourceUriProvider": { "type": "ScriptableResourceUriProvider", "config": { "type": "application/x-groovy", "source": [ "request.uri.setQuery('fromIG=true')", "return request.uri.toASCIIString()" ] } }
-
Example Policy Enforcement Using claimsSubject
This route is a variant of the route in
Enforce AM Policy Decisions In the Same Domain. It enforces a policy decision from AM, using
claimsSubject instead of ssoTokenSubject to identify the subject.
To use this route:
-
Set up AM as described in Enforce AM Policy Decisions In the Same Domain.
-
In AM, select the policy you created in the previous step, and add a new resource:
-
Resource Type :
URL -
Resource pattern :
*://*:*/* -
Resource value :
http://app.example.com:8081/home/pep-claims
-
-
In the same policy, add the following subject condition:
-
Any of -
Type :
OpenID Connect/JwtClaim -
claimName :
iss -
claimValue :
openam.example.com
-
-
Set an environment variable for the IG agent password, and then restart IG:
$ export AGENT_SECRET_ID='cGFzc3dvcmQ='The password is retrieved by a SystemAndEnvSecretStore, and must be base64-encoded.
-
Add the following route to serve static resources, such as .css, for the sample application:
$HOME/.openig/config/routes/static-resources.json
appdata\OpenIG\config\routes\static-resources.json
{ "name" : "sampleapp-resources", "baseURI" : "http://app.example.com:8081", "condition": "${find(request.uri.path,'^/css')}", "handler": "ReverseProxyHandler" } -
Add the following route to IG:
$HOME/.openig/config/routes/04-pep-claims.json
appdata\OpenIG\config\routes\04-pep-claims.json
{ "name": "pep-claims", "baseURI": "http://app.example.com:8081", "condition": "${find(request.uri.path, '^/home/pep-claims')}", "heap": [ { "name": "SystemAndEnvSecretStore-1", "type": "SystemAndEnvSecretStore" }, { "name": "AmService-1", "type": "AmService", "config": { "url": "http://openam.example.com:8088/openam", "agent": { "username": "ig_agent", "passwordSecretId": "agent.secret.id" }, "secretsProvider": "SystemAndEnvSecretStore-1", "version": "7.1" } } ], "handler": { "type": "Chain", "config": { "filters": [ { "name": "SingleSignOnFilter-1", "type": "SingleSignOnFilter", "config": { "amService": "AmService-1" } }, { "name": "PolicyEnforcementFilter-1", "type": "PolicyEnforcementFilter", "config": { "application": "PEP-SSO", "claimsSubject": { "sub": "${contexts.ssoToken.info.uid}", "iss": "openam.example.com" }, "amService": "AmService-1" } } ], "handler": "ReverseProxyHandler" } } } -
Log in to AM as user
demo, passwordCh4ng31t.AM returns a policy decision that grants access to the sample application.
ScriptableFilter
Processes requests and responses by using a Groovy script.
When a ScriptableFilter processes a request, it can execute
return next.handle(context, request) to call the next filter or handler in the
current chain and return the value from the call. Actions on the response must
be performed in the Promise’s callback methods.
Scripts must return a Promise<Response, NeverThrowsException> or a Response.
This section describes the usage of ScriptableFilter, and refers to the following sections of the documentation:
-
For information about script properties, available global objects, and automatically imported classes, see Scripts.
-
For information about creating scriptable objects in Studio, see Scripts in Studio and Configure Scriptable Throttling.
Usage
{
"name": string,
"type": "ScriptableFilter",
"config": {
"type": string,
"file": expression, // Use either "file"
"source": string or array of strings, // or "source", but not both.
"args": object,
"clientHandler": Handler reference
}
}Properties
For information about properties for ScriptableFilter, see Scripts.
Examples
For an example scriptable filter that recovers policy advices from AM,
see the failureHandler property of
PolicyEnforcementFilter.
SessionInfoFilter
Calls the AM endpoint for session information, and makes the data available as a new context to downstream IG filters and handlers. For information, see SessionInfoContext.
Supported with AM 5 and later versions.
WebSocket Notifications for Sessions
When WebSocket notifications are set up for sessions, IG receives a
notification from AM when a user logs out of AM, or when the
AM session is modified, closed, or times out. IG then evicts
entries that are related to the event from the sessionCache.
For information about setting up WebSocket notifications, using them to clear the session cache, and including them in the server logs, see WebSocket Notifications.
Usage
{
"name": string,
"type": "SessionInfoFilter",
"config": {
"amService": AmService reference,
"ssoToken": runtime expression<string>
}
}Properties
"amService": AmService reference, required-
The AmService heap object to use for the following properties:
-
agent, the credentials of the IG agent in AM. When the agent is authenticated, the token can be used for tasks such as getting the user’s profile, making policy evaluations, and connecting to the AM notification endpoint.
-
url, the URL of an AM service to use for session token validation and authentication. -
amHandler, the handler to use when communicating with AM to validate the token in the incoming request.
-
realm: Realm of the IG agent in AM.
-
version: The version of the AM server.
-
sessionProperties, the list of user session properties to retrieve from AM. The following properties are retrieved:-
When
sessionPropertiesin AmService is configured, listed session properties with a value. -
When
sessionPropertiesin AmService is not configured, all session properties with a value. -
Properties with a value that are required by IG but not specified by
sessionPropertiesin AmService. For example, when the session cache is enabled, session properties related to the cache are automatically retrieved.
Properties with a value are returned, properties with a null value are not returned.
"ssoToken": runtime expression<string>, optional-
Location of the AM SSO token. For example, with
${request.headers['mySsoToken'][0]}the SSO token is the first value of the mySsoToken header in the request.Default:
${request.cookies['AmService-ssoTokenHeader'][0].value}, whereAmService-ssoTokenHeaderis the name of the header or cookie where the AmService expects to find SSO tokens.
-
Examples
In the following example, the SingleSignOnFilter requires authentication with
AM before passing the request along the chain. The SessionInfoFilter
collects session info from AM and stores it in the
${contexts.amSession} context. Then the HeaderFilter adds headers containing
some of the session info to the request. The session info is then displayed on
the home page of the sample application:
{
"name": "session-info",
"baseURI": "http://app.example.com:8081",
"condition": "${find(request.uri.path, '^/home/session-info')}",
"heap": [
{
"name": "SystemAndEnvSecretStore-1",
"type": "SystemAndEnvSecretStore"
},
{
"name": "AmService-1",
"type": "AmService",
"config": {
"url": "http://openam.example.com:8088/openam",
"agent": {
"username": "ig_agent",
"passwordSecretId": "agent.secret.id"
},
"secretsProvider": "SystemAndEnvSecretStore-1",
"version": "7.1"
}
}
],
"secrets": {
"stores": [
{
"type": "Base64EncodedSecretStore",
"config": {
"secrets": {
"agent.secret.id": "cGFzc3dvcmQ="
}
}
}
]
},
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"name": "SingleSignOnFilter",
"type": "SingleSignOnFilter",
"config": {
"amService": "AmService-1"
}
},
{
"name": "SessionInfoFilter",
"type": "SessionInfoFilter",
"config": {
"amService": "AmService-1"
}
},
{
"name": "HeaderFilter",
"type": "HeaderFilter",
"config": {
"messageType": "REQUEST",
"add": {
"X-IG-SessionInfo": [ "username: ${contexts.amSession.username}, realm: ${contexts.amSession.realm}, properties: ${contexts.amSession.properties}" ]
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}To try this example:
-
Add an agent for IG as described in Set Up an IG Agent in AM.
-
With AM, IG, and the sample application running, access the route on http://openig.example.com:8080/home/session-info, and then log in to AM as user
demo, passwordCh4ng31t.The home page of the sample application is displayed.
-
Note that the header
x-ig-sessioninfoand its values are displayed:x-ig-sessioninfo: username: demo, realm: /, properties: {Locale=... ... UserToken=demo}
To capture additional session properties from AM:
-
On AM, as admin, and add the property
user-statusto the Session Property Whitelist Service. For information, see Session Property Whitelist Service in AM’s Reference. -
Post the value
goldtouser-status:$ curl --request POST --header "iPlanetDirectoryPro: token" \ --header 'Accept-API-Version: resource=2.0' \ --header "Content-Type: application/json" \ 'http://openam.example.com:8088/openam/json/sessions/?_action=updateSessionProperties' \ --data '{"user-status":"gold"}'Where iPlanetDirectoryPro is the name of the default AM session cookie, and token is its value. To find the name of your AM session cookie, see Find the Name of Your AM Session Cookie.
-
On IG, access the route and note that
user-statusis displayed:x-ig-sessioninfo: username: demo, realm: /, properties: {... user-status=gold ...}
SetCookieUpdateFilter
Updates the attribute values of Set-Cookie headers in a cookie. This filter facilitates the transition to the SameSite and secure cookie settings required by newer browsers. Use SetCookieUpdateFilter at the beginning of a chain to guarantee security along the chain.
Set-Cookie headers must conform to grammar in rfc6265, section 4.1 SetCookie.
Usage
{
"name": string,
"type": "SetCookieUpdateFilter",
"config": {
"cookies": {
"cookie-name": {
"attribute-name": "attribute-value"
...
}
...
}
}
}Properties
"cookies": runtime expression<map>, required-
Configuration that matches case-sensitive cookie names to response cookies, and specifies how matching cookies attribute values should be updated. Each cookie begins with a name-value pair, where the value is one or more attribute-value pairs.
- cookie-name: pattern, required
-
The name of a cookie contained in the Set-Cookie header, as a pattern.
Specify
.*to change the attribute value on all existing cookies.If a cookie is named more than once, either explicitly or by the wildcard (
*), the rules are applied to the cookie in the order they appear in the map.In the following example, the SameSite attribute of the CSRF cookie first takes the value
none, and then that value is overwritten by the valueLAX."cookies": { "CSRF": { "value": "myValue", "secure": ${true}, "SameSite": "none" } ".*": { "SameSite": "LAX" } } - attribute-name: string, required
-
A case-insensitive string representing a Set-Cookie attribute name.
Attribute names include
SameSite,secure,http-only,value,expires,Max-Age,path, anddomain.For more information, see Set-Cookie.
- attribute-value: runtime expression<string, boolean, or integer>, required
-
The replacement value for the named attribute. The value must conform to the expected type for the attribute name:
-
secure: runtime expression<boolean>. Required ifSameSiteisnone -
http-only: runtime expression<boolean>. -
Max-Age: runtime expression<integer>. -
SameSite, and all other attribute names: runtime expression<string>.For all values except
expires, specify${previous}to reuse the existing value for the attribute. The following example adds five seconds to theMax-Ageattribute:"Max-Age": "${integer(previous+5)}",If the named the Set-Cookie header doesn’t contain the named attribute,
${previous}returns null.
-
Examples
The following example updates attributes of all existing Set-Cookie headers:
{
"name": "SetCookieUpdateFilter",
"condition": "${find(request.uri.path, '/home')}",
"baseURI": "http://app.example.com:8081",
"heap": [],
"handler": {
"type": "Chain",
"config": {
"filters": [{
"type": "SetCookieUpdateFilter",
"config": {
"cookies": {
".*": {
"SameSite": "LAX",
"domain": "openig.example.com",
"Max-Age": "${session.maxAge}",
"Secure": "${true}"
}
}
}
}],
"handler": "ReverseProxyHandler"
}
}
}SingleSignOnFilter
Tests for the presence and validity of an SSO token in the cookie header of a request:
-
If an SSO token is present, the filter calls AM to validate the SSO token. If the SSO token is valid, the request continues along the chain. The token value and additional information are stored in the
ssoTokencontext. For information, see SsoTokenContext. -
If the SSO token is not present, or is empty or invalid, IG checks the
gotoquery parameter for the presence of the redirection marker:-
If the redirection marker parameter is present (for example,
_ig=true), IG fails the request because the cookie domain is incorrectly configured. -
If the redirection marker is not present, IG redirects the user-agent to the AM login page or another provided login page. For information about enabling, disabling, and naming the redirection marker, see the
redirectionMarkerproperty on this page.
-
Supported with AM 5 and later versions.
For more information about SSO, see Single Sign-On and Cross-Domain Single Sign-On.
|
To prevent issues with performance when accessing large resources, such as .jpg and .js files, consider using the SingleSignOnFilter with the following options:
|
|
When AM is using CTS-based sessions, it does not monitor idle time for client-based sessions, and so refresh requests are ignored. When the SingleSignOnFilter is used for authentication with AM, after a time AM can view the session as idle even though the user continues to interact with IG. The user session can eventually time out. (From AM 6.5.3.) When AM is using CTS-based sessions, use the
|
WebSocket Notifications for Sessions
When WebSocket notifications are set up for sessions, IG receives a
notification from AM when a user logs out of AM, or when the
AM session is modified, closed, or times out. IG then evicts
entries that are related to the event from the sessionCache.
For information about setting up WebSocket notifications, using them to clear the session cache, and including them in the server logs, see WebSocket Notifications.
Usage
{
"name": string,
"type": "SingleSignOnFilter",
"config": {
"amService": AmService reference,
"authenticationService": configuration expression<string>,
"redirectionMarker": object,
"realm": string,
"defaultLogoutLandingPage": configuration expression<url>,
"loginEndpoint": runtime expression<url>,
"logoutExpression": runtime expression<boolean>
}
}Properties
"amService": AmService reference, required-
An AmService object to use for the following properties:
-
agent, the credentials of the IG agent in AM. When the agent is authenticated, the token can be used for tasks such as getting the user’s profile, making policy evaluations, and connecting to the AM notification endpoint. -
realm: Realm of the IG agent in AM. -
url, the URL of an AM service to use for session token validation and authentication whenloginEndpointis not specified. -
ssoTokenHeader, the name of the cookie that contains the session token created by AM. -
amHandler, the handler to use when communicating with AM to validate the token in the incoming request. -
sessionCache, the configuration of a cache for session information from AM. -
version: The version of the AM server.
-
redirectionMarker: object, optional-
"redirectionMarker": { "enabled": configuration expression<boolean>, "name": configuration expression<string> }enabled: configuration expression<boolean>, optional-
When
true, use a redirection marker to limit the number of authentication redirects.When there is no SSO session due to, for example, SSO cookie name misconfiguration, an authentication request fails and is redirected back to IG. The scenario can result in infinite authentication redirects.
Consider enabling the redirection marker during development, then disabling it to prevent it being captured in bookmarks.
+
Default: true
name: configuration expression<string>, optional-
The name of the redirection marker query parameter to use when
enabledistrue.Default:
_ig
"authenticationService": configuration expression<uri string>,optional-
The name of an AM authentication tree or authentication chain to use for authentication.
Default: AM’s default authentication service.
For an example that uses
authenticationService, see Authenticate With SSO Through an AM Authentication Tree.For more information about authentication trees and chains, see Authentication Nodes and Trees and Authentication Modules and Chains in AM’s Authentication and Single Sign-On Guide.
"realm": string, optional-
The AM realm where the user is authenticated.
Default: The realm declared for
amService.
"defaultLogoutLandingPage": configuration expression<url>, optional-
The URL to which a request is redirected if
logoutExpressionis evaluated as true.If this property is not an absolute URL, the request is redirected to the IG domain name.
This parameter is effective only when
logoutExpressionis specified.Default: None, processing continues.
"loginEndpoint": runtime expression<url>, optional-
The URL of a service instance for the following tasks:
-
Manage authentication and the location to which the request is redirected after authentication.
-
Process policy advices after an AM policy decision denies a request with supported advices. The PolicyEnforcementFilter redirects the request to this URL, with information about how to meet the conditions in the advices.
For examples of different advice types, and the conditions that cause AM to return advices, see AM’s Authorization Guide. For information about supported advice types in IG, see Using Advices From Policy Decisions.
Default: The value of
urlinamService
Authentication can be performed in the following ways:
-
Directly through AM, with optional authentication parameters in the query string, such as
service,module, andrealm. For a list of authentication parameters that you can include in the query string, see Authenticating (Browser) in AM’s Authentication and Single Sign-On Guide.The value must include a redirect with a
gotoparameter.The following example uses AM as the authentication service, and includes the
serviceauthentication parameter:"loginEndpoint": "https://openam.example.com/openam?service=TwoFactor&goto=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}" -
Through the URL of another application, with optional authentication parameters in the query string, such as
service,module, andrealm. The application must create a session with an AM instance to set an SSO token and return the request to the redirect location.The value can optionally include a redirect with a
gotoparameter or different parameter name.The following example uses an authentication service that is not AM, and includes a redirect parameter:
"loginEndpoint": "https://authservice.example.com/auth?redirect=${urlEncodeQueryParameterNameOrValue(contexts.router.originalUri)}"When using this option, review the cookie domains to make sure that cookies set by the authentication server are properly conveyed to the IG instance.
-
"logoutExpression": runtime expression<boolean>, optional-
An expression to define a condition for logout, based on the request. If the expression evaluates to
true, the AM session token for the end user is revoked.If a
defaultLogoutLandingPageis specified, the request is redirected to that page. Otherwise, the request continues to be processed.The following example expressions can be used to trigger revocation of the end user token:
-
The request URI contains
/logout:${matches(request.uri, '/logout')} -
The request path starts with
/logout:${matches(request.uri.path, '^/logout')} -
The request query includes the
logOff=truequery parameter:${matches(request.uri.query, 'logOff=true')}
Default: Logout is not managed by this filter.
-
SqlAttributesFilter
Executes a SQL query through a prepared statement and exposes its first result.
Parameters in the prepared statement are derived from expressions. The query
result is exposed in an object whose location is specified by the target
expression. If the query yields no result, then the resulting object is empty.
The execution of the query is performed lazily; it does not occur until the first attempt to access a value in the target. This defers the overhead of connection pool, network and database query processing until a value is first required. This also means that the parameters expressions is not evaluated until the object is first accessed.
Usage
{
"name": string,
"type": "SqlAttributesFilter",
"config": {
"dataSource": JdbcDataSource reference,
"preparedStatement": string,
"parameters": [ runtime expression<string>, ... ],
"target": lvalue-expression
}
}Properties
"dataSource": JdbcDataSource reference, required-
The JdbcDataSource to use for connections. Configure JdbcDataSource as described in JdbcDataSource.
"preparedStatement": string, required-
The parameterized SQL query to execute, with
?parameter placeholders. "parameters": array of runtime expressions<string>, optional-
The parameters to evaluate and include in the execution of the prepared statement.
See also Expressions.
"target": lvalue-expression, required-
Expression that yields the target object that will contain the query results.
See also Expressions.
Example
Using the user’s session ID from a cookie, query the database to find the user logged in and set the profile attributes in the attributes context:
{
"name": "SqlAttributesFilter",
"type": "SqlAttributesFilter",
"config": {
"target": "${attributes.sql}",
"dataSource": "java:comp/env/jdbc/mysql",
"preparedStatement": "SELECT f.value AS 'first', l.value AS 'last', u.mail AS 'email', GROUP_CONCAT(CAST(r.rid AS CHAR)) AS 'roles' FROM sessions s INNER JOIN users u ON ( u.uid = s.uid AND u.status = 1 ) LEFT OUTER JOIN profile_values f ON ( f.uid = u.uid AND f.fid = 1 ) LEFT OUTER JOIN profile_values l ON ( l.uid = u.uid AND l.fid = 2 ) LEFT OUTER JOIN users_roles r ON ( r.uid = u.uid ) WHERE (s.sid = ? AND s.uid <> 0) GROUP BY s.sid;",
"parameters": [ "${request.cookies[keyMatch(request.cookies,'JSESSION1234')][0].value}" ]
}
}Lines are folded for readability in this example. In your JSON, keep the values
for "preparedStatement" and "parameters" on one line.
StaticRequestFilter
Creates a new request, replacing any existing request. The request can include
an entity specified in the entity parameter. Alternatively, the request can
include a form, specified in the form parameter, which is included in an
entity encoded in application/x-www-form-urlencoded format if request method
is POST, or otherwise as (additional) query parameters in the URI. The
form and entity parameters cannot be used together when the method is set
to POST.
Usage
{
"name": string,
"type": "StaticRequestFilter",
"config": {
"method": string,
"uri": runtime expression<uri string>,
"version": string,
"headers": {
configuration expression<string>: [ runtime expression<string>, ... ], ...
},
"form": {
configuration expression<string>: [ runtime expression<string>, ... ], ...
},
"entity": runtime expression<string>
}
}Properties
"method": string, required-
The HTTP method to be performed on the resource (for example,
"GET"). "uri": runtime expression<uri string>, required-
The fully-qualified URI of the resource to access (for example,
"http://www.example.com/resource.txt").The result of the expression must be a string that represents a valid URI, but is not a real
java.net.URIobject. For example, it would be incorrect to use${request.uri}, which is not a String but a MutableUri. "version": string, optional-
Protocol version. Default:
"HTTP/1.1". "headers": object, optional-
Header fields to set in the request, with the format
name: [ value, … ].The
namefield ofheadersspecifies the header name. It can be defined by a configuration expression or string. If the configuration expressions for multiplenameresolve to the same final string, multiple values are associated with thename.The
valuefield ofheadersis an array of runtime expressions to evaluate as header values.In the following example, the name of the header is the value of the configuration time, system variable defined in
cookieHeaderName. The value of the header is the runtime value stored incontexts.ssoToken.value:"headers": { "${application['header1Name']}": [ "${application['header1Value'}" ] } "form": object, optional-
A form to include in the request, with the format
param: [ value, … ].The
paramfield offormspecifies the name of the form parameter. It can be defined by a configuration expression or string. If the configuration expressions for multipleparamresolve to the same final string, multiple values are associated with theparam.The
valuefield offormis an array of runtime expressions to evaluate as form field values.When the
methodis set toPOST, this setting is mutually exclusive with theentitysetting.In the following example, the names of the field parameters and the values are hardcoded in the form:
"form": { "username": [ "{amDemoUn}" ], "password": [ "{amDemoPw}" ] }In the following example, the names of the field parameters are hardcoded. The values take the first value of
usernameandpasswordprovided in the session:"form": { "username": [ "${session.username[0]}" ], "password": [ "${session.password[0]}" ] }In the following example, the name of the first field param take the value of the expression
${application['formName']}when it is evaluated at startup. The values take the first value ofusernameandpasswordprovided in the session:"form": { "${application['formName']}": [ "${session.username[0]}" ], "${application['formPassword']}": [ "${session.password[0]}" ] } "entity": runtime expression<string>, optional-
The entity body to include in the request.
This setting is mutually exclusive with the
formsetting when themethodis set toPOST.See also Expressions.
Example
In the following example, IG replaces the browser’s original HTTP GET request with an HTTP POST login request containing credentials to authenticate to the sample application. For information about how to set up and test this example, see the Getting Started.
{
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "StaticRequestFilter",
"config": {
"method": "POST",
"uri": "http://app.example.com:8081/login",
"form": {
"username": [
"demo"
],
"password": [
"Ch4ng31t"
]
}
}
}
],
"handler": "ReverseProxyHandler"
}
},
"condition": "${find(request.uri.path, '^/static')}"
}SwitchFilter
Verifies that a specified condition is met. If the condition is met or no condition is specified, the request is diverted to the associated handler, with no further processing by the switch filter.
Usage
{
"name": string,
"type": "SwitchFilter",
"config": {
"onRequest": [
{
"condition": runtime expression<boolean>,
"handler": Handler reference
},
...
],
"onResponse": [
{
"condition": runtime expression<boolean>,
"handler": Handler reference
},
...
]
}
}Properties
"onRequest": array of objects, optional-
Conditions to test (and handler to dispatch to, if
true) before the request is handled. "onResponse": array of objects, optional-
Conditions to test (and handler to dispatch to, if
true) after the response is handled. "condition": runtime expression<boolean>, optional-
If the expression evaluates to
true, the request is dispatched to the handler. If no condition is specified, the request is dispatched to the handler unconditionally.Default: No condition is specified.
See also Expressions.
"handler": Handler reference, required-
Dispatch to this handler if the condition yields
true.Provide either the name of a Handler object defined in the heap, or an inline Handler configuration object.
See also Handlers.
Example
This example intercepts the response if it is equal to 200 and executes the LoginRequestHandler. This filter might be used in a login flow where the request for the login page must go through to the target, but the response should be intercepted in order to send the login form to the application. This is typical for scenarios where there is a hidden value or cookie returned in the login page, which must be sent in the login form:
{
"name": "SwitchFilter",
"type": "SwitchFilter",
"config": {
"onResponse": [
{
"condition": "${response.status.code == 200}",
"handler": "LoginRequestHandler"
}
]
}
}ThrottlingFilter
Limits the rate that requests pass through a filter. The maximum number of requests that a client is allowed to make in a defined time is called the throttling rate.
When the throttling rate is reached, IG issues an HTTP status code
429 Too Many Requests and a Retry-After header, whose value is rounded up
to the number of seconds to wait before trying the request again.
GET http://openig.example.com:8080/home/throttle-scriptable HTTP/1.1
. . .
HTTP/1.1 429 Too Many Requests
Retry-After: 10Usage
{
"name": string,
"type": "ThrottlingFilter",
"config": {
"requestGroupingPolicy": runtime expression<string>,
"throttlingRatePolicy": reference or inline declaration, //Use either "throttlingRatePolicy"
"rate": { //or "rate", but not both.
"numberOfRequests": integer,
"duration": duration string
},
"cleaningInterval": duration string,
"executor": executor
}
}Properties
"requestGroupingPolicy": runtime expression<string>, optional-
An expression to identify the partition to use for the request. In many cases the partition identifies an individual client that sends requests, but it can also identify a group that sends requests. The expression can evaluate to the client IP address or user ID, or an OpenID Connect subject/issuer.
The value for this expression must not be null.
Default: Empty string; all requests share the same partition
See also Expressions.
"throttlingRatePolicy": reference or inline declaration, required ifrateis not used-
A reference to or inline declaration of a policy to apply for throttling rate. The following policies can be used:
This value for this parameter must not be null.
"rate": rate object, required ifthrottlingRatePolicyis not used-
The throttling rate to apply to requests. The rate is calculated as the number of requests divided by the duration:
"numberOfRequests": integer, required-
The number of requests allowed through the filter in the time specified by
"duration".
"duration": duration string, required-
A time interval during which the number of requests passing through the filter is counted.
"cleaningInterval": duration, optional-
The time to wait before cleaning outdated partitions. The value must be more than zero but not more than one day.
"executor": executor, optional-
An executor service to schedule the execution of tasks, such as the clean up of partitions that are no longer used.
Default:
ScheduledExecutorServiceSee also ScheduledExecutorService.
Examples
The following route defines a throttling rate of 6 requests/10 seconds to requests. For information about how to set up and test this example, see Configure Simple Throttling.
{
"name": "00-throttle-simple",
"baseURI": "http://app.example.com:8081",
"condition": "${find(request.uri.path, '^/home/throttle-simple')}",
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "ThrottlingFilter",
"name": "ThrottlingFilter-1",
"config": {
"requestGroupingPolicy": "",
"rate": {
"numberOfRequests": 6,
"duration": "10 s"
}
}
}
],
"handler": "ReverseProxyHandler"
}
}
}TokenTransformationFilter
Transforms a token issued by AM to another token type.
The TokenTransformationFilter makes the result of the token transformation
available to downstream handlers in the sts context. For information, see
StsContext.
The current implementation uses REST Security Token Service (STS) APIs to
transform an OpenID Connect ID Token (id_token) into a SAML 2.0 assertion.
The subject confirmation method is Bearer, as described in
Profiles for the OASIS Security Assertion Markup Language (SAML) V2.0
.
The TokenTransformationFilter makes the result of the token transformation
available to downstream handlers in the issuedToken property of the
${contexts.sts} context.
The TokenTransformationFilter configuration references a REST STS instance that must be set up in AM before the TokenTransformationFilter can be used. The REST STS instance exposes a preconfigured transformation under a specific REST endpoint. For information about setting up a REST STS instance, see the AM documentation.
Errors that occur during the token transformation cause a error response to be returned to the client and an error message to be logged for the IG administrator.
Supported with OpenAM 13.5, and AM 5 and later versions.
Usage
{
"name": "string",
"type": "TokenTransformationFilter",
"config": {
"amService": AmService reference,
"idToken": runtime expression<string>,
"instance": "expression"
}
}Properties
"amService": AmService reference, required-
The AmService heap object to use for the following properties:
-
agent, the credentials of the IG agent in AM, to authenticate IG as an AM REST STS client, and to communicate WebSocket notifications from AM to IG. This credentials are evaluated when the route is initialized -
url, the URL of an AM service to use for session token validation and authentication. Authentication and REST STS requests are made to this service. -
realm, the AM realm containing the following information:-
The AM application that can make the REST STS request and whose credentials are the username and password.
-
The STS instance described by the instance field.
-
-
ssoTokenHeader, the name of the HTTP header that provides the SSO token for the REST STS client subject. -
amHandler, the handler to use for authentication and STS requests to AM.
See also AmService.
-
"idToken": runtime expression<string>, required-
The value of the OpenID Connect ID token. The expected value is a string that is the JWT encoded
id_token.See also Expressions.
"instance": expression, required-
An expression evaluating to the name of the REST STS instance.
This expression is evaluated when the route is initialized, so the expression cannot refer to
requestorcontexts.See also Expressions.
Example
The following example shows a configuration for a TokenTransformationFilter:
{
"type": "TokenTransformationFilter",
"config": {
"amService": "MyAmService",
"idToken": "${attributes.openid.id_token}",
"instance": "openig"
}
}For an example of how to set up and test the TokenTransformationFilter, see Transform OpenID Connect ID Tokens Into SAML Assertions.
TransactionIdOutboundFilter
Inserts the ID of a transaction into the header of a request.
The default TransactionIdOutboundFilter is created by IG, and used in ForgeRockClientHandler, as follows:
{
"name": "ForgeRockClientHandler",
"type": "ForgeRockClientHandler",
"config": {
"filters": [ "TransactionIdOutboundFilter" ],
"handler": "ClientHandler"
}
}UmaFilter
This filter acts as a policy enforcement point, protecting access as a User-Managed Access (UMA) resource server. Specifically, this filter ensures that a request for protected resources includes a valid requesting party token with appropriate scopes before allowing the response to flow back to the requesting party.
UMA 2.0 is supported with AM 5.5 and later versions. UMA 1.0 is supported with AM 5.1 and later versions.
Usage
{
"name": string,
"type": "UmaFilter",
"config": {
"protectionApiHandler": Handler reference,
"umaService": UmaService reference,
"realm": string
}
}Properties
"protectionApiHandler": Handler reference, required-
The handler to use when interacting with the UMA authorization server for token introspection and permission requests, such as a ClientHandler capable of making an HTTPS connection to the server.
For details, see Handlers.
"umaService": UmaService reference, required-
The UmaService to use when protecting resources.
For details, see UmaService.
"realm": string, optional-
The UMA realm set in the response to a request for a protected resource that does not include a requesting party token enabling access to the resource.
Default:
uma
UriPathRewriteFilter
Rewrite a URL path, using a bidirectional mapping:
-
In the request flow,
fromPathis mapped totoPath. -
In the response flow,
toPathis mapped tofromPath.
IG overwrites a response header only when all of the following conditions are true:
-
The response includes a header such as
LocationorContent-Location -
The URI of the response header matches the mapping
-
The value of response header is a relative path or its
scheme://host:portvalue matches the base URI.
Usage
{
"name": string,
"type": "UriPathRewriteFilter",
"config": {
"mappings": configuration object,
"failureHandler": Handler reference
}
}Properties
"mappings": configuration object, required-
One or more bidirectional mappings between URL paths: For example mappings, request scenarios, and an example route, see Examples.
{ "mappings": { "/fromPath1": "/toPath1", "/fromPath2": "/toPath2" } }Consider the following points when you define paths:
-
The incoming URL must start with the mapping path.
-
When more than one mapping applies to a URL, the most specific mapping is used.
-
Duplicate
fromPathvalues are removed without warning. -
Trailing slashes
/are removed from path values. -
If the response includes a
LocationorContent-Locationheader with atoPathin its URL, the response is rewritten withfromPath.
-
"failureHandler": handler reference, optional-
Failure handler to be invoked if an invalid URL is produced when the request path is mapped or when the response
LocationorContent-Locationheader URI path is reverse-mapped.Provide an inline handler declaration, or the name of a handler object defined in the heap. See also Handlers.
Default: HTTP 500
Examples
Valid and invalid mapping examples
The following mapping examples are valid:
-
Single
fromPathandtoPath"mappings": { "/fromPath1": "/toPath1", "/fromPath2": "/toPath2" } -
Expressions in the
fromPathandtoPath"mappings": { "/${join(array(`fromPath`, 'path1'), `/`)": "/${join(array(`toPath`, 'path2'), `/`)}" } -
Expressions in the
fromPathandtoPaththat use predefined heap properties"mappings": { "${fromPath}": "${toPath}" } -
No mappings—the configuration is valid, but has no effect
"mappings": { } -
Duplicate
toPath"mappings": { "/fromPath1": "/toPath", "/fromPath2": "/toPath" } -
Duplicate
fromPath—the configuration is overwritten without warning"mappings": { "/fromPath": "/toPath1", "/fromPath": "/toPath2" }
The following mapping examples are not valid
-
No
toPath"mappings": { "/fromPath": "" }"mappings": { "/fromPath": "${unknown}" } -
Invalid
toPath"mappings": { "/fromPath": "${invalidExpression}" } -
No
fromPath"mappings": { "": "/toPath" }"mappings": { "${unknown}": "/toPath" } -
Invalid
fromPath"mappings": { "${invalidExpression}": "/toPath" }
Example request scenarios
| Description | Mapping | Inbound URI | Rewritten URI |
|---|---|---|---|
Basic path |
|
http://example.com/fromPath/remainder |
http://example.com/toPath/remainder |
Root context, where the inbound request URI has a |
|
http://example.com/ |
http://example.com/rootcontext/ |
Root context, where the inbound URI has a |
|
http://example.com/rootcontext/ |
http://example.com/ |
Root context, where the inbound request URI has an empty path |
|
http://example.com |
http://example.com/rootcontext |
Root context, where the rewritten URI has an empty path |
|
http://example.com/rootcontext |
http://example.com |
Root context, with path remainder |
|
http://example.com/remainder |
http://example.com/rootcontext/remainder |
Root context, with path remainder |
|
http://example.com/rootcontext/remainder |
http://example.com/remainder |
Root context, where the trailing |
|
http://example.com/remainder |
http://example.com/rootcontext/remainder |
Path with dot-segments: |
|
http://example.com/fromPath |
http://example.com/toPath1/../toPath2 |
Path with syntax: |
|
http://example.com/fromPath;v=1.1 |
http://example.com/toPath,1.1 |
Path with syntax: |
|
http://example.com/$fromPath |
http://example.com/$toPath |
Path with query parameters |
|
http://example.com/fromPath?param1¶m2=2 |
http://example.com/toPath?param1¶m2=2 |
Path with fragment |
|
http://example.com/fromPath#fragment |
http://example.com/toPath#fragment |
Example route
The example route changes a request URL as follows:
-
The
baseURIoverrides the scheme, host, and port of a request URL. -
The UriPathRewriteFilter remaps the path of a request URL.
Requests to
http://openig.example.com:8080/myloginare mapped tohttp://app.example.com:8081/login.Requests to
http://openig.example.com:8080/welcomeare mapped tohttp://app.example.com:8081/home.Requests to
http://openig.example.com:8080/otherare mapped tohttp://app.example.com:8081/not-found, and result in an HTTP 404.Requests to
http://openig.example.com:8080/badurlare mapped to the invalid URLhttp://app.example.com:8081[, and invoke the failure handler.
{
"name": "UriPathRewriteFilter",
"baseURI": "http://app.example.com:8081",
"handler": {
"type": "Chain",
"config": {
"filters": [
{
"type": "UriPathRewriteFilter",
"config": {
"mappings": {
"/mylogin": "/login",
"/welcome": "/home",
"/other": "/not-found",
"/badurl": "["
},
"failureHandler": {
"type": "StaticResponseHandler",
"config": {
"status": 500,
"headers": {
"Content-Type": [
"text/plain"
]
},
"entity": "Invalid URL produced"
}
}
}
}
],
"handler": "ClientHandler"
}
}
}UserProfileFilter
Queries AM to retrieve the profile attributes of an user identified by
their username.
Only profile attributes that are enabled in AM can be returned by the
query. The roles field is not returned.
The data is made available to downstream IG filters and handlers, in the context UserProfileContext.
Supported with AM 5 and later versions.
Usage
{
"name": string,
"type": "UserProfileFilter",
"config": {
"username": configuration expression<string>,
"userProfileService": UserProfileService reference
}
}Properties
"username": configuration expression<string>, required-
The username of an AM subject. This filter retrieves profile attributes for the subject.
"userProfileService": UserProfileService reference, required-
The service to retrieve profile attributes from AM, for the subject identified by
username."userProfileService": { "type": "UserProfileService", "config": { "amService": AmService reference, "cache": object, "profileAttributes": array of runtime expression<string>, "realm": configuration expression<string> } }"amService": AmService reference, required-
The AmService heap object to use for the following properties:
-
agent, the credentials of the IG agent in AM. When the agent is authenticated, the token can be used for tasks such as getting the user’s profile, making policy evaluations, and connecting to the AM notification endpoint.
-
url: URL of the AM server where the user is authenticated. -
amHandler: Handler to use when communicating with AM to fetch the requested user’s profile.
-
realm: Realm of the IG agent in AM.
-
version: The version of the AM server.
cache: object, optional-
Caching of AM user profiles, based on Caffeine. For more information, see the GitHub entry, Caffeine.
When caching is enabled, IG can reuse cached profile attributes without repeatedly querying AM. When caching is disabled, IG must query AM for each request, to retrieve the required user profile attributes.
Default: No cache.
enabled: boolean, optional-
Enable or disable caching of user profiles. When
false, the cache is disabled but the cache configuration is maintained.Default:
truewhencacheis configured executor: executor, optional-
An executor service to schedule the execution of tasks, such as the eviction of entries in the cache.
Default:
ForkJoinPool.commonPool() "maximumSize": configuration expression<number>, optional-
The maximum number of entries the cache can contain.
Default: Unlimited/unbound
maximumTimeToCache: duration, required-
The maximum duration for which to cache user profiles.
The duration cannot be
zero.
profileAttributes: array of runtime expression<string>, optional-
List of one or more fields to return and store in UserProfileContext.
Field names are defined by the underlying repository in AM. When AM is installed with the default configuration, the repository is ForgeRock Directory Services.
The following convenience accessors are provided for commonly used fields:
-
cn: Retrieved through${contexts.userProfile.commonName} -
dn: Retrieved through${contexts.userProfile.distinguishedName} -
realm: Retrieved through${contexts.userProfile.realm} -
username: Retrieved through${contexts.userProfile.username}
All other available fields can be retrieved through
${contexts.userProfile.rawInfo}and${contexts.userProfile.asJsonValue()}.When
profileAttributesis configured, the specified fields and the following fields are returned:username,_id, and_rev.Default: All available fields are returned.
-
"realm": configuration expression<string>, optional-
The AM realm where the subject is authenticated.
Default: The realm declared for
amService.
Example
For examples that use the UserProfileFilter, see Get User Profile Information From AM.