Resource Server Using the Introspection Endpoint in Structured Editor

This section sets up IG as an OAuth 2.0 resource server, using the introspection endpoint, in the structured editor of Studio.

Set Up a Resource Server Using the Introspection Endpoint

To test the example, set up AM as described in "Validating Access Tokens Through the Introspection Endpoint". In addition, create an OAuth 2.0 client that is authorized to introspect tokens, with the following values:

  • Client ID: resource-server

  • Client secret: password

  • Scope(s): am-introspect-all-tokens

  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Structured to use the structured editor.

  2. Create a route with the following option:

    • Application URL: http://app.example.com:8081/rs-introspect-se

  3. Configure authorization:

    1. Select Authorization > OAuth 2.0 Resource Server, and then select the following options:

      • Token resolver configuration:

        • Access token resolver: OAuth 2.0 introspection endpoint

        • Introspection endpoint URI: http://openam.example.com:8088/openam/oauth2/introspect

        • Client name: resource-server

        • Client secret: password

          These are the name and password of the OAuth 2.0 client, configured in AM, that has the scope to examine (introspect) tokens.

      • Scope configuration:

        • Evaluate scopes: Statically

        • Scopes: mail, employeenumber

      • OAuth 2.0 Authorization settings:

        • Require HTTPS: Deselect this option

        • Enable cache: Deselect this option

      Leave all other values as default.

  4. Add a StaticResponseHandler:

    1. On the top-right of the screen, select Editor mode to switch into editor mode.

      Warning

      After switching to Editor mode, you cannot go back. You will be able to use the JSON file editor to edit the route manually, but will no longer be able to use the full Studio interface to add or edit filters.

    2. Replace the last ReverseProxyHandler in the route with the following StaticResponseHandler, and then save the route:

      "handler": {
        "type": "StaticResponseHandler",
        "config": {
          "status": 200,
          "headers": {
            "Content-Type": [ "text/html" ]
          },
          "entity": "<html><body><h2>Decoded access_token: ${contexts.oauth2.accessToken.info}</h2></body></html>"
        }
      }

  5. On the top-right of the screen, select Display to review the route.

    The following route should be displayed:

    {
      "name": "rs-introspect-se",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/rs-introspect-se')}",
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "OAuth2ResourceServerFilter-1",
              "type": "OAuth2ResourceServerFilter",
              "config": {
                "scopes": [
                  "mail",
                  "employeenumber"
                ],
                "requireHttps": false,
                "realm": "OpenIG",
                "accessTokenResolver": {
                  "name": "token-resolver-1",
                  "type": "TokenIntrospectionAccessTokenResolver",
                  "config": {
                    "endpoint": "http://openam.example.com:8088/openam/oauth2/introspect",
                    "providerHandler": {
                      "type": "Chain",
                      "config": {
                        "filters": [
                          {
                            "type": "HeaderFilter",
                            "config": {
                              "messageType": "request",
                              "add": {
                                "Authorization": [
                                  "Basic ${encodeBase64('resource-server:password')}"
                                ]
                              }
                            }
                          }
                        ],
                        "handler": "ForgeRockClientHandler"
                      }
                    }
                  }
                }
              }
            }
          ],
          "handler": {
            "type": "StaticResponseHandler",
            "config": {
              "status": 200,
              "headers": {
                "Content-Type": [ "text/html" ]
              },
              "entity": "<html><body><h2>Decoded access_token: ${contexts.oauth2.accessToken.info}</h2></body></html>"
            }
          }
        }
      }
    }

  6. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.
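    The route above delegates the whole trust decision to two things: the HeaderFilter that authenticates the resource server to the introspection endpoint with the Basic credentials of the resource-server client, and the OAuth2ResourceServerFilter that only lets a request reach the StaticResponseHandler when the introspected token is active and carries the statically required scopes. The following Python script is an added example that models that decision offline; it is not IG or AM code. It reuses the endpoint URI, client name and scopes from the route, but the client secret, the sample introspection responses and the function names are constructed for illustration.

```python
"""Offline model of the resource-server check performed by the route's
OAuth2ResourceServerFilter with a TokenIntrospectionAccessTokenResolver.

Added example, not IG's or AM's own code. The endpoint, client name and
required scopes come from the route on this page; the secret, the sample
introspection responses and all function names are constructed."""
import base64
import json
import time
from dataclasses import dataclass
from typing import Iterable, Optional

INTROSPECT_ENDPOINT = "http://openam.example.com:8088/openam/oauth2/introspect"
REQUIRED_SCOPES = {"mail", "employeenumber"}  # "Evaluate scopes: Statically"


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Same value the route's HeaderFilter builds with
    "Basic ${encodeBase64('resource-server:password')}"."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def introspection_request(access_token: str, client_id: str, client_secret: str) -> dict:
    """The request IG sends to the introspection endpoint (RFC 7662): the caller's
    token travels in the form body, the resource server's own credentials in the
    Authorization header. Returned as a plain dict so the example runs offline."""
    return {
        "method": "POST",
        "url": INTROSPECT_ENDPOINT,
        "headers": {
            "Authorization": basic_auth_header(client_id, client_secret),
            "Content-Type": "application/x-www-form-urlencoded",
        },
        "body": f"token={access_token}",
    }


@dataclass
class Decision:
    status: int                 # HTTP status the resource server would answer with
    reason: str
    info: Optional[dict] = None  # what ${contexts.oauth2.accessToken.info} exposes


def authorize(introspection_response: str,
              required: Iterable[str] = REQUIRED_SCOPES,
              now: Optional[float] = None) -> Decision:
    """Decide from the introspection response body whether the request may
    reach the protected handler. Only an active, unexpired token whose scope
    string contains every required scope is accepted."""
    now = time.time() if now is None else now
    try:
        info = json.loads(introspection_response)
    except json.JSONDecodeError:
        return Decision(502, "introspection response is not JSON")
    if not isinstance(info, dict) or info.get("active") is not True:
        # RFC 7662: an inactive token yields {"active": false}; no other claim
        # in such a response may be relied on, so the caller gets 401.
        return Decision(401, "token is not active")
    exp = info.get("exp")
    if isinstance(exp, (int, float)) and exp <= now:
        return Decision(401, "token has expired")
    granted = set(str(info.get("scope", "")).split())
    missing = set(required) - granted
    if missing:
        return Decision(403, "insufficient_scope: missing " + " ".join(sorted(missing)))
    return Decision(200, "ok", info)


# Constructed sample responses, shaped like AM's introspection output.
ACTIVE_RESPONSE = json.dumps({
    "active": True, "scope": "openid mail employeenumber",
    "client_id": "demo-client", "username": "demo", "token_type": "Bearer",
    "exp": 1_700_000_000,
})
INACTIVE_RESPONSE = json.dumps({"active": False})
NARROW_SCOPE_RESPONSE = json.dumps({
    "active": True, "scope": "openid mail", "client_id": "demo-client",
    "exp": 1_700_000_000,
})
SAMPLE_NOW = 1_600_000_000  # fixed clock so the decisions are reproducible


if __name__ == "__main__":
    req = introspection_request("<opaque-token>", "resource-server", "password")
    print(req["headers"]["Authorization"])
    for body in (ACTIVE_RESPONSE, INACTIVE_RESPONSE, NARROW_SCOPE_RESPONSE):
        d = authorize(body, now=SAMPLE_NOW)
        print(d.status, d.reason)
```

With "Enable cache" deselected, as in this route, every request to /rs-introspect-se results in one such introspection call, which is what makes revocation take effect immediately; the model above likewise keeps no cache.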
