Mapped Throttling Filter in Structured Editor

This section describes how to set up a mapped throttling filter in the structured editor of Studio. For more information about how to set up throttling, see "Configuring Mapped Throttling".

Set Up a Mapped Throttling Filter

To test the example, set up AM as described in "Validating Access_Tokens Through the Introspection Endpoint". In addition, create an OAuth 2.0 Client authorized to introspect tokens, with the following values:

  • Client ID: resource-server

  • Client secret: password

  • Scope(s): am-introspect-all-tokens

  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Structured to use the structured editor.

  2. Select Advanced options on the right, and create a route with the following options:

    • Base URI: http://app.example.com:8081

    • Condition: Path: /home/throttle-mapped-se

    • Name: 00-throttle-mapped-se

  3. Configure authorization:

    1. Select Authorization > OAuth 2.0 Resource Server, and then select the following options:

      • Token resolver configuration:

        • Access token resolver: OAuth 2.0 introspection endpoint

        • Introspection endpoint URI: http://openam.example.com:8088/openam/oauth2/introspect

        • Client name and Client secret: resource-server and password

          This is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM.

      • Scope configuration:

        • Evaluate scopes: Statically

        • Scopes: mail, employeenumber

      • OAuth 2.0 Authorization settings:

        • Require HTTPS: Deselect this option

        • Enable cache: Deselect this option

      Leave all other values as default.

  4. Configure throttling:

    1. Select and enable Throttling.

    2. Set up the grouping policy:

      1. In GROUPING POLICY, apply the rate to independent groups of requests.

        Requests are split into different groups according to criteria, and the throttling rate is applied to each group.

      2. Select to group requests by custom criteria.

      3. Enter ${contexts.oauth2.accessToken.info.mail} as the custom expression.

        This expression defines the subject in the OAuth2Context.

    3. Set up the rate policy:

      1. In RATE POLICY, select Mapped.

      2. Select to map requests by custom criteria.

      3. Enter the custom expression ${contexts.oauth2.accessToken.info.status}.

      4. In Default Rate, select Edit and change the default rate to 1 request every 10 seconds.

      5. In Mapped Rates, add the following rate for gold status:

        • Match Value: gold

        • Number of requests: 6

        • Period: 10 seconds

      6. Add a different rate for silver status:

        • Match Value: silver

        • Number of requests: 3

        • Period: 10 seconds

      7. Add a different rate for bronze status:

        • Match Value: bronze

        • Number of requests: 1

        • Period: 10 seconds

      8. Save the rate policy.

  5. Select Chain, and change the order of the filters so that Throttling comes after Authorization.

  6. On the top-right of the screen, select and Display to review the route.

    The following route should be displayed:

    {
      "name": "00-throttle-mapped-se",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/throttle-mapped-se')}",
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "OAuth2ResourceServerFilter-1",
              "type": "OAuth2ResourceServerFilter",
              "config": {
                "scopes": [
                  "mail",
                  "employeenumber"
                ],
                "requireHttps": false,
                "realm": "OpenIG",
                "accessTokenResolver": {
                  "name": "token-resolver-1",
                  "type": "TokenIntrospectionAccessTokenResolver",
                  "config": {
                    "endpoint": "http://openam.example.com:8088/openam/oauth2/introspect",
                    "providerHandler": {
                      "type": "Chain",
                      "config": {
                        "filters": [
                          {
                            "type": "HeaderFilter",
                            "config": {
                              "messageType": "request",
                              "add": {
                                "Authorization": [
                                  "Basic ${encodeBase64('resource-server:password')}"
                                ]
                              }
                            }
                          }
                        ],
                        "handler": "ForgeRockClientHandler"
                      }
                    }
                  }
                }
              }
            },
            {
              "name": "ThrottlingFilter-1",
              "type": "ThrottlingFilter",
              "config": {
                "requestGroupingPolicy": "${contexts.oauth2.accessToken.info.mail}",
                "throttlingRatePolicy": {
                  "name": "MappedPolicy",
                  "type": "MappedThrottlingPolicy",
                  "config": {
                    "throttlingRateMapper": "${contexts.oauth2.accessToken.info.status}",
                    "throttlingRatesMapping": {
                      "gold": {
                        "numberOfRequests": 6,
                        "duration": "10 s"
                      },
                      "silver": {
                        "numberOfRequests": 3,
                        "duration": "10 s"
                      },
                      "bronze": {
                        "numberOfRequests": 1,
                        "duration": "10 s"
                      }
                    },
                    "defaultRate": {
                      "numberOfRequests": 1,
                      "duration": "10 s"
                    }
                  }
                }
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

  7. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.
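
The following added example (not part of the original page and not IG code) models how the route above chooses a rate from `info.status` and keeps a separate allowance per `info.mail`, including the fallback to the default rate when the status is unmapped or missing. The token-bucket refill, the function and class names, and the sample token values are assumptions of this example.

```python
# Added example: simplified model of the route's MappedThrottlingPolicy.
# The token bucket below is this example's own model, not IG source code.
from dataclasses import dataclass

# Rates copied from the route: status value -> (numberOfRequests, seconds).
MAPPED_RATES = {"gold": (6, 10.0), "silver": (3, 10.0), "bronze": (1, 10.0)}
DEFAULT_RATE = (1, 10.0)


def resolve_rate(token_info):
    """throttlingRateMapper: look up info.status, else fall back to defaultRate."""
    return MAPPED_RATES.get(token_info.get("status"), DEFAULT_RATE)


@dataclass
class Bucket:
    tokens: float
    last: float


class MappedThrottle:
    def __init__(self):
        self.buckets = {}  # one bucket per grouping key (info.mail)

    def allow(self, token_info, now):
        """Return True if the request passes, False if it would be throttled."""
        group = token_info["mail"]  # requestGroupingPolicy
        limit, period = resolve_rate(token_info)
        b = self.buckets.setdefault(group, Bucket(float(limit), now))
        # Refill in proportion to elapsed time, capped at the mapped limit.
        b.tokens = min(float(limit), b.tokens + (now - b.last) * limit / period)
        b.last = now
        if b.tokens >= 1.0:
            b.tokens -= 1.0
            return True
        return False


def simulate(token_info, times, throttle=None):
    """Replay requests at the given timestamps; return the allow/deny list."""
    throttle = throttle or MappedThrottle()
    return [throttle.allow(token_info, t) for t in times]


if __name__ == "__main__":
    # Constructed introspection results; the address is a placeholder.
    burst = [i * 0.1 for i in range(8)]
    for status in ("gold", "platinum"):
        print(status, simulate({"mail": "user@example.com", "status": status}, burst))
```

Passing the same `MappedThrottle` instance to several `simulate` calls shows that two users with the same status do not share an allowance, because the bucket key is the mail value rather than the status.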
