Scriptable Throttling Filter in Structured Editor
This section describes how to set up a scriptable throttling filter in the structured editor of Studio. For more information about how to set up throttling, see "Configuring Scriptable Throttling".
To test the example, set up AM as described in "Validating Access_Tokens Through the Introspection Endpoint". In addition, create an OAuth 2.0 Client authorized to introspect tokens, with the following values:
Client ID:
resource-serverClient secret
passwordScope(s):
am-introspect-all-tokens
In IG Studio, create a route:
Go to http://openig.example.com:8080/openig/studio, and select Create a route.
Select Structured to use the structured editor.
Select Advanced options on the right, and create a route with the following options:
Base URI:
http://app.example.com:8081Condition: Path:
/home/throttle-scriptable-seName:
00-throttle-scriptable-se
Configure authorization:
Select Authorization > OAuth 2.0 Resource Server, and then select the following options:
Token resolver configuration:
Access token resolver:
OAuth 2.0 introspection endpointIntrospection endpoint URI:
http://openam.example.com:8088/openam/oauth2/introspectClient name: and Client secret:
resource-serverandpasswordThis is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM.
Scope configuration:
Evaluate scopes:
StaticallyScopes:
mail,employeenumber
OAuth 2.0 Authorization settings:
Require HTTPS: Deselect this option
Enable cache: Deselect this option
Leave all other values as default.
Configure throttling:
Select and enable Throttling.
Set up the grouping policy:
In GROUPING POLICY, apply the rate to independent groups of requests.
Requests are split into different groups according to criteria, and the throttling rate is applied to each group.
Select to group requests by custom criteria.
Enter
${contexts.oauth2.accessToken.info.mail}as the custom expression.
Set up the rate policy:
In RATE POLICY, select Scripted.
Select to create a new script, and name it
X-User-Status. So that you can easily identify the script, use a name that describes the content of the script.Add the following argument/value pairs:
argument:
status, value:goldargument:
rate, value:6argument:
duration, value:10 seconds
Replace the default script with the content of a valid Groovy script. For example, enter the following script:
if (contexts.oauth2.accessToken.info.status == status) { return new ThrottlingRate(rate, duration) } else { return null }Tip
Alternatively, you can skip the step where you define arguments, and add the following script instead:
if (contexts.oauth2.accessToken.info.status == 'gold') { return new ThrottlingRate(6, '10 seconds') } else { return null }Note
Studio does not check the validity of the Groovy script.
Enable the default rate, and set it to 1 request each 10 seconds.
Save the rate policy. The script is added to the list of reference scripts available to use in scriptable throttling filters.
Select Chain, and change the order of the filters so that Throttling comes after Authorization.
On the top-right of the screen, select and Display to review the route.
The following route should be displayed:
{ "name": "00-throttle-scriptable-se", "baseURI": "http://app.example.com:8081", "condition": "${matches(request.uri.path, '^/home/throttle-scriptable-se')}", "handler": { "type": "Chain", "config": { "filters": [ { "name": "OAuth2ResourceServerFilter-1", "type": "OAuth2ResourceServerFilter", "config": { "scopes": [ "mail", "employeenumber" ], "requireHttps": false, "realm": "OpenIG", "accessTokenResolver": { "name": "token-resolver-1", "type": "TokenIntrospectionAccessTokenResolver", "config": { "endpoint": "http://openam.example.com:8088/openam/oauth2/introspect", "providerHandler": { "type": "Chain", "config": { "filters": [ { "type": "HeaderFilter", "config": { "messageType": "request", "add": { "Authorization": [ "Basic ${encodeBase64('resource-server:password')}" ] } } } ], "handler": "ForgeRockClientHandler" } } } } } }, { "name": "ThrottlingFilter-1", "type": "ThrottlingFilter", "config": { "requestGroupingPolicy": "${contexts.oauth2.accessToken.info.mail}", "throttlingRatePolicy": { "type": "DefaultRateThrottlingPolicy", "config": { "delegateThrottlingRatePolicy": { "name": "ScriptedPolicy", "type": "ScriptableThrottlingPolicy", "config": { "type": "application/x-groovy", "source": [ "if (contexts.oauth2.accessToken.info.status == status) {", " return new ThrottlingRate(rate, duration)", "} else {", " return null", "}" ], "args": { "status": "gold", "rate": 6, "duration": "10 seconds" } } }, "defaultRate": { "numberOfRequests": 1, "duration": "10 s" } } } } } ], "handler": "ReverseProxyHandler" } } }Select Deploy to push the route to the IG configuration.
You can check the
$HOME/.openig/config/routesfolder to see that the route is there.