Scriptable Throttling Filter in Structured Editor

This section describes how to set up a scriptable throttling filter in the structured editor of Studio. For more information about how to set up throttling, see "Configuring Scriptable Throttling".

Set Up a Scriptable Throttling Filter}

To test the example, set up AM as described in "Validating Access_Tokens Through the Introspection Endpoint". In addition, create an OAuth 2.0 Client authorized to introspect tokens, with the following values:

  • Client ID: resource-server

  • Client secret password

  • Scope(s): am-introspect-all-tokens

  1. In IG Studio, create a route:

    1. Go to http://openig.example.com:8080/openig/studio, and select Create a route.

    2. Select Structured to use the structured editor.

  2. Select Advanced options on the right, and create a route with the following options:

    • Base URI: http://app.example.com:8081

    • Condition: Path: /home/throttle-scriptable-se

    • Name: 00-throttle-scriptable-se

  3. Configure authorization:

    1. Select Authorization > OAuth 2.0 Resource Server, and then select the following options:

      • Token resolver configuration:

        • Access token resolver: OAuth 2.0 introspection endpoint

        • Introspection endpoint URI: http://openam.example.com:8088/openam/oauth2/introspect

        • Client name: and Client secret: resource-server and password

          This is the name and password of the OAuth 2.0 client with the scope to examine (introspect) tokens, configured in AM.

      • Scope configuration:

        • Evaluate scopes: Statically

        • Scopes: mail, employeenumber

      • OAuth 2.0 Authorization settings:

        • Require HTTPS: Deselect this option

        • Enable cache: Deselect this option

      Leave all other values as default.

  4. Configure throttling:

    1. Select and enable Throttling.

    2. Set up the grouping policy:

      1. In GROUPING POLICY, apply the rate to independent groups of requests.

        Requests are split into different groups according to criteria, and the throttling rate is applied to each group.

      2. Select to group requests by custom criteria.

      3. Enter ${contexts.oauth2.accessToken.info.mail} as the custom expression.

    3. Set up the rate policy:

      1. In RATE POLICY, select Scripted.

      2. Select to create a new script, and name it X-User-Status. So that you can easily identify the script, use a name that describes the content of the script.

      3. Add the following argument/value pairs:

        • argument: status, value: gold

        • argument: rate, value: 6

        • argument: duration, value: 10 seconds

      4. Replace the default script with the content of a valid Groovy script. For example, enter the following script:

        if (contexts.oauth2.accessToken.info.status == status) {
        return new ThrottlingRate(rate, duration)
        } else {
        return null
        }

        Tip

        Alternatively, you can skip the step where you define arguments, and add the following script instead:

        if (contexts.oauth2.accessToken.info.status == 'gold') {
        return new ThrottlingRate(6, '10 seconds')
        } else {
        return null
        }

        Note

        Studio does not check the validity of the Groovy script.

      5. Enable the default rate, and set it to 1 request each 10 seconds.

      6. Save the rate policy. The script is added to the list of reference scripts available to use in scriptable throttling filters.

  5. Select Chain, and change the order of the filters so that Throttling comes after Authorization.

  6. On the top-right of the screen, select and Display to review the route.

    The following route should be displayed:

    {
      "name": "00-throttle-scriptable-se",
      "baseURI": "http://app.example.com:8081",
      "condition": "${matches(request.uri.path, '^/home/throttle-scriptable-se')}",
      "handler": {
        "type": "Chain",
        "config": {
          "filters": [
            {
              "name": "OAuth2ResourceServerFilter-1",
              "type": "OAuth2ResourceServerFilter",
              "config": {
                "scopes": [
                  "mail",
                  "employeenumber"
                ],
                "requireHttps": false,
                "realm": "OpenIG",
                "accessTokenResolver": {
                  "name": "token-resolver-1",
                  "type": "TokenIntrospectionAccessTokenResolver",
                  "config": {
                    "endpoint": "http://openam.example.com:8088/openam/oauth2/introspect",
                    "providerHandler": {
                      "type": "Chain",
                      "config": {
                        "filters": [
                          {
                            "type": "HeaderFilter",
                            "config": {
                              "messageType": "request",
                              "add": {
                                "Authorization": [
                                  "Basic ${encodeBase64('resource-server:password')}"
                                ]
                              }
                            }
                          }
                        ],
                        "handler": "ForgeRockClientHandler"
                      }
                    }
                  }
                }
              }
            },
            {
              "name": "ThrottlingFilter-1",
              "type": "ThrottlingFilter",
              "config": {
                "requestGroupingPolicy": "${contexts.oauth2.accessToken.info.mail}",
                "throttlingRatePolicy": {
                  "type": "DefaultRateThrottlingPolicy",
                  "config": {
                    "delegateThrottlingRatePolicy": {
                      "name": "ScriptedPolicy",
                      "type": "ScriptableThrottlingPolicy",
                      "config": {
                        "type": "application/x-groovy",
                        "source": [
                          "if (contexts.oauth2.accessToken.info.status == status) {",
                          "  return new ThrottlingRate(rate, duration)",
                          "} else {",
                          "  return null",
                          "}"
                        ],
                        "args": {
                          "status": "gold",
                          "rate": 6,
                          "duration": "10 seconds"
                        }
                      }
                    },
                    "defaultRate": {
                      "numberOfRequests": 1,
                      "duration": "10 s"
                    }
                  }
                }
              }
            }
          ],
          "handler": "ReverseProxyHandler"
        }
      }
    }

  7. Select Deploy to push the route to the IG configuration.

    You can check the $HOME/.openig/config/routes folder to see that the route is there.

Read a different version of :