PingGateway

FapiResourceFilterChain

A filter chain to validate requests to resource servers and make sure they comply with the following FAPI specifications:

Usage

{
    "name": string,
    "type": "FapiResourceFilterChain",
    "config": {
        "clientCertificate": runtime expression<certificate>,
        "accessTokenResolver": AccessTokenResolver reference,
        "apiClientService": ApiClientService reference,
        "scopes": [runtime expression<string>, ...],
        "auditService": AuditService reference,
        "clientIdClaim": string,
        "allowedGrantType": string,
        "realm": string
    }
}

Properties

"clientCertificate": runtime expression<certificate>, required

The client TLS certificate, often found in the request as shown in the examples that follow. The filter evaluates this for every request.

"accessTokenResolver": AccessTokenResolver reference, required

The AccessTokenResolver to resolve access tokens.

"apiClientService": ApiClientService reference, required

The ApiClientService to retrieve the API client, such as an IdmApiClientService.

"scopes": array of runtime expression<string>, required

The scopes for the request.

"auditService": AuditService reference, optional

The AuditService to record audit events. Provide either the name of an AuditService object defined in the heap or an inline AuditService configuration object.

Default: Use the AuditService defined in the heap.

"clientIdClaim": string, optional

The filter uses this claim to get the client_id from the access_token.

Default: aud

"allowedGrantType": string, optional

The grant_type permitted for the request.

Default: authorization_code

"realm": string, optional

The realm for the request.

Default: none

Example

The following example gets the client certificate from an ssl-client-cert header:

{
    "name": "fapiResourceFilterChain",
    "type": "FapiResourceFilterChain",
    "config": {
        "clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}",
        "apiClientService" : "apiClientService",
        "clientIdClaim" : "aud",
        "allowedGrantType" : "client_credentials"
    }
}

Get the client certificate

This section shows how to get the client certificate in various situations.

From HTTPS

When PingGateway terminates transport layer security (TLS), use the certificate associated with the incoming HTTPS connection:

"clientCertificate": "${contexts.client.certificates[0]}"

From a Client-Cert trusted header

When a proxy using the Client-Cert header fronts PingGateway and terminates TLS, it sends the client certificate with distinguished encoding rules (DER).

The following example gets the certificate from the header:

"clientCertificate": "${derCertificate(request.headers['Client-Cert'][0])}"

From an NGINX trusted header

When NINGX fronts PingGateway and terminates TLS, it can send the client certificate in a trusted header.

The following example uses x-ssl-cert as the trusted header. NGINX encodes the certificate in PEM format and URL-encodes the result:

"clientCertificate": "${pemCertificate(urlDecode(request.headers['x-ssl-cert'][0]))}"

Learn more in the NGINX Module ngx_http_ssl_module documentation.

From an Envoy or Istio trusted header

When Envoy or Istio fronts PingGateway and terminates TLS, it can send the client certificate in a field in a trusted header.

The following example uses x-forwarded-client-cert as the trusted header. Envoy puts the client certificate in the Cert field of the header value. Envoy encodes the certificate in privacy enhanced mail (PEM) format and URL-encodes the result:

"clientCertificate": "${pemCertificate(urlDecode(findGroups(request.headers['x-forwarded-client-cert'][0], 'Cert=([^;]+);?')[1]))}"

Learn more in the Envoy x-forwarded-client-cert documentation.