FapiTokenFilterChain
A filter chain to validate token requests that comply with the following FAPI specifications:
Put this filter before other filters to reject requests that would result in token requests that don’t comply with the FAPI specifications.
Usage
{
"name": string,
"type": "FapiTokenFilterChain",
"config": {
"forwardedHost": string,
"clientCertificate": runtime expression<certificate>,
"apiClientService": ApiClientService reference,
"accessTokenResolver": AccessTokenResolver reference,
"auditService": AuditService reference,
"clientIdClaim": string
}
}
Properties
"forwardedHost"
: string, required-
The forwarded host added to the endpoint request.
"clientCertificate"
: runtime expression<certificate>, required-
The client TLS certificate, often found in the request as shown in the examples that follow. The filter evaluates this for every request.
"apiClientService"
: ApiClientService reference, required-
The
ApiClientService
to retrieve the API client, such as an IdmApiClientService. "accessTokenResolver"
: AccessTokenResolver reference, required"auditService"
: AuditService reference, optional-
The AuditService to record audit events. Provide either the name of an AuditService object defined in the heap or an inline AuditService configuration object.
Default: No audit service.
"clientIdClaim"
: string, optional-
The filter uses this claim to get the
client_id
from theaccess_token
.Default:
aud
Example
The following example uses the authorization server as the forwarded host
and gets the client certificate from an ssl-client-cert
header:
{
"name": "fapiTokenFilterChain",
"type": "FapiTokenFilterChain",
"config": {
"forwardedHost" : "&{as.fqdn}",
"clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}",
"apiClientService" : "apiClientService",
"accessTokenResolver" : "accessTokenResolver",
"clientIdClaim" : "aud"
}
}
Get the client certificate
This section shows how to get the client certificate in various situations.
From HTTPS
When PingGateway terminates transport layer security (TLS), use the certificate associated with the incoming HTTPS connection:
"clientCertificate": "${contexts.client.certificates[0]}"
From a Client-Cert
trusted header
When a proxy using the Client-Cert
header fronts PingGateway and terminates TLS,
it sends the client certificate with distinguished encoding rules (DER).
The following example gets the certificate from the header:
"clientCertificate": "${derCertificate(request.headers['Client-Cert'][0])}"
Learn more in RFC 9440, Client-Cert HTTP Header Field.
From an NGINX trusted header
When NINGX fronts PingGateway and terminates TLS, it can send the client certificate in a trusted header.
The following example uses x-ssl-cert
as the trusted header.
NGINX encodes the certificate in PEM format and URL-encodes the result:
"clientCertificate": "${pemCertificate(urlDecode(request.headers['x-ssl-cert'][0]))}"
Learn more in the NGINX Module ngx_http_ssl_module documentation.
From an Envoy or Istio trusted header
When Envoy or Istio fronts PingGateway and terminates TLS, it can send the client certificate in a field in a trusted header.
The following example uses x-forwarded-client-cert
as the trusted header.
Envoy puts the client certificate in the Cert
field of the header value.
Envoy encodes the certificate in privacy enhanced mail (PEM) format and URL-encodes the result:
"clientCertificate": "${pemCertificate(urlDecode(findGroups(request.headers['x-forwarded-client-cert'][0], 'Cert=([^;]+);?')[1]))}"
Learn more in the Envoy x-forwarded-client-cert documentation.