PingGateway

FapiWellKnownFilterChain

A filter chain to validate requests to well-known endpoints and make sure they produce OAuth 2.0 clients that comply with the following FAPI specifications:

Put this filter before other filters to reject requests that would result in creating an OAuth 2.0 client that doesn’t comply with the FAPI specifications.

Usage

{
    "name": string,
    "type": "FapiWellKnownFilterChain",
    "config": {
        "forwardedHost": string,
        "mtlsEndpoints": {
            "endpointNames": [ configuration expression<string>, ... ],
            "mtlsHostname": string
        },
        "supportedTokenEndpointAuthMethods": [ configuration expression<string>, ... ]
    }
}

Properties

"forwardedHost": string, required

The forwarded host added to the endpoint request.

"mtlsEndpoints": object, required

Well-known endpoints to reconfigure to use mTLS.

"endpointNames": array of configuration expression<strings>, required

The well-known endpoint names to update.

"mtlsHostname": string, required

The mTLS hostname to use.

"supportedTokenEndpointAuthMethods": array of configuration expression<strings>, optional

The supported OAuth 2.0 token_endpoint_auth_method values.

Default: private_key_jwt, self_signed_tls_client_auth, tls_client_auth

Example

{
    "name": "FapiWellKnownFilterChain",
    "type": "FapiWellKnownFilterChain",
    "config": {
        "forwardedHost" : "&{as.fqdn}",
        "mtlsEndpoints" : {
            "endpointNames" : [ "authorization_endpoint", "registration_endpoint", "token_endpoint" ],
            "mtlsHostname" : "&{as.mtls.fqdn}"
        }
    }
}
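
A post-deployment check, added here as an example (not PingGateway code): it inspects the well-known document returned through the gateway and reports endpoints that are not on the mTLS hostname and advertised token endpoint authentication methods outside the supported set. It assumes the filter chain rewrites the named endpoints in the document to the mtlsHostname and that methods are advertised in token_endpoint_auth_methods_supported (RFC 8414); the function name and hostnames are constructed for illustration.

```python
from urllib.parse import urlsplit

# Defaults listed on this page for supportedTokenEndpointAuthMethods.
DEFAULT_AUTH_METHODS = frozenset(
    {"private_key_jwt", "self_signed_tls_client_auth", "tls_client_auth"}
)


def check_discovery(doc, endpoint_names, mtls_hostname,
                    allowed_methods=DEFAULT_AUTH_METHODS):
    """Return a list of findings for a parsed well-known metadata document."""
    findings = []
    for name in endpoint_names:
        url = doc.get(name)
        if url is None:
            findings.append(f"{name}: missing from document")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            findings.append(f"{name}: not https ({url})")
        if (parts.hostname or "").lower() != mtls_hostname.lower():
            findings.append(f"{name}: host {parts.hostname!r} is not {mtls_hostname!r}")
    # RFC 8414: when the field is omitted, the default is client_secret_basic.
    advertised = doc.get("token_endpoint_auth_methods_supported",
                         ["client_secret_basic"])
    for method in advertised:
        if method not in allowed_methods:
            findings.append(f"token_endpoint_auth_methods_supported: unexpected {method!r}")
    return findings


# Constructed sample input (hostnames are placeholders, not from the page).
NAMES = ["authorization_endpoint", "registration_endpoint", "token_endpoint"]
HOST = "mtls.as.example.com"
GOOD = {
    "authorization_endpoint": "https://mtls.as.example.com/oauth2/authorize",
    "registration_endpoint": "https://mtls.as.example.com/oauth2/register",
    "token_endpoint": "https://mtls.as.example.com/oauth2/access_token",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "tls_client_auth"],
}
BAD = {
    "authorization_endpoint": "https://mtls.as.example.com/oauth2/authorize",
    "token_endpoint": "https://as.example.com/oauth2/access_token",
    "token_endpoint_auth_methods_supported": ["private_key_jwt", "client_secret_basic"],
}

if __name__ == "__main__":
    for label, doc in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, check_discovery(doc, NAMES, HOST) or "no findings")
```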