{
  "name": "21 - Protect authorization server access token endpoint",
  "comment": "Ensure FAPI-compliant requests to the access_token endpoint",
  "baseURI": "https://&{tenantHostname}",
  "condition": "${find(request.uri.path, '^/am/oauth2/realms/root/realms/&{realm}/access_token')}",
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "FapiTokenFilterChain",
          "config": {
            "accessTokenResolver": {
              "name": "token-resolver",
              "type": "StatelessAccessTokenResolver",
              "config": {
                "secretsProvider": "AsJwkSecretsProvider",
                "issuer": "https://&{asHostname}/am/oauth2/realms/root/realms/&{realm}",
                "verificationSecretId": "any.value.in.regex.format"
              }
            },
            "apiClientService": "IdmApiClientService",
            "clientCertificate": "${pemCertificate(urlDecode(request.headers['ssl-client-cert'][0]))}",
            "forwardedHost": "&{asHostname}"
          }
        },
        {
          "comment": "Add the gateway access token to the request (a custom access-token modification script checks for this token to enforce that requests are routed via IG)",
          "type": "ClientCredentialsOAuth2ClientFilter",
          "config": {
            "tokenEndpoint": "https://&{tenantHostname}/am/oauth2/realms/root/realms/&{realm}/access_token",
            "scopes": [
              "trusted_gateway"
            ],
            "endpointHandler": {
              "name": "ClientCredentialsOAuth2ClientFilterHandler",
              "type": "Chain",
              "config": {
                "handler": "ForgeRockClientHandler",
                "filters": [
                  {
                    "type": "ClientSecretBasicAuthenticationFilter",
                    "config": {
                      "clientId": "&{gatewayOAuth2ClientId}",
                      "clientSecretId": "gateway.oauth2.client.secret",
                      "secretsProvider": "SystemAndEnvSecretStore"
                    }
                  }
                ]
              }
            }
          }
        }
      ],
      "handler": "PlatformReverseProxyHandler"
    }
  }
}