  1. Identity Gateway
  2. OPENIG-3913

Provide more flexibility around the generation of the OAuth2ClientFilter clientEndpoint URIs


    Details

    • Improvement
    • Status: Resolved
    • Major
    • Resolution: Duplicate
    • 5.0.0, 5.5.0, 5.5.1, 6.0.0, 6.1.0, 6.5.0, 6.5.1, 7.0.0
    • Not Applicable
    • OAuth 2.0

      Description

      When generating one of the three clientEndpoint URIs, IG uses the org.forgerock.http.routing.UriRouterContext#getOriginalUri as part of calculating the base URI to use, which may not be valid in all use-cases, especially if IG is behind a load-balancer doing SSL offloading.

      Providing something pluggable, like the resourceUriProvider in OPENIG-2568, would provide flexibility over how the final clientEndpoint URI is generated, with a default implementation that provides the same default behaviour as the existing clientEndpoint configuration item.

      Discussion outcome

      • Find a solution that would work not only for OIDC but for all scenarios where we expect originalUri to be okay
      • Investigate if we should reuse UriRouterContext or have our own (issues when stacked?)
      • Should that be a route configuration attribute?
      • Implementation of a ForwardedFilter that would create a context taking into account X-Forwarded headers values
      • Implementation of a static filter (just replace scheme, host and/or port)
      • For a script, that would be more a doc thing (example)
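
The ForwardedFilter and static-replacement options from the discussion outcome, sketched as an added example (not IG code and not from the issue). It is written in Python rather than against IG's Java API; the function name, the trusted proxy subnet, the allowed host set and the sample URIs are assumptions.

```python
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Assumed deployment values (not from the issue): the load balancer subnet
# and the public host names the gateway may be reached under.
TRUSTED_PROXIES = [ip_network("10.0.0.0/24")]
ALLOWED_HOSTS = {"app.example.com"}
DEFAULT_PORTS = {"http": 80, "https": 443}


def _last(value):
    # With one trusted hop, the right-most list entry is the one the proxy wrote.
    return value.split(",")[-1].strip()


def external_base_uri(original_uri, headers, peer_ip, static=None):
    """Base URI (scheme://host[:port]) to use when building a clientEndpoint URI."""
    parts = urlsplit(original_uri)
    scheme, host, port = parts.scheme, parts.hostname, parts.port
    hdrs = {k.lower(): _last(v) for k, v in headers.items()}

    # Forwarded values count only when the TCP peer is a known proxy;
    # otherwise any client could choose the host used in redirect URIs.
    if any(ip_address(peer_ip) in net for net in TRUSTED_PROXIES):
        proto = hdrs.get("x-forwarded-proto", "").lower()
        fwd_host = hdrs.get("x-forwarded-host", "").lower()
        fwd_port = hdrs.get("x-forwarded-port", "")
        if proto in DEFAULT_PORTS:
            scheme, port = proto, None      # internal port no longer applies
        if fwd_host in ALLOWED_HOSTS:       # exact match, no host:port form
            host, port = fwd_host, None
        if fwd_port.isascii() and fwd_port.isdigit() and 0 < int(fwd_port) < 65536:
            port = int(fwd_port)

    # Static option: replace scheme, host and/or port unconditionally.
    static = static or {}
    scheme = static.get("scheme", scheme)
    host = static.get("host", host)
    port = static.get("port", port)
    if port in (None, DEFAULT_PORTS.get(scheme)):
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"
```
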


              People

              Unassigned Unassigned
              markdr Mark de Reeper