Knowledge Partner

OAuth Client Credentials and policies

Hi!

 

We need to protect an API, but clients can only use client credentials claim.

Since this is client credential flow (no user authentication), there is no user information on which we could set some access rules and maybe send information about client to backend services using identity injection.

So is there a possibility to use OAuth clientID and/or Client Name in conditions in authorization policy or identity injection policy?

Any other ideas how to somehow evaluate OAuth client information (e.g. clientID) are also appreciated.

 

Thanks and kind regards,

Sebastijan

Micro Focus Expert

Currently the Authorization Policy and II Policy do not fetch the client ID from the IDP server. However, if you are using 'Do Not Encrypt' with Resource Server, you can see the client ID in the token itself.

{
  "iss": "https://msingh5.lab.novell.com:8443/nidp/oauth/nam",
  "jti": "b00259f2-cbc7-41cd-b03d-36e7dcdb8f7f",
  "aud": "cc8d90a1-aa7b-490a-a6a8-ea0f77e65462",
  "exp": 1585557261,
  "iat": 1585553661,
  "nbf": 1585553631,
  "sub": "cc8d90a1-aa7b-490a-a6a8-ea0f77e65462",
  "_pvt": "McBJE5fkmzZqtBxA2PpolBRrtAt8/7FCjY+g7FsoKLtFtFEpmH7UdSY0tOrb0fzD8CFn8AQRak4Gt709Eeyg5Mn1AZoClQobG+MhF5VHG1KcsxceIJm4l2bY0fGd18SJJVE4tg+kYoFgkv4iX4d1Gr+oi4h+xdBGyLuXt0JVw7iIBZFWOAiDYfvsvDT6YbnwLJUrgFWTprbbE+B9C0tb2w==.8",
  "scope": [
    "profile"
  ],
  "_target": "Identity Provider"
}

The aud field has the client ID; if you can inject the access token to the backend web server, then this value can be retrieved. (Changes in the web server are required for this.)

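One way a backend could do what the reply describes, as an added example (not code from the thread or from Micro Focus): take the injected Authorization header, verify the token, and authorize on the client ID found in aud. The HS256 demo key, the allowlist and the client name reporting-service are assumptions made so the example runs offline; a real deployment verifies the signature against the IDP's signing key instead.

```python
import base64, hashlib, hmac, json, time

# Assumptions (not from the thread): DEMO_KEY/HS256 stand in for the IDP's real
# signing key; the allowlist and "reporting-service" name are hypothetical.
ISSUER = "https://msingh5.lab.novell.com:8443/nidp/oauth/nam"
ALLOWED_CLIENTS = {"cc8d90a1-aa7b-490a-a6a8-ea0f77e65462": "reporting-service"}
DEMO_KEY = b"constructed-demo-key"

def _b64d(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def _b64e(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def make_demo_token(claims, key=DEMO_KEY):
    """Build a constructed HS256 token so the check below can be exercised."""
    head = _b64e(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64e(json.dumps(claims).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{_b64e(sig)}"

def client_from_header(authorization, now=None, key=DEMO_KEY):
    """Return (client_id, client_name) for a valid token, else PermissionError."""
    now = time.time() if now is None else now
    scheme, _, token = authorization.partition(" ")
    if scheme.lower() != "bearer" or token.count(".") != 2:
        raise PermissionError("not a bearer JWT")
    head, body, sig = token.split(".")
    try:
        header, claims = json.loads(_b64d(head)), json.loads(_b64d(body))
        given = _b64d(sig)
        if not (isinstance(header, dict) and isinstance(claims, dict)):
            raise ValueError("header and payload must be JSON objects")
    except ValueError as exc:
        raise PermissionError("malformed token") from exc
    if header.get("alg") != "HS256":  # pin the algorithm, never trust the header
        raise PermissionError("unexpected alg")
    want = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(want, given):
        raise PermissionError("bad signature")
    if claims.get("iss") != ISSUER:
        raise PermissionError("wrong issuer")
    if not (claims.get("nbf", 0) <= now < claims.get("exp", 0)):
        raise PermissionError("token not valid at this time")
    client_id = claims.get("aud")  # per the reply, aud carries the client ID
    if not isinstance(client_id, str) or client_id not in ALLOWED_CLIENTS:
        raise PermissionError("client not authorized")
    return client_id, ALLOWED_CLIENTS[client_id]
```

Claims are read only after the signature check passes, so a client cannot pick its own aud value by editing the payload.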