Configure resource gateway functionality¶
The configuration of the resource gateway functionality can be divided into two parts: token validation and request mapping.
Configure token validation¶
Token validation is an optional function of the Onegini Security Proxy. When enabled, the proxy calls the Onegini Token Server to validate the access token on every resource call. During token validation the Onegini Security Proxy only verifies that the access token is valid; when it is invalid, an error is returned in line with RFC 6750. The token validation functionality does not check any other details of the validation result, such as scopes or the presence of a user id.
By default the service is disabled. To enable it, set the SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED environment variable to true, for example in the docker-compose.yml file:
Example:

```yaml
security-proxy:
  image: snapshot.onewelcome.com/onegini/security-proxy:snapshot
  ...
  environment:
    - SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED=true
    ...
```
Token validation configuration parameters:
Property | Required | Default value | Description |
---|---|---|---|
SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID | Y | | Client id of the resource gateway (API client) configured in the Token Server. |
SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET | Y | | Client secret of the resource gateway (API client) configured in the Token Server. |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED | N | false | Boolean indicating whether token validation is performed. |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_HOST | N | 127.0.0.1 | Host where the Token Server is running. |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_PORT | N | 8080 | Port the Token Server can be accessed on. |
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_SCHEME | N | http | Scheme (http or https) used to reach the Token Server. |
Note: The API client created in the Token Server must be valid for the Token introspection API.
Configure token validation result caching¶
To reduce the load on the Token Server and the response time of requests, the token validation result can be cached for a period of time.
Property | Default value | Description |
---|---|---|
SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CACHE_TOKEN_VALIDATION_RESULT_CACHE_TTL_SECONDS | 0 | The maximum time, in seconds, a token validation result is kept in the cache. 0 disables caching. |
Note: For the highest security we advise not using the cache (leave this setting at its default value of 0). A setting of 30 or 60 seconds is acceptable, keeping in mind that a token revoked at the Token Server is still accepted by the proxy until its cached result expires.
Note: Tokens with limited usage won't be cached.
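The validation flow described above (bearer token taken from the resource request, introspection against the Token Server, result optionally cached for the configured TTL, tokens with limited usage never cached, RFC 6750 error responses) as an added Python simulation. This is example code written for this page, not code from the Security Proxy or its documentation: the `introspect` stand-in, the API client credentials, the sample tokens and the `limited_usage` marker are all constructed assumptions; the real proxy makes an HTTP call to the Token Server's introspection API.

```python
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional, Tuple

# Constructed stand-in for the Token Server's introspection responses, keyed by
# access token and shaped like RFC 7662 results. "limited_usage" is an assumed
# marker for "tokens with limited usage"; the real response field is not known.
INTROSPECTION_DB = {
    "tok-valid":   {"active": True, "scope": "read", "sub": "user-1"},
    "tok-limited": {"active": True, "scope": "read", "limited_usage": True},
    "tok-revoked": {"active": False},
}
API_CLIENT = ("resource-gateway", "s3cret")  # assumed API client credentials


def introspect(token: str, client_id: str, client_secret: str) -> dict:
    """Stand-in for the HTTP call the proxy makes to the Token Server.

    The proxy authenticates with SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID /
    _SECRET; an API client that is not valid for the introspection API is
    rejected before any token is looked at.
    """
    if (client_id, client_secret) != API_CLIENT:
        raise PermissionError("API client not valid for the token introspection API")
    return INTROSPECTION_DB.get(token, {"active": False})


@dataclass
class TokenValidator:
    client_id: str
    client_secret: str
    cache_ttl_seconds: int = 0          # ..._CACHE_TTL_SECONDS default: no caching
    introspect_fn: Callable[[str, str, str], dict] = introspect
    clock: Callable[[], float] = time.monotonic
    introspection_calls: int = 0        # counter, to make the cache's effect visible
    _cache: Dict[str, Tuple[float, bool]] = field(default_factory=dict)

    def is_valid(self, token: str) -> bool:
        now = self.clock()
        entry = self._cache.get(token)
        if entry is not None:
            if entry[0] > now:
                return entry[1]         # served from cache, no Token Server call
            del self._cache[token]      # TTL passed, re-validate
        self.introspection_calls += 1
        result = self.introspect_fn(token, self.client_id, self.client_secret)
        # Only validity is checked; scope, sub etc. are left to the resource itself.
        active = bool(result.get("active"))
        if self.cache_ttl_seconds > 0 and not result.get("limited_usage"):
            self._cache[token] = (now + self.cache_ttl_seconds, active)
        return active


def parse_bearer(authorization: Optional[str]) -> Optional[str]:
    """Token from 'Authorization: Bearer <token>' (RFC 6750 section 2.1), else None."""
    if not authorization:
        return None
    scheme, _, token = authorization.strip().partition(" ")
    token = token.strip()
    return token if scheme.lower() == "bearer" and token else None


def handle_resource_request(validator: TokenValidator, headers: dict,
                            realm: str = "resource-gateway") -> Tuple[int, dict]:
    """Token validation step in front of a resource call.

    Returns (status, response headers); 200 means the request may be forwarded.
    Errors follow RFC 6750 section 3: a request without credentials gets a bare
    challenge with no error code, a bad token gets error="invalid_token".
    """
    token = parse_bearer(headers.get("Authorization"))
    if token is None:
        return 401, {"WWW-Authenticate": f'Bearer realm="{realm}"'}
    if not validator.is_valid(token):
        return 401, {"WWW-Authenticate":
                     f'Bearer realm="{realm}", error="invalid_token", '
                     f'error_description="The access token is invalid or expired"'}
    return 200, {}


if __name__ == "__main__":
    v = TokenValidator(*API_CLIENT, cache_ttl_seconds=30)
    for auth in (None, "Basic abc", "Bearer tok-revoked", "Bearer tok-valid", "Bearer tok-valid"):
        hdrs = {"Authorization": auth} if auth else {}
        print(repr(auth), "->", handle_resource_request(v, hdrs))
    # 2: the second "Bearer tok-valid" request was answered from the cache
    print("introspection calls:", v.introspection_calls)
```

Inject a fake `clock` to see the TTL behaviour deterministically; with the default `cache_ttl_seconds=0` nothing is ever cached, which is the documented default.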
Configure request mapper¶
Use of the request mapper is optional and works with or without token validation. To enable request mapping, configure a request mapper by setting its URI via the SECURITY_PROXY_REQUEST_MAPPER_SERVICE_URI environment variable.
Property | Example value | Description |
---|---|---|
SECURITY_PROXY_REQUEST_MAPPER_SERVICE_URI | http://${HOST_IP}:5544/map-request | URI where the request mapper can be reached. |
SECURITY_PROXY_REQUEST_MAPPER_SERVICE_USERNAME | username | Basic authentication user of the request mapping endpoint. |
SECURITY_PROXY_REQUEST_MAPPER_SERVICE_PASSWORD | password | Basic authentication password of the request mapping endpoint. |