Configure resource gateway functionality

The configuration for the resource gateway functionality can be divided into two parts: token validation and request mapping.

Configure token validation

Token validation is an optional feature of the Onegini Security Proxy. When enabled, the proxy calls the Onegini Token Server to validate the access token on resource calls. During token validation the Onegini Security Proxy verifies only that the access token is valid. When the access token is invalid, an error is returned in line with RFC 6750. Token validation does not check any other details of the token validation result, such as scopes or the availability of the user id.

By default the service is disabled. To enable it, set the SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED environment variable to true, which is done using the docker-compose.yml file:

Example:

security-proxy:
    image: snapshot.onegini.com/onegini/security-proxy:snapshot
    ...
    environment:
      - SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED=true
    ...

Token validation configuration parameters:

| Property | Required | Default value | Description |
|---|---|---|---|
| SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_ID | Y | | Client id of the resource gateway (API client) configured in the Token Server. |
| SECURITY_PROXY_TOKEN_SERVER_API_CLIENT_SECRET | Y | | Client secret of the resource gateway (API client) configured in the Token Server. |
| SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_ENABLED | N | | Boolean indicating whether token validation should be performed. |
| SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_HOST | N | 127.0.0.1 | Host where the Token Server is running. |
| SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_PORT | N | 8080 | Port the Token Server can be accessed on. |
| SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_TOKEN_SERVER_SCHEME | N | http | Scheme used to access the Token Server. |

Note: The API client that is created in the Token Server must be valid for the Token introspection API.

Configure token validation result caching

To reduce the load on the Token Server and the load times of requests, the token validation result can be cached for a period of time.

| Property | Default value | Description |
|---|---|---|
| SECURITY_PROXY_TOKEN_VALIDATION_SERVICE_CACHE_TOKEN_VALIDATION_RESULT_CACHE_TTL_SECONDS | 0 | The maximum time a token validation result can be available in cache. |

Note: For the highest security we advise not using the cache (leave this setting at its default value), because a cached validation result keeps being used until it expires. A setting of 30 or 60 seconds is acceptable.

Note: Tokens with limited usage won't be cached.
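
The trade-off behind the cache TTL, as an added example that is not Onegini's code: a simplified Python model of validity-only token checking with a TTL cache, measuring how long a revoked token is still accepted. FakeTokenServer, TokenValidator, the limited_usage field and the sample token are constructed for illustration.

```python
import time

class FakeTokenServer:
    """Constructed stand-in for the Token Server's token validation call."""
    def __init__(self):
        self.active, self.limited, self.calls = set(), set(), 0

    def introspect(self, token):
        self.calls += 1  # lets a caller see how much load the cache removes
        return {"active": token in self.active, "limited_usage": token in self.limited}

class TokenValidator:
    """Validity-only check with an optional TTL cache (ttl_seconds=0 disables it)."""
    def __init__(self, server, ttl_seconds=0, clock=time.monotonic):
        self.server, self.ttl, self.clock = server, ttl_seconds, clock
        self.cache = {}  # token -> (is_valid, expires_at)

    def is_valid(self, token):
        now = self.clock()
        hit = self.cache.get(token)
        if hit and hit[1] > now:
            return hit[0]  # served from cache; the Token Server is not asked
        result = self.server.introspect(token)
        if self.ttl > 0 and not result["limited_usage"]:  # limited-usage tokens are never cached
            self.cache[token] = (result["active"], now + self.ttl)
        return result["active"]

    def handle(self, authorization_header):
        """Return (status, headers) for a resource call; scopes and user id are not checked."""
        scheme, _, token = (authorization_header or "").partition(" ")
        if scheme.lower() != "bearer" or not token:
            return 401, {"WWW-Authenticate": "Bearer"}  # no credentials: plain challenge
        if self.is_valid(token):
            return 200, {}
        # RFC 6750 section 3: an invalid token gets 401 with error="invalid_token"
        return 401, {"WWW-Authenticate": 'Bearer error="invalid_token"'}

def revocation_window(ttl_seconds):
    """Seconds a revoked token is still accepted, probed in 1 s steps on a fake clock."""
    now = [0.0]
    server = FakeTokenServer()
    server.active.add("tok")  # constructed sample token
    validator = TokenValidator(server, ttl_seconds, clock=lambda: now[0])
    validator.handle("Bearer tok")  # first call validates and, if enabled, fills the cache
    server.active.discard("tok")  # token is revoked right after its first use
    while validator.handle("Bearer tok")[0] == 200:
        now[0] += 1
    return now[0]
```

With the default TTL of 0 the window is zero; with 30 or 60 it equals the TTL, which is the exposure accepted in exchange for fewer Token Server calls.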

Configure request mapper

The request mapper is optional and can be used with or without token validation. To enable request mapping, configure a request mapper by setting its URI via the environment variable SECURITY_PROXY_REQUEST_MAPPER_SERVICE_URI.

| Property | Example value | Description |
|---|---|---|
| SECURITY_PROXY_REQUEST_MAPPER_SERVICE_URI | http://${HOST_IP}:5544/map-request | URI where the request mapper can be reached. |
| SECURITY_PROXY_REQUEST_MAPPER_SERVICE_USERNAME | username | Basic authentication user of the request mapping endpoint. |
| SECURITY_PROXY_REQUEST_MAPPER_SERVICE_PASSWORD | password | Basic authentication password of the request mapping endpoint. |