The role of the resource server is to validate the Access Token.
Using the Authorization Policies
Scopes are currently not supported. Therefore, Scope-Resource mapping is not available. That is, there is no native support for scopes, and consequently there is so no match type named scope available.
However, the scope is one of the claims (attribute values pairs) in the Access Token. So, scope-based authorization matches can be indirectly achieved using attribute matches.
For instance, if the admin wants to map /apiA to ScopeA and /apiB to ScopeB. This can be written as attribute matches using the following authorization policy:
1+----------------------------+-------------------------------+ 2| Field | Value | 3+----------------------------+-------------------------------+ 4| authz_rules[1] | | 5| match | | 6| attr_matches[1] | | 7| attribute_name | scope | 8| attribute_value_list | | 9| match_criteria | CONTAINS | 10| match_str[1] | scopeA | 11| path | | 12| match_criteria | BEGINS_WITH | 13| match_str[1] | /apiA | 14| action | | 15| type | ALLOW_ACCESS | 16| authz_rules[2] | | 17| match | | 18| attr_matches[1] | | 19| attribute_name | scope | 20| attribute_value_list | | 21| match_criteria | CONTAINS | 22| match_str[1] | scopeB | 23| path | | 24| match_criteria | BEGINS_WITH | 25| match_str[1] | /apiB | 26| action | | 27| type | ALLOW_ACCESS | 28| authz_rules[3] | | 29| match | | 30| path | | 31| match_criteria | BEGINS_WITH | 32| match_str[1] | / | 33| action | | 34| type | HTTP_LOCAL_RESPONSE | 35| status_code | HTTP_RESPONSE_STATUS_CODE_401 | 36| authz_rules[4] | | 37| index | 1 | 38+----------------------------+-------------------------------+
Use DataScripts with Examples
DataScript API |
oauth_get_claim |
Description |
Used to map a scope that is a part of a claim |
Example |
To map /apiA to ScopeA and /apiB to ScopeB: path = avi.http.get_path() avi.vs.log(path) values, count = avi.http.oauth_get_claim(avi.OAUTH_ACCESS_TOKEN, "scope") for i = 1,count,1 do avi.vs.log(values[i]) avi.vs.log("checking scope11") if string.match(values[i],"scope1") and string.match(path, "api1") then allow = true avi.vs.log("api1 scope1 found ") end avi.vs.log("checking scope2") if string.match(values[i],"scope1") and string.match(path, "api2") then allow = true avi.vs.log("api2 scope 2found ") end end if allow == false then avi.http.response(403) end |
Extracting Token using DataScript
Starting with Avi Load Balancer version 22.1.3, a new DataScript function is supported for OAuth, namely, avi.http.oauth_get_token. This function extracts the token from the user’s OAuth session after the session is established. For more information, see avi.http.oauth_get_token(TOKEN_TYPE) (HTTP Functions section in VMware Avi Load BalancerDatascript guide.
Caveats and Limitations
Only authorization code grant is supported.
Multiple IDPs cannot be configured with the same virtual service.