The role of the resource server is to validate the Access Token.

Using the Authorization Policies

The scope is not supported in this release, so no Scope-Resource Mapping will be available, that is, there is no native support for scopes, so no match type called scope in Phase 1 will be available.

However, the scope is one of the claims (attribute values pairs) in the Access Token. So, scope-based authorization matches can be indirectly achieved using attribute matches.

For instance, if the admin wants to map /apiA to ScopeA and /apiB to ScopeB. This can be written as attribute matches using the following authorization policy:

1+----------------------------+-------------------------------+
2| Field                      | Value                         |
3+----------------------------+-------------------------------+
4| authz_rules[1]             |                               |
5|   match                    |                               |
6|     attr_matches[1]        |                               |
7|       attribute_name       | scope                         |
8|       attribute_value_list |                               |
9|         match_criteria     | CONTAINS                      |
10|         match_str[1]       | scopeA                        |
11|     path                   |                               |
12|       match_criteria       | BEGINS_WITH                   |
13|       match_str[1]         | /apiA                         |
14|   action                   |                               |
15|     type                   | ALLOW_ACCESS                  |
16| authz_rules[2]             |                               |
17|   match                    |                               |
18|     attr_matches[1]        |                               |
19|       attribute_name       | scope                         |
20|       attribute_value_list |                               |
21|         match_criteria     | CONTAINS                      |
22|         match_str[1]       | scopeB                        |
23|     path                   |                               |
24|       match_criteria       | BEGINS_WITH                   |
25|       match_str[1]         | /apiB                         |
26|   action                   |                               |
27|     type                   | ALLOW_ACCESS                  |
28| authz_rules[3]             |                               |
29|   match                    |                               |
30|     path                   |                               |
31|       match_criteria       | BEGINS_WITH                   |
32|       match_str[1]         | /                             |
33|   action                   |                               |
34|     type                   | HTTP_LOCAL_RESPONSE           |
35|     status_code            | HTTP_RESPONSE_STATUS_CODE_401 |
36| authz_rules[4]             |                               |
37|   index                    | 1                             |
38+----------------------------+-------------------------------+

Use DataScripts with Examples

A scope, that is, part of a claim can easily be used in any custom action using Datascripts also.

DataScript API

oauth_get_claim

Description

Used to map a scope that is a part of a claim

Example

To map /apiA to ScopeA and /apiB to ScopeB:

path = avi.http.get_path()
avi.vs.log(path) 
values, count = avi.http.oauth_get_claim(avi.OAUTH_ACCESS_TOKEN, "scope") 
for i = 1,count,1 
	do 
	   avi.vs.log(values[i]) 
	   avi.vs.log("checking scope11")
	   if string.match(values[i],"scope1") and  string.match(path, "api1") then 
	   		allow = true
	   		avi.vs.log("api1 scope1 found ")  
	   	end
	   avi.vs.log("checking scope2")
	   if string.match(values[i],"scope1") and  string.match(path, "api2") then 
	   		allow = true
	   		avi.vs.log("api2 scope 2found ")
	   end
	end
if allow == false then  avi.http.response(403)
end

Extracting Token using DataScript

Starting with NSX Advanced Load Balancer version 22.1.3, a new DataScript function is supported for OAuth, namely, avi.http.oauth_get_token. This function extracts the token from the user’s OAuth session after the session is established. For more information, see avi.http.oauth_get_token(TOKEN_TYPE) (HTTP Functions section in VMware NSX Advanced Load BalancerDatascript guide.

Logout Support in OIDC

Starting with NSX Advanced Load Balancer version 22.1.3, Client/Relying Party (RP)-initiated Logout for OpenID is supported.

The NSX Advanced Load Balancer (the OAuth Client (RP) initiates a request that directs the Identity Provider (IDP) to log out, by redirecting the user agent of the user to the IDP’s Logout endpoint.

For more information, see Logout Support in OIDC.

Caveats and Limitations

  • Only authorization code grant is supported.

  • Scope and consent screens are not supported.

  • Multiple IDPs cannot be configured with the same virtual service.