Common Features#
Below are common features in the Gluu OAuth and UMA plugins.
Phantom Token#
Some deployments require the use of a bearer token outside of the internal network and a JWT token within it. This phantom token approach is similar to a reverse proxy, adding a layer of insulation between external requests and the internal network.
This feature is available in both the gluu-oauth-auth and the gluu-uma-auth plugins. To configure phantom token feature, you just need to set pass_credentials='phantom_token' in plugin configuration.
Important
Set access_token_as_jwt: false and rpt_as_jwt: false in client registration, otherwise client by default returns you access token as JWT.
Dynamic Resource Protection#
This feature is available for the gluu-oauth-pep and gluu-uma-pep plugins.
There are 3 elements to make more dynamic path registration and protection:
- ? match anyone path element
- ?? match zero or more path elements
- {regexp} - match single path element against PCRE
The priority for the elements are:
- Exact match
- Regexp match
- ?
- ??
Important
A slash(/) is required before multiple wildcards placeholders.
Info
A ? in the HTTP method allows all HTTP methods.
Info
You can use this elements to register more dynamic path for required_acrs_expression in gluu-openid-connect
Examples:
Assume that all paths below are registered in one plugin:
| Register Path | Allow path | Deny path |
|---|---|---|
/?? |
|
|
/folder/file.ext |
|
|
/folder/?/file |
|
|
/path/?? |
|
|
/path/??/image.jpg |
|
|
/path/?/image.jpg |
|
|
/path/{abc|xyz}/image.jpg |
|
|
/users/?/{todos|photos} |
|
|
/users/?/{todos|photos}/? |
|