Reverse proxy local redirects and /apiauthsvc obligations url mappings for context-based access
Context Based Access (CBA) policies provide dynamic, policy-based authorization to protected resources.
A component feature of CBA enables policy rules to permit access to a protected resource only if a specified authentication condition exists. This feature is embodied by authentication obligations, which integrate CBA with the Authentication Service Framework. The technical implementation of this feature depends on 302 redirects and cookies for tracking session and state. Previous topics discussed options for handling session and state while minimizing their impact on REST client access. This topic discusses extra settings that transparently handle 302 redirects and obligation triggers, so that CBA-triggered authentication during protected resource access is optimized for REST clients.
When a CBA policy rule triggers an authentication obligation, control is returned to the reverse proxy point of contact for obligation enforcement. The reverse proxy supports configuration file based options within its [obligations-urls-mapping] stanza, which define how the reverse proxy enforces an obligation. Each entry within this stanza effectively results in a 302 redirect to a matched URL, and that redirect is what technically performs the enforcement. There are two issues with this approach and its default configuration, both of which increase the complexity burden for REST clients:
- The default configuration of authentication obligations always redirects clients to "/mga/sps/authsvc". This endpoint is optimized for browser client access, not for REST clients.
- 302 redirects are difficult for REST API clients to handle.
Fortunately, both of these issues can be overridden and controlled with reverse proxy configuration file settings. Assuming the suggestions from the previous topics were adopted and implemented, the obligation URL mappings should define redirects to "/mgaapi/sps/apiauthsvc" rather than the default "/mga/sps/authsvc". This can be achieved with the following settings:
[obligations-urls-mapping]
urn:ibm:security:authentication:asf:* = /mgaapi/sps/apiauthsvc
The name, or left side, is an authentication policy URI; the trailing wildcard in the entry above matches every policy URI under that prefix. The value, or right side, specifies the redirect target URL. If wanted, the mapping can instead be limited to a smaller subset of authentication policy URIs by listing entries with more specific names.
The reverse proxy also supports a feature known as local redirects. Configuring this feature instructs the reverse proxy to automatically follow 302 responses received from junctioned servers on behalf of the client, up to a configured maximum number of hops. The net effect is that the client never receives the 302 redirect. The following settings enable this feature:
[server]
maximum-follow-redirects = 4
follow-redirects-for = GET /mgaapi/sps/apiauthsvc*
follow-redirects-for = PUT /mgaapi/sps/apiauthsvc*
follow-redirects-for = GET /<protected application junction point name>/<path to protected application resource>/*
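As an added illustration (not part of this page and not the reverse proxy's own code), the following Python model shows how the two stanzas above combine from a REST client's point of view: which policy URIs the obligation mapping catches, which requests the proxy follows redirects for, and when the hop limit hands a 302 back to the client. The junction name /app, the resource path /api/*, simple wildcard matching, and re-issuing a followed redirect as GET are assumptions of the model.

```python
from fnmatch import fnmatchcase

# Constructed configuration mirroring the stanzas on this page.
OBLIGATIONS_URLS_MAPPING = {
    "urn:ibm:security:authentication:asf:*": "/mgaapi/sps/apiauthsvc",
}
MAX_FOLLOW_REDIRECTS = 4
FOLLOW_REDIRECTS_FOR = [
    ("GET", "/mgaapi/sps/apiauthsvc*"),
    ("PUT", "/mgaapi/sps/apiauthsvc*"),
    ("GET", "/app/api/*"),  # hypothetical junction /app, protected resource /api/*
]


def obligation_target(policy_uri):
    """Return the redirect URL an obligation maps to, or None if unmapped
    (an unmapped policy URI would fall back to the browser-oriented default)."""
    for pattern, target in OBLIGATIONS_URLS_MAPPING.items():
        if fnmatchcase(policy_uri, pattern):
            return target
    return None


def followed_locally(method, path):
    """True if a 302 answering this request is followed by the proxy itself.
    Entries are method-specific: a POST to /app/api/* is not covered."""
    return any(method == m and fnmatchcase(path, p)
               for m, p in FOLLOW_REDIRECTS_FOR)


def client_view(method, path, redirects):
    """Simulate what the REST client receives for one request.

    `redirects` is a constructed chain of Location values emitted by the
    obligation/junction side.  Returns ("200", final_path) when every hop was
    followed locally, or ("302", location) for the first hop the client would
    have to handle itself (uncovered request or hop limit reached).
    """
    hops = 0
    cur_method, cur_path = method, path
    for location in redirects:
        if not followed_locally(cur_method, cur_path) or hops >= MAX_FOLLOW_REDIRECTS:
            return ("302", location)
        hops += 1
        cur_method, cur_path = "GET", location  # assumption: followed hop re-issued as GET
    return ("200", cur_path)
```

A request the proxy does not cover (for example a POST, or a GET after the fourth hop) still surfaces as a 302 to the client, so the follow-redirects-for entries must list every method and path the REST client actually uses.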
Parent topic: Authentication Service Framework for REST API clients