
Identity Headers

Description

Specifies the configuration information associated with the provision of identity information to the resource server.

Encoding

| Type | Description |
|---|---|
| utf8_bin | Unencoded UTF-8 data. This setting allows data to be transmitted without data loss, and the user does not need to URI-decode the data. |
| utf8_uri | URI encoded UTF-8 data. All white space and non-ASCII bytes are encoded as %XY, where X and Y are hex digits (0 - F). |
| lcp_bin | Unencoded local code page data. Data loss can potentially occur with this mode. Use with caution. |
| lcp_uri | URI encoded local code page data. Any UTF-8 characters that cannot be converted to the local code page are converted to question marks (?). |

Basic Auth

| Type | Description |
|---|---|
| filter | The Authorization header, if provided by the client, will be removed before the resource request is forwarded to the resource server. This is the default option if no option is specified. |
| supply | A new Authorization header will be created by the gateway and forwarded to the resource server. The Basic Authentication information contained in the header will consist of the name of the authenticated user, along with a static password. Use the 'advanced' YAML configuration entry, 'basicauth-dummy-passwd', in the 'junction' stanza, to set the static password. |
| ignore | The Authorization header, if provided by the client, will be forwarded to the resource server unchanged. |

Properties

The following table(s) describe the configuration properties for this component:

| Name | Type | Constraints | Description |
|---|---|---|---|
| ip_address | boolean | Values: true, false. Default: false | A boolean flag indicating whether or not to provide the client IP address as an HTTP header in requests forwarded to the resource server. The IP address will be added in the 'iv-remote-address' HTTP header. |
| encoding | string | Values: utf8_bin, utf8_uri, lcp_bin, lcp_uri. Default: utf8_uri | The encoding type to use for any identity headers passed to the resource server. See the Encoding table for a description of the available options. |
| session_cookie | boolean | Values: true, false. Default: false | A boolean flag indicating whether or not to forward the reverse proxy cookie to the resource server. The name of this cookie is configured in the server:session:cookie_name entry. |
| attributes | array[ATTRIBUTES Object] | | See the ATTRIBUTES Object table. |
| iv_creds | boolean | Values: true, false. Default: false | A boolean flag indicating whether or not to provide an ASN.1 encoded version of the credential as an HTTP header in requests forwarded to the resource server. The credential will be added in the 'iv-creds' HTTP header. |
| jwt | JWT Object | | See the JWT Object table. |
| basic_auth | string | Values: filter, supply, ignore. Default: filter | Controls the basic authentication information, contained within the Authorization header, that is passed to the resource server. See the Basic Auth table for a description of the available options. |

ATTRIBUTES Object

Specifies a list of attributes from the authenticated credential which will be inserted into the HTTP requests sent to the resource server.

| Name | Type | Constraints | Description |
|---|---|---|---|
| attribute | string | | The name of the credential attribute. |
| header | string | | The name of the HTTP header which will contain the credential attribute. If no name is supplied, the name of the credential attribute itself will be used. |

JWT Object

Specifies the information associated with the generation of JSON Web tokens (JWT).

| Name | Type | Constraints | Description |
|---|---|---|---|
| claims | array[CLAIMS Object] | | See the CLAIMS Object table. |
| hdr_name | string | Default: jwt | The name of the HTTP header which will contain the generated JWT. |
| certificate | string | | The key which is used to sign the JWT. |

CLAIMS Object

The claims which are to be added to the JWT. The claim can either be obtained from a literal string, or from the value of a credential attribute.

| Name | Type | Constraints | Description |
|---|---|---|---|
| text | string | | The literal text to be used as the claim value. If both a 'text' value and an 'attr' value are specified, the 'text' value will be used. If an array is supplied in the configuration, the claim will be added to the JWT as a JSON array. |
| type | string | Values: string, bool, int. Default: string | The type of the textual data which is being provided. This controls the JSON type which is used in the JWT. Note that this field is only valid if a 'text' value has been specified and will be ignored if an 'attr' value is specified. |
| name | string | | The name of the claim which is to be added to the JWT. If the name is not specified, and the claim value is obtained from an attribute, the name of the claim will match the name of the attribute. Nested objects can be specified by separating the name of each object field with a . (dot). If the name of a field itself embeds a dot, it should be escaped with a backslash character. |
| attr | string | | The name of the credential attribute from which the claim value will be obtained. The '*' and '?' pattern matching characters can be used to match multiple attributes; however, the pattern matching characters will be ignored if a claim 'name' is specified. If both a 'text' value and an 'attr' value are specified, the 'text' value will be used. |
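The claim rules above (literal 'text' beating 'attr', the 'type' conversion, dotted names producing nested objects with backslash-escaped dots, and '*'/'?' globbing only when no 'name' is given) as a small claim-set builder. This is an added illustration, not code from the gateway; the credential attribute values are constructed, and it assumes that a 'text' claim always carries a 'name' and that a wildcard 'attr' combined with a 'name' is looked up literally.

```python
import fnmatch
import re

# Constructed sample credential attributes (not from the original page).
SAMPLE_CRED = {
    "AZN_CRED_PRINCIPAL_NAME": "alice",
    "AZN_CRED_AUTHNMECH_INFO": "Forms Authentication",
    "AUTHENTICATION_LEVEL": "1",
    "emailAddress": "alice@example.com",
}

def _split_name(name):
    """Split a dotted claim name into nesting segments; a backslash-escaped dot is literal."""
    return [seg.replace("\\.", ".") for seg in re.split(r"(?<!\\)\.", name)]

def _convert(value, claim_type):
    """Apply the 'type' field to a literal 'text' value (default string)."""
    if claim_type == "int":
        return int(value)
    if claim_type == "bool":
        return str(value).lower() == "true"
    return str(value)

def _set_nested(claims, name, value):
    """Store value under a possibly dotted name, creating nested JSON objects."""
    segments = _split_name(name)
    for seg in segments[:-1]:
        claims = claims.setdefault(seg, {})
    claims[segments[-1]] = value

def build_claims(claims_cfg, cred):
    """Return the JWT claim set produced by a CLAIMS list for one credential."""
    claims = {}
    for entry in claims_cfg:
        if "text" in entry:  # literal 'text' wins over 'attr'; 'type' applies only here
            t = entry.get("type", "string")
            text = entry["text"]
            value = [_convert(v, t) for v in text] if isinstance(text, list) else _convert(text, t)
            _set_nested(claims, entry["name"], value)  # assumption: text claims need a 'name'
        elif "attr" in entry:
            if "name" in entry:
                # With a 'name', '*' and '?' are ignored: assumed to mean a literal lookup.
                if entry["attr"] in cred:
                    _set_nested(claims, entry["name"], cred[entry["attr"]])
            else:
                # No 'name': glob over the credential; each claim takes its attribute's name.
                for key in sorted(cred):
                    if fnmatch.fnmatchcase(key, entry["attr"]):
                        claims[key] = cred[key]
    return claims
```

Feeding it the claims list from the Example below yields iss, sub and every AZN_* attribute as top-level claims; the resulting dict is what would be serialised and signed with the configured certificate.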

Example

    resource_servers:
        - path: "/example"
          ...
          identity_headers:
              encoding: utf8_uri
              basic_auth: filter
              ip_address: true
              attributes:
                  - attribute: emailAddress
                    header: email_header
                  - attribute: AUTHENTICATION_LEVEL
                    header: auth_level
              session_cookie: true
              jwt:
                  certificate: "@jwt.cer"
                  hdr_name: jwt
                  claims:
                      - text: www.ibm.com
                        name: iss
                      - attr: AZN_CRED_PRINCIPAL_NAME
                        name: sub
                      - attr: AZN_*