Transactional authorization using jwt based subject (jwtSubject)

I am looking to implement policy evaluation for transactional authorization using the IG PolicyEnforcementFilter. However, we have a requirement to use jwtSubject instead of ssoTokenSubject. I am wondering if anyone has done this before.

I am trying to implement the example as described in the doc Policy enforcement :: ForgeRock Identity Gateway.

Any input or pointers would be helpful.

Thanks,
Ragha

Greetings @halliragha,

Firstly, I’m always happy to hear when a customer decides to use the policy framework for fine-grained authorizations, which may or may not include Advices or Transaction Authorization. Now if we could only get more customers to use the OAuth2 Claims implementation… as opposed to providing a claims script in the OAuth2 Provider… Another challenge for another day.

Within the policy itself, there is a provision for the Subject criteria to reference an OIDC/Jwt Claim. Have you tried that? What was your outcome please?

The first thing is to understand the ‘jwt’ parameter of the Subject in an authorization policy. I wrote about this many years ago: Yet another user name and password: Fun with OpenAM13 Authz Policies over REST - the ‘jwt’ parameter of the ‘Subject’.
Then you need to pass the id_token from IG to AM. See Filters :: ForgeRock Identity Gateway for details about the jwtSubject config option for the filter.
Sorry, I don’t have an example, but I hope this helps!

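An illustration of the two steps above, added here as an example route and not taken from the thread or the ForgeRock docs: the PolicyEnforcementFilter is given a `jwtSubject` expression instead of `ssoTokenSubject`, so the id_token is what IG forwards to AM as the policy subject (AM then matches it against a policy whose Subject condition references a JWT claim). The AM URL, realm, agent name, secret id, policy set name and the `X-Id-Token` header are assumptions; in a real deployment the JWT should come from a context IG has already validated (for example after a JwtValidationFilter or an OAuth2 flow) rather than straight from an unverified request header.

```json
{
  "name": "pep-jwt-subject",
  "condition": "${matches(request.uri.path, '^/api/')}",
  "heap": [
    {
      "name": "SystemAndEnvSecretStore-1",
      "type": "SystemAndEnvSecretStore"
    },
    {
      "name": "AmService-1",
      "type": "AmService",
      "config": {
        "url": "https://am.example.com/am",
        "realm": "/alpha",
        "agent": {
          "username": "ig_agent",
          "passwordSecretId": "agent.secret.id"
        },
        "secretsProvider": "SystemAndEnvSecretStore-1"
      }
    }
  ],
  "handler": {
    "type": "Chain",
    "config": {
      "filters": [
        {
          "type": "PolicyEnforcementFilter",
          "config": {
            "amService": "AmService-1",
            "application": "api-policy-set",
            "jwtSubject": "${request.headers['X-Id-Token'][0]}"
          }
        }
      ],
      "handler": "ReverseProxyHandler"
    }
  }
}
```

If AM returns no ALLOW action for the resource, the filter blocks the request before it reaches the ReverseProxyHandler, which is where a transaction-authorization advice would surface.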

I remember reading that! And was so hopeful to see a future where dynamic OAuth2 scopes, derived via the policy framework would take hold.

One thing is certain, having IG now certainly does simplify my integration needs.