This is a long shot, but I’m in dire need of advice. If you know of a more appropriate forum for this type of question please share!

I’m working with a legacy OAuth system using email + password grant type (deprecated, I know: it’s out of my control).

I have to somehow connect this authentication service with a database backend for which I have an API key.

Existing architecture

  • Frontend application of our creation
  • Legacy pingidentity OAuth service (must remain as is)
  • Legacy backend (must remain as is)

Everything already exists other than whatever middleware solution that should handle the authentication validation and request header modifying.

Ideal flow

  1. User logs in with OAuth service with email + password, gets access token
  2. User sends backend request to some middleware, which does introspection / validates access token
  3. Middleware appends API key to request header to retrieve backend data


Things I’ve considered

  1. Traefik instance + auth forwarding
    This seems to expect authentication to be done in the middleware rather than passing and introspecting an access token. Also the OAuth service’s introspection endpoint requires client ID and client secret as documented here.

  2. Ory Oathkeeper
    This seems to expect arguments which would be used for regular OAuth2 redirect flow, such as pre_authorization.



I was able to accomplish this with Ory Oathkeeper.

There is an unmerged pull request there which makes it possible to authenticate against some URL before forwarding the request + response.

Most importantly this method forwards all request elements. In this case I needed the body to be forwarded for the client ID + secret.

This is the mentioned PR.

The authenticator configuration looks like this:

    enabled: true
    service_url: <REDACTED>
    preserve_path: true
    method: "POST"
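
As an added illustration that is not part of the question or the answer above, here is a minimal Python middleware for the flow the question describes: introspect the bearer token (RFC 7662) with the client ID and secret sent in the form body, as the answer needed, then strip the user's token and forward with the backend API key attached. The introspection URL, credentials and header names are placeholders, the HTTP transport is injectable, and the fake OAuth server is constructed so the flow runs offline.

```python
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Optional

# Placeholders: substitute the real Ping introspection URL, client credentials and key.
INTROSPECT_URL = "https://oauth.example.invalid/as/introspect.oauth2"
CLIENT_ID, CLIENT_SECRET = "client-id-placeholder", "client-secret-placeholder"
BACKEND_API_KEY = "backend-api-key-placeholder"
API_KEY_HEADER = "X-API-Key"  # assumed name; use whatever the legacy backend expects
# Transport: (url, form fields) -> raw JSON bytes. Injectable so the flow runs offline.
Transport = Callable[[str, Dict[str, str]], bytes]

def http_post_form(url: str, form: Dict[str, str]) -> bytes:
    """Real transport: POST an x-www-form-urlencoded body (used in production)."""
    req = urllib.request.Request(url, data=urllib.parse.urlencode(form).encode(), method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return resp.read()

def introspect(token: str, send: Transport) -> Optional[dict]:
    """RFC 7662 introspection with client credentials in the form body, as the answer
    above required. Returns the claims only when the server says active=true."""
    form = {"token": token, "token_type_hint": "access_token",
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}
    try:
        claims = json.loads(send(INTROSPECT_URL, form))
    except (ValueError, OSError):
        return None  # fail closed: a transport or parse error is treated as invalid
    return claims if claims.get("active") is True else None

def authorize_and_forward(req_headers: Dict[str, str], send: Transport) -> dict:
    """Middleware step: validate the bearer token, then build the headers that go to
    the legacy backend. The user's token is stripped and the API key appended."""
    scheme, _, token = req_headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "bearer" or not token:
        return {"status": 401, "headers": {}}
    claims = introspect(token.strip(), send)
    if claims is None:
        return {"status": 401, "headers": {}}
    fwd = {k: v for k, v in req_headers.items() if k.lower() != "authorization"}
    fwd[API_KEY_HEADER] = BACKEND_API_KEY
    fwd["X-Subject"] = str(claims.get("sub", ""))  # tell the backend who called
    return {"status": 200, "headers": fwd}

def fake_oauth_server(url: str, form: Dict[str, str]) -> bytes:
    """Constructed offline stand-in for the OAuth service: one active token only."""
    ok = form.get("client_secret") == CLIENT_SECRET and form.get("token") == "good-token"
    body = {"active": True, "sub": "alice@example.invalid"} if ok else {"active": False}
    return json.dumps(body).encode()
```

In production, pass `http_post_form` as the transport; the legacy backend never sees the user's access token, only the API key and the introspected subject.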
