Description
This is a long shot, but I’m in dire need of advice. If you know of a more appropriate forum for this type of question please share!
I’m working with a legacy OAuth system using email + password grant type (deprecated, I know: it’s out of my control).
I have to somehow connect this authentication service with a database backend for which I have an API key for.
Existing architecture
- Frontend application of our creation
- Legacy pingidentity OAuth service (must remain as is)
- Legacy backend (must remain as is)
Everything already exists other than whatever middleware solution that should handle the authentication validation and request header modifying.
Ideal flow
- User logs in with OAuth service with email + password, gets access token
- User sends backend request to some middleware, which does introspection / validates access token
- Middleware appends API key to request header to retrieve backend data
Things I’ve considered
-
Traefik instance + auth forwarding
This seems to expect authentication to be done in the middleware rather than passing and introspecting an access token. Also the OAuth service’s introspection endpoint requires client ID and client secret as documented here. -
Ory Oathkeeper
This seems to expect arguments which would be used for regular OAuth2 redirect flow, such aspre_authorization.
3
I was able to accomplish this with Ory Oathkeeper.
There is an unmerged pull request there which makes it possible to authenticate against some URL before forwarding the request + response.
Most importantly this method forwards all request elements. In this case I needed the body to be forwarded for the client ID + secret.
This is the mentioned PR.
The authenticator configuration looks like this:
authenticators:
remote_json:
enabled: true
config:
service_url: <REDACTED>
preserve_path: true
method: "POST"