Configure rlm_rest module to allow token authentication

Arran Cudbard-Bell a.cudbardb at freeradius.org
Tue Jul 10 13:42:51 CEST 2018



> On Jul 10, 2018, at 6:37 AM, Zenon Mousmoulas <zmousm at noc.grnet.gr> wrote:
> 
> July 10, 2018 1:18 PM, "Rohith Asrk" <rohith.asrk at gmail.com> wrote:
> 
>> I actually think I got my basics wrong here. Sorry for all the confusion.
>> Please ignore the previous mail.
>> 
>> What I actually need is configuring the FreeRADIUS daemon to send requests
>> to the API. And the API here needs a token in the form of an authorization
>> header or a querystring.
>> 
>> Can I configure FreeRADIUS to send HTTP requests to the API with bearer
>> authorization in the headers? As of now, the rest module configuration
>> looks like this
>> <http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html>
>> [1].
>> 
>> The API is going to check for tokens in the headers or in the query strings
>> and we want the FreeRADIUS instance to be an authorized user.
> 
> No mention of HTTP auth in the linked doc.
> 
> So rlm_rest supports a number of options for that, but not bearer. Just adding that as a header might work though:
> 
> https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/rest#L84

It does, I've done it.

		map json "%{rest_subsc:POST https://${modules.rest[rest_subsc].username}:${modules.rest[rest_subsc].password}@${modules.rest[rest_subsc].server}:${modules.rest[rest_subsc].port}/oauthv2/token grant_type=client_credentials}" {
			&control:Cache-TTL := '$.expires_in'
			&control:Tmp-String-0 := '$.access_token'
			&control:Tmp-String-1 := '$.token_type'
		}

		timer_record_rest_subsc

		if (&reply:REST-HTTP-Status-Code && (&reply:REST-HTTP-Status-Code != 200)) {
			fail
		}

		# Access token should be pre-base64 encoded by the server
		update control {
			&REST-HTTP-Header += "Authorization: Bearer %{control:Tmp-String-0}"
		}

		# Issue request with new token
		rest

The map/json/rest xlat are all specific to v4, so you'd need to figure out how to do it on your own in v3. I'd recommend caching the token using the cache module once you have it.

-Arran
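
The flow in the message above (client-credentials token request, fields read from the JSON reply, Bearer header, plus the recommended caching), as an added Python example that is not part of the original message and is not FreeRADIUS configuration. The class name, the fetch hook, the 30-second expiry margin and the sample token responses are constructed for illustration; the CR/LF check is an added safeguard because the token is copied into a header line.

```python
import json
import time
import urllib.parse

class BearerTokenCache:
    """Fetch a client-credentials token and reuse it until shortly before expiry."""

    def __init__(self, fetch, skew=30, clock=time.monotonic):
        self._fetch = fetch    # callable(form_body) -> JSON text; hypothetical HTTP hook
        self._skew = skew      # assumed margin (seconds) subtracted from expires_in
        self._clock = clock
        self._token, self._expires_at = None, 0.0

    def _refresh(self):
        body = urllib.parse.urlencode({"grant_type": "client_credentials"})
        doc = json.loads(self._fetch(body))
        # Same fields the map section reads: $.access_token, $.token_type, $.expires_in
        token = doc.get("access_token")
        if str(doc.get("token_type", "")).lower() != "bearer":
            raise ValueError("unexpected token_type")
        # The token is copied into a header line, so refuse CR/LF and empty values
        if not isinstance(token, str) or not token or "\r" in token or "\n" in token:
            raise ValueError("invalid access_token")
        self._token = token
        self._expires_at = self._clock() + max(0, int(doc.get("expires_in", 0)) - self._skew)

    def header(self):
        if self._token is None or self._clock() >= self._expires_at:
            self._refresh()
        return "Authorization: Bearer " + self._token

def demo():
    now, calls = [1000.0], []  # fake clock and call log, so expiry needs no sleeping
    replies = iter([           # constructed sample token-endpoint responses
        '{"access_token": "dG9rZW4tMQ", "token_type": "Bearer", "expires_in": 300}',
        '{"access_token": "dG9rZW4tMg", "token_type": "Bearer", "expires_in": 300}',
    ])
    def fetch(body):
        calls.append(body)
        return next(replies)
    cache = BearerTokenCache(fetch, clock=lambda: now[0])
    first = cache.header()   # no token yet: fetched
    now[0] += 200
    second = cache.header()  # 200 s < 270 s usable lifetime: served from cache
    now[0] += 100
    third = cache.header()   # 300 s elapsed: refreshed
    return first, second, third, len(calls)
```
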
