Configure rlm_rest module to allow token authentication
Rohith Asrk
rohith.asrk at gmail.com
Thu Jul 12 23:57:30 CEST 2018
Hi Arran and Zenon,
Thank you for your replies. I've tried configuring my authorize section to
send a token in the bearer header whenever an authorize request is sent.
I've failed at doing it, maybe because I'm a beginner to FreeRADIUS.
My authorize section looks like the following.
    authorize {
        uri = "${..connect_uri}/api/authorize/"
        method = 'post'
        body = 'json'
        data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
        tls = ${..tls}
        # Confused about this section.
        update control {
            &REST-HTTP-Header += "Authorization: Bearer token123"
        }
        rest
    }
I tried testing it using the radtest command. I see that there are no
headers being set. I'm using FreeRADIUS version 3.0.15 on Fedora (Red Hat).
Can you please help me out with this?
On Tue, Jul 10, 2018 at 5:12 PM, Arran Cudbard-Bell <a.cudbardb at freeradius.org> wrote:
>
>
> > On Jul 10, 2018, at 6:37 AM, Zenon Mousmoulas <zmousm at noc.grnet.gr> wrote:
> >
> > July 10, 2018 1:18 PM, "Rohith Asrk" <rohith.asrk at gmail.com> wrote:
> >
> >> I actually think I got my basics wrong here. Sorry for all the confusion.
> >> Please ignore the previous mail.
> >>
> >> What I actually need is configuring the FreeRADIUS daemon to send requests
> >> to the API. And the API here needs a token in the form of an authorization
> >> header or a querystring.
> >>
> >> Can I configure FreeRADIUS to send HTTP requests to the API with bearer
> >> authorization in the headers? As of now, the rest module configuration
> >> looks like this
> >> <http://django-freeradius.readthedocs.io/en/latest/general/freeradius.html>
> >> [1].
> >>
> >> The API is going to check for tokens in the headers or in the query strings
> >> and we want the FreeRADIUS instance to be an authorized user.
> >
> > No mention of HTTP auth in the linked doc.
> >
> > So rlm_rest supports a number of options for that, but not bearer. Just
> > adding that as a header might work though:
> >
> > https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/raddb/mods-available/rest#L84
>
> It does, I've done it.
>
>     map json "%{rest_subsc:POST https://${modules.rest[rest_subsc].username}:${modules.rest[rest_subsc].password}@${modules.rest[rest_subsc].server}:${modules.rest[rest_subsc].port}/oauthv2/token grant_type=client_credentialst}" {
>         &control:Cache-TTL := '$.expires_in'
>         &control:Tmp-String-0 := '$.access_token'
>         &control:Tmp-String-1 := '$.token_type'
>     }
>
>     timer_record_rest_subsc
>
>     if (&reply:REST-HTTP-Status-Code && (&reply:REST-HTTP-Status-Code != 200)) {
>         fail
>     }
>
>     # Access token should be pre-base64 encoded by the server
>     update control {
>         &REST-HTTP-Header += "Authorization: Bearer %{control:Tmp-String-0}"
>     }
>
>     # Issue request with new token
>     rest
>
> The map/json/rest xlat are all specific to v4, so you'd need to figure
> out how to do it on your own in v3. I'd recommend caching the token using
> the cache module once you have it.
>
> -Arran
>
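One way to lay out the static-token case from this thread on v3, as an added example that is not part of the original messages and not the FreeRADIUS project's own configuration. It assumes the stock v3 file layout (raddb/mods-available/rest and raddb/sites-available/default), that the installed rlm_rest reads control:REST-HTTP-Header as the thread describes, and it reuses the thread's sample token; the split shown is module settings in the module file and the unlang policy in the virtual server.

```unlang
# --- raddb/mods-available/rest, inside the rest { ... } block ---
# Module configuration only: where and how the request is sent.
# No unlang statements (update, if, module calls) belong in this file.
authorize {
	uri = "${..connect_uri}/api/authorize/"
	method = 'post'
	body = 'json'
	data = '{"username": "%{User-Name}", "password": "%{User-Password}"}'
	tls = ${..tls}
}

# --- raddb/sites-available/default (other modules in this section omitted) ---
# Policy is evaluated here, per request, before the module is called.
authorize {
	# The header attribute is added to the control list first, so it is
	# present when rest builds its HTTP request.
	# token123 is the sample value from the thread. A real token stored in
	# this file makes the file a secret: keep it readable only by the
	# account the server runs as, and use an https connect_uri so neither
	# the token nor User-Password crosses the network in clear text.
	update control {
		&REST-HTTP-Header += "Authorization: Bearer token123"
	}

	# Runs the authorize { } section of the rest module configured above.
	rest
}
```

Running the server in debug mode (radiusd -X) while sending a radtest request shows the update control block being evaluated before rest is called.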