
Hello
I manage 2 Liberty servers that serve UI and BFF content respectively, and I want to secure them both with the corporate OIDC OP.
Having heard about inbound propagation, I was thinking of propagating the access token from the UI to the BFF.
However, I didn't find documentation on how I should configure it to outbound-propagate the access token after successful authentication. The documentation only refers to inbound propagation.
The only thing I see is a WASOidcClient_*** cookie being set, which I know nothing about.
I also heard about jwtSso-1.0 feature and tried to create my own JWT with the necessary user information, but can't make this feature get the desired claims from the ID Token (already opened this other question).
So I'm unclear on:

  1. Am I designing this correctly?
  2. How can I get the UI Liberty server to propagate the access token after successful authentication, preferably without coding anything?
  3. Should I propagate the access token or the ID token? The BFF needs basic user information that is present in the ID token.
  4. What is the WASOidcClient_*** cookie for? Can it be used by different Liberty instances to authenticate requests? Is the name configurable? I'm just curious, because this cookie is probably proprietary and not portable, which is not much desired.

Appreciate it in advance!!

Kuper
  • I don't have a proper answer for this, but I've been trying to wrangle my way to a similar thing - I want to use the token in code for an upstream data source. So far, I've found that setting `accessTokenInLtpaCookie="true"` in the `openidConnectClient` config for the server will populate an attribute named `oidc_access_token` on the `HttpServletRequest` after the first page request. That contains the raw token from the OIDC host that I can then use in code. It feels "incorrect", though, so I'm going to keep looking for a right way to do it. – Jesse Gallagher Sep 09 '22 at 13:25
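The mechanism the comment describes, as an added example that is not code from the question, the commenter, or Liberty itself: a servlet on the UI server reads the `oidc_access_token` request attribute (populated when `accessTokenInLtpaCookie="true"` is set on `openidConnectClient`, per the comment) and forwards it to the BFF as a Bearer token. The BFF URL, the servlet path and the use of the `jakarta.servlet` package (rather than `javax.servlet`, depending on the Liberty feature level) are assumptions for illustration; the BFF side is expected to validate the token itself via inbound propagation, which the question already mentions. The token is never logged or written back to the browser.

```java
// Added example: forward the OIDC access token from the UI Liberty server to the BFF.
// Assumes openidConnectClient accessTokenInLtpaCookie="true", so Liberty sets the
// request attribute "oidc_access_token" (as reported in the comment above).
import jakarta.servlet.ServletException;
import jakarta.servlet.annotation.WebServlet;
import jakarta.servlet.http.HttpServlet;
import jakarta.servlet.http.HttpServletRequest;
import jakarta.servlet.http.HttpServletResponse;

import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.time.Duration;

@WebServlet("/profile") // hypothetical UI endpoint that fronts the BFF
public class ProfileProxyServlet extends HttpServlet {

    // Hypothetical BFF location (placeholder); read it from configuration in practice.
    // Must be HTTPS: the bearer token travels in the Authorization header.
    private static final URI BFF_PROFILE =
            URI.create("https://bff.example.internal/api/profile");

    private final HttpClient client = HttpClient.newBuilder()
            .connectTimeout(Duration.ofSeconds(5))
            .build();

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {

        // The attribute is only present once the OIDC client has authenticated the user;
        // refuse to call the BFF anonymously rather than sending an empty header.
        Object attr = req.getAttribute("oidc_access_token");
        if (!(attr instanceof String) || ((String) attr).isEmpty()) {
            resp.sendError(HttpServletResponse.SC_UNAUTHORIZED, "no OIDC access token on request");
            return;
        }
        String accessToken = (String) attr;

        HttpRequest upstream = HttpRequest.newBuilder(BFF_PROFILE)
                .header("Authorization", "Bearer " + accessToken) // outbound propagation
                .header("Accept", "application/json")
                .timeout(Duration.ofSeconds(10))
                .GET()
                .build();

        try {
            HttpResponse<String> bff = client.send(upstream, HttpResponse.BodyHandlers.ofString());
            // Relay status, content type and body; the token itself is not echoed back.
            resp.setStatus(bff.statusCode());
            bff.headers().firstValue("Content-Type").ifPresent(resp::setContentType);
            resp.getWriter().write(bff.body());
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            resp.sendError(HttpServletResponse.SC_BAD_GATEWAY, "BFF call interrupted");
        }
    }
}
```

Because the BFF receives only the access token, it should treat it as an opaque bearer credential and validate it with the OP (its own `openidConnectClient` doing inbound propagation); if the BFF needs profile claims, it can obtain them from the OP rather than trusting anything the UI adds to the request.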

0 Answers