Last Updated | 08 March 2022 |
Document Tag | tch-research-next-gen-authz |
Author | simonm@thecyberhut.com |
Part of Research Product | Next Generation Authorization Technology |
ForgeRock’s authorization components fall under their Access Management umbrella of features. Authorization capabilities within the ForgeRock portfolio can be applied to B2E (employee), B2C (consumer) and IoT related environments.
ForgeRock authorization capability can be broken down into several categories:
- Policy Decision Point / Policy Management
- OAuth2 Authorization Service
- Identity Gateway OAuth2 Resource Server / Policy Enforcement Point
Policy Decision Point / Policy Management
The ForgeRock PDP is a long-standing component whose origins lie in the Sun Microsystems OpenSSO era. A centralized user interface lets administrators create policies based on resources, subjects and conditions. The resulting policy set is enforced by agents or queried through a REST API.
Source: ForgeRock official documentation
Policies can be used to protect URLs or arbitrary string-based representations of any object. This allows the policy engine to be extended to protect IoT or physical objects, which can have a custom schema attached to them.
Source: ForgeRock official documentation
For example, a string representation of a door could be house://door/front or office://floor/ground/entrance. Conditions can be used to capture and analyse context during access evaluation, including session properties, location, time of day or the result of custom scripts.
Source: ForgeRock official documentation
Changes to the PDP since 2019:
| Date | Feature | Details |
| --- | --- | --- |
| August 2020 | Improvements to Transactional Authorization | Transactional authorization provides policy enforcement for single events, requiring a set of steps to be repeated for each event before access is granted. If the credentials provided are invalid or the user authentication event fails, a 401 is returned during policy evaluation, instead of continuing to the resource where a 403 would be returned. |
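The resource / subject / condition model described above, as an added illustration that is not ForgeRock's engine: policies match string resources such as house://door/front (a simplified wildcard syntax, not AM's), and a failed condition is reported as an advice so the enforcement point knows which verification step the user still has to complete. The policy set, subject names and context values are constructed for the example.

```python
from datetime import datetime
from fnmatch import fnmatchcase

# Constructed sample policy set (illustrative, not a ForgeRock policy export):
# each policy names resource patterns, the subjects it applies to, the
# actions it grants, and conditions checked against the request context.
POLICIES = [
    {"name": "front-door-residents", "resources": ["house://door/*"],
     "subjects": {"alice", "bob"}, "actions": {"OPEN", "UNLOCK"},
     "conditions": {"hours": (6, 23)}},
    {"name": "office-entrance-staff", "resources": ["office://floor/*/entrance"],
     "subjects": {"group:staff"}, "actions": {"OPEN"},
     "conditions": {"hours": (7, 20), "auth_level": 2}},
]

def make_context(hour, auth_level=0):
    """Constructed request context: evaluation time and session auth level."""
    return {"time": datetime(2022, 3, 8, hour, 0), "auth_level": auth_level}

def _conditions_met(conds, ctx):
    """Return (ok, advice); the advice tells the PEP what the user must do first."""
    start, end = conds.get("hours", (0, 24))
    if not start <= ctx["time"].hour < end:
        return False, "OutsideAllowedHours"
    if ctx.get("auth_level", 0) < conds.get("auth_level", 0):
        return False, "AuthLevelConditionAdvice"   # step-up / re-verification needed
    return True, None

def evaluate(subject, groups, resource, ctx):
    """Evaluate every matching policy; returns granted actions and advices."""
    identities = {subject} | {f"group:{g}" for g in groups}
    actions, advices = set(), []
    for pol in POLICIES:
        if not identities & pol["subjects"]:
            continue                      # policy does not apply to this subject
        if not any(fnmatchcase(resource, pat) for pat in pol["resources"]):
            continue                      # resource outside the policy's scope
        ok, advice = _conditions_met(pol["conditions"], ctx)
        if ok:
            actions |= pol["actions"]
        else:
            advices.append(advice)
    return {"resource": resource, "actions": sorted(actions), "advices": advices}

if __name__ == "__main__":
    # Staff member at auth level 1: no action granted, step-up advice returned.
    print(evaluate("carol", ["staff"], "office://floor/ground/entrance",
                   make_context(9, auth_level=1)))
```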
OAuth2 Authorization Service
ForgeRock provides a fully featured OAuth2 authorization service and participates in the IETF OAuth working group. It supports MTLS client authentication, the device flow, PKCE and other OAuth2 sub-profiles. ForgeRock can also act as an OAuth2 client to third-party authorization services.
| Date | Feature | Details |
| --- | --- | --- |
| April 2019 | OAuth2 MTLS Support | OAuth2 clients registered with the ForgeRock authorization service can now authenticate using certificates, mutually authenticating the service and the client. |
| April 2019 | OAuth2 Certificate Bound Access Tokens | Clients that authenticate using MTLS can be issued tokens that are bound to the client, using a hash of the client certificate. Proof of possession of the corresponding private key is required when the issued access token is used. |
| April 2019 | OAuth 2.0 Dynamic Client Registration Management Protocol (RFC 7592) Fully Supported | Clients of the ForgeRock OAuth2 service can now register and manage their profile information in a standards-based way. |
| June 2019 | OAuth2 Access Token Modification Scripts | ForgeRock-issued OAuth2 access tokens now have a scripted component that allows arbitrary processing of context and the addition or removal of attributes or scopes within a token. |
| Aug 2020 | Support for Macaroons based Tokens | A new token format, Macaroons, can be used when issuing OAuth 2.0 access and refresh tokens. Caveats can be appended to a macaroon to restrict how the token can be used, which adds security because a token can be restricted just before use. |
| May 2021 | New Properties Available to Claims and Access Token Scripts | The scripting API can now inspect the contents of the inbound client request before access tokens are issued. |
| May 2021 | OAuth 2.0 and OpenID Connect Token Exchange Support | ForgeRock added support for the IETF standard RFC 8693, which allows access tokens and OIDC ID tokens from the same authorization server to be exchanged so that different resource servers can receive more narrowly scoped tokens. |
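The macaroon construction behind the "Support for Macaroons based Tokens" row above, as an added illustration of the generic HMAC-chained design rather than ForgeRock's implementation: the issuer binds an identifier to a root key, any holder can append a caveat (which re-keys the signature, so caveats can be added but never removed), and the verifier recomputes the chain and checks every caveat against the request. The root key, identifier and caveat format ("name = value") are constructed for the example.

```python
import hmac
import hashlib

def _mac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def mint(root_key: bytes, identifier: str) -> dict:
    """Issuer side: the identifier lets the verifier look up the root key."""
    return {"id": identifier, "caveats": [], "sig": _mac(root_key, identifier.encode())}

def add_caveat(macaroon: dict, caveat: str) -> dict:
    """Any holder can restrict the token further, just before use, with no key."""
    return {"id": macaroon["id"],
            "caveats": macaroon["caveats"] + [caveat],
            "sig": _mac(macaroon["sig"], caveat.encode())}

def verify(root_key: bytes, macaroon: dict, request: dict) -> bool:
    """Resource server side: recompute the signature chain from the root key
    and require every caveat ("name = value") to hold for this request."""
    sig = _mac(root_key, macaroon["id"].encode())
    caveats_hold = True
    for caveat in macaroon["caveats"]:
        sig = _mac(sig, caveat.encode())
        name, _, expected = caveat.partition(" = ")
        if str(request.get(name)) != expected:
            caveats_hold = False
    return caveats_hold and hmac.compare_digest(sig, macaroon["sig"])

if __name__ == "__main__":
    ROOT_KEY = b"constructed-root-key-for-demo"          # constructed
    token = mint(ROOT_KEY, "access-token-abc123")         # constructed id
    # Holder narrows the token to one method and path right before calling.
    narrowed = add_caveat(add_caveat(token, "method = GET"), "path = /accounts/42")
    print(verify(ROOT_KEY, narrowed, {"method": "GET", "path": "/accounts/42"}))
    print(verify(ROOT_KEY, narrowed, {"method": "POST", "path": "/accounts/42"}))
```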
Identity Gateway
The ForgeRock Identity Gateway (IG) is a lightweight software-based HTTP reverse proxy. It intercepts inbound requests before they reach a protected resource. IG can then perform authorization enforcement either by calling out to a policy decision point or via locally configured transformations and logic. IG can also alter the response from the protected resource before it is returned to the calling client.
A selection of changes made to IG since 2019 as they relate to authorization capabilities:
| Date | Feature | Capabilities |
| --- | --- | --- |
| March 2019 | OAuth2 Client Authentication via MTLS | When IG is acting as an OAuth2 client to the ForgeRock OAuth2 authorization service, it can authenticate using MTLS. |
| March 2019 | Improved PDP Policy Advice Redirection | When IG receives policy advice from the ForgeRock PDP, the redirection URL to which the end user is sent to perform a verification step is now configurable. |
| Dec 2019 | Request Policy Decisions From AM Using a Configurable Resource URL | When acting as the PEP, IG can request policy decisions from AM as the PDP using a configurable protected resource URL. |
| Aug 2020 | Locally Enforced Declarative Authorization | Rules can be created that are evaluated locally within the IG instance; requests are allowed only if a set of conditions is met. |
| Aug 2020 | Financial Grade API Security | Additional client-side filters increase support for the FAPI standards. |
| Aug 2020 | Ability to Cache OAuth2 Access Tokens | A new object improves the caching of presented OAuth2 access tokens. |
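When IG or any other OAuth2 resource server receives one of the certificate-bound access tokens listed in the OAuth2 table above, the binding check is the following, as an added example that is not ForgeRock code: the token's cnf claim carries the base64url SHA-256 thumbprint of the client certificate (the x5t#S256 member defined in RFC 8705), and the token is accepted only if the certificate presented on the mutual-TLS connection hashes to the same value. The certificate bytes and claims are constructed stand-ins.

```python
import base64
import hashlib
import hmac

def x5t_s256(cert_der: bytes) -> str:
    """Unpadded base64url SHA-256 of the DER-encoded certificate (RFC 8705)."""
    digest = hashlib.sha256(cert_der).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")

def issue_claims(client_id: str, cert_der: bytes) -> dict:
    """Authorization server side: bind the token to the authenticated client cert."""
    return {"sub": client_id, "scope": "accounts:read",
            "cnf": {"x5t#S256": x5t_s256(cert_der)}}

def token_bound_to_cert(claims: dict, presented_cert_der: bytes) -> bool:
    """Resource server side: accept only if the token's cnf thumbprint matches
    the certificate presented on this MTLS connection. A token with no cnf
    claim is not sender-constrained and is refused by this check."""
    expected = claims.get("cnf", {}).get("x5t#S256")
    if not isinstance(expected, str) or not expected:
        return False
    return hmac.compare_digest(expected, x5t_s256(presented_cert_der))

# Constructed stand-ins for DER certificate bytes (not real certificates).
CLIENT_A_CERT_DER = b"-- constructed DER bytes standing in for client A --"
CLIENT_B_CERT_DER = b"-- constructed DER bytes standing in for client B --"

if __name__ == "__main__":
    claims = issue_claims("client-a", CLIENT_A_CERT_DER)
    print(token_bound_to_cert(claims, CLIENT_A_CERT_DER))  # legitimate holder
    print(token_bound_to_cert(claims, CLIENT_B_CERT_DER))  # replayed on another connection
```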