Tags: rest, attributes, freeradius, radius

Freeradius 3.0.20 reply rlm_rest response


I'm trying to return a REST response to the user as a simple string (Reply-Message). The authentication against a REST API works and I get a JSON-formatted response (called "token"). I've declared this attribute in the raddb/dictionary file.

My question is: how can I access this attribute in the authentication or post-authentication section?

Below is my config (raddb/sites-available/default):

authenticate {
    #
    # REST authentication
    Auth-Type rest {
        rest {
            # keep processing this section when rest returns "updated"
            updated = 1
        }
        if (updated) {
            # try to expand the Token attribute received from the REST API
            %{Token}
            ok
        }
    }
}

I tried all the possibilities, like &Token, "%{Token}" and &rest:Token.

See my debug output below:

Ready to process requests
(0) Received Access-Request Id 96 from 127.0.0.1:49260 to 127.0.0.1:1812 length 50
(0)   User-Name = "Arya Stark"
(0)   User-Password = "verySecret"
(0) # Executing section authorize from file /etc/freeradius/sites-enabled/default
(0)   authorize {
(0)     [preprocess] = ok
(0)     [chap] = noop
(0)     [mschap] = noop
(0)     [digest] = noop
(0) suffix: Checking for suffix after "@"
(0) suffix: No '@' in User-Name = "Arya Stark", looking up realm NULL
(0) suffix: No such realm "NULL"
(0)     [suffix] = noop
(0) eap: No EAP-Message, not doing EAP
(0)     [eap] = noop
(0) files: users: Matched entry DEFAULT at line 154
(0)     [files] = ok
(0)     [expiration] = noop
(0)     [logintime] = noop
Not doing PAP as Auth-Type is already set.
(0)     [pap] = noop
(0)   } # authorize = ok
Found Auth-Type = rest
(0) # Executing group from file /etc/freeradius/sites-enabled/default
(0)   Auth-Type rest {
rlm_rest (rest): Reserved connection (0)
(0) rest: Expanding URI components
(0) rest: EXPAND https://172.16.0.5
(0) rest:    --> https://172.16.0.5
(0) rest: EXPAND /identityprovider/auth/passwordlogin
(0) rest:    --> /identityprovider/auth/passwordlogin
(0) rest: Sending HTTP POST to "https://172.16.0.5/provider/auth/login"
(0) rest: EXPAND { "Username": "%{User-Name}", "Password":"%{User-Password}" }
(0) rest:    --> { "Username": "Arya Stark", "Password":"verySecret" }
(0) rest: Processing response header
(0) rest:   Status : 200 (OK)
(0) rest:   Type   : json (application/json)
(0) rest: Parsing attribute "token"
(0) rest: EXPAND eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBcnlhIFN0YXJrIiwiaWF0IjoxNTgwMTI5......1DuIVMzCI4a1UWUThAce0xnA
(0) rest:    --> eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBcnlhIFN0YXJrIiwiaWF0IjoxNTgwMTI5......1DuIVMzCI4a1UWUThAce0xnA
(0) rest: Token := "eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJBcnlhIFN0YXJrIiwiaWF0IjoxNTgwMTI5......1DuIVMzCI4a1UWUThAce0xnA"
rlm_rest (rest): Released connection (0)
Need 5 more connections to reach 10 spares
rlm_rest (rest): Opening additional connection (5), 1 of 27 pending slots used
rlm_rest (rest): Connecting to "https://172.16.0.5"
(0)     [rest] = updated
(0)     if (updated) {
(0)     if (updated)  -> TRUE
(0)     if (updated)  {
(0)       EXPAND %{Token}
(0)          -->
(0)       [ok] = ok
(0)     } # if (updated)  = ok
(0)   } # Auth-Type rest = ok
(0) # Executing section post-auth from file /etc/freeradius/sites-enabled/default
(0)   post-auth {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name)) {
(0)     if (session-state:User-Name && reply:User-Name && request:User-Name && (reply:User-Name == request:User-Name))  -> FALSE
(0)     update {
(0)       No attributes updated for RHS &session-state:
(0)     } # update = noop
(0)     [exec] = noop
(0)     policy remove_reply_message_if_eap {
(0)       if (&reply:EAP-Message && &reply:Reply-Message) {
(0)       if (&reply:EAP-Message && &reply:Reply-Message)  -> FALSE
(0)       else {
(0)         [noop] = noop
(0)       } # else = noop
(0)     } # policy remove_reply_message_if_eap = noop
(0)   } # post-auth = noop
(0) Sent Access-Accept Id 96 from 127.0.0.1:1812 to 127.0.0.1:49260 length 0
(0) Finished request
Waking up in 4.9 seconds.
(0) Cleaning up request packet ID 96 with timestamp +17
Ready to process requests

Solution

  • The issue here is that by default any attributes specified in the JSON response are inserted into the reply list.

    This can be fixed in two ways: either change your JSON blob to specify a list qualifier:

    { "request:Token": "<token value>" }
    

    or access the attribute in the reply list:

    %{reply:Token}
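The corrected authenticate section, written out as an added example (this is not code from the question or the answer above, and not FreeRADIUS project configuration). It keeps the questioner's rest { updated = 1 } call and the rest module as configured in the debug output, reads the token from the list rlm_rest actually populated (the reply list), and copies it into Reply-Message so the NAS sees it in the Access-Accept. The reject branch is an assumption about the desired failure behaviour; the question does not say what should happen when the API returns no token.

```unlang
authenticate {
    #
    # REST authentication
    Auth-Type rest {
        # "updated = 1" keeps processing this section after rlm_rest
        # returns "updated", as in the question.
        rest {
            updated = 1
        }
        if (updated) {
            # rlm_rest puts JSON keys without a list qualifier into the
            # reply list, so the attribute is &reply:Token. A bare &Token
            # means &request:Token, which is why %{Token} expanded to "".
            update reply {
                &Reply-Message := "%{reply:Token}"
            }
            ok
        }
        else {
            # Assumed policy for this example: no token from the API, no access.
            reject
        }
    }
}
```

Two things to check before relying on this. A single RADIUS string attribute carries at most 253 octets on the wire; the JWT in the debug output is elided so its real length is unknown, but JWTs are frequently longer than that, in which case the value will not fit in one Reply-Message. Second, Token itself is now sitting in the reply list as well; whether it is also encoded towards the NAS depends on how it was declared in raddb/dictionary, which the question does not show, so confirm with radiusd -X that only the attributes you intend are in the Access-Accept.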