freeradius 3.0.17 rlm_rest parsing json response
up vote
0
down vote
favorite
I'm trying to authenticate RADIUS Requests against a RESTful API (provided by Customer) using rlm_rest.
The problem I am facing is that
response JSON format (of REST API provided by Customer), is different from rlm_rest default format (indicated in etc/raddb/mods-enabled/rest).
My Virtual Server configuration as below:
Default
authorize {
...
...
rest
if (ok) {
update control {
Auth-Type := rest
}
}
}
mods-enabled/rest
authorize {
uri = "https://3rd-party-API/auth"
method = 'post'
body = 'json'
chunk = 0
tls = ${..tls}
data = '{
"code": 1,
"identifier": %I,
"avps": {
"User-Name": ["%{User-Name}"],
"NAS-IP-Address": ["%{NAS-IP-Address}"],
"Called-Station-Id": ["%{Called-Station-Id}"],
"Calling-Station-Id": ["%{Calling-Station-Id}"],
"NAS-Identifier": ["%{NAS-Identifier}"]
}
}'
}
Result
/sbin/radiusd -Xxx
HTTP response code
200
JSON Body
{
"code": "2",
"identifier": "91",
"avps": {
"Customer-Attributes": "Hello"
...
...
"Acct-Interim-Interval": "300"
}
}
The JSON structure is different from the example, and xlat parse
"code"
"identifier"
"avps"
And, of course, xlat finds no attributes match with the dictionary, while it cannot find "avps" and won't dig deeper.
So I was wondering is there anyway to either
- Define the response JSON structure for xlat to parsing
- Insert a "is_json" or "do_xlat" flag into the JSON ("avps"), and hope xlat will then dig deeper
- Save the JSON and parse with exec/rlm_exec (using JQ or any other bash/JSON tools)
Please advise if there is any workaround. Thanks!
json rest api restful-authentication freeradius
asked Nov 21 at 13:59
peteeelol
32
add a comment |
up vote
0
down vote
favorite
I'm trying to authenticate RADIUS Requests against a RESTful API (provided by Customer) using rlm_rest.
The problem I am facing is that
response JSON format (of REST API provided by Customer), is different from rlm_rest default format (indicated in etc/raddb/mods-enabled/rest).
My Virtual Server configuration as below:
Default
authorize {
...
...
rest
if (ok) {
update control {
Auth-Type := rest
}
}
}
mods-enabled/rest
authorize {
uri = "https://3rd-party-API/auth"
method = 'post'
body = 'json'
chunk = 0
tls = ${..tls}
data = '{
"code": 1,
"identifier": %I,
"avps": {
"User-Name": ["%{User-Name}"],
"NAS-IP-Address": ["%{NAS-IP-Address}"],
"Called-Station-Id": ["%{Called-Station-Id}"],
"Calling-Station-Id": ["%{Calling-Station-Id}"],
"NAS-Identifier": ["%{NAS-Identifier}"]
}
}'
}
Result
/sbin/radiusd -Xxx
HTTP response code
200
JSON Body
{
"code": "2",
"identifier": "91",
"avps": {
"Customer-Attributes": "Hello"
...
...
"Acct-Interim-Interval": "300"
}
}
The JSON structure is different from the example, and xlat parse
"code"
"identifier"
"avps"
And, of course, xlat finds no attributes match with the dictionary, while it cannot find "avps" and won't dig deeper.
So I was wondering is there anyway to either
- Define the response JSON structure for xlat to parsing
- Insert a "is_json" or "do_xlat" flag into the JSON ("avps"), and hope xlat will then dig deeper
- Save the JSON and parse with exec/rlm_exec (using JQ or any other bash/JSON tools)
Please advise if there is any workaround. Thanks!
json rest api restful-authentication freeradius
asked Nov 21 at 13:59
peteeelol
32
add a comment |
up vote
0
down vote
favorite
up vote
0
down vote
favorite
I'm trying to authenticate RADIUS Requests against a RESTful API (provided by Customer) using rlm_rest.
The problem I am facing is that
response JSON format (of REST API provided by Customer), is different from rlm_rest default format (indicated in etc/raddb/mods-enabled/rest).
My Virtual Server configuration as below:
Default
authorize {
...
...
rest
if (ok) {
update control {
Auth-Type := rest
}
}
}
mods-enabled/rest
authorize {
uri = "https://3rd-party-API/auth"
method = 'post'
body = 'json'
chunk = 0
tls = ${..tls}
data = '{
"code": 1,
"identifier": %I,
"avps": {
"User-Name": ["%{User-Name}"],
"NAS-IP-Address": ["%{NAS-IP-Address}"],
"Called-Station-Id": ["%{Called-Station-Id}"],
"Calling-Station-Id": ["%{Calling-Station-Id}"],
"NAS-Identifier": ["%{NAS-Identifier}"]
}
}'
}
Result
/sbin/radiusd -Xxx
HTTP response code
200
JSON Body
{
"code": "2",
"identifier": "91",
"avps": {
"Customer-Attributes": "Hello"
...
...
"Acct-Interim-Interval": "300"
}
}
The JSON structure is different from the example, and xlat parse
"code"
"identifier"
"avps"
And, of course, xlat finds no attributes match with the dictionary, while it cannot find "avps" and won't dig deeper.
So I was wondering is there anyway to either
- Define the response JSON structure for xlat to parsing
- Insert a "is_json" or "do_xlat" flag into the JSON ("avps"), and hope xlat will then dig deeper
- Save the JSON and parse with exec/rlm_exec (using JQ or any other bash/JSON tools)
Please advise if there is any workaround. Thanks!
json rest api restful-authentication freeradius
asked Nov 21 at 13:59
peteeelol
32
I'm trying to authenticate RADIUS Requests against a RESTful API (provided by Customer) using rlm_rest.
The problem I am facing is that
response JSON format (of REST API provided by Customer), is different from rlm_rest default format (indicated in etc/raddb/mods-enabled/rest).
My Virtual Server configuration as below:
Default
authorize {
...
...
rest
if (ok) {
update control {
Auth-Type := rest
}
}
}
mods-enabled/rest
authorize {
uri = "https://3rd-party-API/auth"
method = 'post'
body = 'json'
chunk = 0
tls = ${..tls}
data = '{
"code": 1,
"identifier": %I,
"avps": {
"User-Name": ["%{User-Name}"],
"NAS-IP-Address": ["%{NAS-IP-Address}"],
"Called-Station-Id": ["%{Called-Station-Id}"],
"Calling-Station-Id": ["%{Calling-Station-Id}"],
"NAS-Identifier": ["%{NAS-Identifier}"]
}
}'
}
Result
/sbin/radiusd -Xxx
HTTP response code
200
JSON Body
{
"code": "2",
"identifier": "91",
"avps": {
"Customer-Attributes": "Hello"
...
...
"Acct-Interim-Interval": "300"
}
}
The JSON structure is different from the example, and xlat parse
"code"
"identifier"
"avps"
And, of course, xlat finds no attributes match with the dictionary, while it cannot find "avps" and won't dig deeper.
So I was wondering is there anyway to either
- Define the response JSON structure for xlat to parsing
- Insert a "is_json" or "do_xlat" flag into the JSON ("avps"), and hope xlat will then dig deeper
- Save the JSON and parse with exec/rlm_exec (using JQ or any other bash/JSON tools)
Please advise if there is any workaround. Thanks!
json rest api restful-authentication freeradius
json rest api restful-authentication freeradius
asked Nov 21 at 13:59
peteeelol
32
asked Nov 21 at 13:59
peteeelol
32
asked Nov 21 at 13:59
peteeelol
32
asked Nov 21 at 13:59
peteeelol
32
asked Nov 21 at 13:59
peteeelol
32
32
add a comment |
add a comment |
1 Answer
1
active
oldest
votes
up vote
0
down vote
accepted
In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).
Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).
map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
&Subscriber-ID := '$.externalId'
&Provisioned-MAC := '$.macAddress'
}
The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
|
show 5 more comments
1 Answer
1
active
oldest
votes
1 Answer
1
active
oldest
votes
active
oldest
votes
active
oldest
votes
up vote
0
down vote
accepted
In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).
Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).
map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
&Subscriber-ID := '$.externalId'
&Provisioned-MAC := '$.macAddress'
}
The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
|
show 5 more comments
up vote
0
down vote
accepted
In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).
Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).
map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
&Subscriber-ID := '$.externalId'
&Provisioned-MAC := '$.macAddress'
}
The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
|
show 5 more comments
up vote
0
down vote
accepted
up vote
0
down vote
accepted
In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).
Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).
map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
&Subscriber-ID := '$.externalId'
&Provisioned-MAC := '$.macAddress'
}
The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
In FreeRADIUS version 4, there's a rlm_json module, which implements a custom node query language based on xpath (jpath), it is extremely limited and only supports some very basic queries (feel free to enhance it via PR :) ).
Below is an example I pulled out of my library of customer configurations. You can see here it's pulling out two keys (externalID and macAddress) from the root level of the JSON doc and assigning them to a couple of custom attributes (Subscriber-ID and Provisioned-MAC).
map json "%{rest_api:https://${modules.rest[rest_api].server}/admin/api/${modules.rest[rest_api].api_key}/external/getDeviceBySerialNumber?certificateSerialNumber=%{lpad:&TLS-Client-Cert-Serial 40 0}}" {
&Subscriber-ID := '$.externalId'
&Provisioned-MAC := '$.macAddress'
}
The xlat expansion can also be modified to send HTTP body data. Just put a space after the URL and pass your custom JSON blob.
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
edited Nov 24 at 21:35
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
answered Nov 21 at 16:33
Arran Cudbard-Bell
3,48111433
3,48111433
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
|
show 5 more comments
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
This looks great :) However, our team is now using on rlm_rest. The main reason is we had implement curl multi-interface to support HTTP/2 multiplexing in this case. So I guess json must be the output of rlm_rest. Is there a way to pass the result of rlm_rest to rlm_json?
– peteeelol
Nov 22 at 2:43
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
rest_api is just an instance of rlm_rest. The expansion used there is the expansion from the rlm_rest module. I think rlm_rest will support HTTP/2 fine. Might need an extra option passed to libcurl to enable pipelining but that's about it.
– Arran Cudbard-Bell
Nov 22 at 10:04
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Yeah I just checked this. In v4.0.x at least we can add pipelining relatively easily. Just need to set some options on the multi handle and we're good to go.
– Arran Cudbard-Bell
Nov 22 at 15:32
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Thanks... I now noticed the implement of rlm_rest change from curl_easy to curl_multi_interface at FreeRADIUS 4.0.x. This does make HTTP/2 multiplexing relatively easy!
– peteeelol
Nov 23 at 3:48
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
Anothor qeestion, how do i specify the HTTP method if I was gonna use "%{rest_api:REST_URI JSON_BODY"? I notice there is uri and body but no HTTP method.
– peteeelol
Nov 23 at 3:56
|
show 5 more comments
Thanks for contributing an answer to Stack Overflow!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Some of your past answers have not been well-received, and you're in danger of being blocked from answering.
Please pay close attention to the following guidance:
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fstackoverflow.com%2fquestions%2f53413728%2ffreeradius-3-0-17-rlm-rest-parsing-json-response%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
