IBM Verify

  • 1.  Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 10:36 AM
    One of our developers asked me a question I thought deserved some investigation.  If we are making an API call through a webseal to some API sitting behind it, and we are authenticating with a bearer token in the authorization header, and that token is invalid (expired, revoked, etc.), webseal returns HTTP status code 200 and the JSON response operation cert_login.  Obviously good tokens work just fine.

    The question at hand is, when these tokens are invalid, can webseal do something different than return with a 200 with that operation cert_login?  I see the developer's point in that this is confusing for the client making the call, as it is getting back a 200.

    Any thoughts?  Thanks!

    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 10:43 AM
    Also, to add to this, the developer told me that last year they tested and received the following messages:
    • Invalid authorization token (i.e. Bearer 12345) - status code 401 { "error": "Unauthorized, Access token is invalid." }
    • No authorization header - status code 400 - { "error": "Bad request, Access token is missing." }
    However, I'm wondering if these messages may have been coming from the backend, and maybe the junction to the backend was set to unauthenticated instead of any-auth at the time.  However, my original question still stands, if webseal gets a bad token, is there any way to return a different status code and/or message in that case?

    Thanks again!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 3.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 12:15 PM
    Hello Matt,

    Create a template file in the Reverse Proxy management root called 'login.401.json' with the following contents:
    {
    "operation" : "%TAM_OP%"
    }

    This will then return a 401 with the above.

    You can customize it to however you want using the macros in the following documentation:
    https://www.ibm.com/docs/en/sva/10.0.3?topic=modification-macro-resources-customizing-response-pages

    ------------------------------
    JACK YARBOROUGH
    ------------------------------
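A client-side safeguard for the behaviour discussed in this thread, as an added example that is not part of the original posts and is not IBM's code: a response classifier that treats a 200 whose body is a rendered WebSEAL login page (`{"operation": "cert_login"}`) as an authentication challenge rather than a successful API call, and that handles the 401 produced once a `login.401.json` template like the one above is in place. The sample responses are constructed to match the shapes described in the thread; the set of `%TAM_OP%` values treated as "log in" is an assumption apart from `cert_login`, which is the value the thread reports.

```python
"""Classify responses from an API behind an IBM Security Verify Access (WebSEAL)
reverse proxy so the caller never mistakes a login challenge for success.

Added example, not from the thread or from IBM. Sample responses are constructed.
"""
import json
from enum import Enum
from typing import Mapping


class Outcome(Enum):
    SUCCESS = "success"                # real API payload from the junctioned backend
    AUTH_CHALLENGE = "auth_challenge"  # the reverse proxy asked us to authenticate
    UNAUTHORIZED = "unauthorized"      # 401 with no recognisable challenge body
    CLIENT_ERROR = "client_error"      # other 4xx
    SERVER_ERROR = "server_error"      # 5xx and anything else


# %TAM_OP% values that mean "log in" rather than "here is your data". Only
# "cert_login" is attested in the thread; the rest are assumed for illustration.
LOGIN_OPERATIONS = frozenset({"cert_login", "login", "stepup", "eai_auth_error"})


def _header(headers: Mapping[str, str], name: str) -> str:
    """Case-insensitive header lookup (proxies and backends differ in casing)."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def classify(status: int, headers: Mapping[str, str], body: bytes) -> Outcome:
    """Decide what a WebSEAL-fronted response actually means for the caller."""
    content_type = _header(headers, "Content-Type").lower()
    text = body.decode("utf-8", errors="replace")

    # 1. A JSON body carrying a login "operation" is a rendered WebSEAL
    #    management page (login.json / login.401.json), whatever the status code.
    if "json" in content_type:
        try:
            doc = json.loads(text or "null")
        except json.JSONDecodeError:
            doc = None
        if isinstance(doc, dict) and doc.get("operation") in LOGIN_OPERATIONS:
            return Outcome.AUTH_CHALLENGE

    # 2. The HTML login form WebSEAL serves to browser-style clients posts to
    #    /pkmslogin.form; an API client should treat that as a challenge too.
    if "text/html" in content_type and "pkmslogin.form" in text.lower():
        return Outcome.AUTH_CHALLENGE

    # 3. Plain status-code handling for everything else.
    if status == 401:
        return Outcome.UNAUTHORIZED
    if 200 <= status < 300:
        return Outcome.SUCCESS
    if 400 <= status < 500:
        return Outcome.CLIENT_ERROR
    return Outcome.SERVER_ERROR


def should_retry_with_fresh_token(outcome: Outcome) -> bool:
    """Default 200-with-cert_login and a customised 401 both mean 'get a new token'."""
    return outcome in (Outcome.AUTH_CHALLENGE, Outcome.UNAUTHORIZED)


# Constructed sample responses (status, headers, body); not captured from a live system.
DEFAULT_BAD_TOKEN = (200, {"Content-Type": "application/json"},
                     b'{"operation": "cert_login"}')
CUSTOM_401_BAD_TOKEN = (401, {"Content-Type": "application/json"},
                        b'{"operation": "cert_login"}')
BACKEND_401 = (401, {"content-type": "application/json"},
               b'{"error": "Unauthorized, Access token is invalid."}')
BACKEND_400 = (400, {"Content-Type": "application/json"},
               b'{"error": "Bad request, Access token is missing."}')
GOOD_CALL = (200, {"Content-Type": "application/json"},
             b'{"accounts": [{"id": 1}]}')
HTML_LOGIN = (200, {"Content-Type": "text/html; charset=utf-8"},
              b'<html><body><form action="/pkmslogin.form" method="post">'
              b'</form></body></html>')

if __name__ == "__main__":
    samples = [("default bad token", DEFAULT_BAD_TOKEN),
               ("login.401.json bad token", CUSTOM_401_BAD_TOKEN),
               ("backend 401", BACKEND_401), ("backend 400", BACKEND_400),
               ("good call", GOOD_CALL), ("html login page", HTML_LOGIN)]
    for name, resp in samples:
        outcome = classify(*resp)
        print(f"{name:26s} -> {outcome.value:15s} "
              f"retry={should_retry_with_fresh_token(outcome)}")
```

The point of checking the body before the status code is that a naive `if response.ok:` check would silently accept the default WebSEAL behaviour (200 plus `{"operation": "cert_login"}`) and then fail later on a missing field; keying on the `operation` value catches both the default and the customised 401 template without caring which one the reverse proxy is configured for.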



  • 4.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 01:08 PM
    @JACK YARBOROUGH, how does that 401 in the file name work?  Is there any documentation to describe that?

    If we did this, it would also impact cases where tokens were not involved, correct?  If that is the case, is there any way to only make this happen if a bearer token is being passed?

    Thanks very much for your input!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 5.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 01:18 PM
    Hello Matthew,

    Please review the following documentation:
    https://www.ibm.com/docs/en/sva/10.0.3?topic=configuration-content-aware-server-responses

    ------------------------------
    JACK YARBOROUGH
    ------------------------------