IBM Verify

  • 1.  Client-side certificate and OAuth Authentication

    Posted Thu September 24, 2020 05:42 PM
    Edited by Piyush Agrawal Thu September 24, 2020 06:24 PM

    Hello,

    We have a proxy configured with client-side certificate authentication in "Optional" mode.

    It expects a client certificate in the request or else presents the login form.

    Now I have enabled OAuth also, but found that WebSEAL ignores requests with "Authorization: Bearer *" because the cert is missing.

    If I set "accept-client-certs = never", then OAuth works as expected.

    I am looking into the mode "prompt_as_needed", and the documentation says "prompt for a client-side certificate when the user encounters a resource that requires certificate authentication".
    This leads to the question:
    What attribute/config is needed in the ACL/POP that will prompt for a client-side certificate?
    There are many resources already protected by POPs and ACLs which are accessed by password and cert authentication; how can I introduce OAuth without updating the existing ACLs and POPs?

    This is a very important improvement for our Partner APIs, as many of them want to use OAuth to consume services behind the proxy.

    I hope someone can help here.

    ------------------------------
    Piyush Agrawal
    ------------------------------
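One way to reproduce the three access paths described in the post (no credential, bearer token without a client certificate, client certificate without a token) and see which one the reverse proxy takes, as an added diagnostic that is not part of the original post or of IBM's product. The host, protected URI, CA bundle, token and certificate paths are placeholders taken from environment variables, and the `name="username"` field used to recognise the WebSEAL login form is an assumption about the default login.html; adjust it if a custom login page is in use.

```shell
#!/usr/bin/env bash
# Added diagnostic, not code from the thread. Assumes (hypothetical values):
#   WEBSEAL_HOST   reverse-proxy host, e.g. proxy.example.com
#   PROTECTED_URI  a resource behind an ACL/POP, e.g. /partner-api/v1/ping
#   WEBSEAL_CA     PEM bundle that signed the proxy's server certificate
#   BEARER_TOKEN   an OAuth access token issued for that resource
#   CLIENT_CERT / CLIENT_KEY  PEM client certificate and private key
set -euo pipefail

# Classify a response from its HTTP status and body.
# An unauthenticated request to WebSEAL normally gets the login form back
# (HTTP 200 containing the form); a request whose credential was accepted
# reaches the junctioned resource; 401/403 means the credential was rejected.
classify_response() {
  local status="$1" body="$2"
  if [ "$status" = "401" ] || [ "$status" = "403" ]; then
    echo "rejected"
    return
  fi
  case "$body" in
    *'name="username"'*) echo "login-form" ;;   # assumption: default login.html field
    *) if [ "$status" = "200" ]; then echo "authorized"; else echo "other:$status"; fi ;;
  esac
}

# Send one request with the given extra curl options and print the verdict.
# TLS verification stays on (--cacert) so a wrong host does not pass unnoticed.
probe() {
  local label="$1"; shift
  local tmp status
  tmp=$(mktemp)
  status=$(curl -s -o "$tmp" -w '%{http_code}' --cacert "$WEBSEAL_CA" "$@" \
           "https://${WEBSEAL_HOST}${PROTECTED_URI}")
  printf '%-26s -> %s\n' "$label" "$(classify_response "$status" "$(cat "$tmp")")"
  rm -f "$tmp"
}

# The four combinations worth comparing while accept-client-certs is
# "optional" versus "never". With "optional" the post reports the second
# line coming back as login-form instead of authorized.
run_probes() {
  probe "no credential"
  probe "bearer, no client cert" -H "Authorization: Bearer ${BEARER_TOKEN}"
  probe "client cert, no bearer" --cert "$CLIENT_CERT" --key "$CLIENT_KEY"
  probe "client cert + bearer"   --cert "$CLIENT_CERT" --key "$CLIENT_KEY" \
                                 -H "Authorization: Bearer ${BEARER_TOKEN}"
}

# Only talk to a live proxy when a host is configured; the functions above
# can be sourced and used on their own.
if [ -n "${WEBSEAL_HOST:-}" ]; then
  run_probes
fi
```

Run it once with "accept-client-certs = optional" and once with "never" and diff the two outputs; the verdict column for "bearer, no client cert" is the line that shows whether the bearer token is being evaluated or the request is being diverted to the login form. Because curl supplies the client certificate during the initial TLS handshake, this does not exercise the renegotiation problem mentioned for browsers later in the thread.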


  • 2.  RE: Client-side certificate and OAuth Authentication

    Posted Fri September 25, 2020 09:43 AM
    Hello Piyush,

    I'm not sure why the Reverse Proxy is not allowing you to perform OAuth authentication when certificates are enabled.  I will try to find out.

    In the meantime, the "prompt-as-needed" setting means that when authentication is required, a form-based login page will be displayed which has an option on it to trigger certificate authentication by clicking a button.  If you are using a custom login page perhaps you no longer have that component on your login page.

    It's worth saying that "prompt-as-needed" authentication is not as simple as it used to be because some browsers (Chrome for sure) no longer allow a TLS session to be re-negotiated once it has started.  To work-around this there's an option to switch out to an alternative port to perform the certificate authentication.  This requires some additional configuration work.  See the note on this page: https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/task/tsk_enbl_cert_authe.htm

    I hope this helps.

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: Client-side certificate and OAuth Authentication

    Posted Sat September 26, 2020 03:48 AM
    Hello again,

    I asked around. I can't find a good reason why enabling certificate authentication as optional should block OAuth authentication.

    I suggest you open a support case.  They can validate your configuration and, if necessary, pursue a code fix.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Client-side certificate and OAuth Authentication

    Posted Tue October 06, 2020 06:17 AM

    Hi Jon

    Might it be possible to solve this with the branching authentication policies in ISVA 10?

    // Per



    ------------------------------
    Per Oelmunger
    IAM Consultant
    Enfo Sweden
    GOTHENBURG
    (4673) 365-7760
    ------------------------------



  • 5.  RE: Client-side certificate and OAuth Authentication

    Posted Tue October 06, 2020 06:22 AM
    Hi Per,

    Nice idea but I don't think branching AAC policies will help here.  Both the certificate authentication and OAuth (validation) are mechanisms in the Reverse proxy so AAC Authentication Service is not being called.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------