IBM Verify

  • 1.  Custom claims on junction JWT

    Posted Thu September 24, 2020 03:41 PM
    Hi,

    I'm using the [jwt:<jct-id>] stanza to generate a JWT on a junction. I know I can use credential attributes and static text as claims, but I was wondering if there was a way to pull data from a REST endpoint or data from external files and add those as claims. I don't think it's possible out of the box from what I'm gathering, but I wanted to see if anyone else has done this, or if there's a way to modify the generated JWT to add those. I'm trying to just use this rather than diving into any mapping rules.

    Thanks,
    Scott

    ------------------------------
    Scott Reichardt
    IBM Security Verify Access v10
    ------------------------------


  • 2.  RE: Custom claims on junction JWT

    Posted Thu September 24, 2020 03:51 PM
    Hello Scott,

    One method would be to add a 'Default Map Module' to your Trust Service Chain that creates the JWT.

    You can then use mapping like in a Federation or OAuth mapping rule and the HTTPClient class to make HTTP requests to RESTful interfaces.

    Please be aware that this will add perceived response time for the end user as your JWT Junction will now depend on an outside service.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: Custom claims on junction JWT

    Posted Thu September 24, 2020 04:17 PM
    Hi Scott,

    The new built-in JWT support in Verify Access 10 (using the [jwt...] stanza) only supports building claims from credential attributes or fixed strings.

    If you were to move to using the "TFIM SSO" junction option you would be able to generate the JWT in the federation add-on STS and have full control over content - including calling out to external REST services. But I'm pretty sure this is not possible in the new built-in version.

    One other option would be to have whatever is building the credential at login populate the attributes you need at that point, so the built-in JWT code can just use them as-is from the credential. Not useful if you are just using built-in authentication though.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Custom claims on junction JWT

    Posted Fri September 25, 2020 01:05 AM
    Scott,

    The JWT support within WebSEAL is reasonably simple - it relies on a fixed claims list, and the value of the claims can only come from credential attributes or static strings. If you need data from additional sources (e.g. a REST endpoint) you will need to either somehow have that data added to the credential (e.g. write an EAI to handle the authentication) or use the STS capability within the Federation offering to construct the JWT.

    I hope that this helps,

    Scott.

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access
    IBM Master Inventor

    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia