I would like to get some clarification on this.
If you need to send a credential attribute that is an array, why not use a list to return the multi-values?
For example:
- If I want to return the list of groups (e.g. credGroups attribute) a user belongs to, I can send the attribute credGroups:group1,group2,group3 and so on.
- If I want to return the contact information a user has (e.g. credContacts attribute), I can send the attribute credContacts:[email: user@example.com],[phone:1234567890]
Isn't this what André needed? The implementation of this, although I have not done it, I believe would be something simple.
Even if the attribute needs to be polymorphic, we can always send the metadata info along with the attribute.
For example:
- credFancyAttribute:SINGLE,NUL
- credFancyAttribute:SINGLE,somevalue
- credFancyAttribute:SET,group1,group2,group3
- credFancyAttribute:MAP,[email: user@example.com],[phone:1234567890]
This would also solve his problem!
I just don't get why you would need an array! What am I missing?
------------------------------
Joao Goncalves
Pyxis, Lda.
Sintra
+351 91 721 4994
------------------------------
Original Message:
Sent: Fri October 16, 2020 07:26 PM
From: Sylvain Gilbert
Subject: IBM Security Verify / JWT Token force array
Hi André
Yes, I believe an RFE is relevant here.
We have not moved yet to the ISAM/WebSEAL native JWT capability but it is just a matter of time before we engage in that direction.
Thank you for your time. I would vote for it if this was possible.
(-;
------------------------------
Sylvain Gilbert
Original Message:
Sent: Fri October 16, 2020 02:16 AM
From: André Leruitte
Subject: IBM Security Verify / JWT Token force array
Hi,
We have already fallen back to the STS, where we had implemented the transformation first.
So we do not absolutely need to be able to use webseal for jwt generation.
It's just that we wanted to switch to this new jwt generation capability that should be much easier to manage and much faster.
We also thought about always inserting two fake groups so that webseal always considers the attribute as an array, but we don't find that solution very clean.
As this is a problem that we have in most of our reverse proxies (user groups are always inserted in the jwt so that the backends can enforce precise authorization) I will take the time to create an RFE.
------------------------------
André Leruitte
Original Message:
Sent: Fri October 16, 2020 02:08 AM
From: Scott Exton
Subject: IBM Security Verify / JWT Token force array
Andre,
For the time being you will need to make use of the more advanced JWT capabilities offered in the Federation offering. It should be worth raising an RFE for this capability if you still need it.
Thanks.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com
1 Corporate Court Bundall, QLD 4217 Australia
Original Message:
Sent: 10/16/2020 2:02:00 AM
From: André Leruitte
Subject: RE: IBM Security Verify / JWT Token force array
Hi Scott,
Thank you for your confirmation on this behavior.
It's really unfortunate because it makes the feature unusable for us, as we insert an attribute "groups" that can contain 0, 1 or several groups.
We don't think it's acceptable to tell the applications using those jwt's that that "group" attribute can sometimes be an array, sometimes not.
Do you think it's worth creating an RFE for this, asking for the implementation of this behavior?
------------------------------
André Leruitte
Original Message:
Sent: Thu October 15, 2020 03:45 PM
From: Scott Exton
Subject: IBM Security Verify / JWT Token force array
ilyass,
Unfortunately there is no way to force a credential attribute to be added to the JWT as an array. Here is a direct quote from the template configuration file:
If the value is the name of an attribute an array will only be created if the attribute contains multiple values.
Scott A. Exton
Senior Software Engineer
Chief Programmer - IBM Security Verify Access
IBM Master Inventor
Phone: 61-7-5552-4008 E-mail: scotte@au1.ibm.com
1 Corporate Court Bundall, QLD 4217 Australia
Original Message:
Sent: 10/15/2020 10:37:00 AM
From: ilyass togui
Subject: IBM Security Verify / JWT Token force array
Hi folks,
We faced some problems when we tried to generate a JWT token using webseal configuration.
The problem concerns multi-value claims. Let's take an example: in the [JWT] stanza we added a claim: "attr::myFancyAttribute"
Depending on the attribute values, we got different types of claim:
- We have no claim when there is no attribute "myFancyAttribute"
- We have a string claim if the attribute exists and it's a mono-value
- We have an array claim if the attribute contains multiple values
So my question is: is there a way to force JWT generation to get a claim as an array, even if the source attribute is a mono value?
Thanks,
Regards
------------------------------
ilyass togui
------------------------------
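
Added example (not part of the original thread and not IBM code): a consumer-side normaliser for the three claim shapes described above (absent, string, array). It also shows why a backend that assumes an array can make a wrong authorization decision when the claim arrives as a string. It assumes the token signature has already been verified; the claim name "groups" and all sample values are constructed.

```python
"""Consumer-side normalisation of a polymorphic JWT claim (added example).

Assumption: the signature was already verified and `claims` is the decoded
payload. The claim name "groups" and the group names are constructed.
"""
from __future__ import annotations

from typing import Any, Mapping


class ClaimTypeError(ValueError):
    """The claim is present but is neither a string nor a list of strings."""


def claim_as_list(claims: Mapping[str, Any], name: str) -> list[str]:
    """Return the claim as a list of strings whatever shape was emitted."""
    if name not in claims:            # attribute missing: no claim at all
        return []
    value = claims[name]
    if isinstance(value, str):        # single value: emitted as a string
        return [value]
    if isinstance(value, list) and all(isinstance(v, str) for v in value):
        return list(value)            # multiple values: emitted as an array
    raise ClaimTypeError(f"claim {name!r}: unsupported type {type(value).__name__}")


def naive_is_member(claims: Mapping[str, Any], group: str) -> bool:
    """Assumes an array; on a string claim `in` becomes a substring test."""
    return group in claims.get("groups", [])


def is_member(claims: Mapping[str, Any], group: str) -> bool:
    """Exact match on the normalised list; fails closed on a bad type."""
    try:
        return group in claim_as_list(claims, "groups")
    except ClaimTypeError:
        return False


# Constructed payloads covering the three shapes described in the thread.
NO_GROUPS = {"sub": "alice"}
ONE_GROUP = {"sub": "bob", "groups": "admin-readonly"}
MANY_GROUPS = {"sub": "carol", "groups": ["admin", "auditors"]}

if __name__ == "__main__":
    for payload in (NO_GROUPS, ONE_GROUP, MANY_GROUPS):
        print(payload["sub"], claim_as_list(payload, "groups"),
              naive_is_member(payload, "admin"), is_member(payload, "admin"))
```

For the single-group payload the naive check reports membership of "admin" because "admin" is a substring of "admin-readonly"; the normalised check does not.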