IBM Verify

IBM Verify

Join this online user group to communicate across Security product users and IBM experts by sharing advice and best practices with peers and staying up to date regarding product enhancements.

 View Only

  • 1.  OAuth Client Credentials

    Posted Tue May 12, 2020 09:44 AM
    I'm trying to use client credentials flow with ISAM to access a protected resource. However, it seems like after executing the following steps, the user is still unauthenticated to WebSeal.

    1. Get the access token by sending client_id, secret and grant_type in the following command:

    curl -k -d grant_type=client_credentials -d client_id=CLIENT_ID -d client_secret=CLIENT_SECRET -d scope=read https://WEBSEAL_HOST/mga/sps/oauth/oauth20/token

    2. Access protected resource/api with the access_token that I received as a result of first command:

    curl -k -H "Authorization: Bearer Zt9gNVdwXWLyVani49wx" https://WEBSEAL_HOST/ProvService/Search/User/E123456
    OR
    curl -k -H "Authorization: Bearer Zt9gNVdwXWLyVani49wx" "https://WEBSEAL_HOST/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:whoami"

    When I execute the second command, I get webseal login page.

    I didn't find much help or detailed steps on how to setup Client Credentials flow on IBM Infocenter.

    ------------------------------
    Manish
    ------------------------------


  • 2.  RE: OAuth Client Credentials
    Best Answer

    Posted Tue May 12, 2020 11:22 AM

    Hello Manish,

    In the 'client credentials' grant type the OAUTH Access Token is issued to the 'Client', specifically the OAUTH 2.0 client, which is distinct from the end user. Traditionally, the OAUTH 2.0 'Client' is an application working on the user's behalf to perform some task.

    There are a few things to consider here. Are you using OAUTH at the Reverse Proxy tier in 'Authentication' mode ([oauth] oauth-auth = https) or in 'Authorization' mode ([oauth-eas] eas-enabled = true).

    OAUTH Authentication mode actually validates the supplied Bearer token to the AAC module for verification and takes the received username and attempts to authenticate it against the ISAM LDAP repository. It is possible to have an 'external user' for users that do not exist in the repository.

    OAUTH Authorizations mode, which is invoked by attaching an API Protection Definition in the ISAM object space (oauth-pop), validates the supplied Bearer token to either allow or deny the transaction to pass, but does not supply a Reverse Proxy authenticated session.

    If you're looking to perform OAUTH Authentication then the 'client_id' needs to exist as a user in ISAM with the 'client_secret' as his password.

    If your end goal is to get a token and then authenticate as the end user who is using the application which is the OAUTH Client then you are not using the correct grant type. Consider using 'Authorization Code' or 'Resource Owner Password Credentials' (ROPC/Username Password).

    The 'Resource Owner' is the end user in the context of the OAUTH specification.
    ---
    Aside from the above, the '/mga/sps/authsvc' endpoint is supposed to be unauthenticated and realistically if you're making an API call you'll want to use the '/mga/sps/apiauthsvc' endpoint instead as it returns a JSON response.

    When OAUTH Authentication is enabled and the Reverse Proxy receives a bearer token it will attempt to validate that token against AAC regardless of whether the ACL on the resource allows for unauthenticated access.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------

    Original Message


  • 3.  RE: OAuth Client Credentials

    Posted Tue May 12, 2020 11:26 AM

    Hello Manish,

    We try to follow the OAUTH specification as well as possible, so all the information you need on client credentials is well defined in the specification itself : 
    https://tools.ietf.org/html/rfc6749#section-4.4

    The variation with ISAM would be the endpoints used to invoke the specification.
    Here is a documented list of our endpoints and their purpose:
    https://www.ibm.com/support/knowledgecenter/en/SSPREK_9.0.7/com.ibm.isam.doc/config/concept/OAuthEndpoints.html#oauthendpoints

    They are RFC 6749 compliant so you can refer to that for the parameters that can be supplied.



    ------------------------------
    JACK YARBOROUGH
    ------------------------------

    Original Message


  • 4.  RE: OAuth Client Credentials

    Posted Tue May 12, 2020 03:56 PM
    Thanks Jack! It makes total sense now. I was little confused about how the client_credentials will map to a Webseal session/credential and your note about OAUTH Authentication and OAUTH Authorization made it quite clear. Really appreciate your response!

    ------------------------------
    Manish Sethi
    ------------------------------

    Original Message


  • 5.  RE: OAuth Client Credentials

    Posted Mon July 06, 2020 09:48 AM
    Hi Manish and Jack,

    How did you end up resolving this? I tried the steps below and my session still seems to be authenticated after presenting the access token.

    I am performing an authorization code grant type:
    1) from browser I request for the authorization code
        https://www.myidp.ibm.com/mga/sps/oauth/oauth20/authorize?client_id=testclient&response_type=code&scope=read
    2) command used to exchange for access token
       curl -k -v -d grant_type=authorization_code -d client_id=testclient -d client_secret=<secret> -d code=<authorization code from step 1> https://www.myidp.ibm.com/mga/sps/oauth/oauth20/token
    3) Request for the protected resource
    curl -k -v -H "Authorization: bearer <access token from step 2>" https://www.myidp.ibm.com/ibm


  • 6.  RE: OAuth Client Credentials

    Posted Mon July 06, 2020 05:21 PM
    Cliff,
    Did you attach the protected resource with the API protection policy  you created for Oauth/Auth flow?

    Auth Code Grant Sample


    ------------------------------
    Manish
    ------------------------------

    Original Message