IBM Verify

  • 1.  OAuth for an IVR Client

    Posted Wed March 18, 2020 10:32 AM
    Edited by Biswajit Sahoo Wed March 18, 2020 10:51 AM
    Hi,

    I am trying to build an OAuth2 set-up to issue an Access Token for an IVR client. Since there is no user interface available and cookies can't be supported, one possible solution would be the ROPC grant with OTP verification as the authentication mechanism.

    The solution that I have in mind:
    1. First, the client invokes the OTP authentication policy. ISAM generates the OTP and sends it to the customer.
    2. Make a token request (ROPC) with username and OTP along with client credentials. ISAM validates the OTP, which was issued earlier, in the pre-token mapping rule. On success, it returns the Access Token.

    Is there any JavaScript module available in ISAM to validate the OTP from the pre-token mapping rule (step 2)? I had a look at the JavaDoc but didn't get much information.


    Thanks,
    Biswajit


    ------------------------------
    Biswajit Sahoo
    ------------------------------


  • 2.  RE: OAuth for an IVR Client

    Posted Thu March 19, 2020 04:37 AM
    Hello Biswajit,

    Are the resources that the IVR system will access with the OAuth Access Token also protected by Access Manager?  If so, it might be easier to separate the initial Access Token flow from the OTP flow.  You could do the following:
      1. IVR performs ROPC flow to acquire Access Token for connected user (user provides UID/PW for this or you disable password check)
               - This Access Token does NOT give access to protected APIs because OTP has not yet been completed.
      2. IVR initiates OTP Authentication Policy via REST to ISAM Authentication Service (including Access Token in request)
      3. IVR gets OTP from user and completes OTP Authentication Policy via REST to ISAM Authentication Service
               - The Access Token now has access to protected APIs because OTP has completed
      4. IVR uses Access Token to access APIs on behalf of user.

    Note: As of recent ISAM versions, cookies are not required for use with Access Tokens.  The Access Token can act as the session identifier.

    If you really can't use the above approach, you would need to put logic in the pre-token mapping rule which calls the Authentication Service via REST (an HTTP client is available in the JavaScript). In this case, the IVR would need to pass the OTP from the user and the StateId from the Authentication Service in the OAuth ROPC call to allow the pre-token mapping rule to pick up the flow. I *think* this is possible (you'd have to extend the message) but I'm not 100% sure.

    I hope this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
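    A toy model of the four-step sequence described in the reply above, added here as an illustration; it is not ISAM's API and not code from anyone in this thread. The class name, the client credentials, the user table, the OTP lifetime and attempt limit are all constructed assumptions; the point it demonstrates is that the token issued by ROPC is the session identifier, and protected-API access stays closed (403) until the OTP step bound to that token has completed.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 120      # assumed lifetime of a delivered OTP
MAX_OTP_ATTEMPTS = 3       # assumed guess budget before a fresh OTP is required


class OtpGatedAuthServer:
    """Model of an authorization server where an access token exists before
    OTP completion but is only authorized for protected APIs afterwards."""

    def __init__(self, users, now=time.time):
        self.users = users          # username -> password (constructed sample)
        self.now = now              # injectable clock so expiry can be tested
        self.tokens = {}            # access_token -> {"user", "otp_done", "otp"}

    def ropc_token(self, username, password, client_id, client_secret):
        # Step 1: ROPC grant. Client credentials and user password are checked,
        # but the resulting token is not yet OTP-complete.
        if (client_id, client_secret) != ("ivr-client", "ivr-secret"):
            return None
        if not hmac.compare_digest(self.users.get(username, ""), password):
            return None
        token = secrets.token_urlsafe(32)
        self.tokens[token] = {"user": username, "otp_done": False, "otp": None}
        return token

    def start_otp(self, token):
        # Step 2: the token acts as the session id; only a hash of the OTP is
        # kept server-side. The code is returned here purely to stand in for
        # the out-of-band (SMS/voice) delivery channel.
        st = self.tokens.get(token)
        if st is None:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        st["otp"] = {"hash": hashlib.sha256(code.encode()).hexdigest(),
                     "expires": self.now() + OTP_TTL_SECONDS, "attempts": 0}
        return code

    def complete_otp(self, token, code):
        # Step 3: verify the OTP against the token's pending challenge.
        st = self.tokens.get(token)
        if st is None or st["otp"] is None:
            return False
        otp = st["otp"]
        otp["attempts"] += 1
        if self.now() > otp["expires"] or otp["attempts"] > MAX_OTP_ATTEMPTS:
            st["otp"] = None        # expired or exhausted: force a fresh OTP
            return False
        if hmac.compare_digest(otp["hash"], hashlib.sha256(code.encode()).hexdigest()):
            st["otp_done"] = True
            st["otp"] = None        # single use: the same code cannot be replayed
            return True
        return False

    def access_api(self, token):
        # Step 4: the resource side admits the token only once OTP is complete.
        st = self.tokens.get(token)
        if st is None:
            return 401
        return 200 if st["otp_done"] else 403
```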



  • 3.  RE: OAuth for an IVR Client

    Posted Mon March 23, 2020 12:04 PM
    Hi Jon,

    Thank you for the quick reply. I did a few POCs, but without any success, since I am still using an older version (v9.0.3) of ISAM.

    During step 3, where the IVR gets the OTP from the user and completes the OTP Authentication Policy via REST to the ISAM Authentication Service, it seems ISAM requires a valid session cookie to complete the OTP verification, and I could not find a workaround for this.

    Even the HTTP calls in the pre-token mapping script require cookies for OTP verification, which cannot be passed by the IVR client in a token request.


    Regards,
    Biswajit

    ------------------------------
    Biswajit Sahoo
    ------------------------------