IBM Verify

  • 1.  OAuth/OIDC : how to disable private_key_jwt authentication method ?

    Posted Fri July 02, 2021 03:41 AM
    Hello everybody,
    We have set up the standard metadata endpoint for our OAuth server : https://id.post.lu/.well-known/openid-configuration

    Inside that metadata, we have seen that a private_key_jwt authentication is supported by default :
    {
      "token_endpoint_auth_methods_supported": ["private_key_jwt","client_secret_post","client_secret_basic","tls_client_auth","self_signed_tls_client_auth"]
    }


    -=> How can we disable the private_key_jwt method ?

    I looked around in the OAuth/OIDC policy settings but I am unable to find it anywhere.


    Thanks for any help on this



    ------------------------------
    André Leruitte
    ------------------------------


  • 2.  RE: OAuth/OIDC : how to disable private_key_jwt authentication method ?

    Posted Fri July 02, 2021 06:28 AM
    Hi André,

    The private_key_jwt endpoint auth method requires specific STS chains to be in place and so it won't be usable unless you have added the required configuration.  So, you don't need to worry about a client using this method when you don't want them to.

    However, I think your question is more around how to prevent private_key_jwt method from being advertised in the metadata.
    I did some investigation and I have reached the same conclusion as you: it's not possible to set a flag to disable the method and prevent it from appearing.  In fact, it looks like the list of methods returned for the @TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED@ macro in the metadata template file is static.

    If you want to change this list of advertised endpoint auth methods, you'll need to modify the template file and replace the macro with your own text.

    e.g. replace: "token_endpoint_auth_methods_supported":@TOKEN_ENDPOINT_AUTH_METHODS_SUPPORTED@,
    with "token_endpoint_auth_methods_supported": ["client_secret_post","client_secret_basic","tls_client_auth","self_signed_tls_client_auth"],

    The file you need to change is under Template Files.  It is: C > oauth20 > metadata.json

    I hope this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: OAuth/OIDC : how to disable private_key_jwt authentication method ?

    Posted Fri July 02, 2021 06:44 AM
    Hi Jon,

    Thanks a lot for your workaround that does exactly what we aimed for.

    Just to give additional background : the issue appeared when trying to integrate one of our IDPs with Apache Knox.
    Knox does not support "private_key_jwt" and it's not smart enough to look at the other supported auth methods in the metadata...
    So being able to remove "private_key_jwt" from our metadata allows Knox to correctly integrate with ISAM via OIDC.

    Have a nice day Jon

    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: OAuth/OIDC : how to disable private_key_jwt authentication method ?

    Posted Fri July 02, 2021 07:31 AM
    Edited by Jon Harry Fri July 02, 2021 07:31 AM
    Hi André,

    Thanks for the feedback; really pleased that you got the result you needed.

    Have a great weekend,

    Jon.


    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------