IBM Verify

Parsing IBM Security Verify Access iv-creds header in Javascript and Python

By Shane Weeden posted Tue August 08, 2023 09:25 PM

  

In the past I've written many times about the value of being able to introspect the IBM Security Verify Access (ISVA) credential. One of the most recent incarnations of this message was in the article RIP epac.jsp (2007-2020), which describes how to configure a credential viewer within the ISVA Web Reverse Proxy (WRP).

This is great when you are developing or debugging in an environment where you have a browser session to the WRP; however, sometimes that is not the case. For example, you might be debugging a scenario from a collected pdweb.snoop trace or similar. What you might have is a trace of the iv-creds HTTP header that is used to send the ISVA credential downstream from the WRP to junctioned applications. Such a header value looks something like this (this example is an unauthenticated credential):

Version=1, 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

Today I'm releasing AS-IS (no warranty, use-at-your-own-risk) JavaScript and Python utilities that allow you to parse this structure into a JSON representation of the credential. This is similar in format (actually a bit more detailed) to that of the stsuu context object (STSUniversalUser) that you find in ISVA JavaScript contexts such as STS mapping rules.

The code (including some open source libraries) and documented examples of how to use it from JavaScript are all contained here: Javascript Credential Parser

A Python version which works on the command line and includes some sample PAC values is contained here: Python Credential Parser

Only deeper-dive details of the JavaScript version are included in this article. The Python version is very simple: it is just a function that you can call, and the README includes an example of how to demo it on the command line.

One of the example use cases is a complete local-in-the-browser credential viewer where you can just paste in the value of the iv-creds header, and press a button to display the credential:

The same code can also be used within ISVA JavaScript contexts, such as server-side template page scripting and InfoMap mapping rules.

If ISVA is your thing, this may well prove a useful asset.


Comments

Mon August 14, 2023 10:52 AM

Thank you for posting.