IBM Security Verify

  • 1.  Where does ISAM store OIDC Credentials?

    Posted Wed April 14, 2021 11:48 AM

    Had a question asked to me and was not really sure the answer as I never really investigated it.

    Where does ISAM store the OIDC Client_ID and Client_Secret?  My first thought was the Config Database which we have running internally on postgres.  Can someone confirm?

    Troy

    ------------------------------
    Troy Burkle
    ------------------------------


  • 2.  RE: Where does ISAM store OIDC Credentials?

    Posted Thu April 15, 2021 07:17 AM
    Although I am not sure, but I believe it is in the Config Database in one of the following tables:
    OIDC_CLIENT_DEFINITION or OIDC_ATTRIBUTE_SOURCE

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 3.  RE: Where does ISAM store OIDC Credentials?

    Posted Fri April 16, 2021 04:15 AM
    Edited by Jon Harry Fri April 16, 2021 04:15 AM
    Hi Troy,

    Someone might correct me but I think that OIDC clients may be stored in different places depending on how they are created.

    If you create a static OIDC client in the LMI, I think this will get created in the configuration DB.  This is why you have to deploy the configuration and reload/restart the AAC runtime before they are active.

    If you create a dynamic OIDC client (using APIs or via the .../mga/sps/mga/user/mgmt/html/create_client.html URL) then the client is created in the runtime database and is available for immediate use.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 4.  RE: Where does ISAM store OIDC Credentials?

    Posted Mon April 19, 2021 11:44 AM
    Thanks for the response Jon.

    I find it interesting that you can store the credentials in the runtime and something I was not aware of.  If you do that, will it show up in the LMI similar to when you create the creds in the LMI?

    Troy

    ------------------------------
    Troy Burkle
    ------------------------------



  • 5.  RE: Where does ISAM store OIDC Credentials?

    Posted Fri April 23, 2021 02:38 AM
    Hi Troy, 

    There are a few tables which are relevant when storing OAuth clients. Here is a breakdown of what's in the Config DB:

    •  OAUTH_CLIENT_DEFINITION - This is the API protection definition, it contains the enabled grant types, and token settings. All clients reference an OAuth definition
    •  DEFINITION_MAPPING_RULE - This contains the references to the pre and post token mapping rule for a given definition. 
    •  OIDC_CLIENT_DEFINITION - This contains the OIDC specific configurations of an OAuth definition. 
    •  OIDC_ATTRIBUTE_SOURCE - This table stores records relevant to performing attribute mapping on a given OIDC definition
    •  OAUTH_CLIENT_INSTANCE - This is the core OAuth client - it will include the clientId and secret. Records in this table reference an OAUTH_CLIENT_DEFINITION record
    •  OAUTH_CLIENT_INSTANCE_REDIRECT - This table is a reference to the OAUTH_CLIENT_INSTANCE table, and stores additional redirect URIs when a client has more than one configured


    There is one other table related to storing OAuth configuration, which is as Jon mentions in the runtime database for storing OAuth dynamic clients. This table is: OAUTH20_DYNAMIC_CLIENT. For more information on dynamic clients - try this blog

    To answer your question - dynamic clients do not show up in the LMI web view, however there is an LMI API to retrieve dynamic clients available at https://<appliance_hostname>/iam/access/v8/dynamic_clients/ 

    Hope this helps. 



    ------------------------------
    Leo Farrell
    ------------------------------
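Because dynamic clients never appear in the LMI web view, an administrator who only audits the static clients in the UI will miss them. The script below is an added example (not from this thread and not IBM tooling) that pulls the inventory from the dynamic-clients LMI endpoint named above and flags clients worth a second look: public clients (no secret) and redirect URIs that are non-TLS or contain a wildcard. Assumptions: the LMI accepts HTTP basic authentication with `Accept: application/json` (true of the LMI REST API in general), and the response is a JSON list whose objects carry `clientId`, `clientName`, `clientSecret` and `redirectUris` fields; those field names are assumed for illustration and may differ on a real appliance, so check one live response first. The sample response embedded in the block is constructed so the parsing and checks run offline.

```python
"""Inventory ISAM dynamic OIDC/OAuth clients via the LMI REST API.

Added example, not code from the forum thread or from IBM. Field names
in the response are assumptions (see summarize_clients).
"""
import base64
import json
import ssl
import urllib.request

# Endpoint named in the thread: dynamic clients live in the runtime DB
# (OAUTH20_DYNAMIC_CLIENT) and are only visible through this API, not the LMI UI.
DYNAMIC_CLIENTS_PATH = "/iam/access/v8/dynamic_clients/"

# Constructed sample of what the endpoint might return; the field names are an
# assumption for illustration, not a documented schema.
SAMPLE_RESPONSE = json.dumps([
    {"clientId": "dyn-abc123", "clientName": "Mobile app",
     "clientSecret": "s3cr3t", "redirectUris": ["https://app.example.com/cb"]},
    {"clientId": "dyn-def456", "clientName": "Test tool",
     "clientSecret": "", "redirectUris": ["http://10.0.0.5/cb",
                                          "https://*.example.net/cb"]},
])


def build_request(appliance_host, admin_user, admin_password):
    """Build the authenticated GET for the dynamic-clients endpoint.

    The LMI REST API wants HTTP basic auth and an explicit JSON Accept header.
    """
    url = f"https://{appliance_host}{DYNAMIC_CLIENTS_PATH}"
    token = base64.b64encode(f"{admin_user}:{admin_password}".encode()).decode()
    return urllib.request.Request(url, headers={
        "Accept": "application/json",
        "Authorization": f"Basic {token}",
    })


def fetch_dynamic_clients(appliance_host, admin_user, admin_password, cafile=None):
    """Call the appliance (requires network). TLS verification stays on; pass the
    appliance CA bundle via cafile rather than disabling checks."""
    ctx = ssl.create_default_context(cafile=cafile)
    req = build_request(appliance_host, admin_user, admin_password)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return json.load(resp)


def summarize_clients(clients):
    """Reduce raw client objects to an inventory row each.

    clientId / clientName / clientSecret / redirectUris are ASSUMED field
    names; adjust after inspecting one real response.
    """
    rows = []
    for c in clients:
        rows.append({
            "client_id": c.get("clientId"),
            "name": c.get("clientName"),
            "confidential": bool(c.get("clientSecret")),
            "redirect_uris": list(c.get("redirectUris") or []),
        })
    return rows


def flag_risky(rows):
    """Return (client_id, reason) findings for public clients and weak redirect URIs."""
    findings = []
    for r in rows:
        if not r["confidential"]:
            findings.append((r["client_id"], "public client (no secret)"))
        for uri in r["redirect_uris"]:
            if uri.startswith("http://"):
                findings.append((r["client_id"], f"non-TLS redirect URI {uri}"))
            if "*" in uri:
                findings.append((r["client_id"], f"wildcard redirect URI {uri}"))
    return findings


def inventory_from_json(text):
    """Parse a response body (live or the constructed sample) into inventory rows."""
    return summarize_clients(json.loads(text))


if __name__ == "__main__":
    # Offline run over the constructed sample; swap in fetch_dynamic_clients(...)
    # for a live appliance.
    rows = inventory_from_json(SAMPLE_RESPONSE)
    for row in rows:
        print(row)
    for client_id, reason in flag_risky(rows):
        print(f"FINDING {client_id}: {reason}")
```

Run it against a live appliance by replacing the sample with `fetch_dynamic_clients("isam.example.com", "admin", password, cafile="appliance-ca.pem")`; the static clients created in the LMI live in the config DB tables listed above and are not returned by this endpoint, so a full inventory needs both views.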