IBM Security Verify


sps.ivcred.unauthenticated.user.name and STS ivcred to jwt issue

  • 1.  sps.ivcred.unauthenticated.user.name and STS ivcred to jwt issue

    Posted Thu December 16, 2021 12:05 PM
    Hello Community,

    I need some ideas to solve an issue related to the use of the ISAM STS to transform the iv_cred into JWT.
    The chain is quite simple:
    -iv_cred validate module
    -javascript map module to add some user information into the jwt
    -Default jwt module to issue the jwt

    The chain receives a bearer token for the authentication.

    Some applications need to use the HTTP OPTIONS method (unauthenticated), and the configuration to achieve this is in place.
    Also, the sts.ivcred.unauthenticated.user.name is configured to let the STS in validate mode work even with an unauthenticated request.

    The problem is that before the use of unauthenticated HTTP OPTIONS and sts.ivcred.unauthenticated.user.name, if the bearer token was not valid or empty the chain would result in an HTTP 500 error, and now, if the bearer token is invalid or empty, a JWT is generated with the value of sts.ivcred.unauthenticated.user.name.
    How can we restore the HTTP 500 error in case of unauthenticated requests to the chain and maintain the unauthenticated OPTIONS method?
    Without sts.ivcred.unauthenticated.user.name, the STS chain in validate mode gets an error when it receives unauthenticated requests.

    Thank you

    ------------------------------
    Natascia Roia
    ------------------------------


  • 2.  RE: sps.ivcred.unauthenticated.user.name and STS ivcred to jwt issue

    Posted Thu December 16, 2021 02:07 PM
    Hi Natascia,

    I'm not sure I completely understand your use case, but perhaps if you can detect the "bad" state in the mapping rule, you can throw an exception there to force the return of a 500 error instead of continuing to the JWT module and getting back an empty JWT.

    Would that work?

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
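The check Jon describes, as an added example that is not part of the original thread and not IBM's or the poster's code: the body of an STS JavaScript mapping rule that refuses to continue when the ivcred validate module has produced the placeholder identity, run here against a constructed stand-in for the STSUniversalUser (stsuu) so it executes under Node.js. In a real ISAM mapping rule the same logic would read the Java-backed stsuu and raise the failure with IDMappingExtUtils.throwSTSException(msg); the placeholder user name, the AUTHENTICATION_LEVEL attribute and type, the JWT claim type and the makeStsuu/runChain helpers are assumptions made for this example.

```javascript
// Added example (not from the original post or from IBM): mapping-rule check
// that stops the ivcred -> JWT chain for the unauthenticated placeholder user.
// The stsuu here is a constructed stand-in; in ISAM the object is the Java
// STSUniversalUser and the failure is raised via IDMappingExtUtils.throwSTSException().

// Assumption: mirrors the value configured in sps.ivcred.unauthenticated.user.name.
const UNAUTHENTICATED_USER_NAME = "unauthenticated";

// Assumption: the credential attribute carrying the ISAM authentication level,
// which is "0" for an unauthenticated credential.
const AUTH_LEVEL_ATTR = "AUTHENTICATION_LEVEL";
const AUTH_LEVEL_TYPE = "urn:ibm:names:ITFIM:5.1:accessmanager";

// Assumption: attribute type the default JWT module copies into the token.
const JWT_CLAIM_TYPE = "urn:ibm:JWT:claim";

class UnauthenticatedRequestError extends Error {
  constructor(principal) {
    super("STS chain rejected unauthenticated credential for principal '" + principal + "'");
    this.name = "UnauthenticatedRequestError";
  }
}

// True when the ivcred validate module produced the placeholder identity.
// Both the principal name and the authentication level are checked so that
// renaming the placeholder user does not silently reopen the hole.
function isUnauthenticatedCredential(stsuu) {
  const principal = String(stsuu.getPrincipalName() || "");
  if (principal === "" || principal === UNAUTHENTICATED_USER_NAME) {
    return true;
  }
  const level = stsuu.getAttributeContainer()
    .getAttributeValueByNameAndType(AUTH_LEVEL_ATTR, AUTH_LEVEL_TYPE);
  return level !== null && level !== undefined && String(level) === "0";
}

// Mapping-rule body: fail fast on an unauthenticated credential, otherwise
// add the extra claim that the JWT module will issue.
function mapCredentialToJwtClaims(stsuu) {
  if (isUnauthenticatedCredential(stsuu)) {
    // In ISAM this would be IDMappingExtUtils.throwSTSException("...") and
    // the chain stops before the JWT module runs.
    throw new UnauthenticatedRequestError(stsuu.getPrincipalName());
  }
  stsuu.getAttributeContainer()
    .addAttribute("preferred_username", JWT_CLAIM_TYPE, stsuu.getPrincipalName());
  return stsuu;
}

// Constructed stand-in for the STSUniversalUser seen by a mapping rule
// (the real Java API takes Attribute objects; the shape is simplified here).
function makeStsuu(principalName, attributes) {
  const attrs = attributes.slice();
  return {
    getPrincipalName: () => principalName,
    getAttributeContainer: () => ({
      getAttributeValueByNameAndType: (name, type) => {
        const hit = attrs.find((a) => a.name === name && a.type === type);
        return hit ? hit.value : null;
      },
      addAttribute: (name, type, value) => { attrs.push({ name, type, value }); },
      attributes: () => attrs.slice(),
    }),
  };
}

// Drives one request through the rule and reports the outcome the way the
// poster observes it: 500 when the rule throws, otherwise the issued claims.
function runChain(stsuu) {
  try {
    const mapped = mapCredentialToJwtClaims(stsuu);
    const claims = mapped.getAttributeContainer().attributes()
      .filter((a) => a.type === JWT_CLAIM_TYPE)
      .map((a) => [a.name, a.value]);
    return { status: 200, claims: Object.fromEntries(claims) };
  } catch (e) {
    if (e instanceof UnauthenticatedRequestError) {
      return { status: 500, error: e.message };
    }
    throw e;
  }
}

// Constructed inputs: a real user, and the placeholder credential the validate
// module produces for an empty or invalid bearer token.
const authenticatedStsuu = makeStsuu("nroia",
  [{ name: AUTH_LEVEL_ATTR, type: AUTH_LEVEL_TYPE, value: "1" }]);
const unauthenticatedStsuu = makeStsuu(UNAUTHENTICATED_USER_NAME,
  [{ name: AUTH_LEVEL_ATTR, type: AUTH_LEVEL_TYPE, value: "0" }]);

console.log(runChain(authenticatedStsuu));    // status 200, preferred_username claim
console.log(runChain(unauthenticatedStsuu));  // status 500, no JWT issued
```

Because the rule throws before the JWT module runs, the unauthenticated OPTIONS path can keep its own configuration while the token-issuing chain returns the error the poster wants; the only deployment-specific piece is the name and level comparison at the top.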



  • 3.  RE: sps.ivcred.unauthenticated.user.name and STS ivcred to jwt issue

    Posted Fri December 17, 2021 04:02 AM
    Thank you Jon.
    The code customization is always an option, and I'll try to see if I can add some logic in the trust chain before the JWT issue.
    My question first referred to configuration options that may exist in ISAM 9.0.7 to solve the issue, block the creation of a JWT with the user configured in sts.ivcred.unauthenticated.user.name for all unauthenticated requests that arrive at the STS chain, and restore the out-of-the-box error management of the AAC.

    Thank you

    ------------------------------
    Natascia Roia
    ------------------------------