IBM Security Verify

  • 1.  OIDC OP

    Posted Wed November 11, 2020 08:21 AM

    Hi,

    I am doing an OIDC configuration for a client with the below configuration. I am able to authenticate the user and via the trace logs see the id_token. However, I am unable to pass this token to the back-end junctioned server.

    [oidc:icrypto]
    redirect-uri-host = 35.187.105.16*
    discovery-endpoint = https://oidc-pps-ppd.test.co.za/oidc/.well-known/openid-configuration
    proxy =
    client-id = 934401be-2818-453a-8b0c-2812fd04fee0
    response-type = code
    response-mode = query
    scopes =
    bearer-token-attributes =
    id-token-attributes =
    allowed-query-arg =
    mapped-identity = {iss}/{sub}
    external-user = true
    client-secret =

    The ID Token (JWT payload):

    {
    "at_hash": "MT52Rffi0yq",
    "sub": "ZR3RLnyo7lU5JKbKxNg9Z_cwVVxjtTcmUucoBY3_j24",
    "user_name": "jjacobs",
    "iss": "https://oidc-pps-ppd.pps.co.za",
    "given_name": "jjacobs",
    "locale": "en_US",
    "nonce": "0bd45c45-7ffc-5bd7-80e1-4170953a982a",
    "oxOpenIDConnectVersion": "openidconnect-1.0",
    "aud": "934401be-2818-453a-8b0c-2812fd04fee0",
    "auth_time": 1605081286,
    "exp": 1605097588,
    "iat": 1605093988,
    "family_name": ""
    }

    I need to pass the token as is (I do not know where on the header this is passed).

    Can someone please help?

    Thanks

  • 2.  RE: OIDC OP

    Posted Wed November 11, 2020 03:22 PM
    Ntokozo,
     
    There is a two-step process in making the ID token available to downstream applications:
    1. You need to ensure that the ID token, during the OIDC flow, is added to the user credential.  This is handled through the bearer-token-attributes configuration entry.  Based on the configuration which you provided in your original POST the ID token should already be included in the credential.  If you want to double check which attributes are available in the credential you can either enable pdweb.wan.azn tracing, or you can enable the new credential viewer application (available in v10 of the product: https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/concept/con_cred_view_app.html).
    2. You then need to tell WebSEAL to insert the attribute which contains the ID token into the HTTP request which is to be sent to the junctioned server.  The following knowledge centre page provides information on how to do this: https://www.ibm.com/support/knowledgecenter/SSPREK_10.0.0/com.ibm.isva.doc/wrp_config/concept/con_insrt_usr_sess_data_http_hdr.htm
    I hope that this helps.
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
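As an added illustration of the two steps in the reply above (this fragment is not from the thread or from IBM's documentation), a WebSEAL configuration sketch. The junction name `/app`, the header name `X-ID-Token` and the credential attribute name `id_token` are assumptions; confirm the actual attribute name under which the ID token is stored by checking the pdweb.wan.azn trace or the credential viewer before relying on it.

```ini
; Step 1: the OIDC stanza from the question. Per the reply, with
; bearer-token-attributes left at its default the ID token is already
; placed in the user credential; the attribute name is assumed here.
[oidc:icrypto]
discovery-endpoint = https://oidc-pps-ppd.test.co.za/oidc/.well-known/openid-configuration
client-id = 934401be-2818-453a-8b0c-2812fd04fee0
response-type = code
response-mode = query
bearer-token-attributes =
mapped-identity = {iss}/{sub}
external-user = true

; Step 2: junction stanza (junction name assumed). HTTP-Tag-Value maps a
; credential attribute to a request header that WebSEAL adds on the way
; to the junctioned server: credential_attribute_name=http_header_name.
; The junctioned application must still validate the token it receives
; (issuer, audience = client-id, expiry, signature via the OP's JWKS)
; rather than trusting the header value blindly.
[junction:/app]
HTTP-Tag-Value = id_token=X-ID-Token
```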