IBM Security Verify

  • 1.  modification of jwt token using mapping rule

    Posted Thu November 26, 2020 10:20 AM

    Hi community,

    (we are on ISVA 10.0.0.1)

    I have created a Trust Chain to generate a jwt token. The last step is to call a default map module because I want to use a mapping rule to inspect & modify the token.

    In particular, I want to scan the attributes in the token and remove a few of them (because we don't use them & they make the token too big)

    I'm struggling to find the correct syntax to achieve this.

    Using getRequestedSecurityToken(), I managed to get a Requested Security Token from the RequestSecurityTokenResponse object.

    (According to the Javadoc this is an org.w3c.dom.Element)

     

    var tokenResponse = stsresponse.getRequestSecurityTokenResponse();

    var requestedToken = tokenResponse.getRequestedSecurityToken();

     

    I'm afraid my java skills are exhausted as I cannot find what's the next step to actually scan the attributes included in this token, remove the ones I don't want and finally recreate the token.

    Would anybody have a reference to examples that I could use that would do something similar?

    Thanks,

    Louis



    ------------------------------
    Louis Beaudry
    Access Management
    Intact Financial Corporation
    ------------------------------


  • 2.  RE: modification of jwt token using mapping rule

    Posted Thu November 26, 2020 11:07 AM
    Edited by Jon Harry Thu November 26, 2020 11:09 AM
    Hi Louis,

    Perhaps I'm missing something, but I'm not sure why you are trying to process the created token (which is probably signed, even if you could change it...).
    If you want to modify the attributes that are included in the JWT you would usually remove these in a mapping rule BEFORE the JWT module is called:

    STSUU (validate) --->JavaScript Mapping (map) --->JWT (create)

    You should find it a lot easier to process the STSUU attributes in the mapping rule because they are provided as a JavaScript object.

    Something like this?

    // mapping rule to filter attributes
    
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
    
    IDMappingExtUtils.traceString("Mapping rule called with stsuu: " + stsuu.toString());
    
    // keep only the attributes we want
    var keepAttrs = [ "emailAddress", "firstName", "lastName"];
    
    var foundAttrs = [];
    for (var i = 0; i < keepAttrs.length; i++) {
    	var attr = stsuu.getAttributeContainer().getAttributeByName(keepAttrs[i]);
    	if (attr != null) {
    		foundAttrs.push(attr);
    	}
    }
    	
    // empty attrs, then add back what we want
    stsuu.clearAttributeList();
    for (var i = 0; i < foundAttrs.length; i++) {
    	stsuu.addAttribute(foundAttrs[i]);
    }


    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: modification of jwt token using mapping rule

    Posted Fri November 27, 2020 01:25 PM
    Hi Jon,

    This is exactly what I needed. It all works now.

    A million thanks!!

    (there was no reason to try and process the created token, just ignorance :) I am now doing as you suggested)

    Louis

    ------------------------------
    Louis Beaudry
    Access Management
    Intact Financial Corporation
    ------------------------------