IBM Verify

  • 1.  Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Mon July 06, 2020 01:36 AM


    Hi Folks,

    Theoretically, I understand that the pre-token mapping rule (which is created after the OpenID Connect definition) can be used to add any attribute required by the target application. That will be added into the ID_TOKEN. The end application then extracts that ID_TOKEN and retrieves the required attribute for its further processing.

    Can someone help me add an attribute, for example 'upn', into the ID_TOKEN for an OpenID Connect based integration?

    I could see from the logs below that 'sub' etc. are getting populated, but I would like to add the 'upn' attribute into the ID_TOKEN as well.

    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       > addTokenMap ENTRY
    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       1 addTokenMap Adding claim sub with value: usashaik.c@stc.com.sa
    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       1 addTokenMap Adding claim aud with value: aZ34hE7AIrdPm2s2RDPM
    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       1 addTokenMap Adding claim iat with value: 1593957814
    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       1 addTokenMap Adding claim exp with value: 1593961414
    [7/5/20 17:03:34:301 AST] 0000297b id=00000000 com.tivoli.am.fim.oauth20.util.OAuth20JwtBuilder       < addTokenMap RETURN




    ------------------------------
    UsmanAli Shaik
    ------------------------------


  • 2.  RE: Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Mon July 06, 2020 04:34 AM
    Hi Usman,

    You can add additional attributes to the claims of the ID_TOKEN by adding them to the sts context in the pre-token mapping rule.  The important thing to know is:

    All Attributes with type urn:ibm:jwt:claim will be added as claims

    So, an example of adding upn would look like this:

    // Read the UPN from the credential attribute already in the STS context
    var myupn = stsuu.getContextAttributes().getAttributeValueByName("upn_cred_attr");
    // Re-add it with the urn:ibm:jwt:claim type so the token builder emits it as a claim
    stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("upn","urn:ibm:jwt:claim",myupn));

    This assumes UPN is in a credential attribute named "upn_cred_attr".

    Note that credential attributes are only populated into the context when you hit the /authorize endpoint.  This is fine for "implicit" flow (where ID_TOKEN is returned from /authorize) but doesn't work directly for "Authorization Code" flow (where ID_TOKEN is returned from /token).

    If you're using the "Authorization Code" flow, you'll need to either set up an attribute source (so the attribute can be pulled from LDAP when needed) or store the attribute against the grant in the authorization code part of the flow and then retrieve it again in the token exchange part of the flow.

    There's actually code already in the rules to do this work for attributes the client requests.  I think you could directly add your attribute to this list at the start of processing and have the existing code handle it for you:

    stsuu.setContextAttribute("cred_attr_upn", "urn:ibm:names:ITFIM:oidc:claim:voluntary",null);


    Jon.




    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
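    As an added illustration (not code from this thread or from the IBM product), the Node script below models the mechanism Jon describes: a credential attribute is re-added to the context with type urn:ibm:jwt:claim, and only claim-typed attributes reach the ID token. The stsuu and Attribute objects are constructed stand-ins for the runtime's API, and the credential attribute type and sample values are assumed; the rule also guards against the attribute being absent, as it is on the /token leg of the code flow.

```javascript
// Constructed stand-ins for the mapping-rule runtime so the logic runs in Node:
// in a real pre-token rule, stsuu is supplied by the runtime and Attribute is
// com.tivoli.am.fim.trustserver.sts.uuser.Attribute (behaviour assumed here).
const JWT_CLAIM_TYPE = "urn:ibm:jwt:claim";

class Attribute {
  constructor(name, type, value) {
    this.name = name;
    this.type = type;
    // The Java constructor takes String values, so a boolean such as false
    // is stored as the text "false" (the effect reported later in the thread).
    this.value = value == null ? null : String(value);
  }
}

class Stsuu {
  constructor(attrs) { this.attrs = attrs.slice(); }
  getContextAttributes() {
    const find = (n) => this.attrs.find((x) => x.name === n);
    return { getAttributeValueByName: (n) => (find(n) ? find(n).value : null) };
  }
  addContextAttribute(a) { this.attrs.push(a); }
}

// The rule body from the thread, plus a null guard: when the credential
// attribute is absent (e.g. on the /token leg of the code flow) no claim
// with the literal value "null" is emitted.
function addUpnClaim(stsuu, sourceAttr) {
  const v = stsuu.getContextAttributes().getAttributeValueByName(sourceAttr);
  if (v === null) return false;
  stsuu.addContextAttribute(new Attribute("upn", JWT_CLAIM_TYPE, v));
  return true;
}

// Models the token builder's addTokenMap step: only attributes typed
// urn:ibm:jwt:claim become ID token claims; everything else is ignored.
function buildClaims(stsuu) {
  const claims = {};
  for (const a of stsuu.attrs) if (a.type === JWT_CLAIM_TYPE) claims[a.name] = a.value;
  return claims;
}
// Constructed sample context; the credential attribute type is assumed.
function demo(credentialPresent) {
  const attrs = [new Attribute("sub", JWT_CLAIM_TYPE, "jdoe")];
  if (credentialPresent) attrs.push(new Attribute("upn_cred_attr",
    "urn:ibm:names:ITFIM:5.1:accessmanager", "jdoe@example.com"));
  const stsuu = new Stsuu(attrs);
  addUpnClaim(stsuu, "upn_cred_attr");
  return buildClaims(stsuu);
}
```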



  • 3.  RE: Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Mon July 06, 2020 09:05 AM
    Hi Jon,

    Thanks. The application is initiating the Authorization flow.

    On the federation partner definition, under scopes, I added "upn" along with openid. Then I created a new identity mapping rule of type OIDC.

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.AttributeStatement);

    var myupn = stsuu.getContextAttributes().getAttributeValueByName("idpuserName");
    stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("upn","urn:ibm:jwt:claim",myupn));


    I attached this identity mapping rule to the partner setup, but the application is still not getting the upn.

    I tried to find it out in trace logs and did not find it.

    Thanks,
    Usman




    ------------------------------
    Ujjwal Kumar
    ------------------------------



  • 4.  RE: Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Tue January 05, 2021 05:43 PM
    Hi Jon,

    I know this is an old post but I am trying to add custom claims in the oidc token and am going by what you were saying here:

    If you're using the "Authorization Code" flow, you'll need to either set up an attribute source (so the attribute can be pulled from LDAP when needed) or store the attribute against the grant in the authorization code part of the flow and then retrieve it again in the token exchange part of the flow.


    There's actually code already in the rules to do this work for attributes the client requests.  I think you could directly add your attribute to this list at the start of processing and have the existing code handle it for you:

    stsuu.setContextAttribute("cred_attr_upn", "urn:ibm:names:ITFIM:oidc:claim:voluntary",null);


    Adding that to the pre-token mapping rule, I get this error in a trace:

    Caused by: org.mozilla.javascript.EcmaError: TypeError: Cannot find function setContextAttribute in object <?xml version="1.0" encoding="UTF-8"?>

    Thanks,
    Scott

    ------------------------------
    Scott Reichardt
    ------------------------------



  • 5.  RE: Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Wed January 06, 2021 02:38 AM
    Hi Scott,

    I didn't find any examples of setContextAttribute in the existing scripts, but plenty of addContextAttribute.
    So try this:

    stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("cred_attr_upn", "urn:ibm:names:ITFIM:oidc:claim:voluntary", false));

    ------------------------------
    Laurent LA Asselborn
    ------------------------------



  • 6.  RE: Adding attribute into JWT Token - OpenID Connect Protocol Integration

    Posted Wed January 06, 2021 11:58 AM
    Thanks Laurent. I did try different variations of stsuu.addContextAttribute with no success. I tried what you suggested but it just sets the value to "false".

    ------------------------------
    Scott Reichardt
    ------------------------------