IBM Security Verify

 View Only
  • 1.  Adjusting webseal response to invalid bearer tokens

    InnerCircle
    Posted Mon May 16, 2022 10:36 AM
    One of our developers asked me a question I thought deserved some investigation.  If we are making an API call through a webseal to some API sitting behind it, and we are authenticating with a bearer token in the authorization header, and that token is invalid (expired, revoked, etc.), webseal returns http status code 200 and the JSON response operation cert_login.  Obviously good tokens work just fine.

    The question at hand is, when these tokens are invalid, can webseal do something different than return with a 200 with that operation cert_login?  I see the developer's point in that this is confusing for the client making the call, as it is getting back a 200.

    Any thoughts?  Thanks!

    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: Adjusting webseal response to invalid bearer tokens

    InnerCircle
    Posted Mon May 16, 2022 10:43 AM
    Also, to add to this, the developer told me that last year they tested and received the following messages:
    • Invalid authorization token (i.e. Bearer 12345) - status code 401 { "error": "Unauthorized, Access token is invalid." }
    • No authorization header - status code 400 - { "error": "Bad request, Access token is missing." }
    However, I'm wondering if these messages may have been coming from the backend, and maybe the junction to the backend was set to unauthenticated instead of any-auth at the time.  However, my original question still stands, if webseal gets a bad token, is there any way to return a different status code and/or message in that case?

    Thanks again!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 3.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 12:15 PM
    Hello Matt,

    Create a template file in the Reverse Proxy management root called 'login.401.json' with the following contents:
    {
    "operation" : "%TAM_OP%"
    }

    This will then return a 401 with the above.

    You can customize it to however you want using the macros in the following documentation:
    https://www.ibm.com/docs/en/sva/10.0.3?topic=modification-macro-resources-customizing-response-pages

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 4.  RE: Adjusting webseal response to invalid bearer tokens

    InnerCircle
    Posted Mon May 16, 2022 01:08 PM
    @JACK YARBOROUGH, how does that 401 in the file name work?  Is there any documentation to describe that?

    If we did this, it would also impact ​cases where tokens were not involved, correct?  If that is the case, is there any way to only make this happen if a bearer token is being passed?

    Thanks very much for your input!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 5.  RE: Adjusting webseal response to invalid bearer tokens

    Posted Mon May 16, 2022 01:18 PM
    Hello Matthew,

    Please review the following documentation:
    https://www.ibm.com/docs/en/sva/10.0.3?topic=configuration-content-aware-server-responses

    ------------------------------
    JACK YARBOROUGH
    ------------------------------