IBM Security Verify

  • 1.  fed-id-param

    Posted Mon November 18, 2019 12:30 PM
    Hi everyone,

    I've followed this link and have successfully been able to authenticate using a JWT token that is passed on a junction. 
    https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

    I'm now wanting to see if there is a way to use different STS chains based on what the federation ID is. 

    The fed-id-param seems to allow this but when I pass a request parameter it doesn't seem to make any difference. It always uses the value of default-fed-id.

    # The Provider ID of the default OAuth federation. If a Provider ID is not
    # provided in the request using the fed-id-param option, this provider ID will
    # be used for OAuth requests. The Provider ID of a federation can be found on
    # the federation properties page.
    default-fed-id = urn:jwt:webseal
    # The name of the request parameter that can be used to override the
    # default-fed-id option configured above. By deleting this configuration
    # option, you can enforce that the default fed id is always used.
    fed-id-param = FederationId

    For example:
    curl -k -s -S "https://myurl/myjunction/index.html?FederationId=urn:jwt:websealtest" -H "Authorization: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ0ZXN0ZGFtYSIsIm.example"

    This always uses the STS chain path for urn:jwt:webseal instead of urn:jwt:websealtest.

    Am I not passing the request parameter correctly?

    Thanks,
    Scott



    ------------------------------
    Scott Reichardt.
    ISAM 9.0.6
    ------------------------------


  • 2.  RE: fed-id-param

    Posted Mon November 18, 2019 12:47 PM
    Hello Scott,

    That parameter does not work as expected when using OAuth authentication, which is the default rule.

    To get around this, I make a 'token router' JavaScript mapping rule that can be built into a trust chain:
    https://github.com/IBM-Security/isam-support/blob/master/config-example/federation/ws-trust/mapping/token-router.js

    You can use that in conjunction with the following OpenMic presentation to setup a trust chain that will allow you to both service the default OAUTH tokens as well as route to other trust chains.

    Open Mic reference :
    https://www.ibm.com/support/pages/webinar-replay-leveraging-json-web-tokens-ibm-security-access-manager-8-august-2019-presentation-attached

    Hopefully between these two you'll be able to validate the different JWTs seamlessly as per your requirements.

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: fed-id-param

    Posted Mon November 18, 2019 01:55 PM
    Edited by Scott Reichardt Mon November 18, 2019 02:09 PM
    Thanks, Jack! Based on that I ended up simply modifying the jwt_at_common.js and routing based on the junction called (which is what my use case is):

    function validateJwt(at, stsuu) {

        // First we need to build a binary security token from the jwt:
        var bst = IDMappingExtUtils.stringToXMLElement('<wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode"  wss:ValueType="urn:com:ibm:JWT" >' + at + '</wss:BinarySecurityToken>');

        // Read the requested path from the OAuth request context attributes
        var requestedId = null;
        var temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType("path", "urn:ibm:names:ITFIM:oauth:request");
        if (temp_attr != null && temp_attr.length > 0) {
            requestedId = temp_attr[0];
        }
        IDMappingExtUtils.traceString("\n\nrequestedId is:\n" + requestedId + "\n");

        // validate the token and check for junction string
        var token;
        if (/myjunction/.test(requestedId)) {
            IDMappingExtUtils.traceString("\n\nCalled validate\n");
            token = callSts(bst, "urn:jwt:validate");
        } else {
            IDMappingExtUtils.traceString("\n\nCalled validate2\n");
            token = callSts(bst, "urn:jwt:validate2");
        }

        // hand the result of the selected STS chain back to the caller
        return token;
    }


    ------------------------------
    Scott Reichardt
    ------------------------------
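The routing idea from Jack's token-router suggestion and Scott's junction-based validateJwt, as an added example that is not part of the thread and not IBM's jwt_at_common.js or token-router.js. It is plain Node.js so it runs outside ISAM: the ISAM calls (IDMappingExtUtils, callSts, the stsuu context attributes) are replaced by injected functions, the "path" attribute is assumed to carry the request path, and the routing table, the chain ID urn:jwt:validate2 for a second junction /partnerapi, and the issuers idp-a/idp-b are constructed for the example. The security-relevant difference from a bare /myjunction/ regex test is that junction matching is anchored on whole path segments and an unknown junction selects no chain at all, so a token can only be validated by the chain (and therefore the issuer key) configured for the junction it was presented on.

```javascript
'use strict';

// Constructed routing table: junction path prefix -> STS chain identifier.
// Only urn:jwt:validate / urn:jwt:validate2 appear in the thread; the
// /partnerapi junction is an assumption for the example.
const CHAIN_BY_JUNCTION = {
  '/myjunction': 'urn:jwt:validate',
  '/partnerapi': 'urn:jwt:validate2',
};

// Select the chain for a request path. Matching is anchored at the start and
// on whole segments, so "/myjunction2/x" and "/other/myjunction/x" do not
// select the /myjunction chain (a bare /myjunction/ regex would match both).
// Returns null for an unknown junction: fail closed, no default chain.
function chainForPath(path, table = CHAIN_BY_JUNCTION) {
  if (typeof path !== 'string' || !path.startsWith('/')) return null;
  const clean = path.split('?')[0].replace(/\/+/g, '/'); // drop query, collapse //
  for (const junction of Object.keys(table)) {
    if (clean === junction || clean.startsWith(junction + '/')) {
      return table[junction];
    }
  }
  return null;
}

// Stand-in for getAttributeValuesByNameAndType("path", ...) on the stsuu:
// the context attributes are modelled as { name: [values] }.
function requestedPath(contextAttributes) {
  const vals = contextAttributes && contextAttributes['path'];
  return Array.isArray(vals) && vals.length > 0 ? vals[0] : null;
}

// The mapping-rule logic with the STS call injected:
// callSts(accessToken, chainId) must return the validated claims or null.
function routeAndValidate(at, contextAttributes, callSts, table = CHAIN_BY_JUNCTION) {
  const path = requestedPath(contextAttributes);
  const chainId = chainForPath(path, table);
  if (chainId === null) {
    return { ok: false, reason: 'no STS chain configured for path ' + path };
  }
  const claims = callSts(at, chainId);
  if (claims === null) {
    return { ok: false, reason: 'STS chain ' + chainId + ' rejected the token' };
  }
  return { ok: true, chain: chainId, claims: claims };
}

// base64url helpers that work on any Node version (no 'base64url' encoding needed)
function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function b64urlDecode(str) {
  return Buffer.from(str.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

// Constructed token builder: an unsigned (alg none) JWT is enough to exercise
// the routing; a real chain verifies the signature against the issuer key.
function makeUnsignedJwt(payload) {
  return b64urlEncode(JSON.stringify({ alg: 'none' })) + '.' +
         b64urlEncode(JSON.stringify(payload)) + '.';
}

// Constructed fake STS: each chain only accepts tokens from "its" issuer,
// which is what a per-federation validation chain with its own key does.
function fakeCallSts(at, chainId) {
  const issuerForChain = { 'urn:jwt:validate': 'idp-a', 'urn:jwt:validate2': 'idp-b' };
  try {
    const payload = JSON.parse(b64urlDecode(at.split('.')[1]));
    return payload.iss === issuerForChain[chainId] ? payload : null;
  } catch (e) {
    return null;
  }
}

// Demo: a token from idp-a is accepted on /myjunction, rejected on /partnerapi
// (wrong chain) and rejected on an unmapped junction (no chain).
const demoToken = makeUnsignedJwt({ iss: 'idp-a', sub: 'scott' });
console.log(routeAndValidate(demoToken, { path: ['/myjunction/index.html'] }, fakeCallSts));
console.log(routeAndValidate(demoToken, { path: ['/partnerapi/v1/x'] }, fakeCallSts));
console.log(routeAndValidate(demoToken, { path: ['/myjunction2/index.html'] }, fakeCallSts));
```

In the real mapping rule the table lookup replaces the if/else on a regex, and the null branch should end the rule with a failure rather than falling through to the default chain; otherwise a JWT minted for one federation could be replayed against a junction that was meant to trust a different issuer.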