IBM Security Verify

Expand all | Collapse all

IBM Security Verify / JWT Token force array

  • 1.  IBM Security Verify / JWT Token force array

    Posted 16 days ago

    Hi folks,


    We faced some problems when we tried to generate JWT token using webseal configuration.

    The problem concern multi-values claim, let's take an example :  In [JWT] stanza we added a claim : "attr::myFancyAttribute"

    Depending on the attribute values, we got different types of claim :

    • We have no claim when there is no attribute "myFancyAttribute"
    • We have a string claim if the attribute exist and it's a mono-value
    • We have an array claim if the attribute contains multiple value

     

    So my question is : There is a way to force JWT generation to get a claim as an array, even if the source attribute is a mono value ?


    Thanks,
    Regards



    ------------------------------
    ilyass togui
    ------------------------------


  • 2.  RE: IBM Security Verify / JWT Token force array

    Posted 16 days ago
    ilyass,
     
    Unfortunately there is no way to force a credential attribute to be added to the JWT as an array.  Here is a direct quote from the template configuration file:
     
    If the value is the name of an attribute an array will only be created  if the attribute contains multiple values.
     
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
     
     





  • 3.  RE: IBM Security Verify / JWT Token force array

    Posted 15 days ago
    Hi Scott,

    Thank you for your confirmation on this behavior.

    It's really unfortunate because it makes the feature unusable for us, as we insert an attribute "groups" that can contain 0, 1 or several groups.
    We don't think it's acceptable to tell the applications using those jwt's that that "group" attribute can sometimes be an array, sometimes not.

    Do you think it's worth creating an RFE for this asking the implementation of this behavior ?

    ------------------------------
    André Leruitte
    ------------------------------



  • 4.  RE: IBM Security Verify / JWT Token force array

    Posted 15 days ago
    Andre,
     
    For the time being you will need to make use of the more advanced JWT capabilities offered in the Federation offering.  It should be worth raising an RFE for this capability if you still need it.
     
    Thanks.
     
     

    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor


    Phone: 61-7-5552-4008
    E-mail: scotte@au1.ibm.com
    1 Corporate Court
    Bundall, QLD 4217
    Australia
     
     





  • 5.  RE: IBM Security Verify / JWT Token force array

    Posted 15 days ago
    Hi,

    We have already falledback to the STS , where we had implemented the transformation first.
    So we do not need absolutely to be able to use webseal for jwt generation.

    It's just that we wanted to switch to this new jwt generation capability that should be much easier to manage and much faster.

    We also thought about always inserting two fake groups so that webseal always considers the attribute as an array, but we don't find that solution very clean.


    As this is a problem that we have in most of our reverse proxies (user groups are always inserted in the jwt so that the backends can enforce precise authorization) I will take the time to create an RFE.


    ------------------------------
    André Leruitte
    ------------------------------



  • 6.  RE: IBM Security Verify / JWT Token force array

    Posted 15 days ago
    Hi André

    Yes, I believe an RFE is relevant here.
    We have not moved yet to the ISAM/WebSEAL native JWT capability but it is just a matter of time before we engage in that direction.
    Thank you for your time. I would vote for it if this was possible.
    (-;

    ------------------------------
    Sylvain Gilbert
    ------------------------------



  • 7.  RE: IBM Security Verify / JWT Token force array

    Posted 12 days ago
    Edited by Joao Goncalves 12 days ago
    I would like to get some clarification on this.
    If you need to send a credential attribute that is an array, why not use a list to return the multi-values.
    For example:
    • If I want to return the list of groups (e.g. credGroups attribute) a user belongs too. I can send the attribute credGroups:group1,group2,group3 and so on.
    • If I want to return the contact information for a user (e.g. credContacts attribute) has, I can send the attribute credContacts:[email: user@example.com],[phone:1234567890]
    Isn't this what André needed? The implementation of this, although i have not done, I believe would be something simple.

    Even it the attribute needs to be polymorphic, we can always send the metadata info along with the attribute.
    For example:
    • credFancyAttribute:SINGLE,NUL
    • credFancyAttribute:SINGLE,somevalue
    • credFancyAttribute:SET,group1,group2,group3
    • credFancyAttribute:MAP,[email: user@example.com],[phone:1234567890]
    This would also solve his problem!
    I just don't get why would you need an array! What am I missing?

    ------------------------------
    Joao Goncalves
    Pyxis, Lda.
    Sintra
    +351 91 721 4994
    ------------------------------



  • 8.  RE: IBM Security Verify / JWT Token force array

    Posted 10 days ago
    Hi Joao,

    Thank you for your suggestion.
    I'm afraid that entirely changing the format in which we store the user attributes is not an option.

    Today we already have several STS transformations that take specific attributes from the STSUU for building a JWT (tfim-sso feature).
    Our goal is to migrate those simple STS transformations to native webseal JWT generation.
    For doing that in a seamless way the attributes format in the STSUU must not change.

    ------------------------------
    André Leruitte
    ------------------------------