IBM Verify

  • 1.  Authorization: Bearer header in junction

    Posted Wed January 16, 2019 12:02 PM
    Hi all,
    We configured an STS chain to send a JWT to a backend server in a junction.
    In WebSEAL's configuration file I can configure it to send the JWT in a cookie or in a header, and I can decide the name of the cookie and the name of the header.
    How can I send the JWT in an Authorization: Bearer header? (So I need to add Bearer to the value of the header before the JWT.)
    If I configure:
    token-transmit-type = header
    token-transmit-name = Authorization
    I have no way to add Bearer to the header's value.
    I tried with
    token-transmit-name = Authorization : Bearer but it doesn't work.


    Is there any parameter, or do I have to use transformation rules?

    Thank you

    ------------------------------
    Ivana Campolongo
    ------------------------------


  • 2.  RE: Authorization: Bearer header in junction

    Posted Thu January 17, 2019 05:52 AM
    I have a solution for this. Add the following JavaScript mapping rule to the END of your current STS chain (after the JWT in issue mode). It will prepend "Bearer " to the JWT, and that is what WebSEAL will send downstream.

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
    importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

    /*
     * This mapping rule is designed to run (in map mode) at the END of an STS chain that already issues a JWT token.
     * What it actually does is take the JWT and re-issue it as a BinarySecurityToken with the string:
     *
     *   Bearer <existing_jwt>
     *
     */

    var tokenResponse = stsresponse.getRequestSecurityTokenResponse();
    var requestedToken = tokenResponse.getRequestedSecurityToken();
    if (requestedToken != null) {
        // re-issue with bearer header
        var stringToken = 'Bearer ' + requestedToken.getTextContent();

        // create new BST with modified text in it
        var document      = IDMappingExtUtils.newXMLDocument();
        var myOutputValue = document.createTextNode(stringToken);
        var myOutputToken = document.createElementNS("http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd", "wsse:BinarySecurityToken");
        myOutputToken.setAttribute("ValueType", "BearerJWT");
        myOutputToken.setAttribute("EncodingType", "urn:jwt:with:bearer:header");
        myOutputToken.appendChild(myOutputValue);

        // set to null first to clear out existing JWT, then set our new token
        tokenResponse.setRequestedSecurityToken(null);
        tokenResponse.setRequestedSecurityToken(myOutputToken);

        IDMappingExtUtils.traceString("Final token: " + IDMappingExtUtils.xmlElementToString(myOutputToken));

    } else {
        IDMappingExtUtils.throwSTSException("No requested security token found");
    }


    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: Authorization: Bearer header in junction

    Posted Fri January 18, 2019 10:17 AM
    Thank you Shane.

    It works perfectly!

    ------------------------------
    Ivana Campolongo
    ------------------------------