IBM Security Verify

  • 1.  OAuth EAS: ISAM OAuth Response 400 Bad Request

    Posted Fri April 16, 2021 09:55 AM
    Hi,

    I am following the Advanced API Protection cookbook.
    To enable OAuth-EAS, it recommends making the following configuration changes to WebSEAL:

    [oauth]
    oauth-auth = none
    [oauth-eas]
    eas-enabled = true

    and attach an API Protection policy.

    So I did. But I get "ISAM OAuth Response 400 Bad Request" when I try to perform a test request.

    > POST /api/nf/balance HTTP/1.1
    > Host: api-gateway.authsaz.com:444
    > User-Agent: insomnia/2021.2.2
    > Authorization: bearer XNXg3gRizGoK1jC9y3nx
    > Content-Type: application/json
    > Accept: */*
    > Content-Length: 21
    
    | {"account": "101010"}

    From the high-level overview of the OAuth EAS there is only one reason for such a response:

    If there is missing data, then a 400 response is generated and no further processing takes place. If all of the data is available, then the EAS constructs a Request Security Token (RST) and sends it to the authorization server, which is part of the Advanced Access Control Module.

    So the request is considered to be incorrect and no further processing should take place.
    But
    1. In the log I see that the decision process takes place and the decision ends up with "allow":
    trace.pdweb.oauth:6 /build/isam/src/i4w/pdwebrte/azn/oauth-eas/amw_oauth_eas.cpp:366: Exit azn_svc_decision_access_allowed_ext (0x0)
    2. If I turn on oauth again (oauth-auth = https), then the request ends up with 200 and the expected result. So the request should be fine indeed.

    Why do I get 400 Bad Request?

    ------------------------------
    Best Regards
    Ivan Yartsev
    ------------------------------
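
The 400-versus-401 distinction Ivan is asking about is specified for a generic bearer-token resource server in RFC 6750. The following is an added example, not code from the post, the cookbook or the ISAM OAuth EAS, and it says nothing about why WebSEAL returned 400 in this particular setup: it only shows how RFC 6750 classifies a request before any token validation happens (no token at all: 401 with a bare challenge; token present but malformed, repeated, or sent by more than one method: 400 invalid_request; otherwise the token is handed to validation). The sample request is the one from the post, re-typed here as constructed test input; the realm name "api" is an assumption.

```python
"""Classify an incoming HTTP request the way an RFC 6750 bearer-token
resource server does, before the token itself is validated."""
import re
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the request from the forum post, re-typed.
RAW_REQUEST = (
    "POST /api/nf/balance HTTP/1.1\r\n"
    "Host: api-gateway.authsaz.com:444\r\n"
    "User-Agent: insomnia/2021.2.2\r\n"
    "Authorization: bearer XNXg3gRizGoK1jC9y3nx\r\n"
    "Content-Type: application/json\r\n"
    "Accept: */*\r\n"
    "Content-Length: 21\r\n"
    "\r\n"
    '{"account": "101010"}'
)

# RFC 6750 section 2.1: b64token = 1*( ALPHA / DIGIT / "-" / "." / "_" / "~" / "+" / "/" ) *"="
B64TOKEN = re.compile(r"^[A-Za-z0-9\-._~+/]+=*$")


@dataclass
class Outcome:
    status: Optional[int]   # 401 / 400 to return now, or None to proceed to token validation
    error: Optional[str]    # RFC 6750 error code for a 400 (None for a bare 401 challenge)
    token: Optional[str]    # the single well-formed token found, if any


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request into (method, target, headers, body).
    Header names are lower-cased; repeated headers are kept as a list."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return method, target, headers, body


def classify(raw: str) -> Outcome:
    """Apply the RFC 6750 rules for locating a bearer token in a request."""
    _method, target, headers, body = parse_request(raw)
    candidates = []

    # Section 2.1: Authorization header; the scheme name is case-insensitive.
    for value in headers.get("authorization", []):
        scheme, _, credentials = value.partition(" ")
        if scheme.lower() == "bearer":
            candidates.append(("header", credentials.strip()))

    # Section 2.2: form-encoded body parameter, only for form bodies.
    ctype = headers.get("content-type", [""])[0].split(";")[0].strip().lower()
    if ctype == "application/x-www-form-urlencoded":
        for tok in parse_qs(body).get("access_token", []):
            candidates.append(("body", tok))

    # Section 2.3: URI query parameter.
    for tok in parse_qs(urlsplit(target).query).get("access_token", []):
        candidates.append(("query", tok))

    if not candidates:
        # No authentication information at all: 401 and a challenge without an error code.
        return Outcome(401, None, None)
    if len(candidates) > 1:
        # Section 2: a client MUST NOT use more than one method in a single request.
        return Outcome(400, "invalid_request", None)
    _where, token = candidates[0]
    if not token or not B64TOKEN.match(token):
        # Bearer scheme present but the token is empty or not a b64token: malformed.
        return Outcome(400, "invalid_request", None)
    # Well-formed: the token is handed to the authorization server for validation.
    return Outcome(None, None, token)


def www_authenticate(outcome: Outcome, realm: str = "api") -> Optional[str]:
    """Build the WWW-Authenticate value a resource server returns (section 3).
    The realm is an assumed value for this example."""
    if outcome.status == 401:
        return f'Bearer realm="{realm}"'
    if outcome.status == 400:
        return f'Bearer realm="{realm}", error="{outcome.error}"'
    return None


if __name__ == "__main__":
    result = classify(RAW_REQUEST)
    print(result)                     # token extracted, status None: go validate it
    print(www_authenticate(classify(RAW_REQUEST.replace(
        "Authorization: bearer XNXg3gRizGoK1jC9y3nx\r\n", ""))))
```

Dropping the Authorization header from the sample yields the 401 path; adding `?access_token=...` to the request target while keeping the header yields 400 invalid_request, because two transport methods were used at once.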


  • 2.  RE: OAuth EAS: ISAM OAuth Response 400 Bad Request

    Posted Fri April 16, 2021 12:52 PM
    Hi Ivan,

    Do you have a link to the cookbook you are following?  I'm surprised to see it using oauth-eas - in most cases oauth-auth provides better capability.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 3.  RE: OAuth EAS: ISAM OAuth Response 400 Bad Request

    Posted Mon April 19, 2021 03:37 AM
    Hi Jon,

    the link is https://medium.com/ibm-security-access-manager-recipes/isam-cookebook-for-advanced-api-protection-a780a5af0162
    The Link to the PDF:  https://github.com/authsaz/isambook/blob/1.0.1/Advanced%20API%20Protection%20Using%20ISAM.pdf
    Chapter 6 "Simple API Protection using OAuth-EAS"

    I'm trying to understand why I get 400 Bad Request. When I turn oauth-auth off, I expect that the user should not get a session on WebSEAL and I would get 401 Unauthorized. But I get 400, which I should see "if there is missing data".



    ------------------------------
    Ivan Yartsev
    ------------------------------



  • 4.  RE: OAuth EAS: ISAM OAuth Response 400 Bad Request

    Posted Mon April 19, 2021 06:05 AM

    Hi Ivan,

    Although this cookbook has some content and styling from my cookbooks, it was created by a 3rd party and so I do not know it. I seem to remember that there were some threads related to this cookbook in the past. Maybe one of those can help?

    I don't know if the authors monitor this forum. Perhaps ask your questions on their GitHub project - or on their Medium post? 

    There's a lab on this subject on IBM Security Learning Academy here.  I think this uses OAuth-auth which is recommended approach:
    https://www.securitylearningacademy.com/course/view.php?id=5218

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------



  • 5.  RE: OAuth EAS: ISAM OAuth Response 400 Bad Request

    Posted Mon April 19, 2021 07:22 AM
    Hi Jon,

    Thank you very much for your reply. I understand that the cookbook is a 3rd-party one, but I'd like to understand how the "API Protection" policy works, or is supposed to work.
    I double-checked the setup, and it looks like I get the 400 Bad Request error as soon as I attach the policy. The pdweb.oauth log looks fine:
    ...
    /pdwebrte/azn/oauth-eas/AMWOAuthDataEAS.cpp:98: Exit AMWOAuthDataEAS::~AMWOAuthDataEAS
    /pdwebrte/azn/oauth-eas/amw_oauth_eas.cpp:359: azn_svc_decision_access_allowed_ext final *permission[1] (0 is permitted, 1 is not permitted)
    /pdwebrte/azn/oauth-eas/amw_oauth_eas.cpp:366: Exit azn_svc_decision_access_allowed_ext (0x0)

    The decision of the policy is "Allow". What log could I check to get a clue about what is wrong?


    ------------------------------
    Ivan Yartsev
    ------------------------------