Thanks. I think I have this close to working as you suggested, although I'm getting this error when it gets to this part of the pre-token mapping rule:
var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate", grant_type, client_id, base_token, null)
Caused by: java.util.MissingResourceException: Can't find resource for bundle com.tivoli.am.fim.i18n.msgs.STMMessages, key ext_util_failed
    at java.util.ResourceBundle.getObject(ResourceBundle.java:461)
    at java.util.ResourceBundle.getObject(ResourceBundle.java:455)
    at java.util.ResourceBundle.getString(ResourceBundle.java:418)
    at com.tivoli.am.fim.exception.ITFIMException.getMessage(ITFIMException.java:165)
    at com.tivoli.am.fim.exception.ITFIMException.<init>(ITFIMException.java:103)
    at com.tivoli.am.fim.trustserver.sts.STSException.<init>(STSException.java:67)
    at com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils.stringToXMLElement(IDMappingExtUtils.java:1752)
    at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
    at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
    at java.lang.reflect.Method.invoke(Method.java:508)
    at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
    ... 68 more
In the trace I can see the token and subject in the token. All of that is looking good.
Any ideas?
------------------------------
Scott Reichardt
------------------------------
Original Message:
Sent: Thu June 11, 2020 07:10 AM
From: Jon Harry
Subject: Best API access oauth2 flow to use for already logged in user
Hi Scott,
If you already have a JWT, you could use the OAuth 2.0 "Bearer Token" flow. This allows a client to present a JWT at the /token endpoint and get back an Access Token for the identified user.
Access Manager supports making this bearer token request to the /token endpoint but there is some additional work to do:
1. You would have to create a custom STS chain (to validate the received JWT and return an STSUU). This requires the federation add-on.
2. You would have to write JavaScript code in the pre-token mapping rule to call the STS chain (using Local STS Helper) and then parse the returned STSUU object and populate the data you want to be associated with the Access Token.
I'm afraid I don't have any guide for this - maybe someone else will know of a resource that explains in more detail how to do this.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
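A worked sketch of step 2 above, added here as an example; it is not code from this thread, from Jon's reply, or from IBM's shipped mapping rules. The STSUU reading and attribute selection are plain ES5 (the appliance's Rhino engine has no ES6), so that part runs stand-alone in Node against a constructed STSUU. The appliance-only glue in preTokenRule() is guarded so it only executes where LocalSTSClient exists; the shape of its result (errorMessage, token), the STSUniversalUser/Attribute Java classes and the response-attribute type URI are assumptions from memory of the ISAM mapping-rule API, not verified signatures. IDMappingExtUtils.stringToXMLElement and LocalSTSClient.doRequest are the calls already visible in the thread.

```javascript
// Added example, not code from the thread. ES5 on purpose: ISAM mapping rules
// run under an old Rhino, so no let/const/arrow functions.

var WST_VALIDATE = "http://schemas.xmlsoap.org/ws/2005/02/trust/Validate";
var JWT_BEARER_GRANT = "urn:ietf:params:oauth:grant-type:jwt-bearer"; // RFC 7523
var STSUU_NS = "urn:ibm:names:ITFIM:1.0:stsuuser";
// Attribute type under which values are exposed on the token response.
// Assumption: recalled from the shipped ISAM pre-token rule, not verified here.
var OAUTH_RESPONSE_ATTR = "urn:ibm:names:ITFIM:oauth:response:attribute";

// Read an STSUU serialised as XML. The structure is flat: a Principal and an
// AttributeList, each holding Attribute elements (name, optional type) with
// one or more Value children. Regexes are enough for that; on the appliance
// you would use the STSUniversalUser Java class instead of string parsing.
function parseStsuu(xml) {
  var result = { principal: null, attributes: {} };
  if (xml.indexOf(STSUU_NS) === -1) {
    throw new Error("not an STSUU document");
  }
  var sectionRe = /<stsuuser:(Principal|AttributeList)>([\s\S]*?)<\/stsuuser:\1>/g;
  var attrRe = /<stsuuser:Attribute\s+name="([^"]+)"(?:\s+type="([^"]*)")?\s*>([\s\S]*?)<\/stsuuser:Attribute>/g;
  var valueRe = /<stsuuser:Value>([\s\S]*?)<\/stsuuser:Value>/g;
  var sec, attr, val;
  while ((sec = sectionRe.exec(xml)) !== null) {
    while ((attr = attrRe.exec(sec[2])) !== null) {
      var values = [];
      while ((val = valueRe.exec(attr[3])) !== null) {
        values.push(val[1]);
      }
      if (sec[1] === "Principal") {
        if (attr[1] === "name") { result.principal = values[0] || null; }
      } else {
        result.attributes[attr[1]] = values;
      }
    }
  }
  return result;
}

// Decide what the access token carries. Returns null when the chain did not
// identify a subject, so the caller rejects the grant instead of minting a
// token for nobody. Only an explicit allow-list of claims is copied; the
// STSUU may hold attributes that should not leave the STS.
function responseAttributesFor(stsuu, wantedClaims) {
  if (!stsuu.principal) { return null; }
  var attrs = [{ name: "username", type: OAUTH_RESPONSE_ATTR, value: stsuu.principal }];
  wantedClaims.forEach(function (name) {
    (stsuu.attributes[name] || []).forEach(function (v) {
      attrs.push({ name: name, type: OAUTH_RESPONSE_ATTR, value: v });
    });
  });
  return attrs;
}

// Constructed sample: what a validate chain might return for a Spring-issued
// JWT whose subject is "scott". The claim types are made up for the example.
var SAMPLE_STSUU =
  '<stsuuser:STSUniversalUser xmlns:stsuuser="' + STSUU_NS + '">' +
  '<stsuuser:Principal><stsuuser:Attribute name="name">' +
  '<stsuuser:Value>scott</stsuuser:Value></stsuuser:Attribute></stsuuser:Principal>' +
  '<stsuuser:AttributeList>' +
  '<stsuuser:Attribute name="email" type="urn:example:claim">' +
  '<stsuuser:Value>scott@example.com</stsuuser:Value></stsuuser:Attribute>' +
  '<stsuuser:Attribute name="groups" type="urn:example:claim">' +
  '<stsuuser:Value>api-users</stsuuser:Value><stsuuser:Value>admins</stsuuser:Value>' +
  '</stsuuser:Attribute>' +
  '<stsuuser:Attribute name="internal_flag" type="urn:example:claim">' +
  '<stsuuser:Value>1</stsuuser:Value></stsuuser:Attribute>' +
  '</stsuuser:AttributeList></stsuuser:STSUniversalUser>';

// Appliance side. Runs only under ISAM's Rhino, where LocalSTSClient,
// IDMappingExtUtils and the context STSUU are injected; Node returns null.
// Assumptions: doRequest(requestType, issuer, appliesTo, baseToken, claims)
// returns an object with errorMessage and token (a DOM Element);
// STSUniversalUser.fromXML/getPrincipalName and Attribute(name, type, value)
// are the Java classes under com.tivoli.am.fim.trustserver.sts.uuser.
function preTokenRule(jwt, issuer, appliesTo, contextStsuu) {
  if (typeof LocalSTSClient === "undefined") { return null; }
  // stringToXMLElement needs well-formed XML and a bare JWT is not XML, so
  // wrap it first; the chain's first module must expect this element.
  var wrapped = '<wsse:BinarySecurityToken xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" ValueType="urn:ietf:params:oauth:token-type:jwt">' + jwt + '</wsse:BinarySecurityToken>';
  var base = IDMappingExtUtils.stringToXMLElement(wrapped);
  var res = LocalSTSClient.doRequest(WST_VALIDATE, issuer, appliesTo, base, null);
  if (res.errorMessage != null) { return null; }          // chain rejected the JWT
  var validated = new STSUniversalUser();
  validated.fromXML(res.token);
  var attrs = responseAttributesFor({ principal: String(validated.getPrincipalName()), attributes: {} }, []);
  if (attrs === null) { return null; }
  attrs.forEach(function (a) {
    contextStsuu.addAttribute(new Attribute(a.name, a.type, a.value));
  });
  return attrs;
}
```

Outside the appliance the useful part is parseStsuu plus responseAttributesFor: feed them the STSUU your chain produces (trace output is enough to capture one) and check that the principal and only the claims you intend end up on the token before wiring the rule in. The grant type constant is the one the client sends to /token for this flow; the rule itself should also confirm that is the grant being processed before calling the chain.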
Original Message:
Sent: Thu June 04, 2020 11:57 AM
From: Scott Reichardt
Subject: Best API access oauth2 flow to use for already logged in user
Developers have already used Spring Security to generate a JWT when a user has logged in. I've configured WebSEAL to validate the JWT. This is all working well.
In our SPA we want to hit back-end APIs on behalf of the logged-in user. Today we are using basic auth service accounts for accessing the API, which we are trying to get away from. I'm trying to figure out which OAuth2 flow to use for this purpose.
- Don't use any flow – instead, use the existing JWT and verify this on the backend when the API is accessed
- Use application code flow to get a new token and use that on the backend for verification when the API is accessed. Wasn't sure if this made sense since the user is already logged in.
- Use Client Credentials flow. I'm a little confused if this will be good to use since I don't think it would be based on behalf of the user, rather based on the client. Maybe that's fine?
Thanks,
Scott
------------------------------
Scott Reichardt
ISAM - 9.0.6.0
------------------------------