IBM Security Verify

  • 1.  Best API access oauth2 flow to use for already logged in user

    Posted Thu June 04, 2020 11:58 AM

    Developers have already used Spring Security to generate a JWT when a user has logged in. I've configured WebSEAL to validate the JWT. This is all working well.

    In our SPA we want to hit back end API's on behalf of the logged in user. Today we are using basic auth service accounts for accessing the API which we are trying to get away from. I'm trying to figure out which oauth2 flow to use for this purpose.

    1. Don't use any flow – Instead use the existing JWT and verify this on the backend when the API is accessed
    2. Use application code flow to get a new token and use that on the backend for verification when the API is accessed. Wasn't sure if this made sense since the user is already logged in.
    3. Use Client Credentials flow. I'm a little confused if this will be good to use since I don't think it would be based on behalf of the user, rather based on the client. Maybe that's fine?

    Thanks,

    Scott



    ------------------------------
    Scott Reichardt
    ISAM - 9.0.6.0
    ------------------------------


  • 2.  RE: Best API access oauth2 flow to use for already logged in user

    Posted Thu June 11, 2020 07:11 AM

    Hi Scott,

    If you already have a JWT, you could use the OAuth 2.0 "Bearer Token" flow.  This allows a client to present a JWT at the /token endpoint and get back an Access Token for the identified user.

    Access Manager supports making this bearer token request to the /token endpoint but there is some additional work to do:

    1. You would have to create a custom STS chain (to validate the received JWT and return an STSUU). This requires the federation add-on.
    2. You would have to write JavaScript code in the pre-token mapping rule to call the STS chain (using Local STS Helper) and then parse the returned STSUU object and populate the data you want to be associated with the Access Token.

    I'm afraid I don't have any guide for this - maybe someone else will know of a resource that explains in more detail how to do this.

    Jon.



    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
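    Scott's option 1 (verify the existing JWT on the backend) and Jon's suggestion (present that JWT at the /token endpoint and receive an Access Token for the identified user) are the two halves of the JWT bearer grant defined in RFC 7523. The block below is an added example for this thread; it is not code from the thread, from Access Manager or from IBM. It uses only the Python standard library, pins HS256 with constructed shared secrets in place of an STS chain, and every issuer, audience, client_id and scope value is an assumed placeholder. It shows both sides of the exchange: the form the client posts to /token, the checks the token endpoint runs on the assertion (pinned alg, signature, iss, aud, exp) before minting an access token bound to the user's subject, and the check the API runs on the minted token before trusting the subject.

```python
"""Added example: minimal JWT bearer grant (RFC 7523) with stdlib only.
Secrets, issuer, audience, client_id and scope are constructed placeholders."""
import base64
import hashlib
import hmac
import json
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed secrets: one used by the login JWT issuer, one used by the
# authorization server for the access tokens it mints. Assumption: HS256.
LOGIN_JWT_SECRET = b"constructed-login-secret"
ACCESS_TOKEN_SECRET = b"constructed-access-secret"
LOGIN_ISSUER = "https://login.example.com"        # assumed: who signs the login JWT
AS_ISSUER = "https://as.example.com"              # assumed: the authorization server
TOKEN_ENDPOINT_AUD = AS_ISSUER + "/token"          # assumed aud the assertion must carry
API_AUD = "https://api.example.com"               # assumed aud of the access token
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # RFC 7523 grant_type


def _b64url(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims: dict, secret: bytes) -> str:
    """Produce a compact HS256 JWT (stand-in for Spring Security / the AS signer)."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url(sig)}"


def verify_jwt(token: str, secret: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the claims only if alg, signature, iss, aud and exp all check out."""
    now = time.time() if now is None else now
    try:
        h, b, s = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(h))
    if header.get("alg") != "HS256":  # pin the algorithm; never honour alg from the token
        raise ValueError("unexpected alg")
    expected = hmac.new(secret, f"{h}.{b}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(_b64url_decode(b))
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    if claims.get("aud") != audience:
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    return claims


def build_token_request(login_jwt: str, client_id: str, scope: str) -> str:
    """Client side: the form body the SPA (or its backend) posts to /token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": login_jwt,
                      "client_id": client_id, "scope": scope})


def token_endpoint(form_body: str, now=None) -> dict:
    """Server side: validate the assertion, then mint an access token bound to its subject."""
    form = {k: v[0] for k, v in parse_qs(form_body).items()}
    if form.get("grant_type") != JWT_BEARER:
        return {"error": "unsupported_grant_type"}
    try:
        claims = verify_jwt(form["assertion"], LOGIN_JWT_SECRET,
                            LOGIN_ISSUER, TOKEN_ENDPOINT_AUD, now)
    except (KeyError, ValueError) as exc:
        return {"error": "invalid_grant", "error_description": str(exc)}
    now = int(time.time() if now is None else now)
    access = sign_jwt({"iss": AS_ISSUER, "aud": API_AUD, "sub": claims["sub"],
                       "client_id": form.get("client_id"), "scope": form.get("scope", ""),
                       "iat": now, "exp": now + 300, "jti": secrets.token_hex(8)},
                      ACCESS_TOKEN_SECRET)
    return {"access_token": access, "token_type": "Bearer", "expires_in": 300}


def authorize_api_call(access_token: str, required_scope: str, now=None):
    """Resource server: return the subject to act on behalf of, or None to reject."""
    try:
        claims = verify_jwt(access_token, ACCESS_TOKEN_SECRET, AS_ISSUER, API_AUD, now)
    except ValueError:
        return None
    if required_scope not in claims.get("scope", "").split():
        return None
    return claims["sub"]


if __name__ == "__main__":
    login = sign_jwt({"iss": LOGIN_ISSUER, "aud": TOKEN_ENDPOINT_AUD,
                      "sub": "scott", "exp": 2000}, LOGIN_JWT_SECRET)
    resp = token_endpoint(build_token_request(login, "spa-client", "read"), now=1000)
    print(resp["token_type"], authorize_api_call(resp["access_token"], "read", now=1000))
```

    In a real Access Manager deployment the signature check is done by the custom STS chain and the tokens are typically signed with asymmetric keys rather than a shared secret; what carries over is the set of checks the token endpoint and the API must run before trusting the subject (pinned algorithm, signature, issuer, audience, expiry) and the fact that the minted access token gets its own, short, lifetime and its own audience instead of reusing the login JWT.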



  • 3.  RE: Best API access oauth2 flow to use for already logged in user

    Posted Thu June 11, 2020 07:26 AM

    We are doing the same as mentioned above by Jon.

    You can follow this https://www.ibm.com/support/pages/sites/default/files/inline-files/$FILE/Leveraging-JWTs_in-ISAM-2019-08-08.pdf to implement the JWT bearer grant.



    ------------------------------
    Piyush Agrawal
    ------------------------------



  • 4.  RE: Best API access oauth2 flow to use for already logged in user

    Posted Thu June 11, 2020 05:51 PM

    Thanks. I think I have this close to working as you suggested. Although I'm getting this error when it gets to this part in the pre-token mapping rule:

    var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate", grant_type, client_id, base_token, null)

    Caused by: java.util.MissingResourceException: Can't find resource for bundle com.tivoli.am.fim.i18n.msgs.STMMessages, key ext_util_failed
        at java.util.ResourceBundle.getObject(ResourceBundle.java:461)
        at java.util.ResourceBundle.getObject(ResourceBundle.java:455)
        at java.util.ResourceBundle.getString(ResourceBundle.java:418)
        at com.tivoli.am.fim.exception.ITFIMException.getMessage(ITFIMException.java:165)
        at com.tivoli.am.fim.exception.ITFIMException.<init>(ITFIMException.java:103)
        at com.tivoli.am.fim.trustserver.sts.STSException.<init>(STSException.java:67)
        at com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils.stringToXMLElement(IDMappingExtUtils.java:1752)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:90)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:55)
        at java.lang.reflect.Method.invoke(Method.java:508)
        at org.mozilla.javascript.MemberBox.invoke(MemberBox.java:126)
        ... 68 more

    In the trace I can see the token and subject in the token. All of that is looking good.

    Any ideas?


    ------------------------------
    Scott Reichardt
    ------------------------------