IBM Security Verify

  • 1.  A new metadata.json file for API definition

    Posted Wed March 01, 2023 11:34 AM

    Hi all,

     We have a new requirement where we need to have a different authorization url for a specific API definition. So we went ahead and modified the metadata.json file located in Template files -> C -> oauth20 -> metadata.json.

    {"issuer":"@ISSUER_IDENTIFIER@",
    "authorization_endpoint":"@AUTHORIZE_URL@",
    "token_endpoint":"@TOKEN_URL@",
    "userinfo_endpoint":"@USERINFO_URL@",
    "jwks_uri":"@JWKS_URL@",
    "response_types_supported":@RESPONSE_TYPES@,
    "response_modes_supported":@RESPONSE_MODES@,
    "grant_types_supported":@GRANT_TYPES@,
    "id_token_signing_alg_values_supported":@SIGNING_ALG@,
    "id_token_encryption_alg_values_supported":@ENCRYPTION_ALG@,
    "id_token_encryption_enc_values_supported":@ENCRYPTION_ENC@,
    "poc":"@POC_PREFIX@",
    "name":"@OAUTH_DEFINITION@",
    "introspect_endpoint":"@INTROSPECT_URL@",
    "revocation_endpoint":"@REVOKE_URL@",
    "registration_endpoint":"@REGISTER_URL@",
    "device_authorize_endpoint":"@DEVICE_AUTHORIZE_URL@",
    "user_authorize_endpoint":"@USER_AUTHORIZE_URL@"}

    Now, since it's the master file we modified, the hard-coded authorization endpoint ("authorization_endpoint") is being displayed for all API definitions. Is there a way we can customize this metadata.json per API definition, please?

    As an attempt, we tried creating a new metadata file (metadataQT.json), copied it to the same location, and added an HTTP transformation on WebSEAL for that file:

    <xsl:with-param name="replace" select="'API-DEF/.well-known/openid-configuration'" />
    <xsl:with-param name="by" select="'/oauth20/metadataQT'" />

    WebSEAL config entry:

    [http-transformations:updateuri]
    request-match = request:GET /API-DEF/.well-known/openid-configuration*

    If there is a way to do this in any other way possible, do let us know. Thanks for your time.

    Thanks

    Madhu K

        



    ------------------------------
    Madhu Kolli
    ------------------------------


  • 2.  RE: A new metadata.json file for API definition

    Posted Mon November 06, 2023 07:46 PM

    Hi Madhu,

    I am looking at the same exact scenario. Do you have any solution as of now?

    Thanks,

    Bipin



    ------------------------------
    Bipin Dash
    ------------------------------



  • 3.  RE: A new metadata.json file for API definition

    IBM Champion
    Posted Tue November 07, 2023 08:42 AM

    You can write JavaScript in that metadata.json file.  So for example, if you have sps.httpRequestClaims.enabled set to true, and you are sending the X-Forwarded-Host header from WebSEAL, you can use something like this at the top of the metadata.json, before the {} metadata block:

    <%
    // first value of the forwarded host header, as sent by WebSEAL
    var fHost = templateContext.request.headers["x-forwarded-host"][0];
    %>

    Beware, I had to do some other coding because the headers can come in any cAsE if you do go that route.  But the point is, you can set variables from JavaScript.  Then use them later in your metadata:

    "authorization_endpoint": "<%=fHost%>",

    You can also call functions you have defined up above for the variables, so what I do is something like:

    "authorization_endpoint": "<%=changePath('@AUTHORIZE_URL@')%>",

    Then that will send the original URL from the API definition into your function, which can do whatever manipulation and then return the proper path as a string.  In your function, use templateContext.macros[myMacro] to fetch the original macro contents.

    I customize all my metadata URLs by the incoming host headers because we have some pools that some customers use different hostnames for.  Granted, the OIDC issuer is the hardest thing to overcome since it cannot change and many libraries use it as a starting point to fetch the well-known configuration metadata file, but at least when the metadata is returned the paths are updated for us.

    Hope this helps.  Bottom line: use JavaScript and look at that templateContext class.



    ------------------------------
    Matt Jenkins
    ------------------------------
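    The changePath() helper Matt describes, written out as an added example that is not code from the thread or from ISVA. It assumes only the two shapes the thread shows (templateContext.request.headers[name][0] and templateContext.macros[name]); the templateContext object below is a constructed stand-in so the block runs in Node, and the allowlist is an addition so that a forwarded host is only reflected into the metadata when it is one we expect.

    ```javascript
    // templateContext is a CONSTRUCTED stand-in for the object the ISVA template engine
    // exposes; only request.headers[name][0] and macros[name], as shown in the thread,
    // are assumed. Header names are deliberately mixed-case to exercise the lookup.
    var templateContext = {
      request: {
        headers: { "X-Forwarded-Host": ["api.example.com"], Host: ["isva-internal.local"] }
      },
      macros: {
        "@AUTHORIZE_URL@": "https://isva-internal.local/mga/sps/oauth/oauth20/authorize",
        "@TOKEN_URL@": "https://isva-internal.local/mga/sps/oauth/oauth20/token"
      }
    };

    // Hostnames we are willing to advertise. X-Forwarded-Host is only trustworthy when
    // WebSEAL sets it; the allowlist stops a client-supplied value from being reflected
    // into authorization_endpoint and the other URLs.
    var ALLOWED_HOSTS = ["api.example.com", "partner.example.net"];

    // Case-insensitive header lookup: returns the first value, or null if absent.
    function getHeader(name) {
      var headers = templateContext.request.headers;
      var wanted = name.toLowerCase();
      var keys = Object.keys(headers);
      for (var i = 0; i < keys.length; i++) {
        if (keys[i].toLowerCase() === wanted) {
          var values = headers[keys[i]];
          return values && values.length ? values[0] : null;
        }
      }
      return null;
    }

    // Return the macro's URL with its host swapped for the allowlisted forwarded host.
    // Falls back to the unmodified macro when the header is missing or not allowlisted,
    // and to "" when the macro itself does not exist.
    function changePath(macroName) {
      var original = templateContext.macros[macroName];
      if (!original) return "";
      var fHost = getHeader("x-forwarded-host");
      if (!fHost || ALLOWED_HOSTS.indexOf(fHost.toLowerCase()) === -1) return original;
      // Replace only the authority; scheme, path and query stay as the definition set them.
      var m = /^(https?:\/\/)([^\/]+)(.*)$/.exec(original);
      return m ? m[1] + fHost + m[3] : original;
    }

    // In the real template these definitions sit inside <% ... %> above the JSON block,
    // which then uses "authorization_endpoint": "<%=changePath('@AUTHORIZE_URL@')%>".
    ```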



  • 4.  RE: A new metadata.json file for API definition

    Posted Tue November 07, 2023 09:20 AM

    Hi Matt, thanks for the detailed explanation. I was able to figure it out as per my requirement. I am using ISVA 10.0.4.

    In the mobile AAC templates, you can create metadata.json after creating a folder named after your OIDC federation name in "oauth20".



    ------------------------------
    Bipin Dash
    ------------------------------



  • 5.  RE: A new metadata.json file for API definition

    IBM Champion
    Posted Tue November 07, 2023 09:57 AM

    Nice, I forgot about that!  Our requirement was to vary the URLs by incoming request regardless of the definition, hence the JavaScript.  But what you describe is a lot easier if you just need static values that differ for each definition!  Thanks for sharing!



    ------------------------------
    Matt Jenkins
    ------------------------------