IBM Security Verify

Hi all,

 We have a new requirement where we need to have a different authorization url for a specific API definition. So we went ahead and modified the metadata.json file located in Template files -> C -> oauth20 -> metadata.json.

{"issuer":"@ISSUER_IDENTIFIER@",
"authorization_endpoint":"@AUTHORIZE_URL@",
"token_endpoint":"@TOKEN_URL@",
"userinfo_endpoint":"@USERINFO_URL@",
"jwks_uri":"@JWKS_URL@",
"response_types_supported":@RESPONSE_TYPES@,
"response_modes_supported":@RESPONSE_MODES@,
"grant_types_supported":@GRANT_TYPES@,
"id_token_signing_alg_values_supported":@SIGNING_ALG@,
"id_token_encryption_alg_values_supported":@ENCRYPTION_ALG@,
"id_token_encryption_enc_values_supported":@ENCRYPTION_ENC@,
"poc":"@POC_PREFIX@",
"name":"@OAUTH_DEFINITION@",
"introspect_endpoint":"@INTROSPECT_URL@",
"revocation_endpoint":"@REVOKE_URL@",
"registration_endpoint":"@REGISTER_URL@",
"device_authorize_endpoint":"@DEVICE_AUTHORIZE_URL@",
"user_authorize_endpoint":"@USER_AUTHORIZE_URL@"}

 Now since its the master file we modified that the hard coded authorization endpoint (

"authorization_endpoint":

)

is being displayed for all API definitions. Is there a way we can customize this metadata.json per API definition please.

As an effort tried creating a new metadata file ( metadataQT.json) and copied at the same location and added the HTTP transformation on webseal for that file

( <xsl:with-param name="replace" select="'API-DEF/.well-known/openid-configuration'" />
            <xsl:with-param name="by" select="'/oauth20/metadataQT'" />)

)

webseal config entry

([http-transformations:updateuri]
request-match = request:GET /API-DEF/.well-known/openid-configuration*)

If there is a way to do this in any other way possible, do let us know. Thanks for your time.

Thanks

Madhu K

Hi Madhu,

I am looking for same exact scenario, did you have any solution as of now?

Thanks,

Bipin

Hi all,

 We have a new requirement where we need to have a different authorization url for a specific API definition. So we went ahead and modified the metadata.json file located in Template files -> C -> oauth20 -> metadata.json.

{"issuer":"@ISSUER_IDENTIFIER@",
"authorization_endpoint":"@AUTHORIZE_URL@",
"token_endpoint":"@TOKEN_URL@",
"userinfo_endpoint":"@USERINFO_URL@",
"jwks_uri":"@JWKS_URL@",
"response_types_supported":@RESPONSE_TYPES@,
"response_modes_supported":@RESPONSE_MODES@,
"grant_types_supported":@GRANT_TYPES@,
"id_token_signing_alg_values_supported":@SIGNING_ALG@,
"id_token_encryption_alg_values_supported":@ENCRYPTION_ALG@,
"id_token_encryption_enc_values_supported":@ENCRYPTION_ENC@,
"poc":"@POC_PREFIX@",
"name":"@OAUTH_DEFINITION@",
"introspect_endpoint":"@INTROSPECT_URL@",
"revocation_endpoint":"@REVOKE_URL@",
"registration_endpoint":"@REGISTER_URL@",
"device_authorize_endpoint":"@DEVICE_AUTHORIZE_URL@",
"user_authorize_endpoint":"@USER_AUTHORIZE_URL@"}

 Now since its the master file we modified that the hard coded authorization endpoint (

"authorization_endpoint":

)

is being displayed for all API definitions. Is there a way we can customize this metadata.json per API definition please.

As an effort tried creating a new metadata file ( metadataQT.json) and copied at the same location and added the HTTP transformation on webseal for that file

( <xsl:with-param name="replace" select="'API-DEF/.well-known/openid-configuration'" />
            <xsl:with-param name="by" select="'/oauth20/metadataQT'" />)

)

webseal config entry

([http-transformations:updateuri]
request-match = request:GET /API-DEF/.well-known/openid-configuration*)

If there is a way to do this in any other way possible, do let us know. Thanks for your time.

Thanks

Madhu K

You can write Javascript in that metadata.json file.  So for example, if you have sps.httpRequestClaims.enabled set to true, and you are sending the X-Forwarded-Host header from WebSEAL, you can use something like at the top of the metadata.json before the {} metadata block:

<%

fHost = templateContext.request.headers["x-forwarded-host"][0];

%>

Beware I had to do some other coding because the headers can come in any cAsE if you do go that route.  But the point is, you can set variables from javascript.  Then use them later in your metadata:

"authorization_endpoint": "<%=fHost%>",

You can also call functions you have defined up above for the variables, so what I do is something like

"authorization_endpoint": "<%=changePath('@AUTHORIZE_URL@')%>",

Then that will send the original URL from the API definition into your function which can do whatever manipulation and then return the proper path as a string.  In your function use templateContext.macros[myMacro] to fetch the original macro contents.

I customize all my metadata URLs by the incoming host headers because we have some pools that some customers use different hostnames for.  Granted, the OIDC issuer is the hardest thing to overcome since it cannot change and many libraries use it as a starting point to fetch the well-known configuration metadata file, but at least when the metadata is returned the paths are updated for us.

Hope this helps.  Bottom line use javascript and look at that templateContext class.

Hi Madhu,

I am looking for same exact scenario, did you have any solution as of now?

Thanks,

Bipin

Hi all,

 We have a new requirement where we need to have a different authorization url for a specific API definition. So we went ahead and modified the metadata.json file located in Template files -> C -> oauth20 -> metadata.json.

{"issuer":"@ISSUER_IDENTIFIER@",
"authorization_endpoint":"@AUTHORIZE_URL@",
"token_endpoint":"@TOKEN_URL@",
"userinfo_endpoint":"@USERINFO_URL@",
"jwks_uri":"@JWKS_URL@",
"response_types_supported":@RESPONSE_TYPES@,
"response_modes_supported":@RESPONSE_MODES@,
"grant_types_supported":@GRANT_TYPES@,
"id_token_signing_alg_values_supported":@SIGNING_ALG@,
"id_token_encryption_alg_values_supported":@ENCRYPTION_ALG@,
"id_token_encryption_enc_values_supported":@ENCRYPTION_ENC@,
"poc":"@POC_PREFIX@",
"name":"@OAUTH_DEFINITION@",
"introspect_endpoint":"@INTROSPECT_URL@",
"revocation_endpoint":"@REVOKE_URL@",
"registration_endpoint":"@REGISTER_URL@",
"device_authorize_endpoint":"@DEVICE_AUTHORIZE_URL@",
"user_authorize_endpoint":"@USER_AUTHORIZE_URL@"}

 Now since its the master file we modified that the hard coded authorization endpoint (

"authorization_endpoint":

)

is being displayed for all API definitions. Is there a way we can customize this metadata.json per API definition please.

As an effort tried creating a new metadata file ( metadataQT.json) and copied at the same location and added the HTTP transformation on webseal for that file

( <xsl:with-param name="replace" select="'API-DEF/.well-known/openid-configuration'" />
            <xsl:with-param name="by" select="'/oauth20/metadataQT'" />)

)

webseal config entry

([http-transformations:updateuri]
request-match = request:GET /API-DEF/.well-known/openid-configuration*)

If there is a way to do this in any other way possible, do let us know. Thanks for your time.

Thanks

Madhu K

Hi Matt, thanks for the detail explanation.. I was able to figure out as per my requirement.. I am using ISVA 10.0.4

In mobile AAC templates, you can create metadata.json after creating a folder name as your OIDC federation name in "oauth20"

You can write Javascript in that metadata.json file.  So for example, if you have sps.httpRequestClaims.enabled set to true, and you are sending the X-Forwarded-Host header from WebSEAL, you can use something like at the top of the metadata.json before the {} metadata block:

<%

fHost = templateContext.request.headers["x-forwarded-host"][0];

%>

Beware I had to do some other coding because the headers can come in any cAsE if you do go that route.  But the point is, you can set variables from javascript.  Then use them later in your metadata:

"authorization_endpoint": "<%=fHost%>",

You can also call functions you have defined up above for the variables, so what I do is something like

"authorization_endpoint": "<%=changePath('@AUTHORIZE_URL@')%>",

Then that will send the original URL from the API definition into your function which can do whatever manipulation and then return the proper path as a string.  In your function use templateContext.macros[myMacro] to fetch the original macro contents.

I customize all my metadata URLs by the incoming host headers because we have some pools that some customers use different hostnames for.  Granted, the OIDC issuer is the hardest thing to overcome since it cannot change and many libraries use it as a starting point to fetch the well-known configuration metadata file, but at least when the metadata is returned the paths are updated for us.

Hope this helps.  Bottom line use javascript and look at that templateContext class.

Hi Madhu,

I am looking for same exact scenario, did you have any solution as of now?

Thanks,

Bipin

Hi all,

 We have a new requirement where we need to have a different authorization url for a specific API definition. So we went ahead and modified the metadata.json file located in Template files -> C -> oauth20 -> metadata.json.

{"issuer":"@ISSUER_IDENTIFIER@",
"authorization_endpoint":"@AUTHORIZE_URL@",
"token_endpoint":"@TOKEN_URL@",
"userinfo_endpoint":"@USERINFO_URL@",
"jwks_uri":"@JWKS_URL@",
"response_types_supported":@RESPONSE_TYPES@,
"response_modes_supported":@RESPONSE_MODES@,
"grant_types_supported":@GRANT_TYPES@,
"id_token_signing_alg_values_supported":@SIGNING_ALG@,
"id_token_encryption_alg_values_supported":@ENCRYPTION_ALG@,
"id_token_encryption_enc_values_supported":@ENCRYPTION_ENC@,
"poc":"@POC_PREFIX@",
"name":"@OAUTH_DEFINITION@",
"introspect_endpoint":"@INTROSPECT_URL@",
"revocation_endpoint":"@REVOKE_URL@",
"registration_endpoint":"@REGISTER_URL@",
"device_authorize_endpoint":"@DEVICE_AUTHORIZE_URL@",
"user_authorize_endpoint":"@USER_AUTHORIZE_URL@"}

 Now since its the master file we modified that the hard coded authorization endpoint (

"authorization_endpoint":

)

is being displayed for all API definitions. Is there a way we can customize this metadata.json per API definition please.

As an effort tried creating a new metadata file ( metadataQT.json) and copied at the same location and added the HTTP transformation on webseal for that file

( <xsl:with-param name="replace" select="'API-DEF/.well-known/openid-configuration'" />
            <xsl:with-param name="by" select="'/oauth20/metadataQT'" />)

)

webseal config entry

([http-transformations:updateuri]
request-match = request:GET /API-DEF/.well-known/openid-configuration*)

If there is a way to do this in any other way possible, do let us know. Thanks for your time.

Thanks

Madhu K