IBM Security Verify

  • 1.  HTML coming back in response instead of JSON

    Posted Wed February 12, 2020 05:11 PM
    We are attempting to trigger an access policy and get a JSON return as is documented here: https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.7/com.ibm.isam.doc/develop/concept/con_use_curl_access_token.html

    When we trigger the access policy in Postman, it returns the HTML page rather than the JSON response as the 1st command does.  We are passing in the accept: application/json and content-type: application/json headers, and I can see them in the pdweb.debug trace.  What are we missing to get a JSON return?

    ------------------------------
    Angela Klein
    ------------------------------


  • 2.  RE: HTML coming back in response instead of JSON

    Posted Wed February 12, 2020 06:01 PM
    Hello Angela,

    What is the full request that returns HTML instead of JSON?

    ------------------------------
    JACK YARBOROUGH
    ------------------------------



  • 3.  RE: HTML coming back in response instead of JSON

    Posted Wed February 12, 2020 09:55 PM
    The domain is a virtual host junction and the /static/mfa.json is on that backend server.  We have the access policy attached to the VHJ/static/mfa.json.  It is returning the HTML of the MFA selection page, so the access policy is triggering as expected.  Based on the link I had posted above, it appears that we should be able to get the JSON back that would help us decide if we need to do API calls for MFA.

    curl --location --request GET 'https://<domain>/static/mfa.json' \
    --header 'accept: application/json' \
    --header 'Content-Type: application/json' \
    --header 'Authorization: Bearer <JWT access_token>'

    ------------------------------
    Angela Klein
    ------------------------------



  • 4.  RE: HTML coming back in response instead of JSON

    Posted Thu February 13, 2020 08:49 AM
    Hello,

    There are two Access Manager components that can return pages to the client.  One is the Reverse Proxy and the other is the AAC Authentication Service.

    The Reverse Proxy (WebSEAL) will respond with JSON if the incoming request has application/json in the content-type or accept headers.

    The AAC Authentication Service doesn't work this way (unfortunately).  It decides whether to return JSON or HTML based on which Authentication Service endpoint is called.  If the /sps/authsvc endpoint is used, it will return HTML. If the /sps/apiauthsvc endpoint is used it will return JSON.

    When triggering the Authentication Service from an AAC Authorization Policy, it returns an obligation to the Reverse Proxy, which redirects to the Authentication Service based on the obligation mappings in the Reverse Proxy configuration file.  If you want to get JSON back, make sure the mapping for the TOTP obligation maps to the apiauthsvc endpoint.

    I hope this helps.

    Jon.

    ------------------------------
    Jon Harry
    Consulting IT Security Specialist
    IBM
    ------------------------------
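
To confirm which obligation mapping is in effect without reading the Reverse Proxy configuration, the redirect target can be inspected when the client does not follow redirects. The following is an added example, not part of the original thread or IBM's code; it assumes the step-up is visible as a `Location` header, and the `/mga` junction name, host name and `PolicyId` value in the sample responses are constructed.

```python
from urllib.parse import urlsplit

# Constructed sample response heads (not captured from a real appliance).
# The /mga junction, host name and PolicyId value are assumptions.
HTML_REDIRECT = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "location: https://www.example.test/mga/sps/authsvc?PolicyId=urn:example:policy\r\n"
    "content-type: text/html\r\n\r\n"
)
JSON_REDIRECT = (
    "HTTP/1.1 302 Moved Temporarily\r\n"
    "location: /mga/sps/apiauthsvc?PolicyId=urn:example:policy\r\n\r\n"
)
BACKEND_OK = "HTTP/1.1 200 OK\r\ncontent-type: application/json\r\n\r\n"


def parse_head(raw):
    """Split a raw response head into (status_code, {lowercased header: value})."""
    lines = raw.replace("\r\n", "\n").split("\n\n", 1)[0].split("\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def stepup_endpoint(raw):
    """Return 'apiauthsvc', 'authsvc', or None when no step-up redirect is seen."""
    status, headers = parse_head(raw)
    if status not in (301, 302, 303, 307, 308) or "location" not in headers:
        return None
    # Compare whole path segments: "authsvc" is a substring of "apiauthsvc",
    # so a plain substring test would misreport the JSON endpoint as HTML.
    segments = urlsplit(headers["location"]).path.split("/")
    for i, seg in enumerate(segments[:-1]):
        if seg == "sps" and segments[i + 1] in ("apiauthsvc", "authsvc"):
            return segments[i + 1]
    return None


if __name__ == "__main__":
    for name, raw in [("html", HTML_REDIRECT), ("json", JSON_REDIRECT), ("backend", BACKEND_OK)]:
        print(name, "->", stepup_endpoint(raw))
```

A result of `authsvc` means the client will receive the HTML pages; `apiauthsvc` means the JSON responses described in the post above.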



  • 5.  RE: HTML coming back in response instead of JSON

    Posted Thu February 13, 2020 09:12 AM
    Jon,
    Thank you!  That was it! 

    Now onto the next challenge of always returning that and not automatically sending the MFA OTP if there is only 1 option registered.

    ------------------------------
    Angela Klein
    ------------------------------