IBM Security Verify

  • 1.  ISVA 9 - InfoMap lose session info after POST to TOTP policy

    Posted Thu March 30, 2023 09:19 AM

    Good morning,

    We're implementing an InfoMap with the aim of verifying a TOTP. We retrieve all the required information from the session, as follows:

    // read the username that the earlier authentication step stored in the session
    var username = context.get(Scope.SESSION, "urn:ibm:security:asf:response:token:attributes", "username");

    and everything works fine.

    Then, we prepare a JSON like the following:

        // body of the verify request; the OTP is coerced to a string
        var jsonRequest = {
            "otp": "" + otp,
            "operation": "verify"
        };

    to perform a POST to /apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:totp in order to verify the TOTP.

    The headers we add are:

            headers.addHeader("Content-Type", "application/json");
            headers.addHeader("Accept", "application/json");
            headers.addHeader("Cookie", cookiesArray[0]);

    But when we perform the POST using this method:

    // POST the JSON body with the headers above; the remaining arguments (trust store, basic-auth credentials, client key store and alias) are left empty
    com.ibm.security.access.httpclient.HttpClient.httpPost(url, headers, JSON.stringify(jsonRequest), "", "", "", "", "");

    we get the correct TOTP validation, but after the POST all the session info is lost, and even though the TOTP was verified successfully, authentication does not end well and we get the error HPDIA0114E Could not acquire a client credential.

    We checked that it is because the responseToken in the session info is missing, but this is strange, since we added "operation":"verify" and everything should work well.



    ------------------------------
    Marco Smorti
    ------------------------------


  • 2.  RE: ISVA 9 - InfoMap lose session info after POST to TOTP policy

    Posted Fri March 31, 2023 09:07 AM

    We solved it with the following workaround (which I leave here for reference).

    The PUT/POST made to /apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:totp for the check returns 204 No Content on success. This means that all the application state is reset.

    To solve this problem, after the TOTP check just perform a GET to the same API, which will return 200 OK and recover the session state again.



    ------------------------------
    Marco Smorti
    ------------------------------
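The POST-then-GET sequence described in the two posts above, written out as an added example that is not code from the thread or from IBM. It is plain Node.js: the ISVA mapping-rule objects (context, Scope, the Java Headers class and com.ibm.security.access.httpclient.HttpClient) are not available outside the appliance, so the function takes an injected client whose post(url, headers, body) and get(url, headers) methods are assumed to return { code, body } and, in a real rule, would wrap the httpPost/httpGet calls shown in the question. The stub client, the session cookie value, the OTP and the base URL are all constructed for the example. The function fails closed: only a 204/200 on the verify POST followed by a 200 on the recovery GET counts as success, because a verified OTP with a lost session is exactly the state that produced the HPDIA0114E error.

```javascript
// Added example, not from the original thread. Demonstrates the workaround:
// POST "operation":"verify" to the TOTP policy, then GET the same policy so
// the 200 OK response restores the session state that the 204 discarded.
// ASSUMPTION: `client.post(url, headers, body)` and `client.get(url, headers)`
// return { code, body }; in an ISVA mapping rule they would wrap
// HttpClient.httpPost / httpGet. Here a constructed stub stands in for them.

const TOTP_POLICY_PATH = "/apiauthsvc?PolicyId=urn:ibm:security:authentication:asf:totp";

// Verify an OTP against the TOTP policy and then re-establish the session
// state. Callers must treat only verified === true && sessionRecovered === true
// as success; every other outcome is a failure (fail closed).
function verifyTotpAndRecoverSession(client, baseUrl, otp, cookie) {
  const url = baseUrl + TOTP_POLICY_PATH;
  const headers = {
    "Content-Type": "application/json",
    "Accept": "application/json",
    "Cookie": cookie,
  };

  // Step 1: the verify POST from the question. The OTP is sent as a string.
  const body = JSON.stringify({ otp: String(otp), operation: "verify" });
  const postResp = client.post(url, headers, body);
  if (postResp.code !== 204 && postResp.code !== 200) {
    return { verified: false, sessionRecovered: false, reason: "verify returned HTTP " + postResp.code };
  }

  // Step 2: the answer's workaround. A 204 No Content resets the application
  // state, so GET the same policy and require a 200 OK before proceeding.
  const getResp = client.get(url, { "Accept": "application/json", "Cookie": cookie });
  if (getResp.code !== 200) {
    return { verified: true, sessionRecovered: false, reason: "recovery GET returned HTTP " + getResp.code };
  }
  return { verified: true, sessionRecovered: true, reason: "ok" };
}

// Constructed stub standing in for the ISVA authentication service. It knows
// one session cookie and one valid OTP (both invented for this example),
// answers 204 on a correct verify, 400 on a wrong OTP or malformed body,
// 401 on a wrong cookie or path, and 200 with a state document on GET.
function makeStubClient() {
  const VALID_COOKIE = "PD-S-SESSION-ID=constructed-session-value";
  const VALID_OTP = "123456";
  return {
    post(url, headers, body) {
      if (!url.endsWith(TOTP_POLICY_PATH) || headers["Cookie"] !== VALID_COOKIE) {
        return { code: 401, body: "" };
      }
      let req;
      try {
        req = JSON.parse(body);
      } catch (e) {
        return { code: 400, body: "" };
      }
      if (req.operation === "verify" && req.otp === VALID_OTP) {
        return { code: 204, body: "" };
      }
      return { code: 400, body: JSON.stringify({ message: "invalid otp" }) };
    },
    get(url, headers) {
      if (!url.endsWith(TOTP_POLICY_PATH) || headers["Cookie"] !== VALID_COOKIE) {
        return { code: 401, body: "" };
      }
      return { code: 200, body: JSON.stringify({ state: "totp_verified" }) };
    },
  };
}

// Stand-alone run against the constructed stub.
const demo = verifyTotpAndRecoverSession(
  makeStubClient(), "https://isva.example.test", "123456", "PD-S-SESSION-ID=constructed-session-value");
console.log(demo);
```

In a real mapping rule the cookie would come from the incoming request as in the question (cookiesArray[0]) and the adapter would pass the Headers object and empty trust-store/credential arguments through to httpPost/httpGet; the control flow stays the same.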