IBM Security Verify

ISVA Error Customisations

    Posted Mon September 26, 2022 11:48 PM
    Hi Team,

    I'm looking at options to customise the error messages returned by the Fed/ACC ISVA module for OIDC Federations/Definitions. This is for ISVA 10.0.4.

    I'm aware of and use custom errors that can be returned in the mapping scripts by using the method throwSTSCustomUserMessageException, and that the error templates can be customised. However, there are a number of scenarios that directly return errors that I can't see how to customise, and errors returned from an OIDC Provider don't appear to be directly accessible to tailor the error template pages.

    In the first case, when ISVA is acting as the OIDC Provider, with a client registered for PKCE (on authorization code flow), if the request does not include the "code_challenge" request parameter, ISVA will directly return the error "error=invalid_request&error_description=FBTOAU202E+The+required+parameter%3A+%5Bcode_challenge%5D+was+not+found+in+the+request.". Is there any option to set our own content in the error_description parameter or not send the error_description parameter?

    Similarly, this also occurs for the client credentials grant if the request does not include a basic authentication header (as an example); ISVA will directly return the error "{"error_description":"FBTOAU202E The required parameter: [client_id] was not found in the request.","error":"invalid_request"}". Is there any option to set our own content on this error_description parameter too?

    Finally, when ISVA is acting as an OIDC Relying Party, with an error response back from the OIDC Provider (either in the redirect_uri or from the token endpoint), the error templates oidc/rp/error.html and oidc/rp/access_denied.html are returned; however, the only way I can see to process the response is to parse the ERROR_MESSAGE or MSG_EXCEPTION macros, but it is challenging to extract all the required inputs to make a decision. Examples of this macro content are "FBTOIC116E There was an error contacting the [token]. The HTTP Status was: [400]. The JSON error code was: [invalid_request], with the description [FBTOAU202E The required parameter: [code_verifier] was not found in the request.]" and "FBTOIC110E The OpenID provider returned the following error code: [invalid_request].\nDescription: [Authentication Failed].\nError Uri: [null]\nOp Endpoint: [authorize]"

    Any thoughts or considerations on the above most welcome.

    As a final statement, I did look at Reverse Proxy HTTP Transformation Lua scripts to rewrite the content of the ISVA responses (e.g. if the response includes error_description=FBT*, remove error_description), but it doesn't seem like the right way.

    ------------------------------
    Thanks,
    Andrew Bidwell
    ------------------------------
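One way to turn the ERROR_MESSAGE / MSG_EXCEPTION macro text into fields a template can branch on, as an added example that is not from the post or from IBM: a depth-aware parser in plain JavaScript (usable client-side in the error page or in a Node script). It assumes only the two message layouts quoted above; the sample strings are constructed copies of them, and the field names (httpStatus, errorCode, opEndpoint, innerMsgId) are my own.

```javascript
// Constructed copies of the two macro values quoted in the post.
const SAMPLE_TOKEN_ERROR =
  'FBTOIC116E There was an error contacting the [token]. The HTTP Status was: ' +
  '[400]. The JSON error code was: [invalid_request], with the description ' +
  '[FBTOAU202E The required parameter: [code_verifier] was not found in the request.]';
const SAMPLE_AUTHZ_ERROR =
  'FBTOIC110E The OpenID provider returned the following error code: [invalid_request].' +
  '\nDescription: [Authentication Failed].\nError Uri: [null]\nOp Endpoint: [authorize]';

// Message ids at the front of ISVA Fed/ACC errors, e.g. FBTOIC116E or FBTOAU202E.
const MSG_ID_RE = /^(FBT[A-Z]{2,4}\d{3}[EWI])\b/;

// Split a macro string into [label, value] pairs: every top-level "[...]" is a
// value and the text before it is its label. Depth tracking keeps nested
// brackets (the OP's own "[code_verifier]") inside the description value.
function bracketFields(text) {
  const fields = [];
  let depth = 0, label = '', value = '';
  for (const ch of text) {
    if (ch === '[') {
      if (depth++ > 0) value += ch; else value = '';
    } else if (ch === ']') {
      if (--depth > 0) value += ch; else { fields.push([label.trim(), value]); label = ''; }
    } else if (depth === 0) {
      label += ch;
    } else {
      value += ch;
    }
  }
  return fields;
}

// Keyword rules mapping ISVA's free-text labels to stable keys (assumed names);
// matching by keyword covers both the FBTOIC116E and FBTOIC110E layouts.
const LABEL_KEYS = [
  [/http status/i, 'httpStatus'],
  [/error code/i, 'errorCode'],
  [/description/i, 'description'],
  [/error uri/i, 'errorUri'],
  [/op endpoint|contacting the/i, 'opEndpoint'],
];

// Parse one ERROR_MESSAGE / MSG_EXCEPTION value into structured fields.
function parseIsvaError(text) {
  const id = MSG_ID_RE.exec(text);
  const out = { msgId: id ? id[1] : null };
  for (const [label, value] of bracketFields(text)) {
    const rule = LABEL_KEYS.find(([re]) => re.test(label));
    if (rule) out[rule[1]] = value;
  }
  // The description may carry the OP's own message id (FBTOAU202E above);
  // surface it so a template can branch on the root cause, not the wrapper.
  const inner = out.description ? MSG_ID_RE.exec(out.description) : null;
  out.innerMsgId = inner ? inner[1] : null;
  return out;
}
```

Because the parse yields the OP endpoint, HTTP status, error code and inner message id separately, the template only needs a small lookup on those keys rather than string-matching the whole macro.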