Original Message:
Sent: Tue May 12, 2020 01:33 AM
From: Shane Weeden
Subject: OAuth for External Users
I'm a little concerned by this line (within the request_type == "authorization") block:
var username = stsuu.getContextAttributes().getAttributeValuesByNameAndType("username", "urn:ibm:names:ITFIM:oauth:request")
I'm fairly sure you should be extracting username from the Principal stsuu attributes (which represent the logged in user), rather than a parameter which might be available in ContextAttributes.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Mon May 11, 2020 03:57 PM
From: Piyush Agrawal
Subject: OAuth for External Users
Thank you very much for all helps.
Now I have added support for both External as well as internal users and also able to pupulate groups for external users.
Here is little code..
config :
[oauth]
external-user-identity-attribute = username
user-identity-attribute = ext-username
external-group-attribute : groups
if (request_type == "authorization") {
var registray_id = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_REGISTRY_ID");
if(registray_id!=null && registray_id.indexOf("ExternalUser") !== -1){
var username = stsuu.getContextAttributes().getAttributeValuesByNameAndType("username", "urn:ibm:names:ITFIM:oauth:request")
OAuthMappingExtUtils.associate(state_id, "extuser", true);
var groups = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_GROUPS");
OAuthMappingExtUtils.associate(state_id, "groups", groups);
}
} else if (request_type == "resource") {
var extuser = OAuthMappingExtUtils.getAssociation(state_id, "extuser");
var groups = OAuthMappingExtUtils.getAssociation(state_id, "groups");
var username_response = stsuu.getContextAttributes().getAttributeValuesByNameAndType("username", "urn:ibm:names:ITFIM:oauth:response:attribute")
if (username_response != null && username_response.length > 0 && extuser) {
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("ext-username" ,"urn:ibm:names:ITFIM:oauth:response:attribute", username_response[0]));
}
if (groups != null && extuser) {
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("groups" ,"urn:ibm:names:ITFIM:oauth:response:attribute", groups));
}
}
------------------------------
Piyush Agrawal
Original Message:
Sent: Mon May 11, 2020 03:57 AM
From: Shane Weeden
Subject: OAuth for External Users
During the request_type == "authorization" flow, use the OAuthMappingExtUtils.associate() method to associate what type of user you have with the stateid of the grant. You can do this for any "attribute" of a user - as you are correct, you only have access to the user credential during /authorize.
Later during request_type == "resource" you can use OAuthMappingExtUtils.getAssociation() to retrieve that information and set the headers that you want.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Fri May 08, 2020 05:53 AM
From: Piyush Agrawal
Subject: OAuth for External Users
Hello Shane,
User credentials like AZN_CRED_REGISTRY_ID is available at (request_type == "authorization") over there I can decide if this user is External or coming from Registry with if(registray_id!=null && registray_id.indexOf("ExternalUser") !== -1)
After decision, I want to push userId as ext-username or usrename so that RSTR Response contains correct attribute information during request_type == "resource"
On WebsealD conf I have following.
[oauth]
external-user-identity-attribute = username
user-identity-attribute = ext-username
------------------------------
Piyush Agrawal
Original Message:
Sent: Fri May 08, 2020 01:49 AM
From: Shane Weeden
Subject: OAuth for External Users
You need (request_type == "resource") to affect what happens when an access token is presented for a resource request.
------------------------------
Shane Weeden
IBM
Original Message:
Sent: Thu May 07, 2020 04:36 PM
From: Piyush Agrawal
Subject: OAuth for External Users
Hello Jon,
I have added following code in bottom of post token mapping rule.
[oauth]
external-user-identity-attribute = username
user-identity-attribute = dummy
if (request_type == "authorization") {
var location_to_save = "Norway";
OAuthMappingExtUtils.associate(state_id, "location", location_to_save);
var registray_id = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_REGISTRY_ID");
if(registray_id!=null && registray_id.indexOf("ExternalUser") !== -1){
var ext_username = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_AUTHZN_ID");
IDMappingExtUtils.traceString("Posttoken debug :: This is a External Username " + ext_username)
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("ext-username" ,"urn:ibm:names:ITFIM:oauth:request", ext_username));
stsuu.addGroup(new com.tivoli.am.fim.trustserver.sts.uuser.Group("min_oversikt","urn:ibm:names:ITFIM:5.1:accessmanager",null));
}else {
IDMappingExtUtils.traceString("Posttoken debug :: This is a Internal User " + registray_id)
}
} else if (request_type == "access_token") {
var loc = OAuthMappingExtUtils.getAssociation(state_id, "location");
var username = stsuu.getContextAttributes().getAttributeValuesByNameAndType("username", "urn:ibm:names:ITFIM:oauth:response:attribute")
var ext_username = stsuu.getContextAttributes().getAttributeValuesByNameAndType("ext-username", "urn:ibm:names:ITFIM:oauth:response:attribute")
IDMappingExtUtils.traceString("Posttoken debug :: access_token :: location value from associations: " + loc);
// IDMappingExtUtils.traceString("Posttoken debug :: access_token :: This is a External User with Registry " + registray_id)
IDMappingExtUtils.traceString("Posttoken debug :: access_token :: This is a External Username " + ext_username)
IDMappingExtUtils.traceString("Posttoken debug :: access_token :: This is a External Username " + username)
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("ext-username" ,"urn:ibm:names:ITFIM:oauth:response:attribute", "121212121212"));
stsuu.addContextAttribute(new com.tivoli.am.fim.trustserver.sts.uuser.Attribute("LOCATION", "urn:ibm:names:ITFIM:oauth:response:attribute", loc));
}
I get access token response like
{access_token=pCILqFq77uUPw18yKaxJ&LOCATION=Norway&ext-username=121212112&refresh_token=hIIkBp3sjAnvH7dLMMaefSNEkzpBoqMhDsy1&scope=read groups location email&token_type=bearer&expires_in=3599}
However there is no change RSTR respone.
And I do not get these custom attributes in respone from https://portal/app/mobile-demo/diag/rest.jsp with access.
Regards,
------------------------------
Piyush Agrawal
Original Message:
Sent: Tue April 28, 2020 11:55 AM
From: Piyush Agrawal
Subject: OAuth for External Users
Thank you for quick help Jon, I have tested following and it works without any changes on mapping rules
user-identity-attribute = dummy
external-user-identity-attribute = username
Now to support both ext and inter user I need to do map the external-user-identity-attribute to a different attribute name and then modify the post-token mapping rule for the OAuth definition to return this attribute name (instead of username) when returning an external user.
I also need to store groups so that it is present in RSTR.
I need to do following:
1. Check if user is ExternalUser.
2. Extract groups then store username and groups with ext-username and ext-groups attribute.
3. map both attributes
4. Modify the post-token mapping rule to return groups using the attribute name specified
------------------------------
Piyush Agrawal
Original Message:
Sent: Fri April 24, 2020 07:11 AM
From: Jon Harry
Subject: OAuth for External Users
Hi Piyush,
When the Reverse Proxy receives an OAuth Access Token, it passes this to the AAC Runtime for validation. It is the attributes in the token returned from this call (an STSUUser object if I remember correctly) which are being referred to in the OAuth configuration stanza. Nothing to do with EAI HTTP headers in this case.
By default, the AAC validation always returns the username in the "username" attribute which means WebSEAL consumes it as an internal user (as a result of user-identity-attribute = username). In order for WebSEAL to treat the user as an external user, you must map the external-user-identity-attribute to a different attribute name and then modify the post-token mapping rule for the OAuth definition to return this attribute name (instead of username) when returning an external user.
As a simple fix (without modifying post-token mapping rule) you can have WebSEAL treat ALL OAuth users as external users by setting:
user-identity-attribute = dummy
external-user-identity-attribute = username
In this case though, internal user group membership will not be reflected in the credential.
It's also worth noting that it is currently not possible to assert group memberships for external users during OAuth Access Token processing.
I hope this helps you to understand the current capabilities.
Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: Fri April 24, 2020 12:41 AM
From: Piyush Agrawal
Subject: OAuth for External Users
Hello,
I am trying to setup api-protection on our Reverse Proxy on ISAM(9.0.6). EAI is configured which creats session for internal as well as external users.
Response Headers added by EAI java application:
- Common Headers:
- am-eai-auth-level, am-eai-redir-url, am-eai-xattrs(Name, systemid,tagvalues)
- Internal User:
- External User:
- am-eai-ext-user-id, am-eai-ext-user-groups
Demo app is enabled as explained on MMFA cookbook and junction is created with iv-creds.
Now I am trying to consume resource like https://portal/app/mobile-demo/diag/rest.jsp with access_token received from /token endpoint.
It works for Internal User but fails for External User and I am redirected to /eai/login for authentication. when I try https://portal/mga/sps/oauth/oauth20/userinfo for same user that it works.
RSTR in Trace log has response: https://drive.google.com/open?id=1Vt6Vltl-D9ik-ThaPU6ZZU6EmpjYeldE
authorized = TRUE and
username = EXTUSER_01
Secure Federation - Global Settings - Point of Contact has "Non-Access Manager, Access Manager Groups and extened attributes" selected
[oauth]
oauth-auth = https
default-fed-id = https://localhost/sps/oauth/oauth20
user-identity-attribute = username
#external-user-identity-attribute =
I also read Allowing external users to perform OAuth authentication
and tried external-user-identity-attribute = am-eai-ext-user-id but that also didn't worked
------------------------------
Piyush Agrawal
------------------------------