IBM Security Verify

 View Only
  • 1.  Oauth-introspect in Webseal

    Posted Fri December 09, 2022 02:30 PM
    I was looking through a blog post on the Oauth-introspect stanza in Webseal which allows Webseal to introspect a bearer token with an external provider and provide access to protect resources- 
    However I am missing the part on how to protect the junction so that it can use this flow . The blog post says the oauth-introspection can be configured for a particular junction but is there an additional POP that is needed?

    I basically have a currently unprotected junction that I want to protect - ie users will request this junction with a bearer token and looking to see if Webseal can introspect this with an external ( another ISAM domain ) provider and allow access if the introspect returns active .

    OAuth: WebSEAL and Cloud Identity

    Y V

  • 2.  RE: Oauth-introspect in Webseal

    Posted Sun December 11, 2022 04:35 PM



    The standard authorization model (i.e. ACLs/POPs) are used to tell WebSEAL that an authentication is required.  When authentication is required for a request, and the OAuth introspect endpoint has been configured, WebSEAL will search the request for the OAuth token (embedded within the authorization header), and use this to trigger an OAuth introspection of the token.  The per-junction configuration option simply means that you can configure different introspect endpoints for different junctions.


    I hope that this helps.



    Scott A. Exton
    Senior Software Engineer
    Chief Programmer - IBM Security Verify Access

    IBM Master Inventor

    cid4122760825*<a href=image002.png@01D85F83.85516C50">



  • 3.  RE: Oauth-introspect in Webseal

    Posted Tue January 31, 2023 09:57 PM
    yes , that definitely helps ! Sorry for the late reply - just wanted to thank you !

    Y V