Hello Ujjwal
What you are probably missing is a transformation rule on the response that sets the correct application/json content-type.
So create a file named openid-configuration under the /.well-known directory (which also needs to be created) with the JSON object you need, like this.
Create a transformation rule for the response with the following content (you can name it oauth-info-transf.xslt):
<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
<xsl:strip-space elements="*" />
<!-- WebSEAL hands the matched response to the stylesheet as an HTTPResponse
     document; the output must be an HTTPResponseChange document that lists
     the header changes to apply. -->
<xsl:template match="/">
<HTTPResponseChange>
<!-- Set the Content-Type of the static openid-configuration file to
     application/json. action="update" replaces the header returned by the
     junction for the file, so only one Header element is needed here. -->
<Header action="update" name="content-type">application/json</Header>
</HTTPResponseChange>
</xsl:template>
</xsl:stylesheet>
and in the WebSEAL conf add the following:
[http-transformations]
oauth-infoservice = oauth-info-transf.xslt
[http-transformations:oauth-infoservice]
request-match = response:GET /.well-known/*
This will create a response like the one you get if you go to the metadata endpoint:
------------------------------
Gianluca Gargaro
IBM
Roma
------------------------------
Original Message:
Sent: Thu April 30, 2020 05:09 AM
From: Ujjwal Kumar
Subject: OIDC - Discovery endpoint
Hi Peter,
I have two ISAM instances, 9.0.3 and 9.0.7.
From the 9.0.7 instance I downloaded oidc_op_conformance.zip and took the metadata.json file from there.
Then I went to 9.0.3 and followed your steps, pasting the metadata.json file content into it.
I also created the OpenID Connect provider ISAMOP and a partner in it. I tried to access the URL
------------------------------
Ujjwal Kumar
Original Message:
Sent: Thu April 30, 2020 03:30 AM
From: Peter Volckaert
Subject: OIDC - Discovery endpoint
Hi Usman,
Yes, this work-around will also work on 9.0.0, since it's just a file exposed in WebSEAL's web space.
Kind regards, Peter
------------------------------
Peter Volckaert
Senior Sales Engineer
Authentication and Access
IBM Security
Original Message:
Sent: Tue April 28, 2020 07:34 AM
From: UsmanAli Shaik
Subject: OIDC - Discovery endpoint
Hi peter/Folks,
I am working on 9.0.0, where Discovery is listed as a limitation. But would the solution Peter describes work in 9.0.0?
It would help us integrate an application that supports only OpenID Connect. We have an ISAM 9.0.0 version upgrade, but it would take a considerable amount of time.
Thanks,
Usman
------------------------------
UsmanAli Shaik
Original Message:
Sent: Mon January 14, 2019 02:43 AM
From: Peter Volckaert
Subject: OIDC - Discovery endpoint
Hi,
Or alternatively, as a quick-but-not-so-dirty fix, you can simply put the openid_configuration where you want it to be and how you want it to be. So in: https://web-reverse-proxy.com/.well-known/openid-configuration. I have noticed that the openid_configuration generated by ISAM may lack certain fields and/or have too many entries (for example when talking about keys). So it is likely you will end up changing the openid_configuration to your liking anyway.
== Update ==
To do this you must create an extra folder in the management root of your Reverse Proxy. So using Secure Web Settings -> Manage Reverse Proxy -> Manage Management Root -> select "Junction Root" -> File/New/Directory to create the .well_known directory. And then similarly create a file openid_configuration where you put exactly what you want openid_configuration to be. And of course you must set the ACLs right so that the file is e.g. publicly available.
== End of Update ==
Kind regards, Peter.
------------------------------
Peter Volckaert
Sales Engineer
IBM Security
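A relying party such as AWS IAM will only accept the hand-placed openid-configuration file described in Peter's workaround above if it is served as application/json (the point of Gianluca's transformation rule at the top of the thread) and its issuer matches the URL it is served from. The following Python check is an added example for this thread, not code from any of the posts or from IBM; it validates a served discovery document against those requirements. The hostname and endpoint paths are placeholders and the sample document is constructed.

```python
"""Check an OpenID Connect discovery document the way a relying party such as
AWS IAM will consume it: served from issuer + /.well-known/openid-configuration,
Content-Type application/json, valid JSON, required metadata present.

Added example for this thread, not code from the posts or from IBM.
Hostname and endpoint paths are placeholders; all sample data is constructed.
"""
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/openid-configuration"

# Fields OpenID Connect Discovery 1.0 (section 3) marks REQUIRED for an OP.
REQUIRED_FIELDS = (
    "issuer",
    "authorization_endpoint",
    "jwks_uri",
    "response_types_supported",
    "subject_types_supported",
    "id_token_signing_alg_values_supported",
)


def validate_discovery(served_url, content_type, body):
    """Return a list of problems; an empty list means the document is usable."""
    problems = []

    # A reverse proxy serving a static file often labels it text/plain or
    # text/html; strict clients reject anything but application/json.
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type is {content_type!r}, expected application/json")

    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    if not isinstance(doc, dict):
        return problems + ["body is not a JSON object"]

    for field in REQUIRED_FIELDS:
        if field not in doc:
            problems.append(f"missing required field {field!r}")

    # The issuer must be an https URL, and the document must be served from
    # exactly issuer (minus trailing slash) + /.well-known/openid-configuration.
    # Relying parties use this to reject a document served from the wrong host.
    issuer = doc.get("issuer")
    if isinstance(issuer, str):
        if urlsplit(issuer).scheme != "https":
            problems.append(f"issuer {issuer!r} is not an https URL")
        expected = issuer.rstrip("/") + WELL_KNOWN
        if served_url.split("?", 1)[0] != expected:
            problems.append(f"served from {served_url!r} but issuer implies {expected!r}")
    return problems


def fetch_and_validate(url, timeout=10):
    """Fetch a live discovery document and validate it (not used offline)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return validate_discovery(url, resp.headers.get("Content-Type", ""),
                                  resp.read().decode("utf-8"))


# Constructed sample resembling a hand-made openid-configuration file placed in
# the reverse proxy's /.well-known directory. Host and paths are placeholders.
SAMPLE_URL = "https://web-reverse-proxy.com" + WELL_KNOWN
SAMPLE_DOC = {
    "issuer": "https://web-reverse-proxy.com",
    "authorization_endpoint": "https://web-reverse-proxy.com/oauth/authorize",
    "token_endpoint": "https://web-reverse-proxy.com/oauth/token",
    "jwks_uri": "https://web-reverse-proxy.com/oauth/jwks",
    "response_types_supported": ["code"],
    "subject_types_supported": ["public"],
    "id_token_signing_alg_values_supported": ["RS256"],
}


def check_transformed_response():
    """Response after the content-type transformation: no problems expected."""
    return validate_discovery(SAMPLE_URL, "application/json; charset=utf-8",
                              json.dumps(SAMPLE_DOC))


def check_untransformed_response():
    """Same body served as text/plain, as a static file often is: one problem."""
    return validate_discovery(SAMPLE_URL, "text/plain", json.dumps(SAMPLE_DOC))


def check_wrong_issuer():
    """Document copied from another instance without editing the issuer."""
    doc = dict(SAMPLE_DOC, issuer="https://isam-9-0-7.example.internal")
    return validate_discovery(SAMPLE_URL, "application/json", json.dumps(doc))


if __name__ == "__main__":
    for name, fn in [("transformed", check_transformed_response),
                     ("untransformed", check_untransformed_response),
                     ("wrong issuer", check_wrong_issuer)]:
        print(name, "->", fn() or "OK")
```

Point `fetch_and_validate` at your own reverse proxy URL after applying the transformation rule; the issuer check in particular catches a metadata.json copied from another instance, as in Ujjwal's 9.0.7 to 9.0.3 scenario, where the issuer still names the old host.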
Original Message:
Sent: 01-11-2019 05:47 AM
From: Jon Harry
Subject: OIDC - Discovery endpoint
Hello,
You should use the HTTP Transformation capability in the SAM Reverse Proxy to match on the "well known" endpoint and modify the request so that it ends up at the SAM-specific endpoint on the AAC junction.
I'm afraid I don't have example XSL for this to hand but perhaps someone else on this forum can provide for us.
Cheers... Jon.
------------------------------
Jon Harry
Consulting IT Security Specialist
IBM
Original Message:
Sent: 01-11-2019 02:49 AM
From: Magnus Bengtsson
Subject: OIDC - Discovery endpoint
The OpenID Connect Discovery 1.0 incorporating errata set 1 reference:
https://openid.net/specs/openid-connect-discovery-1_0.html
------------------------------
Magnus Bengtsson
Original Message:
Sent: 01-11-2019 02:37 AM
From: Magnus Bengtsson
Subject: OIDC - Discovery endpoint
Hello,
I have a question regarding the OpenID Connect spec in ISAM for an OP scenario where ISAM is acting as the OpenID Provider against Amazon Web Services.
Does anybody know how to enable or configure the ISAM OIDC discovery endpoint so it conforms to the /.well-known/openid-configuration requirements? When you configure an OIDC endpoint via API protection the metadata discovery endpoint is set automatically in ISAM, but AWS IAM requires the metadata endpoint to be:
https://web-reverse-proxy.com/.well-known/openid-configuration
Has anybody in the community successfully setup and configured this? Any assistance would be appreciated.
Thanks
Best regards
Magnus
------------------------------
Magnus
------------------------------