Thank you Scott and Philip for your replies.
In my scenario I need CC tokens to work and to segment each junction to each client.
ClientA only has access to JunctionA
ClientB only has access to JunctionB
The easiest way to do it is by creating a user to match the client and giving that user ACL access to JunctionA. I can confirm it works.
Probably it is possible via external users and mapping rules but it seems complicated. Might be interesting to brainstorm how to do it.
Thanks for your precious support both.
S.
Original Message:
Sent: Thu July 25, 2024 02:12 AM
From: Philip Nye
Subject: WebSeal bearer oauth authentication
At a high level - there is no difference to how the reverse proxy perceives the OAuth AT whether it was an ROPC or CC flow.
The RP will call the OAuth Mapping rules to validate the tokens, and it will return a username associated.
Usually with ROPC - you'll get a username - and it will then build the credential based on that username from LDAP.
For CC - I *think* you'll get a username that is the client ID. Which WON'T be in LDAP.
So you can do one of two things,
1) you can define a user that is the ClientID, and you might find that's sufficient to allow you to proceed,
2) You can configure OAuth for 'external' users - or users that aren't in LDAP.
https://community.ibm.com/community/user/security/discussion/oauth-for-external-users
is an in-depth conversation on this topic.
Where you might want to apply logic to only do this for a client_credentials generated credential.
------------------------------
Philip Nye
IBM
Gold Coast
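The credential-building step Philip describes, and the two ways to make a client_credentials token usable, as an added model written for this thread. It is not IBM Security Verify Access code and does not use the product's mapping-rule API; the directory contents, client IDs, junction names and the introspection-style token shape are constructed for the example.

```javascript
// Constructed model of the reverse-proxy flow: mapping rule -> username -> credential -> junction ACL.
const LDAP_USERS = new Set(["alice", "bob"]);            // constructed LDAP directory contents
const CLIENT_ID_USERS = new Set(["clientA"]);             // option 1: users pre-created to match client IDs
const EXTERNAL_USER_GRANTS = new Set(["client_credentials"]); // option 2: external users, CC tokens only

// Per-client segmentation from the thread: each junction lists the principals allowed to reach it.
const JUNCTION_ACL = {
  "/junctionA": new Set(["alice", "clientA"]),
  "/junctionB": new Set(["clientB"]),
};

// What the OAuth mapping rule hands back after validating a token (constructed token shape).
// ROPC tokens carry the resource owner's username; CC tokens carry only the client ID.
function mapToken(token) {
  if (!token.active) return null;
  const username = token.grant_type === "client_credentials" ? token.client_id : token.username;
  return { username, grantType: token.grant_type };
}

// Build the credential: LDAP first, then a user created to match the client ID,
// then an external (non-LDAP) user only when enabled and only for CC-generated credentials.
function buildCredential(mapped, opts = {}) {
  if (!mapped) return { ok: false, reason: "invalid_token" };
  const { username, grantType } = mapped;
  if (LDAP_USERS.has(username)) return { ok: true, principal: username, source: "ldap" };
  if (CLIENT_ID_USERS.has(username)) return { ok: true, principal: username, source: "client-id-user" };
  if (opts.externalUsers && EXTERNAL_USER_GRANTS.has(grantType)) {
    return { ok: true, principal: username, source: "external" };
  }
  return { ok: false, reason: "user_not_found" };
}

// Authorize a request to a junction: no credential -> 401, credential but no ACL entry -> 403.
function authorize(junction, token, opts) {
  const cred = buildCredential(mapToken(token), opts);
  if (!cred.ok) return { status: 401, reason: cred.reason };
  const allowed = JUNCTION_ACL[junction];
  if (!allowed || !allowed.has(cred.principal)) return { status: 403, reason: "acl_denied" };
  return { status: 200, principal: cred.principal, source: cred.source };
}

// Constructed sample tokens, as the mapping rule would see them after validation.
const ROPC_ALICE = { active: true, grant_type: "password", username: "alice" };
const CC_CLIENT_A = { active: true, grant_type: "client_credentials", client_id: "clientA" };
const CC_CLIENT_B = { active: true, grant_type: "client_credentials", client_id: "clientB" };
```

With external users disabled, clientB's CC token fails at credential build (401, user_not_found) even though JunctionB's ACL names it; enabling external users lets it through while still keeping clientA out of JunctionB.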
Original Message:
Sent: Wed July 24, 2024 05:59 AM
From: Sascha W
Subject: WebSeal bearer oauth authentication
Hi,
I'm trying to protect an API on WebSEAL with OAuth.
It only works OOTB with ROPC tokens (probably because they can be linked to a stssu user).
Reading the documentation, I can't find a complete guide to enable bearer tokens (from the client_credential flow specifically) to work.
I believe it needs STS chains and a mapping rule to be configured but I can't find it.
I know it can be done with JWTs (OAuth: JWT as an Access Token) but in this scenario I need just bearers.
Documentation says nothing specific or technical on how to achieve it (OAuth Authentication).
Since my environment is upgraded from very old versions, maybe this feature is now enabled by default on newer releases but needs to be manually configured on older ones?
Thanks to anyone who will help.
Sascha