Yes. That’s all CIClient is - a wrapper over HttpClient. Manage it yourself in a helper library and never look back.
Shane.
Original Message:
Sent: 3/14/2023 3:11:00 AM
From: Jonatan Wålegård
Subject: RE: How to call IBM Security Verify API's from IBM ISVA during authentication?
Thanks Shane, your code works flawlessly.
So am I correct to assume that the recommended approach here is to build our own "API client" inside InfoMap? I am thinking I need to supplement with storing the access token in some cache, checking if it is valid, add functionality for refresh token, also store it etc. Eventually building the functionality from scratch.
Well not entirely from scratch since you provided some foundation already, but you get the point.
------------------------------
Jonatan Wålegård
------------------------------
Original Message:
Sent: Mon March 13, 2023 03:26 AM
From: Shane Weeden
Subject: How to call IBM Security Verify API's from IBM ISVA during authentication?
I honestly don't think that function should be exposed at all. Try this:
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.ibm.security.access.server_connections.ServerConnectionFactory);
importClass(Packages.com.ibm.security.access.httpclient.HttpClientV2);
importClass(Packages.com.ibm.security.access.httpclient.Headers);
importClass(Packages.com.ibm.security.access.httpclient.Parameters);

// returns true only if every key in keys is present on object o
function includesAll(o, keys) {
    let result = true;
    keys.forEach(k => {
        if (result && Object.keys(o).indexOf(k) < 0) {
            result = false;
        }
    });
    return result;
}

function getAccessToken() {
    // assumes a server connection of type "IBM Security Verify" has been created with name "myconnection"
    let conn = ServerConnectionFactory.getCiConnectionByName("myconnection");
    let tokenEndpoint = "https://" + conn.getAdminHost() + "/v1.0/endpoint/default/token";
    IDMappingExtUtils.traceString("Using tokenEndpoint: " + tokenEndpoint);

    let headers = new Headers();
    headers.addHeader("Accept", "application/json");

    // client_credentials grant using the client id and secret held in the server connection
    let params = new Parameters();
    params.addParameter("grant_type", "client_credentials");
    params.addParameter("client_id", conn.getClientId());
    params.addParameter("client_secret", conn.getClientSecret());

    let httpClient = new HttpClientV2();
    let httpResponse = httpClient.httpPost(
        tokenEndpoint,
        headers,
        params,
        null,
        null,
        null,
        null,
        null);

    if (httpResponse != null && httpResponse.getCode() == 200) {
        let res = JSON.parse('' + httpResponse.getBody());
        // sanity check that this is JSON with the fields we need
        if (!(res != null && includesAll(res, ["access_token", "token_type", "expires_in"]))) {
            throw "Response from token endpoint does not contain required fields";
        } else {
            return res["access_token"];
        }
    } else {
        throw "Invalid HTTP response obtaining access_token";
    }
}
------------------------------
Shane Weeden
IBM
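The token caching raised later in the thread, sketched as an added example that is not code from either poster or from IBM. It assumes a hypothetical `fetchToken()` that returns the whole parsed token response (the `getAccessToken()` above returns only the `access_token` string), a hypothetical `store` with `get`/`put`/`remove`, and a `now()` that returns epoch seconds; all three are injected so the logic can be exercised outside the appliance.

```javascript
// Added example, not code from the thread. fetchToken, store and now are
// hypothetical injected dependencies so the logic runs outside the appliance.
const SKEW_SECONDS = 60; // stop using a token this long before it expires
function makeTokenProvider(fetchToken, store, now) {
  const KEY = "verify_api_token"; // constructed cache key
  function get() {
    const raw = store.get(KEY);
    if (raw != null) {
      const cached = JSON.parse("" + raw);
      if (cached.expiresAt - SKEW_SECONDS > now()) {
        return cached.accessToken; // still valid, no network call
      }
    }
    // client_credentials responses normally carry no refresh_token
    // (RFC 6749 section 4.4.3), so "refresh" is just a new token request.
    const res = fetchToken();
    const ttl = res == null ? NaN : Number(res.expires_in);
    if (res == null || typeof res.access_token !== "string" || !(ttl > 0)) {
      throw new Error("Token response missing access_token or expires_in");
    }
    const entry = { accessToken: res.access_token, expiresAt: now() + ttl };
    store.put(KEY, JSON.stringify(entry), ttl);
    return res.access_token;
  }
  function invalidate() { store.remove(KEY); } // call after an API 401
  return { get: get, invalidate: invalidate };
}
// In-memory stand-in for a shared cache (constructed for this example).
function memoryStore() {
  const m = new Map();
  return {
    get: k => (m.has(k) ? m.get(k) : null),
    put: (k, v, ttlSeconds) => { m.set(k, v); },
    remove: k => { m.delete(k); }
  };
}
// Constructed demo: fake clock and a fake token endpoint that counts calls.
function demo() {
  let t = 1000, calls = 0;
  const fake = () => ({ access_token: "tok" + (++calls), expires_in: 3600 });
  const p = makeTokenProvider(fake, memoryStore(), () => t);
  const a = p.get(), b = p.get(); // fetch once, then cache hit
  t += 3600 - 30;                 // now inside the skew window
  const c = p.get();              // fetched again
  p.invalidate();
  const d = p.get();              // fetched again after invalidate
  return { a, b, c, d, calls };
}
```

The cached value is a bearer credential, so the cache key and the token should stay out of trace output.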
Original Message:
Sent: Fri March 10, 2023 04:11 AM
From: Jonatan Wålegård
Subject: How to call IBM Security Verify API's from IBM ISVA during authentication?
Hi,
The idea is simple.
I want to be able to call the Verify APIs during an authentication flow in ISVA.
To authenticate toward the API I would need to use an access token since this seems to be the only supported way.
But the question is how I get ahold of one via InfoMap.
I thought about using the already built in PIP API function in ISVA, but it only supports certificate or basic login.
I also thought about trying to get the access token that is already being used by ISVA to communicate with Verify, and I just happened to stumble upon this inside the ISVA JavaDoc:
Under com.ibm.security.access.ciclient.CiClientV2
This is great! Apart from the fact that it's not allowed to use inside InfoMap, since it's prohibited. The IBM documentation whitelists the ciclient for InfoMap so I'm not sure what's going on here.
Any ideas of what the best approach would be here for me to be able to call Verify APIs via InfoMap? Or any other way during authentication flow?
------------------------------
Jonatan Wålegård
------------------------------