IBM Security Verify and generating JWT Token using Open ID Connect (OIDC)
Use OpenID Connect for single sign-on to allow applications to verify the identity of its users based on the authentication that is performed by Verify.
Pre-requisite:
We need to have an IBM Security Verify (30 days free trial)
https://www.ibm.com/in-en/products/verify-for-workforce-iam
Setup:-
Login to IBM Security Verify administration console: https://<your-name>.verify.ibm.com/ui/admin
- Select the application from the 100's of connectors or Click on Custom Application
We can use the Custom Application template to configure an application to act as an OpenID Connect relying party or client application that delegates users authentication to Verify
Under Custom Application mention the Application Name
Settings -> Enabled -> Enabled
Show on Launchpad -> Checked
Go to Sign-on -> Select the Sign-on method
Select Open ID Connect for JWT Token Generation
Select the Grant types ->
- Authorization code
- Implicit
- Device flow
- Resource owner password credentials (ROPC)
Resource Owner Password Credentials (ROPC) is the main grant type we have used for JWT token generation here.
All the grant types can generate JWT access tokens. The grant types to select should be dependent on the type of application and what the RP supports, and ideally we should not be selecting more grant types than what is needed by the application.
Checkout all the grant types supported by Verify :-https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/grant_types.html
Client ID and Client Secret will be generated as soon as we save the configuration
- Proof key for code exchange (PKCE) is used to mitigate authorization code interception attacks. It requires a code challenge before the authorization code flow can proceed. This option is displayed only when the authorization code grant flow is selected.
- User consent -> Choose to ask for consent, If ROPC is the only grant type that is selected for the application, the User Consentoption is hidden
- Redirect URL -> This is a callback URL, you can provide multiple call back URL's for an application. Users will be redirected to this URL after they are authenticated and authorized by Verify.
Token Generation
Define the Token Expiry and Access token format -> JWT
Specify the Signature Algorithm
Choose from the following hashing algorithms to verify the signature:
- HS256
- HS384
- HS512
- RS256 (default value)
- RS384
- RS512
Select the Access Policies -> Choose from the policies or define a policy under policy section
I have selected "Allow access from all devices"
Click Save.
Now Select the API Access tab -> Edit the policies based on the requirement
Note: After API is created, click on edit and get Client ID and Client Secret. Do not share this with anyone. Regarding the screenshot below it, while we do offer a "select all", the best practice would be to only select the ones that you need and nothing more.
Click on Entitlements Tab :- Select the entitlements for users or groups or all
Creation of user
Go to "Users and groups" on IBM Security Identity site
Add a user -> Select the Identity Source
Create the user -> e.g "jwttest"
Work e-mail -> working email address to receive the password
"jwttest" User is created
Test the Configuration:-
We will test the configuration using the user jwttest
1. We will enter the user name and password on a form at the relying party.2. The client sends the user name, password, client ID, and client secret to the token endpoint.
e.g. https://<your-tenantname>.verify.ibm.com/oidc/endpoint/default/token
For the older tenants
https://<your-tenantname>.ice.ibmcloud.com/oidc/endpoint/default/token
client_id : <from the tenant API>
client_secret: <from the tenant API>
username : jwttest (user on the cloud directory)
password : user credentials
grant_type : password
Scope : openid
3. The username and password is validated against Cloud Directory.
4. The Client receives a response that contains an ID token and access token in the response body. Access Token is the JWT token which can be used in the application.
Check out all the response codes from the Verify APIs at
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/references/r_api_response_messages.html
5. We can also run the following curl command (<your-tenantname>, <client-id> and <client-secret>) for generating the access token
curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d 'username=<myusername>&password=<mypassword>&client_id=<from the tenant API>&client_secret=<from the tenant API>&grant_type=password&scope=openid' 'https://<your-tenantname>/v1.0/endpoint/default/token'
Access Token (JWT) is generated
- The access token verifies that the application is authorized to access the requested resource.
The API is able to generate the JSON Web Token (JWT) for the application to use it for authorization. Each JWT carries a signature that can be verified for legitimacy using the corresponding public key of the private key used to sign the token.
We can also validate if the JWT is valid or not -> Go to https://jwt.io to validate the token
Thanks to Product support team (Vivek Jain), Victor soon and Ramesh Yadav for the help
Conclusion:
IBM Security Verify is an easy to use Identity Management Solution which can be used for JWT Token generation.
References:-
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/tasks/oidc_app_sso.html
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/custom_application.html
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/apis.html
https://www.ibm.com/support/knowledgecenter/SSCT62/com.ibm.iamservice.doc/concepts/api_request_examples.html
------------------------------
Vandana Verma Sehgal
Security Solutions Architect, GSI Labs
------------------------------