IBM Security Verify

  • 1.  OAuth: JWT as an Access Token

    Posted Wed March 22, 2023 09:19 AM

    Hi all,

    I would like to modify the configuration of IBM Security Verify Access 10.0.5.0 to have Access Token as JWT instead of opaque token. I found this documentation:

    https://www.ibm.com/blogs/security-identity-access/oauth-jwt-access-token/

    There is a URL in it, which is unfortunately broken: "The contents of the files are available here", and I got the "This shared file or folder has been removed" message.

    Can you please help me find where I can download the jwt_at_common.js and the jwt_at_pre.js files, or is there a newer version of this documentation?

    Thank you in advance,

    Gyula



    ------------------------------
    Gyula Domonkos
    ------------------------------


  • 2.  RE: OAuth: JWT as an Access Token
    Best Answer

    Posted Thu March 23, 2023 04:05 AM

    Hi Gyula,

    Can you try again with the following link?

    https://community.ibm.com/community/user/security/blogs/sumana-narasipur/2018/07/19/oauth-jwt-access-token



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 3.  RE: OAuth: JWT as an Access Token

    Posted Thu March 23, 2023 05:19 AM

    Hi Sumana,

    thank you for the quick reply.

    Perfect! I was able to download the files from this link.



    ------------------------------
    Gyula Domonkos
    ------------------------------



  • 4.  RE: OAuth: JWT as an Access Token

    Posted Tue April 18, 2023 07:58 AM

    Hi Sumana
    In the article is a link to the jwt_at_common.js and jwt_at_pre.js:
    "The contents of the files are available here", however I don't get access even when logging in to Box. Can the content be accessed elsewhere?



    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------



  • 5.  RE: OAuth: JWT as an Access Token

    Posted Tue April 18, 2023 07:26 PM

    Hi Kim,

    I have updated the link, please let me know if you still have issues.



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 6.  RE: OAuth: JWT as an Access Token

    Posted Wed April 19, 2023 03:02 AM

    Hi Sumana
    Thanks a lot for a prompt reply - the link is working



    ------------------------------
    Kim Petersen
    Specialist
    ATP
    ------------------------------



  • 7.  RE: OAuth: JWT as an Access Token

    Posted Tue June 06, 2023 07:41 AM

    Hello Sumana, 

    in your article Reverse proxy authentication with OAuth you mentioned a mapping rule called "jwt_at_validate.js". Where can I find this mapping rule?

    Best regards

    Thomas



    ------------------------------
    Thomas Renner
    ------------------------------



  • 8.  RE: OAuth: JWT as an Access Token

    Posted Tue June 06, 2023 09:04 PM

    Hi Thomas, 

    Thank you for pointing it out, I have uploaded it here

    https://ibm.ent.box.com/s/zh7pqxaumx37te4xshzbktovk8rjrum7



    ------------------------------
    Sumana Narasipur
    ------------------------------



  • 9.  RE: OAuth: JWT as an Access Token

    Posted Wed June 07, 2023 07:41 AM
    Edited by Thomas Renner Wed June 07, 2023 07:46 AM

    Hi Sumana, 

    doing a Reverse Proxy authentication with JWT in Authorization Bearer is working for me now, thanks a lot.
    I was also trying to check the access token as JWT via the introspection endpoint, but I still get the following error message in CURL:

    CURL Request (access token and endpoint URL are not real data):

    curl -k -v  -H "Content-Type: application/x-www-form-urlencoded" -H "Accept: application/json" -d "token=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c&client_id=tui-testJWT" https://Webseal.domain/mga/sps/oauth/oauth20/introspect

    CURL error:

    {"error_description":"Client not found in response","error":"mapping_error"}* Connection #0 to host proxy.in.audi.vwg left intact

    My assumption is that the snippet

    importMappingRule("jwt_at_pre");

    was included at the wrong position in my pre-token-mapping rule. I added it at the end of my pre-token-mapping rule. Do I include this snippet at a fixed position?

    It seems there is no call to the new introspection endpoint validating this access token as JWT. Instead, the validation of the access token as an opaque string via the introspection endpoint is still working.

    Best regards

    Thomas



    ------------------------------
    Thomas Renner
    ------------------------------