IBM Security Verify

  • 1.  Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    IBM Champion
    Posted Wed May 18, 2022 11:03 AM
    Is there a list of special variables in the oauth pre and post mapping rules?  For example, stsuu is pre-populated.  I thought there were others that I had found before, perhaps the client and/or the token in an already set variable?  I can't find a list, and I could have sworn I had seen documentation on this once.

    At the moment, what I need is a way to find the current token value, in its hashed format, in the post mapping rule.  The reason why is I have logic that cleans up all previous tokens for the client when a new token is generated with a specific scope.  I am currently using the new OAuthMappingExtUtils.deleteHashedToken function, which is working fine.  However, when I call OAuthMappingExtUtils.getTokens(client_id, client_id) (where client_id is obviously set to the client the token is being generated for) it is returning all tokens INCLUDING the token that was just generated in the pre-mapping rule (but has not yet been returned to the client).  Hence, I am deleting the token that is being created and making it invalid.

    I need a way to get this token value, hopefully in a hashed format, because getTokens() is returning all the tokens for the client in their hashed format.  That way I can do a compare before I delete each one and not delete the most recent.  Worst case, I figure I may be able to obtain the token value from the STSUU and rehash it, but this seems really dirty, and I am not sure how reliable it will be long term.

    My only other thought was maybe to move this logic to the pre-mapping rule.  But a long time ago, for whatever reason, I felt it best to take care of this in the post mapping rule, and I am now coming back to finish this task.  Also, you might be wondering why I don't simply use OAuthMappingExtUtils.deleteTokens in the pre-mapping rule.  Well, I don't want all the tokens deleted, only ones with this specific scope set.  So that is why I don't simply delete them all.  In the past, this is what I was doing, but there is a need not to remove tokens unless they have this specific scope set.

    Thanks for any input!

    ------------------------------
    Matt Jenkins
    ------------------------------


  • 2.  RE: Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    Posted Thu May 19, 2022 03:45 AM
    Hi Matt,

    You can get the new tokens generated in the post mapping rule with the following code:

    // The grant's state_id is carried in the STSUU context attributes under the
    // urn:ibm:names:ITFIM:oauth:state type; it identifies the OAuth grant this request belongs to.
    var state_id = null;

    var global_temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType("state_id", "urn:ibm:names:ITFIM:oauth:state");
    if (global_temp_attr != null && global_temp_attr.length > 0) {
      state_id = global_temp_attr[0];
    }

    // All tokens associated with the grant: the access token and, if one was issued, the refresh token.
    var tokens = OAuthMappingExtUtils.getTokens(state_id);


    This will be an array with the access token and possible refresh token. You can check the types using "tokens[i].getType()".

    Using "token.getId()" will be the hashed version if I remember correctly.

    You can find these functions and return types in the ISAM javadocs downloaded from your appliance.

    Hope this helps,

    Niel



    ------------------------------
    Niel Verheire
    ------------------------------



  • 3.  RE: Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    IBM Champion
    Posted Thu May 19, 2022 05:18 PM
    @Niel Verheire Many thanks.  I was hoping there was already something defined, but I went with your suggestion.  I have used state_id in other places in the mapping rule, so I assumed I must have figured there was no better way in the past.  I also had in one place used access_token_id with getToken(), so I ended up going that route since I had done it in the code logic block I was working in.  Then, when you get the Token back, if you call getId() you get the hashed value back when the hashed tokens are enabled.

    Thanks for your suggestion, much appreciated!  All is working well now!

    ------------------------------
    Matt Jenkins
    ------------------------------



  • 4.  RE: Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    Posted Fri May 20, 2022 04:29 AM
    Edited by Niel Verheire Fri May 20, 2022 04:29 AM
    Great to hear it is working now!
    I'm no expert in this either and there is probably a better way. Maybe someone from IBM can still jump in ;)

    ------------------------------
    Niel Verheire
    ------------------------------



  • 5.  RE: Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    Posted Mon May 23, 2022 06:40 AM
    Hi Niel, Matt,

    In the Post Token mapping rule there's an example (related to deleting tokens) where the token IDs are obtained with this code:

    // Declared here so the fragment stands alone; in the full sample rule they are declared earlier.
    var temp_attr = null;
    var access_token_id = null;
    var refresh_token_id = null;

    //access_token_id
    temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType("access_token_id", "urn:ibm:names:ITFIM:oauth:response:metadata");
    if (temp_attr != null && temp_attr.length > 0) {
        access_token_id = temp_attr[0];
    }

    //refresh_token_id
    temp_attr = stsuu.getContextAttributes().getAttributeValuesByNameAndType("refresh_token_id", "urn:ibm:names:ITFIM:oauth:response:metadata");
    if (temp_attr != null && temp_attr.length > 0) {
        refresh_token_id = temp_attr[0];
    }


    So, if you just want the token IDs related to what is being returned in the response, this is probably more efficient.

    If you want to get ALL the tokens associated with the grant (state_id) then the previous method is better.

    Jon.



    ------------------------------
    Jon Harry
    Senior Technical Sales Enablement Specialist
    Identity and Access Management
    IBM Technology, Worldwide
    ------------------------------
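The cleanup Matt describes, done with Jon's access_token_id / refresh_token_id lookup so the tokens issued in the current response are never deleted, as an added Node.js example that is not code from this thread, from IBM or from the ISAM sample rule. OAuthMappingExtUtils, stsuu and the token objects are replaced by constructed in-memory stand-ins that expose only the methods named above (getTokens, deleteHashedToken, getId, getType, getAttributeValuesByNameAndType); the scope accessor getScope(), the ignored getTokens argument, the "device:admin" scope and the h-* hashed ids are assumptions.

```javascript
// Constructed stand-ins (NOT the real ISAM OAuthMappingExtUtils/stsuu/Token); getScope() is an assumption.
const RESPONSE_META = "urn:ibm:names:ITFIM:oauth:response:metadata";
// Stored token: hashed id (what getId() returns with hashed tokens on), type, scopes.
function makeToken(id, type, scopes) {
  return { getId: () => id, getType: () => type, getScope: () => scopes };
}
// Token store; getTokens ignores its argument (client id or state_id in the thread).
function makeStore(tokens) {
  const store = new Map(tokens.map(t => [t.getId(), t]));
  return {
    getTokens: _clientOrStateId => Array.from(store.values()),
    deleteHashedToken: hashedId => store.delete(hashedId),
  };
}
// stsuu stand-in carrying the response metadata of the token(s) being returned now.
function makeStsuu(meta) {
  return { getContextAttributes: () => ({ getAttributeValuesByNameAndType: (name, type) =>
    type === RESPONSE_META && name in meta ? [meta[name]] : null }) };
}
// Jon's approach: ids of the access/refresh token in the current response.
function currentTokenIds(stsuu) {
  const ids = [];
  for (const name of ["access_token_id", "refresh_token_id"]) {
    const v = stsuu.getContextAttributes().getAttributeValuesByNameAndType(name, RESPONSE_META);
    if (v != null && v.length > 0) ids.push(v[0]);
  }
  return ids;
}
// Delete the client's older tokens carrying `scope`; the ones just issued are kept.
function cleanupOldTokens(utils, stsuu, clientId, scope) {
  const keep = new Set(currentTokenIds(stsuu));
  const deleted = [];
  for (const t of utils.getTokens(clientId)) {
    if (keep.has(t.getId()) || !t.getScope().includes(scope)) continue;
    utils.deleteHashedToken(t.getId());
    deleted.push(t.getId());
  }
  return deleted;
}
// Constructed sample: two older "device:admin" tokens, one "profile" token, and the
// new pair h-at-3 / h-rt-3 that the pre-mapping rule has already stored.
function demo() {
  const utils = makeStore([["h-at-1", "access_token", "device:admin"],
    ["h-rt-1", "refresh_token", "device:admin"], ["h-at-2", "access_token", "profile"],
    ["h-at-3", "access_token", "device:admin"], ["h-rt-3", "refresh_token", "device:admin"]]
    .map(([id, type, s]) => makeToken(id, type, [s])));
  const stsuu = makeStsuu({ access_token_id: "h-at-3", refresh_token_id: "h-rt-3" });
  const deleted = cleanupOldTokens(utils, stsuu, "my-client", "device:admin");
  return { deleted, remaining: utils.getTokens().map(t => t.getId()) };
}
```

Running demo() removes only h-at-1 and h-rt-1: the "profile" token is out of scope and the new pair is protected by the metadata check.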



  • 6.  RE: Special pre-populated variables in OAuth pre/post mapping rules like stsuu - Need current token value in post

    IBM Champion
    Posted Mon May 23, 2022 08:11 AM
    Ah many thanks @Jon Harry that must have been where I had gotten the idea from in the past.  I did end up using the access_token_id, as I had wondered about what you said about state_id.

    Just for my knowledge, other than the access token, refresh token, and ID token, would there be any other tokens associated with a particular grant?  I am just trying to wrap my head around that for potential future use, as I'm thinking that may be useful to keep in my back pocket.

    Thanks again!

    ------------------------------
    Matt Jenkins
    ------------------------------