IBM Verify

Hi,

i'm trying to protect an API on webseal with OAUTH.

It only works OOTB with ROPC tokens (probably because they can be linked to a stssu user).

Reading documentation i can't find a complete guide to enable bearer tokens (from client_credential flow specifically) to work.

I believe it need an STS chains and mapping rule to be configure but i can't find it.

I know it can be done with JWTs  (OAuth: JWT as an Access Token) but in this scenario i need just bearers.

Documentation says nothing specific or technical on how to achieve it (OAuth Authentication)

Since my environment is upgraded from very old versions maybe this feature is now enable by default on newer releases but need to be manually configured on older ones?

Thanks to anyone who will help.

Sascha

Hi,

i'm trying to protect an API on webseal with OAUTH.

It only works OOTB with ROPC tokens (probably because they can be linked to a stssu user).

Reading documentation i can't find a complete guide to enable bearer tokens (from client_credential flow specifically) to work.

I believe it need an STS chains and mapping rule to be configure but i can't find it.

I know it can be done with JWTs  (OAuth: JWT as an Access Token) but in this scenario i need just bearers.

Documentation says nothing specific or technical on how to achieve it (OAuth Authentication)

Since my environment is upgraded from very old versions maybe this feature is now enable by default on newer releases but need to be manually configured on older ones?

Thanks to anyone who will help.

Sascha

At a high level - there is no difference to how the reverse proxy perceives the OAuth AT whether it was an ROPC or CC flow. 

the RP will call the OAuth Mapping rules to validate the tokens, and it will return a username associated. 
Usually with ROPC - you'll get a username - and it will then build the credential based on that username from LDAP. 
For CC - I *think* you'll get a username that is the client ID. Which WON'T be in LDAP. 

So you can do one of two things,
1) you can define a user that is the ClientID, and you might find thats sufficient to allow you to proceed,
2) You can configure OAuth for 'external' users - or users that aren't in LDAP. 
https://community.ibm.com/community/user/security/discussion/oauth-for-external-users 
is an indepth conversation on this topic. 

Where you might want to apply logic to only do this for a client_credentials generated credential. 

------------------------------
Philip Nye
IBM
Gold Coast

Original Message:
Sent: Wed July 24, 2024 05:59 AM
From: Sascha W
Subject: WebSeal bearer oauth authentication

Hi,

i'm trying to protect an API on webseal with OAUTH.

It only works OOTB with ROPC tokens (probably because they can be linked to a stssu user).

Reading documentation i can't find a complete guide to enable bearer tokens (from client_credential flow specifically) to work.

I believe it need an STS chains and mapping rule to be configure but i can't find it.

I know it can be done with JWTs  (OAuth: JWT as an Access Token) but in this scenario i need just bearers.

Documentation says nothing specific or technical on how to achieve it (OAuth Authentication)

Since my environment is upgraded from very old versions maybe this feature is now enable by default on newer releases but need to be manually configured on older ones?

Thanks to anyone who will help.

Sascha

You might also want to  look at the API access control capabilities, where you can configure introspection at a path level:

Thank you, theres a cookbook or some useful resource for the API Access Control part?

You might also want to  look at the API access control capabilities, where you can configure introspection at a path level: