Guides
Start typing to search…

Consuming JWT userinfo response

Suggest Edits

Consuming JWT userinfo response as IBM Verify Identity Access relying party

IBM Verify Identity Access (IVIA) Federation module acts as a OpenID Relying party, it can consume only JSON format userinfo response.

This article goes through steps required for a IVIA Relying party to consume a JWT format userinfo response.

Pre-requisites

  • IBM Verify Identity Access configured as OIDC Relying party.

Details required from the OpenID Provider

  • .well-known endpoint or userinfo endpoint
  • JWT Signing Algorithm
  • JWKS URL
  • JWT Encryption Algorithm and Key Transport Algorithm

Verify Identity Access Configuration

  1. Login as admin user to the Verify Identity Access local management interface.
  2. Navigate to Federation -> Secure Token Service
1648
  • Configure a Template with Default JWT Module (Validate Mode) and Default STSUU(Issue Mode).
1648
  • Configure an STS Chain with the template created in the previous step. Configure the Lookup tab and Properties tab with JWT Signing and JWT Encryption settings.
1648 1648 1648
  • Save and deploy the pending changes.

  1. Navigate to Federation -> Mapping rule. Edit the OIDCRP mapping rule and copy the following snippet.

    importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);
importPackage(Packages.com.ibm.security.access.httpclient);
importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient);
IDMappingExtUtils.traceString("oidc_rp mapping rule called with stsuu: " + stsuu.toString());

/*
* Construct a basic identity made up of iss and sub
*/ 

var iss = stsuu.getAttributeContainer().getAttributeValueByName("iss");
var sub = stsuu.getAttributeContainer().getAttributeValueByName("sub");

/*
* This code builds a principal name from the iss and sub fields of the id_token. If
* this user does not exist in the IVIA registry, either modify to map to a
* local user that is in the registry, or change the EAI authentication
* settings of the federation runtime to use PAC authentication. To use PAC
* authentication, modify the following Federation -> Advanced Configuration:  
*
* poc.signIn.credResponseHeader = am-eai-pac 
*/
stsuu.setPrincipalName(iss + "/" + sub);

/*
* Attributes from id_token come as attributes. 
* Copy those attributes that you want to be built into the credential to the AttributeList. 
* You can add to this list if you know what is in the id_token you expect. 
* Only those attributes with values are copied.
*/
var attrNames = [ 
    // these are standard claims
    "given_name", 
    "family_name",
    "name",
    "email",
    "access_token"
];
var finalAttrs = [];

for (var i = 0; i < attrNames.length; i++) {
    var attr = stsuu.getAttributeContainer().getAttributeByName(attrNames[i]);
    if (attr != null) {
        finalAttrs.push(attr);
    }
}
stsuu.clearAttributeList();

/*
* Add back in the final attributes
*/
for (var i = 0; i < finalAttrs.length; i++) {
    stsuu.addAttribute(finalAttrs[i]);
}

let token =  stsuu.getContextAttributes().getAttributeValueByName("access_token");
/*
* Also pull these from context attributes (these are not available in the id_token)
*/
var contextAttrNames = [
    "access_token",
    "expires_in", 
    "scope"
];

for (var i = 0; i < contextAttrNames.length; i++) {
    var attr = stsuu.getContextAttributes().getAttributeByName(contextAttrNames[i]);
    if (attr != null) {
            stsuu.addAttribute(attr);
            stsuu.getContextAttributes().removeAttribute(attr);
    }
}



//IDMappingExtUtils.traceString("oidc_rp mapping rule finished with new stsuu: " + stsuu.toString());

var headers = new Headers();

headers.addHeader("Authorization", "Bearer "+token);
var endpoint = null;
var httpsTrustStore = "rt_profile_keys";
var clientKeyStore = null;
var clientKeyAlias = null;

endpoint = "https://www.myidp.ibm.com/isam/sps/oauth/oauth20/userinfo";

/* hr will be a com.ibm.security.access.httpclient.HttpResponse */
IDMappingExtUtils.traceString("endpoint: " + endpoint + " httpsTrustStore: " + httpsTrustStore );

var hr = HttpClientV2.httpGet(endpoint, headers, httpsTrustStore, null, null, clientKeyStore, clientKeyAlias);

if(hr.getCode() == 200){
    IDMappingExtUtils.traceString(" body" + hr.getBody());
    var body = hr.getBody();
    var base_token = IDMappingExtUtils.stringToXMLElement('<wss:BinarySecurityToken	xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode" 	wss:ValueType="urn:com:ibm:JWT">' +  body+ '</wss:BinarySecurityToken>');

    var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate", "urn:appliesto", "urn:issuer", base_token, null)
    var assertionValid = (res.errorMessage == null);
    if (!assertionValid) {
    OAuthMappingExtUtils.throwSTSUserMessageException("Invalid Assertion. Authentication failed [" + res.errorMessage + "].");
    }
    var assertion_stsuu = new STSUniversalUser();
    assertion_stsuu.fromXML(res.token);
    IDMappingExtUtils.traceString(" jsonToken" + assertion_stsuu.toString());
    var jsonObj = JSON.parse(assertion_stsuu.getContextAttributes().getAttributeValueByName("claim_json"));

    IDMappingExtUtils.traceString(" json.sub" + jsonObj["sub"]);
}

  2. Navigate to Federation -> Federations. Edit the OpenID Connect Relying Party federation. [block:image]
    {
    "images": [
    {
    "image": [
    "https://files.readme.io/389691e3b2cc8d89fc9e219c19706668cea4933139e9a3693230197cf6de1d93-federation.png",
    "389691e3b2cc8d89fc9e219c19706668cea4933139e9a3693230197cf6de1d93-federation.png",
    1648,
    700,
    "#e2e3e3",
    null,
    "67b806259d53900010956f83"
    ]
    }
    ]
    }
    [/block]
    .
    * Navigate to Identity Mapping -> Use JavaScript transformation for identity mapping. [block:image]
    {
    "images": [
    {
    "image": [
    "https://files.readme.io/63c1baf8e5b48d27f91692673738fa23cef91eee01b06149af4ce87d4adb490f-federation2.png",
    "63c1baf8e5b48d27f91692673738fa23cef91eee01b06149af4ce87d4adb490f-federation2.png",
    1648,
    829,
    "#c6c6d1",
    null,
    "67b80626980450003d48859f"
    ]
    }
    ]
    }
    [/block]

    * Select the identity mapping rule **OIDCRP**. [block:image]

    {
    "images": [
    {
    "image": [
    "https://files.readme.io/b16f7919fb1c0b1d7c39d37076fb4bfa6bf57f9c0d415794696bcf1722f7ea80-federation3.png",
    "b16f7919fb1c0b1d7c39d37076fb4bfa6bf57f9c0d415794696bcf1722f7ea80-federation3.png",
    1648,
    823,
    "#efefef",
    null,
    "67b80627190c770018ae09f1"
    ]
    }
    ]
    }
    [/block]

    * Save and deploy pending changes.

  3. Navigate to Federation -> Federations. Select the federation and click Partners. [block:image]
    {
    "images": [
    {
    "image": [
    "https://files.readme.io/9f360804e66fc55e9404e5af475228e9502e2896cd6bb30754c8c8d2dbb2428c-partner.png",
    "9f360804e66fc55e9404e5af475228e9502e2896cd6bb30754c8c8d2dbb2428c-partner.png",
    1648,
    700,
    "#e2e3e3",
    null,
    "67b80627fa664d001930ee8a"
    ]
    }
    ]
    }
    [/block]

    * Select the partner and edit.
* Navigate to Scope configuration and uncheck Perform userinfo request automatically [block:image]

    {
    "images": [
    {
    "image": [
    "https://files.readme.io/a3268600c794fc5e764b4a35689cd96d1f3fafb84fd01f9c25477043ba84ccbb-partner1.png",
    "a3268600c794fc5e764b4a35689cd96d1f3fafb84fd01f9c25477043ba84ccbb-partner1.png",
    1648,
    813,
    "#1a2ea7",
    null,
    "67b806289d53900010956f87"
    ]
    }
    ]
    }
    [/block]
    .
    * Save and deploy pending changes.

Updated 9 days ago

Did this page help you?