Consuming JWT userinfo response
Consuming JWT userinfo response as IBM Security Verify Access relying party
IBM Security Verify Access (ISVA) Federation module acts as a OpenID Relying party, it can consume only JSON format userinfo response.
This article goes through steps required for a ISVA Relying party to consume a JWT format userinfo response.
Pre-requisites
- IBM Security Verify Access configured as OIDC Relying party.
Details required from the OpenID Provider
- .well-known endpoint or userinfo endpoint
- JWT Signing Algorithm
- JWKS URL
- JWT Encryption Algorithm and Key Transport Algorithm
Verify Access Configuration
- Login as admin user to the Verify Access local management interface.
- Navigate to Federation -> Secure Token Service
- Configure a Template with Default JWT Module (Validate Mode) and Default STSUU(Issue Mode).
- Configure an STS Chain with the template created in the previous step. Configure the Lookup tab and Properties tab with JWT Signing and JWT Encryption settings.
- Save and deploy the pending changes.
-
Navigate to Federation -> Mapping rule. Edit the OIDCRP mapping rule and copy the following snippet.
importPackage(Packages.com.tivoli.am.fim.trustserver.sts); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser); importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities); importPackage(Packages.com.ibm.security.access.httpclient); importClass(Packages.com.tivoli.am.fim.fedmgr2.trust.util.LocalSTSClient); IDMappingExtUtils.traceString("oidc_rp mapping rule called with stsuu: " + stsuu.toString()); /* * Construct a basic identity made up of iss and sub */ var iss = stsuu.getAttributeContainer().getAttributeValueByName("iss"); var sub = stsuu.getAttributeContainer().getAttributeValueByName("sub"); /* * This code builds a principal name from the iss and sub fields of the id_token. If * this user does not exist in the ISVA registry, either modify to map to a * local user that is in the registry, or change the EAI authentication * settings of the federation runtime to use PAC authentication. To use PAC * authentication, modify the following Federation -> Advanced Configuration: * * poc.signIn.credResponseHeader = am-eai-pac */ stsuu.setPrincipalName(iss + "/" + sub); /* * Attributes from id_token come as attributes. * Copy those attributes that you want to be built into the credential to the AttributeList. * You can add to this list if you know what is in the id_token you expect. * Only those attributes with values are copied. */ var attrNames = [ // these are standard claims "given_name", "family_name", "name", "email", "access_token" ]; var finalAttrs = []; for (var i = 0; i < attrNames.length; i++) { var attr = stsuu.getAttributeContainer().getAttributeByName(attrNames[i]); if (attr != null) { finalAttrs.push(attr); } } stsuu.clearAttributeList(); /* * Add back in the final attributes */ for (var i = 0; i < finalAttrs.length; i++) { stsuu.addAttribute(finalAttrs[i]); } let token = stsuu.getContextAttributes().getAttributeValueByName("access_token"); /* * Also pull these from context attributes (these are not available in the id_token) */ var contextAttrNames = [ "access_token", "expires_in", "scope" ]; for (var i = 0; i < contextAttrNames.length; i++) { var attr = stsuu.getContextAttributes().getAttributeByName(contextAttrNames[i]); if (attr != null) { stsuu.addAttribute(attr); stsuu.getContextAttributes().removeAttribute(attr); } } //IDMappingExtUtils.traceString("oidc_rp mapping rule finished with new stsuu: " + stsuu.toString()); var headers = new Headers(); headers.addHeader("Authorization", "Bearer "+token); var endpoint = null; var httpsTrustStore = "rt_profile_keys"; var clientKeyStore = null; var clientKeyAlias = null; endpoint = "https://www.myidp.ibm.com/isam/sps/oauth/oauth20/userinfo"; /* hr will be a com.ibm.security.access.httpclient.HttpResponse */ IDMappingExtUtils.traceString("endpoint: " + endpoint + " httpsTrustStore: " + httpsTrustStore ); var hr = HttpClientV2.httpGet(endpoint, headers, httpsTrustStore, null, null, clientKeyStore, clientKeyAlias); if(hr.getCode() == 200){ IDMappingExtUtils.traceString(" body" + hr.getBody()); var body = hr.getBody(); var base_token = IDMappingExtUtils.stringToXMLElement('<wss:BinarySecurityToken xmlns:wss="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" wss:EncodingType="http://ibm.com/2004/01/itfim/base64encode" wss:ValueType="urn:com:ibm:JWT">' + body+ '</wss:BinarySecurityToken>'); var res = LocalSTSClient.doRequest("http://schemas.xmlsoap.org/ws/2005/02/trust/Validate", "urn:appliesto", "urn:issuer", base_token, null) var assertionValid = (res.errorMessage == null); if (!assertionValid) { OAuthMappingExtUtils.throwSTSUserMessageException("Invalid Assertion. Authentication failed [" + res.errorMessage + "]."); } var assertion_stsuu = new STSUniversalUser(); assertion_stsuu.fromXML(res.token); IDMappingExtUtils.traceString(" jsonToken" + assertion_stsuu.toString()); var jsonObj = JSON.parse(assertion_stsuu.getContextAttributes().getAttributeValueByName("claim_json")); IDMappingExtUtils.traceString(" json.sub" + jsonObj["sub"]); }
-
Navigate to Federation -> Federations. Edit the OpenID Connect Relying Party federation. [block:image]
{
"images": [
{
"image": [
"https://files.readme.io/7872fe3939cce8b0a0ee57289b70644c42354898d2116e11b783ca2faa7c0906-federation.png",
"7872fe3939cce8b0a0ee57289b70644c42354898d2116e11b783ca2faa7c0906-federation.png",
1648,
700,
"#e2e3e3",
null,
"676568b6d12fd50011e8f825"
]
}
]
}
[/block]
.
* Navigate to Identity Mapping -> Use JavaScript transformation for identity mapping. [block:image]
{
"images": [
{
"image": [
"https://files.readme.io/ab6d60cf53ff6e489d599a5871a47dc24c41da92a16fcc916eb668ae932eefa3-federation2.png",
"ab6d60cf53ff6e489d599a5871a47dc24c41da92a16fcc916eb668ae932eefa3-federation2.png",
1648,
829,
"#c6c6d1",
null,
"676568b763d2f8004471cf4b"
]
}
]
}
[/block]* Select the identity mapping rule **OIDCRP**. [block:image]
{
"images": [
{
"image": [
"https://files.readme.io/ba30557d05a13896cdff5afde026a505e33cb3be7d143426c5c5d07724ee6c71-federation3.png",
"ba30557d05a13896cdff5afde026a505e33cb3be7d143426c5c5d07724ee6c71-federation3.png",
1648,
823,
"#efefef",
null,
"676568b8d7f558004da2f9fe"
]
}
]
}
[/block]* Save and deploy pending changes.
-
Navigate to Federation -> Federations. Select the federation and click Partners. [block:image]
{
"images": [
{
"image": [
"https://files.readme.io/ead3c21f83d2e1eafebdd1bd9e93e9e5e5691f724cdf5136531f75d86b5c8a1d-partner.png",
"ead3c21f83d2e1eafebdd1bd9e93e9e5e5691f724cdf5136531f75d86b5c8a1d-partner.png",
1648,
700,
"#e2e3e3",
null,
"676568b9b2547e0043299dd2"
]
}
]
}
[/block]* Select the partner and edit. * Navigate to Scope configuration and uncheck Perform userinfo request automatically [block:image]
{
"images": [
{
"image": [
"https://files.readme.io/22a230b15fc157b58cca53e9b42dd8282dfe4f14e3fd21caeb11ce264af912f7-partner1.png",
"22a230b15fc157b58cca53e9b42dd8282dfe4f14e3fd21caeb11ce264af912f7-partner1.png",
1648,
813,
"#1a2ea7",
null,
"676568bacbaab900741f18f4"
]
}
]
}
[/block]
.
* Save and deploy pending changes.
Updated 1 day ago