Access Policy Reference

Suggest Edits

JavaScript access policies

This document covers all the interfaces for access policy JavaScript.

The two main objects supported for access policy JavaScript are context and Decision.

1. Context

The context object represents an access policy context. It has four main methods.

Return typeMethodDescriptionArguments
ProtocolContextgetProtocolContext()Get the protocol context.
RequestgetRequest()Get the request.
PolicyUsergetUser()Get the user.
SessiongetSession()Get the session.
setDecision(decision)Set the access policy decision.Decision

1.1. ProtocolContext

This object represents a protocol context and allows access to OAuth/OIDC protocol context, such as client, definition, and request parameters.

Return typeMethodDescriptionArguments
AuthenticationRequestgetAuthenticationRequest()Get the authentication request.
DefinitiongetDefinition()Return the definition object.
stringgetDefinitionID()Return the definition ID.
stringgetDefinitionName()Return the definition name.
ClientgetClient()Return the client object.
stringgetClientId()Return the client ID.
stringgetClientName()Return the client name.
setConsentDecision(scopes)Sets the external consent decision.string[]
string[] or nullgetConsentDecision()Get the external consent decision.;

1.1.1. AuthenticationRequest

This object represents an authentication request.

Return typeMethodDescription
AuthenticationContextgetAuthenticationContext()Get the authentication request context.
stringtoString()Return url encoded string of all request parameters

1.1.2. AuthenticationContext

This object represents an authentication context and allows access to selected authorization request parameters.

Return typeMethodDescription
string[]getResponseType()Return response_type request parameter, which is separated by a space.
stringgetIdTokenHint()Return id_token_hint request parameter, if any.
stringgetLoginHint()Return login_hint request parameter, if any.
integergetMaxAge()Return max_age request parameter, if any.
string[]getPrompt()Return prompt request parameter, which is separated by a space.
string[]getScope()Return the scope request parameter, which is separated by a space.
Claim[]getIdTokenClaims()Return id_token claims of claims request parameter, if any.
Claim[]getUserInfoClaims()Return userinfo claims of claims request parameter, if any.
string[]getAuthenticationClassReference()Return the acr_values request parameter, which is separated by a space. Note: The acr claim that comes in the claims request parameter is retrievable with getIdTokenClaims() or getUserInfoClaims() methods.

1.1.3. Claim

This object represents a particular claim under the claims request parameter.

Return typeMethodDescription
stringgetName()Get the name of the claim.
BooleanisEssential()Return true if the claim is an essential claim.
stringgetValue()Return the first value of the claim. If no value associated with this claim, it returns undefined.
string[]getValues()Return the values associated with the claim, if any.

1.2. Request

This object represents the request of the current user interaction and allows access to the incoming HTTP request.

Return typeMethodDescription
Cookie[]getCookies()Get the cookies.
string[]getHeaderNames()Get the header names.
string[]getHeaders(name)Get the values of the header with the specified name.
stringgetHeader(name)Get the first value of the header with the specified name.
string[]getParameterNames()Get the (GET and POST) parameter names.
string[]getParameters(name)Get the values of the (GET and POST) parameter with the specified name.
stringgetParameter(name)Get the first value of the (GET and POST) parameter with the specified name.

1.2.1. Cookie

This object represents an HTTP cookie.

Return typeMethodDescription
stringgetComment()Returns the comment that describes the purpose of this cookie, or undefined if the cookie has no comment.
stringgetDomain()Gets the domain name of this Cookie.
BooleanisHttpOnly()Checks whether this Cookie was marked as HttpOnly.
integergetMaxAge()Gets the maximum age in seconds of this cookie.
stringgetName()Returns the name of the cookie.
stringgetPath()Returns the path on the server to which the browser returns this cookie.
BooleanisSecure()Returns true if the browser is sending cookies only over a secure protocol, or false if the browser can send cookies with any protocol.
stringgetValue()Gets the current value of this Cookie.
integergetVersion()Returns the version of the protocol that this cookie complies with.

1.3. PolicyUser

This object allows access to the authenticated user information.

Return typeMethodDescription
AttributegetAttribute(name)Get a particular attribute associated with the specified name.
Attribute[]getAttributes()Get all the user attributes.
GroupgetGroup(name)Get a particular group associated with the specified name.
Group[]getGroups()Get all the user groups.
stringgetUsername()Get the username.

1.3.1. Attribute

This object represents a user attribute.

Return typeMethodDescription
stringgetName()Return the attribute name.
anygetValue()Return the attribute value.

Note: since the getValue() return any type, including JS slices or JS object, the getValues() is no longer supported.

1.3.2. Group

This object represents a user group.

Return typeMethodDescription
stringgetName()Return the group name.

1.4. Session

This interface represents the session of the current user access. By storing data in the session, the data is available even after a redirection.

Return typeMethodDescriptionArguments
anygetAttribute(name)Get the value of the attribute with the specified name.string
anyremoveAttribute(name)Remove the attribute with the specified name, and return the value of the removed attribute.string
setAttribute(name, value)Set the value of the attribute with the specified name.string, any

Example of usage:

  var guessedNumber = context.getRequest().getParameter("user_guess");
  if (guessedNumber == undefined || guessedNumber == null) { // Challenge user
    context.getSession().setAttribute("storedNumber", 75);
    ...
    context.setDecision(Decision.challenge(handler)); // send challenge handler to guess the storedNumber
  } else {
    var storedNumber = context.getSession().removeAttribute("storedNumber"); // load number
    if (storedNumber == guessedNumber) { // guessed correctly, allow it
      context.setDecision(Decision.allow());
    } else {
      ...
      context.setDecision(Decision.deny(handler)); // send deny response
    }
  }

2. Decision

The Decision object represents a decision. It has three main methods.

MethodDescriptionArguments
allow()Use this method when the access policy decision is to allow or proceed with the request.
deny(handler)Use this method when the access policy decision is to deny or stop the flow.RedirectDenyDecisionHandler or HtmlPageDenyDecisionHandler
challenge(handler)Use this method when the access policy decision is to challenge the user by collecting more information or for a second factor challenge.RedirectChallengeDecisionHandler or HtmlPageChallengeDecisionHandler.

The decision is then passed to the context object by calling the context.setDecision() method. This statement is the last statement of any path in the access policy JavaScript.

Typically, Decision object is created (by calling one of the methods) just before it is set into the context. As such, ISVA OIDC Provider does not support getType() and getHandler() methods.

2.1. HtmlPageDenyDecisionHandler

Use this handler to do deny decision by showing a template page.

Example usage:

  var handler = new HtmlPageDenyDecisionHandler();
  handler.setMacro("@MESSAGE@", "The request is denied.");
  handler.setPageId("error.html");
  context.setDecision(Decision.deny(handler));
Return typeMethodDescriptionArguments
setPageId(pageId)Set the template page name to be used.string
stringgetPageId()Return template page ID.
setMacro(key, value)Set a macro replacement.string, string
JS objectgetMacros()Return template macros.

2.2. HtmlPageChallengeDecisionHandler

Use this handler to do challenge decision by showing a template page.

Example usage:

  var handler = new HtmlPageChallengeDecisionHandler();
  handler.setMacro("@MESSAGE@", "Please guess a number between 0 and 99");
  handler.setMacro("@ACTION@", "https://myidp.com/oauth2/authorize");
  handler.setPageId("challenge.html");
  context.setDecision(Decision.challenge(handler));
Return typeMethodDescriptionArguments
setPageId(pageId)Set the template page name to be used.string
stringgetPageId()Return template page ID.
setMacro(key, value)Set a macro replacement.string, string
JS objectgetMacros()Return template macros.

2.3. RedirectDenyDecisionHandler

Use this handler to do deny decision by redirection.

Example usage:

  var handler = new RedirectDenyDecisionHandler();
  handler.setRedirectUri("https://www.tpp.com/denied.html");
  context.setDecision(Decision.deny(handler));
Return typeMethodDescriptionArguments
setRedirectUri(redirectUri)Set the redirection information.url string
stringgetRedirectUri()Return redirection information.

2.4. RedirectChallengeDecisionHandler

Use this handler to do challenge decision by redirection.

Example usage:

  var handler = new RedirectChallengeDecisionHandler();
  handler.setRedirectUri("https://www.myidp.com?PolicyId=urn:ibm:security:authentication:asf:totp");
  context.setDecision(Decision.challenge(handler));
Return typeMethodDescriptionArguments
setRedirectUri(redirectUri)Set the redirection information.url string
stringgetRedirectUri()Return redirection information.

3. Differences with ISVA Java implementation

Some differences exist in the methods that are supported for Attribute and Decision between ISVA OIDC Provider and ISVA.
The ISVA OIDC Provider implementation uses a JS object and slices instead of java.util.Map or java.util.List. Methods that are associated with java.util.Map or java.util.List are not available.

4. Redirection and Page Challenge Callback URL

Currently, in ISVA during a page challenge or redirection, users are expected to form the callback URL themselves.

  // Redirect challenge with Target URL
  var handler = new RedirectChallengeDecisionHandler(); 
  handler.setRedirectUri("https://www.myidp.com?PolicyId=urn:ibm:security:authentication:asf:totp&Target=https%3A%2F%2Fwww.myidp.com%2Foauth2%2Fauthorize?stateId=abcdefghijklmnopq");

  // Html challenge with Action macro
  var handler = new HtmlPageChallengeDecisionHandler();
  handler.setMacro("@MESSAGE@", "Please guess a number between 0 and 99");
  handler.setMacro("@ACTION@", "https://myidp.com/oauth2/authorize?stateId=abcdeghijklmnopq");

In ISVA OIDC Provider, users do not need to do so. For redirection, the Target is added automatically as one of the query strings.
For page handlers, two extra macros that are called @SELF_URL@ and @SELF_ENCODED_URL@ are added automatically. The difference between these two macros is that @SELF_ENCODED_URL@ is URL-encoded can be added into query string. These two macros can be used in the template page like any other macro.

For example,:

<html>
    <body>
        <h1>Page Challenge:</h1>
        <form method="POST" action="@SELF_URL@">
            @MESSAGE@ : <input type="number" name="guess">
            <br>
            <input type="submit" value="Submit">
        </form>
        <form method="GET" action="https://www.challenge.com?Target=@SELF_ENCODED_URL@">
            @MESSAGE@ : <input type="number" name="guess">
            <br>
            <input type="submit" value="Submit">
        </form>
    </body>
</html>

Updated over 1 year ago