Retrieving and Deleting tokens belonging to a user


Scenarios exist where the number of grants that belong to certain users needs to be limited. In the following example, OAuthMappingExtUtils.getGrants is used to count the grants a user already holds for the requesting client, and the request is rejected when that count exceeds the limit.

Configuration

Mapping rule snippet to be added into the pre token mapping rule

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

    IDMappingExtUtils.traceString("Entering pre token mapping rule");
    IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

    // The client making the request and every grant the principal currently holds
    var client = stsuu.getContextAttributes().getAttributeValueByName("client_id");
    var grants = OAuthMappingExtUtils.getGrants(stsuu.getPrincipalName());

    // Count only the grants that were issued to this client
    var grants_per_user_per_client = 0;
    for (let i = 0; i < grants.length; i++) {
        var grant = grants[i];
        if (grant["ClientID"] == client) {
            grants_per_user_per_client++;
        }
    }
    IDMappingExtUtils.traceString("grants_per_user_per_client: " + grants_per_user_per_client);

    // Reject the request once the per-user, per-client limit is exceeded
    if (grants_per_user_per_client > 40) {
        OAuthMappingExtUtils.throwSTSException("Number of grants per user per client exceeded");
    }

Output

ristretto_1              | [08/21/2024 13:07:07.866 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "JS: grants_per_user_per_client: 56"
ristretto_1              | [08/21/2024 13:07:07.867 UTC] (internal.errors.ParseJSError) I [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "Javascript throw OAuth/OIDC error."
ristretto_1              | [08/21/2024 13:07:07.867 UTC] (internal.javascript.worker.workOnTask) E [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "Encounter error execute script: server_error."
ristretto_1              | [08/21/2024 13:07:07.867 UTC] (TokenHandler.HandlerFunc) E [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "EnrichSession failed: server_error"
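The grant-limit decision from the mapping rule above, extracted into plain functions so it can be run and tested outside the STS. This is an added example, not code from the IBM page: the grant records are constructed to mimic the array of objects that OAuthMappingExtUtils.getGrants returns (only the "ClientID" key is relied on; real records carry more keys), and the function names, the client names and the helper that summarises grants per client are assumptions. The limit of 40 mirrors the rule.

```javascript
// Count the grants the user already holds for one client.
// A brand-new user may have no grants at all, so treat a missing list as zero.
function countGrantsForClient(grants, clientId) {
  var count = 0;
  if (!grants) {
    return 0;
  }
  for (var i = 0; i < grants.length; i++) {
    if (grants[i]["ClientID"] === clientId) {
      count++;
    }
  }
  return count;
}

// Summarise grants per client; handy when tracing why a request was rejected.
function grantsPerClient(grants) {
  var summary = {};
  var n = grants ? grants.length : 0;
  for (var i = 0; i < n; i++) {
    var id = grants[i]["ClientID"];
    summary[id] = (summary[id] || 0) + 1;
  }
  return summary;
}

// Decide whether the request should be rejected. Returns a result object
// instead of throwing; the mapping rule on the page maps "exceeded" to
// OAuthMappingExtUtils.throwSTSException with the same message.
function evaluateGrantLimit(grants, clientId, limit) {
  var n = countGrantsForClient(grants, clientId);
  return {
    client: clientId,
    count: n,
    exceeded: n > limit,
    message: n > limit ? "Number of grants per user per client exceeded" : "ok"
  };
}

// Constructed sample (assumption): 3 grants for "mobile-app", 1 for "web-portal".
var SAMPLE_GRANTS = [
  { ClientID: "mobile-app" },
  { ClientID: "mobile-app" },
  { ClientID: "web-portal" },
  { ClientID: "mobile-app" }
];

// Same limit as the rule on the page.
var GRANT_LIMIT = 40;

// Runs the decision with the real limit and with a deliberately low one,
// so both the "allowed" and the "rejected" paths are visible.
function demoGrantLimit() {
  return {
    underLimit: evaluateGrantLimit(SAMPLE_GRANTS, "mobile-app", GRANT_LIMIT),
    overLimit: evaluateGrantLimit(SAMPLE_GRANTS, "mobile-app", 2),
    byClient: grantsPerClient(SAMPLE_GRANTS)
  };
}
```

In the rule itself, `evaluateGrantLimit(...).exceeded` is the condition that would be followed by `OAuthMappingExtUtils.throwSTSException`; keeping the count and the per-client summary in a result object makes the trace line that precedes the rejection easy to produce.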

Scenarios exist where tokens and grants that belong to certain users need to be deleted based on user inactivity. In the following example, an LDAP connection is established by using UserLookupHelper, the user's inactivity attribute is read, and the user's tokens for the requesting client are deleted when that attribute exceeds a threshold.

Configuration

LDAP Configuration

  • Server connection to connect to an LDAP instance.

        server_connections:
          name: ldap_test
          type: ldap
          hosts:
            - hostname: isva-openldap
              hostport: 636
          credential:
            bind_dn: 'cn=root,secAuthority=default'
            bind_password: "OBF:U2FsdGVkX19iBhl53QkybjO6RjFHhSbz4VRudYHA="
          ssl:
            certificate:
              - ks:ldap_keystore
            disable_hostname_verification: true
          conn_settings:
            max_pool_size: 50
            connect_timeout: 3

  • LDAP connection certificate added to the keystore.

        keystore:
          - name: ldap_keystore
            type: pem
            certificate:
              - label: ldap
                content: |
                  -----BEGIN CERTIFICATE-----
                  MIIDGDCCAgCgAwIBAgIIZAWdygzDfYMwDQYJKoZIhvcNAQELBQAwKjELMAkGA1UE
                  BhMCdXMxDDAKBgNVBAoTA2libTENMAsGA1UEAxMEaXNhbTAeFw0yMTA4MzAxMDU4
                  MDhaFw0zMTA4MjkxMDU4MDhaMCoxCzAJBgNVBAYTAnVzMQwwCgYDVQQKEwNpYm0x
                  DTALBgNVBAMTBGlzYW0wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDB
                  /a4qF23bWGkc5p9P/9RzfdSV8jMW6nKOA04/64H4O8JyNtCOC4vd/4Malkd1YZD8
                  Rb9ikGma5dEOsNu4zE2wP9/twnGLbFKeVI/ZHodJ8lANnf5vpdJUaMyTEyVlIFQE
                  AJfeA8M02UhM49A6VUvfwnx58+QvN1dgmLktNcY6B03m5wdTLId4eSqypVuGn02/
                  qKukeBg+ZxzxzCKsHDxiKEWghN3EHOR34oOifgmNPtRWoNWi8rH2f0XpObhboQW8
                  43AVmK7VRwSvNvtfMuCOGkUcWyMKdvXIy5PVQs4b7t8m7kM1za5DUhTMIJ+FTHpK
                  1IBs26y+tpDDdobrQt3dAgMBAAGjQjBAMB0GA1UdDgQWBBSMBiXM/22qeLEmXN72
                  UM1yRcQ7+zAfBgNVHSMEGDAWgBSMBiXM/22qeLEmXN72UM1yRcQ7+zANBgkqhkiG
                  9w0BAQsFAAOCAQEAjlZeaQAeunUnNMIgPfIB2dv4ydOxQ1fCvAKubfEGt+fQqM2R
                  McEMEyerhDqbKgpn7/0znOnYX7wiN6ROw1Jh/f9Okf2B/k3zdVa8kx50PF5YKwyA
                  lR8zAyMhfLIg/KbZed7gJidExrPzjl+ym8DLSbDVddzIw6bQxtzLloZWTdIa2oj0
                  GojEnRdv5ixTmh23abN5+GkWyLFoqOMjFMM8AV3OX3WMbPnxqUd21g0DckVlaSco
                  3m1l+Maq8oxBXWZO/k1U1Xao3OkvaYmtK3kWTqik1qPrM2M01AEY5R02jYAGyAo3
                  Uy5pvMl246wfM7qvRq9tQuVFkUDkqVM6R9m5dg==
                  -----END CERTIFICATE-----

  • LDAP configuration for UserLookupHelper.

        ldapcfg:
          - name: ldapServer1
            scope: subtree
            user_object_classes: top,Person,organizationalPerson,inetOrgPerson
            filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
            selector: objectClass,cn,sn,givenName,userPassword,max_inactive_time
            srv_conn: ldap_test
            attribute: uid
            baseDN: dc=ibm,dc=com

  • The ldapcfg stanza srv_conn must match the server_connections name that is defined for the LDAP type.
  • The mapping rule must use the ldapcfg configuration name ldapServer1 to initialize the connection.

Mapping rule snippet

    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

    IDMappingExtUtils.traceString("Entering pre token mapping rule");
    IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

    var client = stsuu.getContextAttributes().getAttributeValueByName("client_id");

    // Connect to the LDAP instance named in the ldapcfg stanza
    var userLookupHelper = new UserLookupHelper("ldapServer1");
    if (userLookupHelper.isReady()) {
        var user = userLookupHelper.getUser(stsuu.getPrincipalName());
        if (user.getId() != null) {
            // Attribute values come back as strings; compare as a number so that,
            // for example, "100" is treated as greater than 90 (as strings it is not)
            var inactivity = user.getAttribute("max_inactive_time");
            if (parseInt(inactivity, 10) > 90) {
                // Delete the user's tokens for the requesting client
                OAuthMappingExtUtils.deleteToken(stsuu.getPrincipalName(), client);
            }
        }
    }
  • The mapping rule connects to an LDAP instance by using UserLookupHelper, retrieves a user, and checks for a specific attribute. Based on the attribute, it determines whether the tokens that are related to that user need to be deleted.
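The inactivity check from the mapping rule above, as testable functions run against a constructed user object. This is an added example, not code from the IBM page: the user object is a stand-in that mimics the getId() and getAttribute() calls on the object UserLookupHelper returns, `revoke` stands in for OAuthMappingExtUtils.deleteToken, and the function names, the user ids and the sample attribute values are assumptions. The attribute name max_inactive_time and the 90-day threshold come from the page. It also shows why the comparison must be numeric: LDAP attribute values arrive as strings, and "100" > "90" is false in JavaScript because strings compare lexically.

```javascript
// Parse the inactivity attribute to a number; null when absent or malformed.
function parseInactiveDays(value) {
  if (value === null || value === undefined) {
    return null;
  }
  var n = parseInt(String(value), 10);
  return isNaN(n) ? null : n;
}

// True only when the attribute is present, numeric and above the threshold.
// A missing or malformed attribute must not cause tokens to be deleted.
function shouldRevokeForInactivity(attrValue, thresholdDays) {
  var days = parseInactiveDays(attrValue);
  if (days === null) {
    return false;
  }
  return days > thresholdDays;
}

// Mirror of the rule's control flow: skip when LDAP is not ready or the user
// is not found, delete when the inactivity threshold is exceeded, else keep.
// `revoke(principal, clientId)` stands in for OAuthMappingExtUtils.deleteToken.
function evaluateUser(lookupReady, user, principal, clientId, thresholdDays, revoke) {
  if (!lookupReady) {
    return { action: "skip", reason: "ldap_not_ready" };
  }
  if (user === null || user.getId() === null) {
    return { action: "skip", reason: "user_not_found" };
  }
  var inactivity = user.getAttribute("max_inactive_time");
  var days = parseInactiveDays(inactivity);
  if (shouldRevokeForInactivity(inactivity, thresholdDays)) {
    revoke(principal, clientId);
    return { action: "deleted", days: days };
  }
  return { action: "keep", days: days };
}

// Constructed stand-in for the user object (assumption, not the real class).
function makeUser(id, attributes) {
  return {
    getId: function () { return id; },
    getAttribute: function (name) {
      return Object.prototype.hasOwnProperty.call(attributes, name) ? attributes[name] : null;
    }
  };
}

// Three constructed users: one over the threshold, one under it, one without
// the attribute at all. Returns the decisions and the list of deletions made.
function demoInactivity() {
  var deleted = [];
  var revoke = function (principal, clientId) { deleted.push(principal + "/" + clientId); };
  var inactive = makeUser("uid=alice", { max_inactive_time: "120" });
  var active = makeUser("uid=bob", { max_inactive_time: "30" });
  var noAttr = makeUser("uid=carol", {});
  return {
    alice: evaluateUser(true, inactive, "alice", "mobile-app", 90, revoke),
    bob: evaluateUser(true, active, "bob", "mobile-app", 90, revoke),
    carol: evaluateUser(true, noAttr, "carol", "mobile-app", 90, revoke),
    deleted: deleted
  };
}
```

The value "120" would be treated as not greater than "90" under a plain string comparison, which is why the parse step comes first; treating an absent or non-numeric attribute as "do not delete" keeps a directory data problem from silently revoking a user's tokens.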
