Retrieving and Deleting tokens belonging to a user
Scenarios exist where the number of grants that belong to certain users needs to be limited. In the following example, OAuthMappingExtUtils.getGrants is used to count the grants a user already holds for the requesting client and to reject the request once a limit is exceeded.
Configuration
Mapping rule snippet to be added into the pre token mapping rule
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

IDMappingExtUtils.traceString("Entering pre token mapping rule");
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

// client_id of the client making the token request
var client = stsuu.getContextAttributes().getAttributeValueByName("client_id");

// All grants currently held by the authenticated user, across every client
var grants = OAuthMappingExtUtils.getGrants(stsuu.getPrincipalName());

// Count only the grants that were issued to the requesting client
var grants_per_user_per_client = 0;
for (var i = 0; i < grants.length; i++) {
    var grant = grants[i];
    if (grant["ClientID"] == client) {
        grants_per_user_per_client++;
    }
}
IDMappingExtUtils.traceString("grants_per_user_per_client: " + grants_per_user_per_client);

// Fail the request once the per-client limit is exceeded
if (grants_per_user_per_client > 40) {
    OAuthMappingExtUtils.throwSTSException("Number of grants per user per client exceeded");
}
Output
ristretto_1 | [08/21/2024 13:07:07.866 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "JS: grants_per_user_per_client: 56"
ristretto_1 | [08/21/2024 13:07:07.867 UTC] (internal.errors.ParseJSError) I [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "Javascript throw OAuth/OIDC error."
ristretto_1 | [08/21/2024 13:07:07.867 UTC] (internal.javascript.worker.workOnTask) E [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "Encounter error execute script: server_error."
ristretto_1 | [08/21/2024 13:07:07.867 UTC] (TokenHandler.HandlerFunc) E [CORR_ID-3b684133-2cb9-490d-bd2e-107bf1feb5c5] "EnrichSession failed: server_error"
Scenarios exist where tokens and grants that belong to certain users need to be deleted based on user inactivity. In the following example, an LDAP connection is established by using UserLookupHelper.
Configuration
LDAP Configuration

- Server connection to connect to an LDAP instance.

server_connections:
  - name: ldap_test
    type: ldap
    hosts:
      - hostname: isva-openldap
        hostport: 636
    credential:
      bind_dn: 'cn=root,secAuthority=default'
      bind_password: "OBF:U2FsdGVkX19iBhl53QkybjO6RjFHhSbz4VRudYHA="
    ssl:
      certificate:
        - ks:ldap_keystore
      disable_hostname_verification: true
    conn_settings:
      max_pool_size: 50
      connect_timeout: 3

- LDAP connection certificate added to the keystore.

keystore:
  - name: ldap_keystore
    type: pem
    certificate:
      - label: ldap
        content: |
          -----BEGIN CERTIFICATE-----
          ...
          -----END CERTIFICATE-----

- LDAP configuration for UserLookupHelper.

ldapcfg:
  - name: ldapServer1
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    selector: objectClass,cn,sn,givenName,userPassword,max_inactive_time
    srv_conn: ldap_test
    attribute: uid
    baseDN: dc=ibm,dc=com
- The ldapcfg stanza srv_conn must match the server_connections name that is defined for the LDAP type.
- The mapping rule must use the ldapcfg configuration name ldapServer1 to initialize the connection.
- disable_hostname_verification: true turns off checking of the LDAP server certificate against the configured host name; it is shown here for a test host and should be left at its default outside test deployments.
Mapping rule snippet
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

IDMappingExtUtils.traceString("Entering pre token mapping rule");
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

var client = stsuu.getContextAttributes().getAttributeValueByName("client_id");

// Open the LDAP connection defined by the ldapcfg entry named ldapServer1
var userLookupHelper = new UserLookupHelper("ldapServer1");
if (userLookupHelper.isReady()) {
    var user = userLookupHelper.getUser(stsuu.getPrincipalName());
    if (user.getId() != null) {
        // LDAP attribute values are returned as strings; parse before comparing,
        // otherwise "100" > "90" is compared as text and evaluates to false
        var inactivity = parseInt(user.getAttribute("max_inactive_time"), 10);
        if (!isNaN(inactivity) && inactivity > 90) {
            // Delete this user's tokens for the requesting client
            OAuthMappingExtUtils.deleteToken(stsuu.getPrincipalName(), client);
        }
    }
}
- The mapping rule connects to an LDAP instance by using UserLookupHelper, retrieves a user, and checks for a specific attribute. Based on the attribute, it determines whether the tokens that are related to that user need to be deleted.
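The decision logic of both rules above, as an added example that is not code from the original page or from the product itself: it runs outside the mapping-rule runtime, and the grant list and the max_inactive_time value it uses are constructed sample data.

```javascript
// Added example (not from the original page): the decisions made by the two
// mapping rules, factored into plain functions. Only the "ClientID" property
// the first rule reads is assumed to exist on a grant object.

const MAX_GRANTS_PER_CLIENT = 40; // limit used by the first rule
const MAX_INACTIVE_DAYS = 90;     // threshold used by the second rule

// Count the user's existing grants that were issued to the requesting client.
function countGrantsForClient(grants, clientId) {
  let count = 0;
  for (const grant of grants) {
    if (grant["ClientID"] === clientId) count++;
  }
  return count;
}

// First rule: the error text the rule would raise via throwSTSException,
// or null when the request may proceed.
function checkGrantLimit(grants, clientId, limit = MAX_GRANTS_PER_CLIENT) {
  const count = countGrantsForClient(grants, clientId);
  return count > limit ? "Number of grants per user per client exceeded" : null;
}

// Second rule: LDAP attribute values arrive as strings, so the value is parsed
// before comparison. Compared as text, "100" > "90" is lexicographic and false.
// A missing or non-numeric attribute is treated as "keep the tokens".
function shouldDeleteTokens(maxInactiveTime, thresholdDays = MAX_INACTIVE_DAYS) {
  if (maxInactiveTime === null || maxInactiveTime === undefined) return false;
  const days = parseInt(String(maxInactiveTime), 10);
  if (Number.isNaN(days)) return false;
  return days > thresholdDays;
}

// Constructed sample data: three grants for client "app-a", one for "app-b".
const sampleGrants = [
  { ClientID: "app-a" },
  { ClientID: "app-a" },
  { ClientID: "app-b" },
  { ClientID: "app-a" },
];

console.log("app-a grants:", countGrantsForClient(sampleGrants, "app-a")); // 3
console.log("limit 2 ->", checkGrantLimit(sampleGrants, "app-a", 2));      // error text
console.log("inactive 100 ->", shouldDeleteTokens("100"));                  // true
console.log('as text, "100" > "90" ->', "100" > "90");                      // false
```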