Test JavaScript mapping rules
Test JavaScript mapping rules (runjs)
Mapping rules in Verify Identity Access OIDC Provider are used to enrich grants and responses. No easy way exists to test the JavaScript mapping rules other than mounting them into the container and performing a runtime flow, where the mapping rules are invoked. Compile time or runtime errors in the mapping rule must be fixed iteratively.
Syntax of the runjs command
docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/ivia/ivia-oidc-provider:24.12 /app/runjs premappingrule isvaop_pretoken.js input.json
For details about the parameter look here.
Format of the input
- The input is expected in JSON format.
- The JSON contains three top-level keys: `client_id`, `claimjson` and `stsuujson`. Note that the sample inputs on this page spell the first key `clientID`.
{
"clientID": "client01",
"claimjson": {
"userinfo": {
"given_name": {
"essential": true
}
},
"id_token": {
"auth_time": {
"essential": true
}
}
},
"stsuujson": {
"uid": "john",
"attributeContainer": [
{
"name": "AUTHENTICATION_LEVEL",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"1"
]
}],
"contextAttributes": [
{
"name": "client_assertion_alg",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"PS256"
]
}]
}
}
- If the input is not provided, a sample input.json is used to test the mapping rule.
- The sample input.json
{
"clientID": "client01",
"claimjson": {
"userinfo": {
"given_name": {
"essential": true
},
"nickname": null,
"email": {
"essential": true
},
"email_verified": {
"essential": true
},
"picture": null,
"http://example.info/claims/groups": null
},
"id_token": {
"auth_time": {
"essential": true
},
"acr": {
"values": [
"urn:mace:incommon:iap:silver"
]
}
}
},
"stsuujson": {
"uid": "john",
"attributeContainer": [
{
"name": "AUTHENTICATION_LEVEL",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"1"
]
},
{
"name": "AZN_CRED_AUTH_EPOCH_TIME",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"1689835718"
]
},
{
"name": "exp",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
1689839302
]
},
{
"name": "iat",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
1689835719
]
},
{
"name": "jti",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"757f585a-26c9-11ee-a674-0a5d59d77e68"
]
},
{
"name": "name",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"john"
]
},
{
"name": "nbf",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
1689835582
]
},
{
"name": "sub",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"john"
]
},
{
"name": "uid",
"type": "urn:ibm:names:ITFIM:5.1:accessmanager",
"values": [
"john"
]
}
],
"contextAttributes": [
{
"name": "claims",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
{
"userinfo": {
"openbanking_intent_id": {
"value": "edbade6a-d194-4552-8efb-8c078ab605dd",
"essential": true
}
},
"id_token": {
"openbanking_intent_id": {
"value": "edbade6a-d194-4552-8efb-8c078ab605dd",
"essential": true
}
}
}
]
},
{
"name": "client_assertion_alg",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"PS256"
]
},
{
"name": "client_assertion_type",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
]
},
{
"name": "client_id",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"client_ksa02"
]
},
{
"name": "codeChallengeExist",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
true
]
},
{
"name": "code_challenge_method",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"S256"
]
},
{
"name": "content-length",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"59"
]
},
{
"name": "origin",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"https://acme.ibm.com:6443"
]
},
{
"name": "redirectUriScheme",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"http"
]
},
{
"name": "referer",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"https://acme.ibm.com:6443/isvaop/oauth2/authorize?stateId=a4fd1d69-ba2b-4cd6-9457-d2bac2e596f0"
]
},
{
"name": "requestId",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"6ae94587-5ec8-4bc8-8c69-debb3a68c288"
]
},
{
"name": "request_type",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"authorize"
]
},
{
"name": "response_type",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"code"
]
},
{
"name": "scope",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"openid",
"profile"
]
},
{
"name": "sec-fetch-dest",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"document"
]
},
{
"name": "sec-fetch-mode",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"navigate"
]
},
{
"name": "sec-fetch-site",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"same-origin"
]
},
{
"name": "sec-fetch-user",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"?1"
]
},
{
"name": "state",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"c4874f4d-fd35-4f09-9557-251261361e88"
]
},
{
"name": "upgrade-insecure-requests",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"1"
]
},
{
"name": "user-agent",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"
]
},
{
"name": "x-forwarded-for",
"type": "urn:ibm:names:ITFIM:oauth:body:param",
"values": [
"101.67.92.81"
]
}
]
}
}
Testing a premappingrule rule type
-
The `premappingrule` rule type is used to enrich grants. The mapping rule can retrieve information from an LDAP server or an HTTP client to enrich grants, or it can use the session information available in the stsuujson object.
-
An example mapping rule which uses LDAP attributes to enrich grants
-
Prerequisites
- LDAP connection defined in the `server_connections` stanza.
...
# NOTE(review): the nesting below is reconstructed from a listing that was flattened
# onto one line; confirm the indentation against the product's configuration reference.
server_connections:                          # Server connections
  - name: ldap_srvconn                       # Connection name; the ldapcfg entry on this page points at it through srv_conn
    type: ldap                               # Connection type
    hosts:                                   # List of host information (IP and port)
      - hostname: openldap                   # Server's hostname
        hostport: 636                        # Server's host port
        credential:                          # Credential information to connect to the host.
          # Specifies the binding credential for the LDAP server connection.
          # NOTE(review): cn=root,secAuthority=Default is a directory administrator DN. The mapping
          # rule on this page only searches, so a bind DN limited to reading the needed subtree
          # would be enough for it.
          bind_dn: cn=root,secAuthority=Default
          # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
          # NOTE(review): the sample value is base64 that starts with the OpenSSL "Salted__" header,
          # so its protection presumably rests on the obfuscation key being kept apart from this
          # file; confirm how that key is provisioned before committing such a file.
          bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs="
        ssl:
          certificate:                       # The SSL connection certificate array.
            - ks:ldap_keys                   # The SSL keystore to be used for SSL connections. ks: indicates keystore.
          # The SSL connection validates the hostname. Keep this false: setting it to true
          # would stop the client from checking that the certificate matches the host.
          disable_hostname_verification: false
        conn_settings:                       # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
          max_pool_size: 50                  # Maximum connection pool size.
          connect_timeout: 3                 # Connect timeout, in seconds.
          aged_timeout: 5                    # Aged timeout, in seconds.
- `ldapcfg` stanza defined.
# LDAP lookup configuration used by the sample mapping rule on this page.
ldapcfg:
  - name: ldap_configuration    # the mapping rule passes this name to new LdapAttributeUtil(...)
    scope: subtree
    user_object_classes: top,Person,organizationalPerson,inetOrgPerson
    filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
    # NOTE(review): userPassword is listed here, and the sample run on this page ends with the
    # entry's {SSHA} userPassword value inside idtoken_data. If selector is what governs the
    # attributes handed back to the rule (confirm; the run also returns uid, which is not
    # listed), drop userPassword and list only attributes a token may carry.
    selector: objectClass,cn,sn,givenName,userPassword
    srv_conn: ldap_srvconn      # name of the server_connections entry to use
    attribute: uid
    baseDN: dc=ibm,dc=com
- LDAP connection defined in the
-
-
Mapping rule snippet
// Sample premappingrule: looks up one LDAP entry through the "ldap_configuration"
// ldapcfg entry and stores what the search returns in the ID token data.
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

// The argument is the `name` of the ldapcfg entry listed in the prerequisites.
var attrUtil = new LdapAttributeUtil("ldap_configuration");
var outJSON = []; // never read in this snippet

let result = attrUtil.init();
if(result.isSuccessful()) {
    IDMappingExtUtils.traceString("attrUtil.init() OK");
} else {
    // Initialisation failed: hand the error to the STS instead of continuing.
    OAuthMappingExtUtils.throwSTSException("LDAP connection fail");
}

if(attrUtil.isReady()){
    // Fixed DN and a match-everything filter, good for a demo only. A real rule would
    // derive the DN from the authenticated principal.
    let resultSearchAttr = attrUtil.search("cn=john,dc=ibm,dc=com", "(objectclass=*)");
    // NOTE(review): this writes the serialised search result to the trace log. If that
    // serialisation carries attribute values (confirm), the entry's userPassword value
    // lands in the log as well.
    IDMappingExtUtils.traceString("resultSearchAttr seaching for john:"+JSON.stringify(resultSearchAttr));
    if(!resultSearchAttr.hasError()){
        let searchResultItr = resultSearchAttr.getNamingEnumeration();
        while (searchResultItr.hasMore()) {
            let searchResult = searchResultItr.next();
            // NOTE(review): the whole attribute set of the entry is stored under its DN.
            // The sample run on this page ends with idtoken_data containing the
            // userPassword {SSHA} value, i.e. a password hash would be issued to the
            // relying party inside the ID token. A production rule should copy only
            // the named attributes the client needs and never credential attributes.
            idtokenData[searchResult.getName()] = searchResult.getAttributes()
        }
    }
    // There is no else branch: a search error leaves idtokenData untouched and
    // nothing is traced about it; the same holds when isReady() is false.
}
- Response
appuser| → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/ivia/ivia-oidc-provider:24.12 /app/runjs premappingrule ldapenrich.js input.json [09/14/2023 06:11:17.698 UTC] (internal.config.parseStagingFiles) I [CORR_ID-1c14c2b8-6a71-4752-a37a-04dfa9f2a651] "Loading ... [09/14/2023 06:11:17.903 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "JS mapping rule is ldapenrich.js" Input is : { "clientID": "client01", ... } [09/14/2023 06:11:17.932 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "Claims is {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}" [09/14/2023 06:11:17.932 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "scope is [openid profile]" ... 
JS file content is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils); importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils); importClass(Packages.com.ibm.security.access.user.UserLookupHelper); var attrUtil = new LdapAttributeUtil("ldap_configuration"); var outJSON = []; let result = attrUtil.init(); if(result.isSuccessful()) { IDMappingExtUtils.traceString("attrUtil.init() OK"); } else { OAuthMappingExtUtils.throwSTSException("LDAP connection fail"); } if(attrUtil.isReady()){ let resultSearchAttr = attrUtil.search("cn=john,dc=ibm,dc=com", "(objectclass=*)"); IDMappingExtUtils.traceString("resultSearchAttr seaching for john:"+JSON.stringify(resultSearchAttr)); if(!resultSearchAttr.hasError()){ let searchResultItr = resultSearchAttr.getNamingEnumeration(); while (searchResultItr.hasMore()) { let searchResult = searchResultItr.next(); idtokenData[searchResult.getName()] = searchResult.getAttributes() } } } [09/14/2023 06:11:18.026 UTC] (internal.modules.ldap.GetAttributeUtil) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "get LdapAttributeUtil for 'ldap_configuration'" [09/14/2023 06:11:18.026 UTC] (internal.modules.ldap.newProvider) I [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "Building LDAP Provider: 'ldap_srvconn'" ... Final result: idtoken_data is {"__$idt.ess$__":["auth_time"],"cn=john,dc=ibm,dc=com":{"attrs":{"cn":{"attr":["john"],"id":"cn"},"objectClass":{"attr":["top","person","organizationalPerson","inetOrgPerson"],"id":"objectClass"},"sn":{"attr":["a"],"id":"sn"},"uid":{"attr":["john"],"id":"uid"},"userPassword":{"attr":["{SSHA}hiGP/XPFUpmS4PfrywxVo15BUShnmgsC"],"id":"userPassword"}}}}
-
An example-mapping rule that uses session information available in the stsuujson object to enrich grants
// Sample premappingrule: copies two session attributes from the stsuu object
// into the access-token data and the ID-token data.
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());

// request_type is read from the contextAttributes section of the input
// ("authorize" in the sample input.json).
var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
IDMappingExtUtils.traceString("requestType is " + requestType);

// Both values are read from the attributeContainer section of the input.
// NOTE(review): what getAttributeValueByName returns for a missing attribute is not
// shown on this page; the values are assigned below without a check. Confirm.
var authnLevel = stsuu.getAttributeContainer().getAttributeValueByName("AUTHENTICATION_LEVEL");
var authnTime = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_AUTH_EPOCH_TIME");
IDMappingExtUtils.traceString("AUTHENTICATION_LEVEL is " + authnLevel);
IDMappingExtUtils.traceString("AZN_CRED_AUTH_EPOCH_TIME is " + authnTime);

// These show up as token_data and idtoken_data in the run output.
tokenData["AUTHENTICATION_LEVEL"] = authnLevel;
// NOTE(review): the sample output carries auth_time as the string "1689835718".
// OpenID Connect Core defines auth_time as a JSON number, so convert it if
// relying parties validate the claim type.
idtokenData["auth_time"] = authnTime;
-
Response
appuser| → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/ivia/ivia-oidc-provider:24.12 /app/runjs premappingrule pretokenmap.js input.json [09/14/2023 03:40:12.929 UTC] (internal.config.parseStagingFiles) I [CORR_ID-3c949cc1-44f2-4437-85ee-075a481b6b5f] "Loading configuration files." [09/14/2023 03:40:12.929 UTC] (internal.config.parseStagingFile) I [CORR_ID-3c949cc1-44f2-4437-85ee-075a481b6b5f] "Processing config file provider.yml" ... [09/14/2023 03:40:14.161 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS mapping rule is pretokenmap.js" Input is : { "clientID": "client01", "claimjson": { "userinfo": { "given_name": { "essential": true } }, "id_token": { "auth_time": { "essential": true } ... } }, "stsuujson": { "uid": "john", "attributeContainer": [ { "name": "AUTHENTICATION_LEVEL", "type": "urn:ibm:names:ITFIM:5.1:accessmanager", "values": [ "1" ] } ... ], "contextAttributes": [ { "name": "client_assertion_alg", "type": "urn:ibm:names:ITFIM:oauth:body:param", "values": [ "PS256" ] } ... } [09/14/2023 03:40:14.249 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "Claims is {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}" [09/14/2023 03:40:14.25 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "scope is [openid profile]" ... 
JS file content is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils); IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName()); var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type"); IDMappingExtUtils.traceString("requestType is " + requestType); var authnLevel = stsuu.getAttributeContainer().getAttributeValueByName("AUTHENTICATION_LEVEL"); var authnTime = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_AUTH_EPOCH_TIME"); IDMappingExtUtils.traceString("AUTHENTICATION_LEVEL is " + authnLevel); IDMappingExtUtils.traceString("AZN_CRED_AUTH_EPOCH_TIME is " + authnTime); tokenData["AUTHENTICATION_LEVEL"] = authnLevel; idtokenData["auth_time"] = authnTime; [09/14/2023 03:40:14.375 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: Principal name is john" [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: requestType is authorize" [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: AUTHENTICATION_LEVEL is 1" [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: AZN_CRED_AUTH_EPOCH_TIME is 1689835718" Final result: stsuu is ... Final result: token_data is {"AUTHENTICATION_LEVEL":"1"} Final result: idtoken_data is {"__$idt.ess$__":["auth_time"],"auth_time":"1689835718"}
Testing a postmappingrule rule type
-
The `postmappingrule` rule type is used to enrich the response. The mapping rule can update the response headers and parameters.
-
An example mapping rule which enriches headers and parameters
// Sample postmappingrule: sets fixed response headers and response parameters
// and traces two values taken from the flow.
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");

// Entries put into headersOverride appear as override_headers in the run output.
// NOTE(review): "interactionID" is a literal placeholder. FAPI defines
// x-fapi-interaction-id as a UUID that correlates one request with its response,
// so a real rule would echo the value sent by the client or generate a fresh one.
headersOverride["x-fapi-interaction-id"] = "interactionID";
headersOverride["cnpj-value"] = "cnpj-505";

// Entries put into paramsOverride appear as override_parameters in the run output.
paramsOverride["interactionID"] = "interactionID";
paramsOverride["fapi-param"] = "fapi-param";

IDMappingExtUtils.traceString("requestType is " + requestType);
// The issuer is read from the provider definition ("https://www.ibm.com" in the sample run).
IDMappingExtUtils.traceString("issuer is " + oauth_definition.getOidc().getIss());
- Response
appuser | → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/ivia/ivia-oidc-provider:24.12 /app/runjs postmappingrule posttokenmap.js [09/14/2023 06:33:15.604 UTC] (internal.config.parseStagingFiles) I [CORR_ID-d3704478-ee43-42d4-a4b6-d2a9b68a9d19] "Loading configuration files." ... [09/14/2023 06:33:15.826 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS mapping rule is posttokenmap.js" [09/14/2023 06:33:15.827 UTC] (cmd.runjs.main) I [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "Input parameter is empty, will use the default file /var/isvaop/input.json " Input is : { "clientID": "client01", "claimjson": { "userinfo": { "given_name": { "essential": true }, ... [09/14/2023 06:33:15.853 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "Claims is {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}" [09/14/2023 06:33:15.853 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "scope is [openid profile]" The inputs fed to engine is map[claimsJson: ... 
JS file content is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils); var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type"); headersOverride["x-fapi-interaction-id"] = "interactionID"; headersOverride["cnpj-value"] = "cnpj-505"; paramsOverride["interactionID"] = "interactionID"; paramsOverride["fapi-param"] = "fapi-param"; IDMappingExtUtils.traceString("requestType is " + requestType); IDMappingExtUtils.traceString("issuer is " + oauth_definition.getOidc().getIss()); [09/14/2023 06:33:15.973 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS: requestType is authorize" [09/14/2023 06:33:15.973 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS: issuer is https://www.ibm.com" Final result: stsuu is {"attributeContainer":[{"name":"AUTHENTICATION_LEVEL","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1"]...} Final result: override_parameters is {"fapi-param":"fapi-param","interactionID":"interactionID"} Final result: override_headers is {"cnpj-value":"cnpj-505","x-fapi-interaction-id":"interactionID"}
How to retrieve the context during a runtime flow
-
During a runtime flow, the context of the runtime flow can be used as sample input to a subsequent runjs utility.
-
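A mapping rule global variable `mappingrule_context` exists that can be used to print the context of an on-going runtime flow. The printed context carries the request and session attributes of that flow (the sample output below includes the principal name, `state`, `requestId` and `x-forwarded-for`), so capture it in a test environment and handle the resulting log as data about a user session.
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());
IDMappingExtUtils.stdoutPrintln("runJSContext : \n\n" + mappingrule_context);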
-
Response
appuser | → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjsjs/input:/var/isvaop/input/ icr.io/ivia/ivia-oidc-provider:24.12 /app/runjs premappingrule isvaop_premap.js input.json [09/14/2023 06:57:16.584 UTC] (internal.config.parseStagingFiles) I [CORR_ID-7baf5755-9fe5-4096-9e9d-1862da9df434] "Loading configuration files." ... [09/14/2023 06:57:16.864 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-c843676c-f103-42c1-bb75-f8cf23fa0cbb] "JS mapping rule is isvaop_premap.js" Input is : { ... [09/14/2023 06:57:16.944 UTC] (internal.javascript.worker.startWorker) D [__jsengine__] "Isolate ID: 42fbefa9-ab26-447d-8623-076caf626e3d pick up a job." JS file content is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils); IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName()); IDMappingExtUtils.stdoutPrintln("runJSContext : \n\n" + mappingrule_context); [09/14/2023 06:57:16.955 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-c843676c-f103-42c1-bb75-f8cf23fa0cbb] "JS: Principal name is john" runJSContext : 
{"clientID":"client01","stsuujson":{"uid":"john","attributeContainer":[{"name":"AUTHENTICATION_LEVEL","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1"]},{"name":"AZN_CRED_AUTH_EPOCH_TIME","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689835718"]},{"name":"exp","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689839302"]},{"name":"iat","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689835719"]},{"name":"jti","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["757f585a-26c9-11ee-a674-0a5d59d77e68"]},{"name":"name","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]},{"name":"nbf","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1.689835582e+09"]},{"name":"sub","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]},{"name":"uid","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]}],"contextAttributes":[{"name":"client_assertion_alg","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["PS256"]},{"name":"client_assertion_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"]},{"name":"client_id","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["client_ksa02"]},{"name":"codeChallengeExist","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["true"]},{"name":"code_challenge_method","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["S256"]},{"name":"content-length","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["59"]},{"name":"grant_types","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["authorization_code","refresh_token"]},{"name":"origin","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["https://isamfed.com:6443"]},{"name":"redirectUriScheme","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["http"]},{"name":"referer","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["https://isamfed.com:6443/isvaop/oauth2/authorize?stateId=a4fd1d69-ba2b-4cd6-9457-d2bac2
e596f0"]},{"name":"requestId","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["6ae94587-5ec8-4bc8-8c69-debb3a68c288"]},{"name":"request_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["authorize"]},{"name":"response_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["code"]},{"name":"scope","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["openid","profile"]},{"name":"sec-fetch-dest","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["document"]},{"name":"sec-fetch-mode","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["navigate"]},{"name":"sec-fetch-site","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["same-origin"]},{"name":"sec-fetch-user","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["?1"]},{"name":"state","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["c4874f4d-fd35-4f09-9557-251261361e88"]},{"name":"testAttr","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["value1"]},{"name":"upgrade-insecure-requests","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["1"]},{"name":"user-agent","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"]},{"name":"x-forwarded-for","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["10.67.92.81"]}]},"claimjson":{"id_token":{"acr":{"values":["urn:mace:incommon:iap:silver"]},"auth_time":{"essential":true}},"userinfo":{"email":{"essential":true},"email_verified":{"essential":true},"given_name":{"essential":true},"http://example.info/claims/groups":null,"nickname":null,"picture":null}}} Final result: stsuu is ... Final result: idtoken_data is {"__$idt.ess$__":["auth_time"]}