Test JavaScript mapping rules

Test JavaScript mapping rules (runjs)

Mapping rules in Verify Access OIDC Provider are used to enrich grants and responses. Without a test harness, the only way to test a JavaScript mapping rule is to mount it into the container and run a full runtime flow that invokes it, fixing compile-time and runtime errors iteratively. The runjs utility in the container image runs a mapping rule directly against a sample input (input.json), so the rule can be checked before it is deployed.

Syntax of the runjs command

docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/isva/verify-access-oidc-provider:24.06 /app/runjs premappingrule isvaop_pretoken.js input.json

For details about the command-line parameters (rule type, mapping rule file and input file), see the runjs command reference.

Format of the input

  • The input is expected in JSON format.
  • The JSON contains three top-level keys: clientID (the OAuth client the flow runs for), claimjson (the requested claims, in the form of the OpenID Connect claims request parameter) and stsuujson (the STSUU session document with its uid, attributeContainer and contextAttributes).
{
  "clientID": "client01",
  "claimjson": {
    "userinfo": {
      "given_name": {
        "essential": true
      }
    },
    "id_token": {
      "auth_time": {
        "essential": true
      }
    }
  },  
  "stsuujson": {
    "uid": "john",
      "attributeContainer": [
      {
        "name": "AUTHENTICATION_LEVEL",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "1"
        ]
      }],
      "contextAttributes": [
      {
        "name": "client_assertion_alg",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "PS256"
        ]
      }]
    }
}
  • If no input file is given on the command line, the default /var/isvaop/input.json inside the container is used (runjs reports "Input parameter is empty, will use the default file /var/isvaop/input.json").
  • The sample input.json
{
  "clientID": "client01",
  "claimjson": {
    "userinfo": {
      "given_name": {
        "essential": true
      },
      "nickname": null,
      "email": {
        "essential": true
      },
      "email_verified": {
        "essential": true
      },
      "picture": null,
      "http://example.info/claims/groups": null
    },
    "id_token": {
      "auth_time": {
        "essential": true
      },
      "acr": {
        "values": [
          "urn:mace:incommon:iap:silver"
        ]
      }
    }
  },
  "stsuujson": {
    "uid": "john",
    "attributeContainer": [
      {
        "name": "AUTHENTICATION_LEVEL",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "1"
        ]
      },
      {
        "name": "AZN_CRED_AUTH_EPOCH_TIME",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "1689835718"
        ]
      },
      {
        "name": "exp",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          1689839302
        ]
      },
      {
        "name": "iat",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          1689835719
        ]
      },
      {
        "name": "jti",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "757f585a-26c9-11ee-a674-0a5d59d77e68"
        ]
      },
      {
        "name": "name",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "john"
        ]
      },
      {
        "name": "nbf",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          1689835582
        ]
      },
      {
        "name": "sub",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "john"
        ]
      },
      {
        "name": "uid",
        "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
        "values": [
          "john"
        ]
      }
    ],
    "contextAttributes": [
      {
        "name": "claims",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          {
            "userinfo": {
              "openbanking_intent_id": {
                "value": "edbade6a-d194-4552-8efb-8c078ab605dd",
                "essential": true
              }
            },
            "id_token": {
              "openbanking_intent_id": {
                "value": "edbade6a-d194-4552-8efb-8c078ab605dd",
                "essential": true
              }
            }
          }
        ]
      },
      {
        "name": "client_assertion_alg",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "PS256"
        ]
      },
      {
        "name": "client_assertion_type",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
        ]
      },
      {
        "name": "client_id",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "client_ksa02"
        ]
      },
      {
        "name": "codeChallengeExist",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          true
        ]
      },
      {
        "name": "code_challenge_method",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "S256"
        ]
      },
      {
        "name": "content-length",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "59"
        ]
      },
      {
        "name": "origin",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "https://acme.ibm.com:6443"
        ]
      },
      {
        "name": "redirectUriScheme",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "http"
        ]
      },
      {
        "name": "referer",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "https://acme.ibm.com:6443/isvaop/oauth2/authorize?stateId=a4fd1d69-ba2b-4cd6-9457-d2bac2e596f0"
        ]
      },
      {
        "name": "requestId",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "6ae94587-5ec8-4bc8-8c69-debb3a68c288"
        ]
      },
      {
        "name": "request_type",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "authorize"
        ]
      },
      {
        "name": "response_type",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "code"
        ]
        
      },
      {
        "name": "scope",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "openid",
          "profile"
        ]
      },
      {
        "name": "sec-fetch-dest",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "document"
        ]
      },
      {
        "name": "sec-fetch-mode",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "navigate"
        ]
      },
      {
        "name": "sec-fetch-site",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "same-origin"
        ]
      },
      {
        "name": "sec-fetch-user",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "?1"
        ]
      },
      {
        "name": "state",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "c4874f4d-fd35-4f09-9557-251261361e88"
        ]
      },
      {
        "name": "upgrade-insecure-requests",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "1"
        ]
      },
      {
        "name": "user-agent",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"
        ]
      },
      {
        "name": "x-forwarded-for",
        "type": "urn:ibm:names:ITFIM:oauth:body:param",
        "values": [
          "101.67.92.81"
        ]
      }
    ]
  }
}

Testing a premappingrule rule type

  • The premappingrule rule type is used to enrich grants. The mapping rule can look up additional information in an LDAP directory or through an HTTP client, or it can use the session information available in the stsuujson object, to enrich the grant.

  • An example mapping rule which uses LDAP attributes to enrich grants. Copy only the specific attributes the token needs into idtokenData rather than the whole LDAP entry: the ldapcfg selector below also returns userPassword, so storing the entry unfiltered puts the {SSHA} password hash into the id_token data (visible in the "Final result" output below).

    • Prerequisites

      • LDAP connection defined in the server_connections stanza, using LDAPS (port 636) with a keystore that holds the server's CA and with hostname verification left enabled.
        ...
        server_connections:                                         # Server connections
          - name: ldap_srvconn                                      # Connection name
            type: ldap                                              # Connection type
            hosts:                                                  # List of host information (IP and port)
              - hostname: openldap                                  # Server's hostname
                hostport: 636                                       # Server's host port
                credential:                                         # Credential information to connect to the host.
                  bind_dn: cn=root,secAuthority=Default             # Specifies the binding credential for the LDAP server connection.
                                                                    # NOTE(review): cn=root binds as the directory's top-level account; a dedicated read-only service account limited to the user subtree is the least-privilege choice.
                  bind_password: "OBF:U2FsdGVkX1+BPKsUsh0oGSsNNr1HSsAQWwPLB30MyDs=" 
                                                                    # Specifies the binding password for the LDAP server connection. It is recommended to obfuscate this.
                                                                    # NOTE(review): OBF: is obfuscation, not encryption. Assume anyone who can read this file can recover the bind password, so keep the mounted config volume readable only by the container user.
            ssl:
              certificate:                                          # The SSL connection certificate array.
                - ks:ldap_keys                                      # The SSL keystore to be used for SSL connections. ks: indicates keystore.
              disable_hostname_verification: false                  # The SSL connection validates the hostname. Leave false: disabling it means the LDAP server's certificate is no longer checked against the hostname.
            conn_settings:                                          # Connection pool settings for the LDAP server. It can be specified at the top level if the settings are common across hosts.
              max_pool_size: 50                                     # Maximum connection pool size.
              connect_timeout: 3                                    # Connect timeout, in seconds.
              aged_timeout: 5                                       # Aged timeout, in seconds.
      
      
      • ldapcfg stanza defined; it refers to the server connection above through srv_conn.
        ldapcfg:
        - name: ldap_configuration
          scope: subtree
          user_object_classes: top,Person,organizationalPerson,inetOrgPerson
          filter: (|(|(objectclass=ePerson)(objectclass=person))(objectclass=User))
          # Attributes returned to the mapping rule.
          # NOTE(review): userPassword is handed to the mapping rule here; the example rule below copies the
          # whole entry into idtokenData and the {SSHA} hash shows up in idtoken_data. Drop it from the
          # selector unless another consumer of this stanza needs it, and never copy it into a token.
          selector: objectClass,cn,sn,givenName,userPassword
          srv_conn: ldap_srvconn                                    # Server connection defined in server_connections
          attribute: uid                                            # Attribute that identifies the user (the STSUU uid is "john" in the sample input)
          baseDN: dc=ibm,dc=com
      
      
  • Mapping rule snippet

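      // premappingrule: enrich the ID token with attributes read from LDAP.
      //
      // Globals supplied by the engine (see the runjs output on this page):
      //   stsuu             - the session (STSUU); the sample input's principal is "john"
      //   idtokenData       - claims that are written into the id_token
      //   LdapAttributeUtil - LDAP helper bound to an ldapcfg stanza name
      importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
      importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
      importClass(Packages.com.ibm.security.access.user.UserLookupHelper);

      // Escape a value for use inside an LDAP search filter (RFC 4515) so that a
      // principal name such as "john)(uid=*" cannot widen the search.
      function escapeLdapFilterValue(value) {
          return String(value).replace(/[\\*()\u0000]/g, function (ch) {
              return "\\" + ("0" + ch.charCodeAt(0).toString(16)).slice(-2);
          });
      }

      // Only these attributes are copied into the ID token. Never copy the whole
      // entry: the ldapcfg selector also returns userPassword, and storing the
      // entry unfiltered puts the {SSHA} password hash into idtoken_data.
      var ID_TOKEN_ATTRIBUTES = ["cn", "sn", "givenName"];

      var attrUtil = new LdapAttributeUtil("ldap_configuration");

      let result = attrUtil.init();
      if (result.isSuccessful()) {
          IDMappingExtUtils.traceString("attrUtil.init() OK");
      } else {
          // Abort the flow instead of silently issuing a token without the
          // enrichment. Presumably throwSTSException does not return — confirm.
          OAuthMappingExtUtils.throwSTSException("LDAP connection fail");
      }

      if (attrUtil.isReady()) {
          // Look the user up by the session principal rather than a hard-coded DN.
          // uid and dc=ibm,dc=com match the attribute/baseDN of the ldapcfg stanza.
          let principal = stsuu.getPrincipalName();
          let filter = "(uid=" + escapeLdapFilterValue(principal) + ")";
          let resultSearchAttr = attrUtil.search("dc=ibm,dc=com", filter);
          IDMappingExtUtils.traceString("resultSearchAttr searching for " + principal + ":" + JSON.stringify(resultSearchAttr));
          if (!resultSearchAttr.hasError()) {
              let searchResultItr = resultSearchAttr.getNamingEnumeration();
              while (searchResultItr.hasMore()) {
                  let searchResult = searchResultItr.next();
                  // Round-trip through JSON to get a plain object. The shape
                  // {"attrs":{"<name>":{"attr":[...],"id":"<name>"}}} is what the
                  // runjs "Final result" output shows — confirm against the engine.
                  let serialized = JSON.stringify(searchResult.getAttributes());
                  let parsed = serialized ? JSON.parse(serialized) : null;
                  let attrs = (parsed && parsed.attrs) || {};
                  for (let i = 0; i < ID_TOKEN_ATTRIBUTES.length; i++) {
                      let name = ID_TOKEN_ATTRIBUTES[i];
                      let entry = attrs[name];
                      if (entry && entry.attr && entry.attr.length > 0) {
                          idtokenData[name] = entry.attr[0];
                      }
                  }
              }
          }
      }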
    
    
    • Response
      appuser| → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/isva/verify-access-oidc-provider:24.06 /app/runjs premappingrule ldapenrich.js input.json
      [09/14/2023 06:11:17.698 UTC] (internal.config.parseStagingFiles) I [CORR_ID-1c14c2b8-6a71-4752-a37a-04dfa9f2a651] "Loading 
      ...
      [09/14/2023 06:11:17.903 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "JS mapping rule is ldapenrich.js"
      Input is : {
        "clientID": "client01",
        ...
      }
      [09/14/2023 06:11:17.932 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "Claims is  {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}"
      [09/14/2023 06:11:17.932 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "scope is [openid profile]"
      ...
      JS file content  is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
      importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
      importClass(Packages.com.ibm.security.access.user.UserLookupHelper);
    
    
      var attrUtil = new LdapAttributeUtil("ldap_configuration");
      var outJSON = [];
    
      let result = attrUtil.init();
      if(result.isSuccessful()) {
          IDMappingExtUtils.traceString("attrUtil.init() OK");
      } else {
        OAuthMappingExtUtils.throwSTSException("LDAP connection fail");
      }
    
    
      if(attrUtil.isReady()){
          let resultSearchAttr = attrUtil.search("cn=john,dc=ibm,dc=com", "(objectclass=*)");
          IDMappingExtUtils.traceString("resultSearchAttr seaching for john:"+JSON.stringify(resultSearchAttr)); 
          if(!resultSearchAttr.hasError()){
              
              let searchResultItr = resultSearchAttr.getNamingEnumeration();
              while (searchResultItr.hasMore()) {
                  let searchResult = searchResultItr.next();
                  
                  idtokenData[searchResult.getName()] = searchResult.getAttributes()
              }
          }
      }
      [09/14/2023 06:11:18.026 UTC] (internal.modules.ldap.GetAttributeUtil) D [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "get LdapAttributeUtil for 'ldap_configuration'"
      [09/14/2023 06:11:18.026 UTC] (internal.modules.ldap.newProvider) I [CORR_ID-RUNJS_LOGGER-cfff5a3a-0052-4e4a-8a65-8405ecb82600] "Building LDAP Provider: 'ldap_srvconn'"
      ...
    
    
      Final result: 
      idtoken_data is {"__$idt.ess$__":["auth_time"],"cn=john,dc=ibm,dc=com":{"attrs":{"cn":{"attr":["john"],"id":"cn"},"objectClass":{"attr":["top","person","organizationalPerson","inetOrgPerson"],"id":"objectClass"},"sn":{"attr":["a"],"id":"sn"},"uid":{"attr":["john"],"id":"uid"},"userPassword":{"attr":["{SSHA}hiGP/XPFUpmS4PfrywxVo15BUShnmgsC"],"id":"userPassword"}}}}
    
  • An example mapping rule that uses session information available in the stsuujson object to enrich grants. Note that STSUU attribute values are strings (the sample AZN_CRED_AUTH_EPOCH_TIME is "1689835718") and OpenID Connect Core requires auth_time to be a JSON number, so convert the value before setting idtokenData["auth_time"].

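      // premappingrule: copy session facts from the STSUU into the access-token
      // (tokenData) and ID-token (idtokenData) claim maps.
      //
      // Globals supplied by the engine: stsuu, tokenData, idtokenData.
      importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

      IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());
      var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
      IDMappingExtUtils.traceString("requestType is " + requestType);

      // Both values come from the attributeContainer of the STSUU; presumably
      // getAttributeValueByName yields null when the attribute is absent — confirm.
      var attributeContainer = stsuu.getAttributeContainer();
      var authnLevel = attributeContainer.getAttributeValueByName("AUTHENTICATION_LEVEL");
      var authnTime = attributeContainer.getAttributeValueByName("AZN_CRED_AUTH_EPOCH_TIME");

      IDMappingExtUtils.traceString("AUTHENTICATION_LEVEL is " + authnLevel);
      IDMappingExtUtils.traceString("AZN_CRED_AUTH_EPOCH_TIME is " + authnTime);

      // Only set a claim when the session actually carries the value; copying a
      // missing value through would still add the claim, with a null value.
      if (authnLevel !== null && authnLevel !== undefined) {
          tokenData["AUTHENTICATION_LEVEL"] = authnLevel;
      }

      // The STSUU carries the epoch time as a string ("1689835718" in the sample
      // input) but OpenID Connect Core requires auth_time to be a JSON number,
      // so convert it and skip the claim when the value is not a plain integer.
      var authnTimeText = (authnTime === null || authnTime === undefined) ? "" : String(authnTime);
      if (/^\d+$/.test(authnTimeText)) {
          idtokenData["auth_time"] = parseInt(authnTimeText, 10);
      } else {
          IDMappingExtUtils.traceString("AZN_CRED_AUTH_EPOCH_TIME is missing or not an integer; auth_time not set");
      }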
    
    
  • Response

        appuser| → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/isva/verify-access-oidc-provider:24.06 /app/runjs premappingrule pretokenmap.js input.json
        [09/14/2023 03:40:12.929 UTC] (internal.config.parseStagingFiles) I [CORR_ID-3c949cc1-44f2-4437-85ee-075a481b6b5f] "Loading configuration files."
        [09/14/2023 03:40:12.929 UTC] (internal.config.parseStagingFile) I [CORR_ID-3c949cc1-44f2-4437-85ee-075a481b6b5f] "Processing config file provider.yml"
        ...
        [09/14/2023 03:40:14.161 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS mapping rule is pretokenmap.js"
        Input is : {
          "clientID": "client01",
          "claimjson": {
            "userinfo": {
              "given_name": {
                "essential": true
              }
            },
            "id_token": {
              "auth_time": {
                "essential": true
              }
              ...
            }
          },
          "stsuujson": {
            "uid": "john",
            "attributeContainer": [
              {
                "name": "AUTHENTICATION_LEVEL",
                "type": "urn:ibm:names:ITFIM:5.1:accessmanager",
                "values": [
                  "1"
                ]
              }
              ...
            ],
            "contextAttributes": [
              {
                "name": "client_assertion_alg",
                "type": "urn:ibm:names:ITFIM:oauth:body:param",
                "values": [
                  "PS256"
                ]
              }
              ...
        }
        [09/14/2023 03:40:14.249 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "Claims is  {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}"
        [09/14/2023 03:40:14.25 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "scope is [openid profile]"
        ...
        JS file content  is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    
    
        IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());
        var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
        IDMappingExtUtils.traceString("requestType is " + requestType);
        var authnLevel = stsuu.getAttributeContainer().getAttributeValueByName("AUTHENTICATION_LEVEL");
        var authnTime = stsuu.getAttributeContainer().getAttributeValueByName("AZN_CRED_AUTH_EPOCH_TIME");
    
        IDMappingExtUtils.traceString("AUTHENTICATION_LEVEL is " + authnLevel);
        IDMappingExtUtils.traceString("AZN_CRED_AUTH_EPOCH_TIME is " + authnTime);
    
        tokenData["AUTHENTICATION_LEVEL"] = authnLevel;
        idtokenData["auth_time"] = authnTime;
    
    
    
    
        [09/14/2023 03:40:14.375 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: Principal name is john"
        [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: requestType is authorize"
        [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: AUTHENTICATION_LEVEL is 1"
        [09/14/2023 03:40:14.376 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-ac8d77e6-5fce-4d9e-9344-268dbb9161cc] "JS: AZN_CRED_AUTH_EPOCH_TIME is 1689835718"
    
    
    
    
        Final result: 
        stsuu is ...
    
        Final result: 
        token_data is {"AUTHENTICATION_LEVEL":"1"}
    
    
    
    
        Final result: 
        idtoken_data is {"__$idt.ess$__":["auth_time"],"auth_time":"1689835718"}
    
    

Testing a postmappingrule rule type

  • The postmappingrule rule type is used to enrich the response. The mapping rule can update the response headers and parameters.

  • An example mapping rule which enriches headers and parameters

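        // postmappingrule: add headers and parameters to the response.
        //
        // Globals supplied by the engine: stsuu, headersOverride, paramsOverride
        // and oauth_definition (see the runjs output below).
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        var contextAttributes = stsuu.getContextAttributes();
        var requestType = contextAttributes.getAttributeValueByName("request_type");

        // Inbound request headers are available as context attributes (origin,
        // referer, user-agent, x-forwarded-for, ... in the sample input). FAPI
        // expects a response to carry the caller's x-fapi-interaction-id when one
        // was sent, so echo it and use the sample's fixed value only when the
        // request had none (a production rule should generate a fresh UUID there).
        var inboundInteractionId = contextAttributes.getAttributeValueByName("x-fapi-interaction-id");
        headersOverride["x-fapi-interaction-id"] = inboundInteractionId ? String(inboundInteractionId) : "interactionID";
        headersOverride["cnpj-value"] = "cnpj-505";
        paramsOverride["interactionID"] = "interactionID";
        paramsOverride["fapi-param"] = "fapi-param";
        IDMappingExtUtils.traceString("requestType is " + requestType);
        IDMappingExtUtils.traceString("issuer is " + oauth_definition.getOidc().getIss());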
    
    • Response
        appuser | → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/isva/verify-access-oidc-provider:24.06 /app/runjs postmappingrule posttokenmap.js
        [09/14/2023 06:33:15.604 UTC] (internal.config.parseStagingFiles) I [CORR_ID-d3704478-ee43-42d4-a4b6-d2a9b68a9d19] "Loading configuration files."
        ...
        [09/14/2023 06:33:15.826 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS mapping rule is posttokenmap.js"
        [09/14/2023 06:33:15.827 UTC] (cmd.runjs.main) I [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "Input parameter is empty, will use the default file /var/isvaop/input.json "
        Input is : {
            "clientID": "client01",
            "claimjson": {
              "userinfo": {
                "given_name": {
                  "essential": true
                },
               ...
        [09/14/2023 06:33:15.853 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "Claims is  {\"id_token\":{\"acr\":{\"values\":[\"urn:mace:incommon:iap:silver\"]},\"auth_time\":{\"essential\":true}},\"userinfo\":{\"email\":{\"essential\":true},\"email_verified\":{\"essential\":true},\"given_name\":{\"essential\":true},\"http://example.info/claims/groups\":null,\"nickname\":null,\"picture\":null}}"
        [09/14/2023 06:33:15.853 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "scope is [openid profile]"
        The inputs fed to engine is map[claimsJson:
        ...
        JS file content  is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
        var requestType = stsuu.getContextAttributes().getAttributeValueByName("request_type");
    
        headersOverride["x-fapi-interaction-id"] = "interactionID";
        headersOverride["cnpj-value"] = "cnpj-505";
        paramsOverride["interactionID"] = "interactionID";
        paramsOverride["fapi-param"] = "fapi-param";
        IDMappingExtUtils.traceString("requestType is " + requestType);
        IDMappingExtUtils.traceString("issuer is " + oauth_definition.getOidc().getIss());
    
    
    
    
    
        [09/14/2023 06:33:15.973 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS: requestType is authorize"
        [09/14/2023 06:33:15.973 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-f7998813-bd73-459f-acc8-22f9d63dfc55] "JS: issuer is https://www.ibm.com"
    
    
    
    
        Final result: 
        stsuu is {"attributeContainer":[{"name":"AUTHENTICATION_LEVEL","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1"]...}
    
        Final result: 
        override_parameters is {"fapi-param":"fapi-param","interactionID":"interactionID"}
    
        Final result: 
        override_headers is {"cnpj-value":"cnpj-505","x-fapi-interaction-id":"interactionID"}
    
    

How to retrieve the context during a runtime flow

  • During a runtime flow, the context that the engine passes to a mapping rule can be captured and saved as the input.json for a later runjs invocation, so the rule can be re-run offline against real data.

  • A mapping rule global variable, mappingrule_context, holds the context of the on-going runtime flow and can be printed from the rule. The context is the complete clientID/claimjson/stsuujson document — principal, session attributes, request headers such as x-forwarded-for and user-agent, and the OAuth state value — so add this only in a test environment, remove it before the rule is deployed, and treat captured files as sensitive data. Numeric attribute values may also be re-serialised in a different form (in the output below nbf appears as "1.689835582e+09"), so quote epoch values as strings in input.json and parse them in the rule.

        // Dump the engine-supplied context of the current flow so it can be saved
        // as input.json for runjs. mappingrule_context holds the whole STSUU
        // (principal, session attributes, request headers, state) — see the
        // output below — so remove this rule before it reaches production or
        // that data lands in the container's stdout/log.
        importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);

        var principalName = stsuu.getPrincipalName();
        IDMappingExtUtils.traceString("Principal name is " + principalName);

        var contextDump = "runJSContext : \n\n" + mappingrule_context;
        IDMappingExtUtils.stdoutPrintln(contextDump);
    
  • Response

        appuser | → docker run --rm --volume /home/runjs/isvaop-config:/var/isvaop/config --volume /home/runjs/input:/var/isvaop/input/ icr.io/isva/verify-access-oidc-provider:24.06 /app/runjs premappingrule isvaop_premap.js input.json
        [09/14/2023 06:57:16.584 UTC] (internal.config.parseStagingFiles) I [CORR_ID-7baf5755-9fe5-4096-9e9d-1862da9df434] "Loading configuration files."
        ...
        [09/14/2023 06:57:16.864 UTC] (cmd.runjs.main) D [CORR_ID-RUNJS_LOGGER-c843676c-f103-42c1-bb75-f8cf23fa0cbb] "JS mapping rule is isvaop_premap.js"
        Input is : {
        ...
        [09/14/2023 06:57:16.944 UTC] (internal.javascript.worker.startWorker) D [__jsengine__] "Isolate ID: 42fbefa9-ab26-447d-8623-076caf626e3d pick up a job."
        JS file content  is : importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
    
    
              IDMappingExtUtils.traceString("Principal name is " + stsuu.getPrincipalName());
              
              IDMappingExtUtils.stdoutPrintln("runJSContext : \n\n" + mappingrule_context);
        [09/14/2023 06:57:16.955 UTC] (internal.javascript.utils.traceFn) D [CORR_ID-RUNJS_LOGGER-c843676c-f103-42c1-bb75-f8cf23fa0cbb] "JS: Principal name is john"
    
        runJSContext : 
    
        {"clientID":"client01","stsuujson":{"uid":"john","attributeContainer":[{"name":"AUTHENTICATION_LEVEL","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1"]},{"name":"AZN_CRED_AUTH_EPOCH_TIME","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689835718"]},{"name":"exp","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689839302"]},{"name":"iat","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1689835719"]},{"name":"jti","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["757f585a-26c9-11ee-a674-0a5d59d77e68"]},{"name":"name","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]},{"name":"nbf","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["1.689835582e+09"]},{"name":"sub","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]},{"name":"uid","type":"urn:ibm:names:ITFIM:5.1:accessmanager","values":["john"]}],"contextAttributes":[{"name":"client_assertion_alg","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["PS256"]},{"name":"client_assertion_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["urn:ietf:params:oauth:client-assertion-type:jwt-bearer"]},{"name":"client_id","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["client_ksa02"]},{"name":"codeChallengeExist","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["true"]},{"name":"code_challenge_method","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["S256"]},{"name":"content-length","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["59"]},{"name":"grant_types","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["authorization_code","refresh_token"]},{"name":"origin","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["https://isamfed.com:6443"]},{"name":"redirectUriScheme","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["http"]},{"name":"referer","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["https://isamfed.com:6443/isvaop/oauth2/authorize?stateId=a4fd1d69-ba2b-4cd6-945
7-d2bac2e596f0"]},{"name":"requestId","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["6ae94587-5ec8-4bc8-8c69-debb3a68c288"]},{"name":"request_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["authorize"]},{"name":"response_type","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["code"]},{"name":"scope","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["openid","profile"]},{"name":"sec-fetch-dest","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["document"]},{"name":"sec-fetch-mode","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["navigate"]},{"name":"sec-fetch-site","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["same-origin"]},{"name":"sec-fetch-user","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["?1"]},{"name":"state","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["c4874f4d-fd35-4f09-9557-251261361e88"]},{"name":"testAttr","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["value1"]},{"name":"upgrade-insecure-requests","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["1"]},{"name":"user-agent","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0"]},{"name":"x-forwarded-for","type":"urn:ibm:names:ITFIM:oauth:body:param","values":["10.67.92.81"]}]},"claimjson":{"id_token":{"acr":{"values":["urn:mace:incommon:iap:silver"]},"auth_time":{"essential":true}},"userinfo":{"email":{"essential":true},"email_verified":{"essential":true},"given_name":{"essential":true},"http://example.info/claims/groups":null,"nickname":null,"picture":null}}}
    
    
    
    
        Final result: 
        stsuu is ...
    
    
    
        Final result: 
        idtoken_data is {"__$idt.ess$__":["auth_time"]}