Articles

OAuth: JWT as an Access Token

Share this post:

 

OAuth: JWT as an Access Token on ISAM

The OAuth 2.0 specification does not go into great detail about token formats

 “Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements”. 

On IBM Security Access manager(ISAM) access tokens issued are a short opaque string used as a reference to a centralized repository. In some instances it can be advantageous to use a pass-by-value tokens which contain all necessary claims encapsulated in a cryptographic token which can then be validated locally by a resource server.

A colleague of mine, Shane Weeden has produced an article on this pattern previously, however this was using an earlier release of ISAM, which did not have a JWT STS module, support for custom tokens as part of the OAuth authorization server, or OAuth token introspection.

The steps in this article will show how you can configure ISAM to use a pass-by-value stratergy for access tokens for lateral scalability.

JWT Access Token Creation and Consumption

The examples and code provided in this article can be used with  the implicit flow, the authorization code flow, and resource owner password credential grant. Additionally the code will include two consumption patterns for the JWT access tokens, the OAuth introspection endpoint and the Web Reverse Proxy oauth-auth method of authentication.

In order to achieve JWT access tokens the following need to be augmented. Here is a list of what and how

  • Access token issuing from /authorize – Via the pre-token mapping rule.
  • Access token issuing from /token – Via the pre-token mapping rule
  • Access token validation in /introspect – via the pre-token mapping rule and providing a validation decision
  • Access token validation in the reverse proxy – via defining a custom STS chain and proxy configuration

JWT Token format

The JWT token format used in this article is a simple base. Including only the following claims.

{
  "exp": 1531807284,
  "iat": 1531803684,
  "sub": "testuser",
  "aud": "example_client",
  "scope": [
    "scope1",
    "scope2"
  ]
}

The format is intended to cover:

  • who the token was issued to  – aud
  • on behalf of who the token is for  –  sub
  • what the token was granted – scope
  • for how long the token is valid – exp
  • when the token was created – iat

This format can be extended to include any additional claims necessary.

Necessary Components

In order to configure an OAuth definition to issue pass by value JWT tokens several components and resources will be used:

  • ISAM added the ability to build custom tokens in 9.0.2.0 with one of the primary intents for consumption being a JSON Web Token as access token.
  • ISAM 9.0.2.0 also brought the addition of a JWT STS Module.
  • In an earlier article, I highlighted the ability to call an STS chain from a javascript context for high performance situations.

It is assumed that there is a configured OAuth definition and reverse proxy as a starting point.

This solution makes use of the LocalSTSClient, which was added in version 9.0.5.0.

STS Chains

The first thing to do is to configure the JWT STS chains. These are used to both create and validate the JWTs. The chains are:

JWT Access token creation:

STSUU(validate) -> JWT(issue)

JWT Access token validation:

JWT(validate) -> STSUU(issue).

STS Chain configuration

Configuring STS chains is a two step process. First you must configure the chain template. This template is what outlines the order and mode of the modules in the chain. This video shows the configuration of both chains

After configuring the chain templates, the chains themselves have to be configured.

We have several fields we need to cover here:

  • Chain mode – we will use validate mode http://schemas.xmlsoap.org/ws/2005/02/trust/Validate
  • Issuer and appliesTo addresses. We will use the value urn:jwt:issue and urn:jwt:validate for both of these fields for each chain respectively.
  • Module properties – we need to configure how the JWT is validated and issues. We’ll use RS256 signing, and use the rt_profile_keys / server certificate. Note, At this point, if necessary JWT encryption could be used to obfuscate the claims from the client.

This video covers configuring the chain instances

Additional examples of configuring STS chains can be found in the Federation Cookbook

Mapping rules

The next step in producing JWT Access tokens is to upload the mapping rules to the appliance. There are two which need to be done initially, the jwt_at_common.js and the jwt_at_pre.js files. The contents of the files are available here. Please note that when uploading the mapping rules, you need to ensure the correct names are used. These rules make use of mapping rule includes, which depend on the correct names for the files.

Now that the rules are uploaded, update your oauth pre-token mapping rule to include the following snippet:

importMappingRule("jwt_at_pre");

This will call our JWT Access token logic.

 

This configures the OAuth definition for all the operations needed to issue JWT access tokens. You can see now, that instead of an opaque token being used, a JWT is issued, containing necessary claims to validate the token. Additional claims could be included.

Token introspection

With the above mapping rules, token introspection will now also be possible. Be sure to check the value of only_allow_conf_client_introspect in the pre-token rule and must_client_own_token_introspect in the post token rule if you are using a client which is not confidential or trying to introspect with a client which is different to the audience of the token.

Reverse proxy authentication with OAuth

Authentication to the reverse proxy with an oauth token in the Bearer header makes use of the STS as well. However in this instance, the usual STS chain cannot be used (The client cannot be looked up, so the mapping rule cannot run). So instead, we will point the reverse proxy to a new STS chain. Firstly there is an additonal mapping rule jwt_at_validate.js to be uploaded. Then a new STS chain needs to be configured with just the module Default Map. The lookup details for this chain use the hard coded issuer address of urn:ibm:ITFIM:oauth20:token:bearer and in our example we will use the appliesTo of urn:jwt:webseal the request type is once again http://schemas.xmlsoap.org/ws/2005/02/trust/Validate. The chain properties should use the mapping rule jwt_at_validate. Once the chain has been configured, the [oauth] stanza must be updated, the entry default-fed-id needs a value which matches the appliesTo of the chain; urn:jwt:webseal. The configuration is performed in this video

 

Once the chain and the reverse proxy are configured, we can go ahead and make a request to a protected resource including a bearer token.

 


The following has now been configured to achieve a pass-by-value access token stratergy:

  • Custom access_token’s are being built in the OAuth pre-token mapping rule.
  • Custom validation logic is being performed in the OAuth pre-token mapping rule for introspection
  • JWT Issue and Validate chains have been configured
  • An OAuth-authentication STS Chain has been configured and the reverse proxy updated to use the chain.

 

Click here to rate this article

Rate this article :

Software Engineer - IBM Security Access Manager

More Articles stories
By Carsten Hagemann on June 20, 2022

Getting started with the IBM Verify SDK

The IBM Verify SDK is a library available for Android and iOS and provide classes to create rich native client mobile applications that interact with IBM Security Verify and IBM Security Verify Access, so that enterprises can easily integrate flexible and intelligent multi-factor authentication into their applications. Multi-factor authentiation (MFA) verifies an indiviual’s identity by […]

Continue reading

By Martin Schmidt on July 11, 2019

Modernizing your B2C Portal Security – LDAP Proxy Deep Dive

In this part of our series we are taking a deeper look on how the LDAP reverse proxy works and what is needed to be done to make it work. Enable CI In this part we look at what needs to be done on the CI side and what information needs to be collected. We […]

Continue reading

By Martin Schmidt on May 4, 2019

Modernizing your B2C Portal Security – Desired End State

Proposition: As we have seen in part one of this series, managing customer identities for a portal can be a challenge and distraction for the business.  In this part of the series we will outline how a modernized solution for a portal security can simplify operations and free your team up to focus on the […]

Continue reading