jwt

By Leo Farrell on November 7, 2018

Open ID Connect: Sharing identity information with Applications

When developing modern web applications, information about the user is essential for providing a rich user experience. There are many ways in which this identity information is gathered. Applications may source user data in many different ways. They may simply request the user supply user profile information on […]

By Leo Farrell on August 7, 2018

OAuth: SAML and JWT as a Grant Type

In an earlier article it was demonstrated how Security Access Manager supports RFC 7523, using JWT as a method for OAuth clients to make requests to OAuth endpoints which require authentication, such as /token and /introspect. However, there is another portion to this RFC which goes into detail on […]

By Leo Farrell on July 24, 2018

OpenID Connect: Request parameters via JWT

The OpenID Connect specification has an optional section which goes into detail on how a client can provide (via the browser) claims and OAuth parameters to /authorize in an alternative manner to query string or POST parameters. This is of note as it allows the client to provide a trusted set […]

By Leo Farrell on July 19, 2018

OAuth: JWT as an Access Token

The OAuth 2.0 specification does not go into great detail about token formats: “Access tokens can have different formats, structures, and methods of utilization (e.g., cryptographic properties) based on the resource server security requirements”. On IBM Security Access Manager (ISAM), access tokens issued are a short opaque string used as […]

By Leo Farrell on July 11, 2018

Introducing the LocalSTSClient

In IBM Security Access Manager 9.0, the Security Token Service (STS) from Federated Identity Manager (TFIM) was made available. The STS is essential when needing to transform a security token from one type to another. As usage of the STS has grown, we have seen adoption of simple security tokens such as JWT. The […]

By Leo Farrell on May 15, 2018

OAuth: Client Authentication using JWT

Client authentication with a JWT is a requirement of the UK OpenBanking standard, as per Section 5.2.2 of the Open Banking Security Profile V1.1.2 it is considered a stronger and safer method of authentication than client_id and client_secret. This method does not require the client_secret to be sent in the request […]
