  • Latest Post - ‏2019-08-21T21:13:20Z by progruma
SunnyG87
100 Posts

Pinned topic Specify Custom claims using JWT Generator object

‏2016-01-05T18:26:36Z | #aaa #customclaims #gatewayscript #jwt #xslt

Hi All,

Has anyone used the Custom option (Additional claims in Advanced tab) in JWT Generator object to issue the JWT using AAA action in firmware v 7.2.0.1? If yes then how did you specify the custom claims in XSLT or GatewayScript file? Could you please share an example? Couldn't find any example in IBM documentation. Thanks. 

 

  • shiufun
    91 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-01-06T07:04:38Z  

    Greetings. We are in the process of updating the document with more information.

    Assuming you are using gatewayscript, the following code snippet will give you what the gw will get as input.  (xslt will receive it as /)

    session.input.readAsXML(function(error, nodelist) {
        if (error) {
            console.error('readAsXML failed: ' + error);
            return;
        }
        // Log the <input> nodeset handed to the custom-claims script.
        console.error('custom input + ' + XML.stringify(nodelist));
    });
    

    For adding additional claims to the jwt, the stylesheet or xslt will have this nodeset as input (session.input)

    <input>
       <subject>....sub claim..</subject>
       <uuid>...  uuid (used as jti claim if it is configured)...</uuid>
       <JWTGenerator>configuration object of the JWT</JWTGenerator>
       <identity>,,, output from Extract Identity</identity>
       <credentials>..output from authentication step</credentials>
       <mapped-credentials>,..</mapped-credentials>
       <resource>,,,</resource>
       <mapped-resource>...</mapped-resource>
    </input>

     

    Output : string representation of the JSON claims. (stringify)

     

    e.g.  (gw)

    var claims = [ {"claim1":"one"}, {"claim2":123}];

    session.output.write(JSON.stringify(claims));

     

    e.g. (xslt)

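    <xsl:template match="/">
      <!-- select takes an XPath expression, so the JSON is wrapped in single quotes as a string literal -->
      <xsl:value-of select="'[{&quot;claim1&quot;:&quot;one&quot;},{&quot;claim2&quot;:123}]'"/>
    </xsl:template>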

  • johnwilliams.sp
    28 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-04-04T20:54:39Z  
    • shiufun
    • ‏2016-01-06T07:04:38Z


    The token generated from this does not have the JWT specification headers. Only "alg" is present in the header.

    Will we be able to add "typ":"JWT" to the header section of the token? Is there a way we can customize these headers as well?

  • shiufun
    91 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-04-05T11:49:17Z  

    Unfortunately not.  We have no requirement to allow customization on the header.  Having said that, you have a couple options

    - use the gatewayscript directly to create your own jwt (outside AAA)

    - open an RFE against the product to provide this level of support within AAA

    Thanks.

     

  • johnwilliams.sp
    28 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-04-08T19:09:02Z  
    • shiufun
    • ‏2016-04-05T11:49:17Z


    Would you be able to guide me with a code snippet on how to achieve this in GatewayScript? I am using the below.

    var jose = require('jose');
    var jwt = require('jwt');
    var sm = require('service-metadata');
    sm.mpgw.skipBackside = true;

    // Seconds since the epoch, truncated to an integer for iat and exp.
    var now = Math.floor(Date.now() / 1000);

    var claims = {"iss": "eig", "sub": "user_name", "aud": "audience", "iat": now, "exp": now + 3600};
    // 'sign_key' is the key name passed to createJWSHeader for RS256 signing.
    var jwsHeader = jose.createJWSHeader('sign_key', 'RS256');
    var encoder = new jwt.Encoder(claims);
    encoder.addOperation('sign', jwsHeader).encode(function(error, token) {
        if (error) {
            session.output.write('Error creating JWT: ' + error);
        } else {
            session.output.write(token);
        }
    });
    
  • ldurrani
    1 Post

    Re: Specify Custom claims using JWT Generator object

    ‏2016-09-19T21:01:45Z  

    Can you post an example xslt here to add a custom claim in jwt.

  • HermannSW
    8694 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-09-20T09:10:51Z  
    • ldurrani
    • ‏2016-09-19T21:01:45Z


    XSLT has no support for JWT/JOSE, what is wrong in using GatewayScript which has the needed support?

    In case you need it in XSLT, you could call GatewayScript via <dp:gatewayscript> from XSLT.

    Hermann.

  • shiufun
    91 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2016-09-20T10:50:28Z  
    • ldurrani
    • ‏2016-09-19T21:01:45Z


    @Idurrani : see the above response, there is code snippet there.

  • progruma
    2 Posts

    Re: Specify Custom claims using JWT Generator object

    ‏2019-08-21T21:13:20Z  
    • shiufun
    • ‏2016-09-20T10:50:28Z


    Here is what I did to add the "typ" in the header via gatewayscript

     

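    var jose = require('jose');
    var jwt = require('jwt');

    // key and pClaim (signing key name and claims object) are defined elsewhere in the script.
    var jwsHdr = jose.createJWSHeader(key, 'RS256');
    jwsHdr.setProtected({'typ': 'JWT'});   // adds "typ" to the protected header

    var encoder = new jwt.Encoder(pClaim);
    encoder.addOperation('sign', jwsHdr);
    // encoder.encode(callback) then produces the token.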
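
To confirm which protected header a token actually carries (only "alg", or "alg" plus "typ"), a consumer can decode the first segment, pin the algorithm and verify the signature. The following is an added example, not code from any poster in this thread; it is plain Node.js rather than GatewayScript, and the key pair, claims and helper names (`signCompact`, `inspectToken`) are constructed for the demonstration.

```javascript
const crypto = require('crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');

// Constructed sample: sign a compact JWS (RS256) with the given protected header.
function signCompact(header, claims, privateKey) {
  const signingInput = b64url(JSON.stringify(header)) + '.' + b64url(JSON.stringify(claims));
  const sig = crypto.sign('sha256', Buffer.from(signingInput), privateKey);
  return signingInput + '.' + b64url(sig);
}

// Decode the protected header, pin alg to RS256, report typ, verify the signature.
function inspectToken(token, publicKey) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS');
  const header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
  // Never let the token choose the verification algorithm.
  if (header.alg !== 'RS256') throw new Error('unexpected alg: ' + header.alg);
  const valid = crypto.verify('sha256', Buffer.from(parts[0] + '.' + parts[1]),
                              publicKey, Buffer.from(parts[2], 'base64url'));
  return { header, hasTyp: header.typ === 'JWT', valid };
}

// Throwaway key pair, generated only for this demonstration.
const { publicKey, privateKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
const now = Math.floor(Date.now() / 1000);
const claims = { iss: 'eig', sub: 'user_name', aud: 'audience', iat: now, exp: now + 3600 };

// One token with only "alg" in the header, one with "typ" added.
const algOnly = signCompact({ alg: 'RS256' }, claims, privateKey);
const withTyp = signCompact({ alg: 'RS256', typ: 'JWT' }, claims, privateKey);

console.log(inspectToken(algOnly, publicKey));
console.log(inspectToken(withTyp, publicKey));
```

Both tokens verify; only the second reports `hasTyp: true`, which is the difference a strict consumer would reject on.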