Topic
  • 17 replies
  • Latest Post - 2019-08-19T14:18:39Z by progruma
DatapowerOfNow
9 Posts

Pinned topic OAuth JWT Bearer Token Grant Type

2015-10-28T21:13:44Z | urn:ietf:params:oauth:grant-type:jwt-bearer

I am looking into the use case where the JWT Bearer grant type is used in the authorization flow to get an access_token. It is similar to this Salesforce example: https://help.salesforce.com/HTViewHelpDoc?id=remoteaccess_oauth_jwt_flow.htm

IBM says that it supports urn:ietf:params:oauth:grant-type:jwt-bearer, but the OAuth Client Profile only shows 4 grant types.

http://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.2.0/com.ibm.dp.doc/oauth_granttypes.html?lang=en

Has anyone worked on this type of use case? Please share some experiences and references.

  • kenhygh
    2519 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-28T21:22:15Z

    Make sure you're on 7.2.0.x

  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-28T21:37:57Z
    • kenhygh
    • 2015-10-28T21:22:15Z

    Make sure you're on 7.2.0.x

    We are using 7.2.0. I don't see any docs or examples on the IBM site or in the OAuth Client Profile setup.

  • DPdocumentationteam
    1 Post

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-29T16:15:46Z

    To use OpenID/Social Login, you need to upgrade to 7.2.0.1. If you follow the cited link, it lists 6 grant types. However, if you're only at 7.2.0.0, the product provides only 4 grant types.
         http://www-01.ibm.com/support/knowledgecenter/SS9H2Y_7.2.0/com.ibm.dp.doc/oauth_granttypes.html?lang=en

  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-29T16:25:15Z

    Why does the above link go to 7.2.0? The link does not say it's in 7.2.0.1, and neither do the release notes. The release notes say it's supported in 7.2.0.

  • shiufun
    91 Posts
    ACCEPTED ANSWER

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-29T16:45:52Z

    As of 7.2.0.1, JWT is supported both for client authentication and as a grant type. This release is out early this week.

    As of 7.2.0.1, at a high level, DP supports

    - JWT as client authentication and as an authorization grant type (RFC 7523): this is what you are asking about, I believe

    - Misc enhancements to OAuth 2.0 support

    - JWT natively as part of the AAA options

    - OIDC as part of OAuth 2.0 support

    - Social Login

    - Misc others

    The Information Center may be a little behind in its updates.
  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-10-30T00:09:20Z
    • shiufun
    • 2015-10-29T16:45:52Z

    Thanks for the updates. I am not able to find the release notes and Knowledge Center for 7.2.0.1. Looking for some samples and use case docs.

    We are looking at JWT used as client authentication and as the authorization grant type. The IBM doc says that this would be used in the 2-legged OAuth flow. If we are using the JWT both for client authentication and as the authorization grant, then the flow looks 3-legged, i.e. client auth for getting the authorization code and the authorization grant for getting the access token. This is confusing to me. Can anyone explain it better? Who would be generating/issuing the JWT?

    Does the resource owner need to authenticate with an IDP and receive the JWT?

  • shiufun
    91 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-04T14:53:32Z

    JWT has 2 usages in the OAuth universe. (I have a deck for internal use which explains this better with pictures/examples, so bear with me on the wording here.)

    1.  As the OAuth grant type - this is a 2-legged grant type.

          e.g. {"typ":"JWT"..}.{"iss":"issuer","sub":"resource owner, ShiuFun","aud":"client or application or xxx"}.signature

                    In this scenario the JWT is signed (so once verified), the user is ShiuFun, and the client/application is the "aud" claim.

    2.  As the client authentication

          e.g. {"typ":"JWT"..}.{"iss":"issuer","sub":"client or application or xxx","aud":"xxxxx"}.signature

                    In this scenario, the verified signed JWT is the authentication of the client, defined in the "sub" claim.

    The generation of the JWT could be by any issuer (of course, being with DataPower, I would like this to be a DataPower :-)) who generates a signed JWT according to the spec, and DP can verify the signature.

    > Does the resource owner need to authenticate with an IDP and receive the JWT?

    See example 1. The resource owner identity is in the JWT's "sub" claim, it is verified as is, and it is also part of the <username/> in the identity, so if for whatever reason you need to perform additional authentication with the "sub", you can do so during the Authenticate stage of AAA.

    I hope this helps.

  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-04T16:20:40Z
    • shiufun
    • 2015-11-04T14:53:32Z

    Shiufun,

    Thanks for your response. Some more clarification on the above scenarios:

    1. After verifying the JWT and extracting sub (the resource owner), we need to call authorize on the SiteMinder AuthnAuthz web services using the resource owner's SM_SESSION. How do we embed the SM_SESSION into the JWT token from the issuer and then pass it to the OAuth grant type call?

    2. For scenario 2, what is aud: "xxxxx" going to be?

    Does the current firmware support the SAML Token Bearer Profile https://tools.ietf.org/html/draft-ietf-oauth-saml2-bearer-23 for the OAuth grant type?

  • shiufun
    91 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-11T21:01:06Z

    DatapowerOfNow..

    1. After verifying the JWT and extracting sub (the resource owner), we need to call authorize on the SiteMinder AuthnAuthz web services using the resource owner's SM_SESSION. How do we embed the SM_SESSION into the JWT token from the issuer and then pass it to the OAuth grant type call?

    [spoon] The challenge I see here is how SM will authenticate the resource owner (unless the "sub" contains the SM_SESSION cookie). If not, then from the JWT point of view the "sub" contains a username (e.g. datapowerofnow), and unless there is a way to retrieve the password, I cannot imagine SM will accept that and provide an SM_SESSION.

    And on how to get SM_SESSION into the "sub" of the JWT, it is really about how the JWT is created. If it is DP, as of the 7.2.0.x release this will most likely be done with a stylesheet/GatewayScript: build the JWT and have it signed.

    2. For scenario 2, what is aud: "xxxxx" going to be?

    [spoon] aud should be the application/client as defined in the OAuth spec. However the spec is somewhat fuzzy here; for example, for the implicit grant type it indicates that redirect_uri can be used as the "aud". This is one of the reasons why DP provides a configuration, and it is up to the admin of the application to put in the right information for the 'aud' for DP to verify.

    I hope this addresses your questions; if not, just ping back :-)

    And for the SAML token bearer grant type, I believe there is an RFE for it. It is NOT supported as of 7.2.0.x.

  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-11T21:41:01Z
    • shiufun
    • 2015-11-11T21:01:06Z

    Thanks for your response.

    For the "Authorization Code" and "Implicit Grant" grant types, we need to use SM for resource owner authentication. We wanted to pass SM_SESSION along after the authentication. We need SM_SESSION to be passed along with the access token, so that the DataPower PEP endpoint can validate the access token and then use SM_SESSION to call the SiteMinder Authorize SOAP call to retrieve the user data values as a JSON response to the OAuth client.

    I have noticed that the XSLT code below for misc_info was failing because the session token was more than 512 characters long. After replacing it with user attribute data (<512 characters) instead of the session token, it works fine. How do we maintain the large session token data during the OAuth Authorization Code flow? The current DataPower doesn't support a SQL/ODBC library with which we could store the session token in an external database. Are there any other options to store the corresponding authenticated user session token within DataPower? We do not want to use a cookie or an HTTP response header.

        <!-- Fragment of the OAuth miscinfo stylesheet. $oauthClientId, $smSessionUserData
             and $statusInvalidAuthz are declared earlier in the stylesheet (not shown). -->
        <xsl:when test="/input/operation = 'miscinfo_request'">
          <xsl:choose>
            <!-- The dp-state and az-code miscinfo requests get identical treatment,
                 so the two branches are folded into one. -->
            <xsl:when test="/input/operation/@type = 'dp-state' or /input/operation/@type = 'az-code'">
              <!-- Only emit miscinfo for the expected client after a successful authentication. -->
              <xsl:if test="/input/container/identity/entry[@type='oauth']//OAuthSupportedClient/client-id = $oauthClientId and /input/container/mapped-credentials[@au-success= 'true']">
                <xsl:variable name="compressedSMToken" select="dp:deflate($smSessionUserData)"/>
                <!-- miscinfo carries the raw session data; this is the value that exceeded
                     512 characters. Only the response header gets the deflated copy. -->
                <result><miscinfo><xsl:value-of select="$smSessionUserData"/></miscinfo></result>
                <dp:set-response-header name="'smSessionUserData'" value="$compressedSMToken"/>
              </xsl:if>
            </xsl:when>
            <xsl:when test="/input/container/credentials/entry[@type='custom'] = $statusInvalidAuthz">
              <dp:reject><error><xsl:value-of select="/input/container/credentials/entry[@type='custom']"/>: <username><xsl:value-of select="/input/container/identity/entry//username"/></username></error></dp:reject>
            </xsl:when>
            <xsl:otherwise/>
          </xsl:choose>
        </xsl:when>

  • shiufun
    91 Posts
    ACCEPTED ANSWER

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-17T01:09:41Z

    DatapowerOfNow,

    Question: in this use case, how many appliances will you be using? If it is just one appliance, you have a couple of options (document cache, security context cache ...).

    If it is more than 1 appliance, it becomes more complicated...

    - you use the miscinfo as the primary key into a persistent data store (e.g. SQL database, Redis, MongoDB)

       e.g. key:value

              key is a uuid

              value is the SM_SESSION

    - as above, when the miscinfo is created, it also calls out to a REST API, which stores the SM_SESSION with the uuid as the key. The uuid is kept as the miscinfo.

    - from this point on, as long as you can get to the value of the miscinfo (which you can, since it is baked into the access_token), you can retrieve the SM_SESSION from the persistent storage.

    This is the first thing which comes to my mind.. :-)  There are probably many other options..

    BR,

    ShiuFun

  • DatapowerOfNow
    9 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2015-11-17T12:03:00Z
    • shiufun
    • 2015-11-17T01:09:41Z

    Thanks for your response. We do have more than 1 appliance in the Production env. We would need to maintain another external infrastructure for the database. Are there any other options where we could use the local temp file system or some other DataPower objects? Since this SM_SESSION is valid for 60 mins, the data will be invalid and wiped out after that.

  • srini1973
    19 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2016-04-03T13:48:29Z

    Hi,

    As Shiufun said, unless you maintain persistent storage, you cannot carry over the session identifier. But I am wondering, how can you embed SM_SESSION in the OAuth token? My questions on embedding the SM_SESSION:

    1) Are you making the OAuth token stateful?

    2) Is it a long-lived or short-lived token?

    3) If your DP is issuing a long-lived token in the 3-legged flow, how will you ensure that the SM_SESSION is long-lived in SiteMinder? Can your Policy Servers support a long-lived session?

    4) If you answer yes for 3, did you think of the idle timeout for SM_SESSION?

    Ping us back if you have any questions.

  • gkaradi
    1 Post

    Re: OAuth JWT Bearer Token Grant Type

    2016-04-14T19:12:53Z
    • srini1973
    • 2016-04-03T13:48:29Z

    Hi All,

    I have configured OAuth2 using TFIM 6.2.2 FP16. When I access the authorization code URL, it successfully authenticates and displays the code. But if I relaunch the URL in the same browser, I get a server_error.

    The error message is "The authorization server encountered an unexpected condition which prevented it from fulfilling the request".

    When I clear the cookies it goes through the authentication and consent page. Without clearing the cookies, shouldn't it give a new authorization code? Am I missing something?

  • Arun Prashad
    10 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2016-09-27T18:52:13Z

    We don't need a DB or persistence. If it is short data like an SM session ID, we can embed it within the token (miscinfo for OAuth, or a private claim for JWT), and upon validation we can retrieve it and do further processing based on the use case.

    {
       "iss": "apim",
       "aud": ["apim-client"],
       "smsessid": "arunprashad",
       "exp": 1.475002081746E9
    }

  • DP_DEVELOPER08
    1 Post

    Re: OAuth JWT Bearer Token Grant Type

    2018-05-21T04:52:23Z

    Hi,

    I have a requirement to generate a JWT token in DP and send it to the OAuth provider to get the access token. I tried using the createJWT.js script in the store folder in DP, but that has different steps and it's not what we need. There are certain steps listed by the OAuth provider to generate the JWT token and we need to follow the same. I have not worked on GatewayScript before. Can someone please help me?

    Below are the steps in which we need to generate the JWT token:

    1. Construct a JWT Header with this format: {"alg":"RS256"}.
    2. Construct a JSON Claims Set for the JWT with iss, sub, aud, and exp. ---- We got these values which we need to use
    3. Base64url encode the JWT Claims Set without any line breaks
    4. Create a string for the encoded JWT Header and the encoded JWT Claims Set in this format:
    5. encoded_JWT_Header + "." + encoded_JWT_Claims_Set
    6. Sign the resulting string using SHA256 with RSA. ---- we have a PFX certificate shared by them
    7. Create a string in the following format:
    8. existing_string + "." + base64_encoded_signature

    When posted, the following parameters are required:

    • grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer
    • assertion - JWT bearer token

    Can someone give me the GatewayScript for this?

    Thanks In Advance.

    Updated on 2018-05-21T04:54:02Z at 2018-05-21T04:54:02Z by DP_DEVELOPER08
  • progruma
    2 Posts

    Re: OAuth JWT Bearer Token Grant Type

    2019-08-19T14:18:39Z

    @DP_DEVELOPER08

    Have you figured out the steps to do this? Are you using GatewayScript or an OAuth Client Profile and AAA?

    Thanks

    Ramy Basily