OpenID Connect request and response mapping
The OAuth and OpenID Connect authorization flows in IBM Security Verify consist of request mapping and response mapping.
The OAuth and OpenID Connect authorization flow in IBM Security Verify consists of the following steps:
- Authentication: Checks for an authenticated session in the browser and if the user did not authenticate, redirects the user for authentication.
- Request mapping: Modifies the authorization request for specific request parameters. This mapping is only supported for the authorize endpoint.
- User authorization: Checks whether the user is entitled to access the application.
- User consent: Obtains user authorization to share data and perform actions on their behalf.
- Attribute mapping: Enriches the authorization grant with more computed and mapped values. These values are included in the ID token, user info response and introspection response.
- Token generation: Builds the token, as requested, based on the response_type in the authorization request.
- Response mapping: Modifies the response to add more headers and parameters. This mapping is only supported for the authorize and token endpoints.
Request mapping
The following steps are done on the application's Sign-on tab.
- Under Endpoint configuration, click the edit icon for the Authorize endpoint.
- Under Request mapping, click Edit on the specific request parameter row. For example, if you want to modify the user consent request or add more context for the page, click Edit on the "Consent request" row.
- Author and test the custom rule.
- Click OK. The application is not yet saved, so the changes are not persisted.
- Click OK to return to the application Sign-on page.
- Click Save on the application page to persist the changes.
Note: Custom HTTP headers are not available in request mapping for the authorize endpoint.
Response mapping
The following steps are done on the application's Sign-on tab.
- Under Endpoint configuration, click the edit icon for the Authorize or the Token endpoint.
- Under Response mapping, click Add response mapping rule.
- Choose the type of target parameter. For example, if Header is chosen, the computed value is added to the HTTP response header.
- Enter a name for the target parameter.
- Click the Edit icon to add or edit a custom rule. See Attribute functions. All domain objects that are listed in this page are available.
- Click OK. The application is not yet saved, so the changes are not persisted.
- Click OK to return to the application Sign-on page.
- Click Save on the application page to persist the changes.