API provider third-party authentication

Learn how IBM® z/OS® Connect implements third-party authentication for clients that connect to a server.

Before you study this topic, you should be familiar with the information in API provider authentication and identification.

When you plan to implement third-party authentication for clients that connect to a IBM z/OS Connect server, consider the following methods:
  • Authenticating with a JSON Web Token (JWT).
  • Using the OpenID Connect Client feature.
  • Authentication filters

When you use third-party authentication, the REST client authenticates with a third-party authentication server. This server generates an authentication token. The REST client might access the third-party authentication server through an intermediate server, typically an API gateway, for example, IBM API Connect®. The authentication token is then sent to the IBM z/OS Connect server, which validates the token. The identity in the token can also be mapped to a user ID in the user registry.

Figure 1. A representation of third-party authentication.
Diagram showing the flow when using third party authentication.

Trust between the third party and a IBM z/OS Connect server can be established in different ways, including the use of a digital signature. Third-party authentication tokens can be used as part of a Single Sign-On (SSO) solution.

IBM z/OS Connect supports the following types of authentication token:
JSON Web Token (JWT)
A JSON formatted token conveys claims, such as the identity used by a user login. As JSON is less verbose than XML, a JWT is more compact than a Security Assertion Markup Language (SAML) token. This efficiency makes JWT a good choice to be passed in REST API requests to IBM z/OS Connect, and is why JWT authentication is becoming a standard for REST APIs.

For more information about using JWTs with IBM z/OS Connect, see Authenticating with a JSON Web Token.

OAuth 2.0 access token
The OAuth 2.0 protocol facilitates the authorization of one site to access and use information that is related to the user's account on another site. You can configure IBM z/OS Connect to function as an OAuth 2.0 protected resource server so that it remotely validates the access token to an OAuth authorization server by calling an OAuth 2.0 Token Introspection endpoint.

For more information about configuring Liberty z/OS to function as an OAuth 2.0 protected resource server, see Configuring OAuth 2.0 protected resources in Liberty in the WebSphere® Application Server for z/OS Liberty documentation.

Security Assertion Markup Language (SAML) token
A SAML token is an XML-based token that is widely used for securing web services. It is typically used to comply with existing company standards that are based around SAML.

For more information about authenticating with a SAML token in Liberty z/OS, see Configuring SAML Web Inbound Propagation in Liberty in the WebSphere Application Server for z/OS Liberty documentation.

Lightweight Third-Party Authentication (LTPA) token
LTPA is a proprietary authentication technology that is used by Liberty z/OS and other IBM products. When multiple Liberty z/OS servers are configured to use LTPA, it is possible to enable SSO so that clients can reuse their login to access all the servers.

When LTPA is used, a token is created that contains the user information, an expiration time, and the signature of an LTPA key. The LTPA token passes between the client application and the Liberty server as a cookie when SSO is enabled. IBM z/OS Connect supports the use of LTPA for authentication and SSO. However, it is more common to use an open authentication token such as a JWT.

For more information, see Configuring LTPA in Liberty in the WebSphere Application Server for z/OS Liberty documentation.

Warning: The default expiration time of an LTPA token is 2 hours. If the user is then re-authenticated, a new LTPA token is created. If you use the same default expiration time for multiple servers that were all started at the same time, the LTPA tokens will all expire at the same time, possibly causing a degradation in performance as the user is re-authenticated and a new token created. Consider setting expiration times so that when a token expires, this re-authentication process occurs at a suitable time for your environment. Also, it is not advisable to set a long expiry time as it could cause a security exposure. Also, it is not advisable to set a long expiry time as it could cause a security exposure.

Authenticating with a JSON Web Token

JSON Web Tokens are an open industry standard for securely representing claims between two parties. Claims are statements about an entity. For example, what identity was used by a user login, or any other type of claims as required by business processes, such as, the user is an administrator.

The claims in a JWT are encoded as a JSON object and are normally digitally signed with a Message Authentication Code (MAC) and if necessary, encrypted. The most common scenario for using a JWT is authentication. When the user is logged in, each subsequent request includes the JWT, allowing the user to access services that are permitted with that token.

The following list shows some of the advantages of using JWTs with IBM z/OS Connect:
  • They are lightweight and easy to use by client applications such as mobile apps.
  • They are self-contained, which means that a IBM z/OS Connect server accepts the token directly and uses a claim from the token as the identity for making the API request.
  • They can be symmetrically signed by a shared secret that uses the HMAC algorithm, or asymmetrically by using a private key.
  • They have a built-in expiry mechanism.
  • They can be extended to contain custom claims.
  • They are widely adopted by different Single Sign-On solutions and well-known standards such as OpenID Connect.

Anatomy of a JWT

A JWT consists of three parts: a header, payload, and signature, as shown in Figure 2.
Figure 2. Structure of a JSON Web Token (JWT).
Diagram showing the three parts of a JSON Web Token (JWT) as described in the text.

The header typically consists of two parts: the type of token, which is JWT, and the hashing algorithm that is used to sign the JWT, such as HMAC SHA256 or RSA SHA256. The header is Base64Url encoded to form the first part of the JWT.

The payload contains the claims. A set of predefined claims is provided. For example, iss (issuer), sub (subject), aud (audience), and exp (expiration time). These claims are not mandatory but should be included to provide a set of useful, interoperable claims. The payload can also include other attributes that define custom claims such as employee role. Typically, the subject claim is used to create the OpenID Connect user subject. However, IBM z/OS Connect can be configured to use an alternative claim, if required. The payload is Base64Url encoded to form the second part of the JWT.

To create the signature, the encoded header, encoded payload, and a secret are signed by using the signature algorithm that is specified in the header alg parameter. The signature is used to verify the issuer of the JWT and to ensure the integrity of the message.

IBM z/OS Connect does not support JSON Web Encryption (JWE), but you can use HTTPS to encrypt the complete message (including the JWT).

OpenID Connect

You can enable open secure APIs by using standards such as OAuth, an open standard for authorization, and OpenID Connect, an identity protocol that is built on the OAuth 2.0 protocol. OpenID Connect enables client applications to rely on authentication that is performed by an OpenID Connect Provider. The client application retrieves an ID token in the form of a JWT from the OpenID Connect Provider. The token is used to access a resource on behalf of the user. See Figure 3
Figure 3. Flow of OpenID Connect tokens
Diagram showing the flow of OpenID Connect tokens when used for authorization.
The diagram in Figure 3 shows the following steps:
  1. The user makes a request to the client application.
  2. The client application redirects the request to the OpenID Provider (OP).
  3. The OP sends an authentication and authorization request to the user.
  4. The user authenticates and authorizes the client application to access the resource.
  5. The OP sends a grant code to the client application.
  6. The client application sends a request to the OP to exchange the grant code for an ID token in the form of a JWT, access token, and refresh token.
  7. The OP sends the ID token (JWT), access token and refresh token to the client application.
  8. The client application makes the request to the Resource Server with the JWT, which is used for authenticating the user and authorizing access to the resource.
  9. The response is sent from the Resource Server to the client application.
  10. The response is sent from the client application to the user.

IBM z/OS Connect supports OpenID Connect 1.0 as a Resource server that can accept a JWT as an authentication token.

Liberty z/OS supports OpenID Connect 1.0 and can play a role as an OpenID Connect Client, Provider, or Resource Server. For more information about configuring support for OpenID Connect with Liberty, see Using OpenID Connect in the WebSphere Application Server for z/OS Liberty documentation.

JWT authentication methods

IBM z/OS Connect supports the following methods for processing JWTs:
OpenID Connect Client feature
You can configure IBM z/OS Connect to use the Liberty openidConnectClient-1.0 feature to accept a JWT as an authentication token. For more information about configuring the OpenID Connect Client feature with IBM z/OS Connect, see Using the OpenID Connect Client feature.
Note: This is the preferred method for configuring JWT authentication with IBM z/OS Connect.
Trust Association Interceptor (TAI)
You can configure IBM z/OS Connect to integrate with a third-party security service by using a Trust Association Interceptor (TAI). The TAI can inspect the HTTP request from the third-party security server for a specific security token, such as a JWT. For more information on using a TAI with Liberty z/OS, see Configuring TAI for Liberty in the WebSphere Application Server for z/OS Liberty documentation.
Java™ Authentication Service Provider Interface for Containers (JASPIC)
JASPIC is a Java EE standard service provider API that enables the implementation of authentication mechanisms into Java EE Web Applications. For more information, see Configuring a Java Authentication SPI for Containers (JASPIC) User Feature in the WebSphere Application Server for z/OS Liberty documentation.

Using the OpenID Connect Client feature

To configure a IBM z/OS Connect server to accept a JWT as an authentication token, enable the openidConnectClient-1.0 feature and set the inboundPropagation attribute of the openidConnectClient element to required. You can also specify additional JWT configurations, such as authentication filters and claim-to-subject mapping.

Any trusted party in possession of a JWT can use that token to get access to the APIs hosted by IBM z/OS Connect. The IBM z/OS Connect server validates the JWT and creates the authenticated subject from the token. To be accepted as an authentication token, the JWT must contain iss, sub, and exp claims and be signed with the RS256 or HS256 algorithm.

You can configure IBM z/OS Connect to accept a JWT as an authentication token either as part of an OpenID Connect flow, or from any intermediate server, such as an API Gateway.

A JWT might contain privacy-sensitive information, so take precautions to prevent disclosure of this information to unintended parties. For example, use Transport Layer Security (TLS) when transporting the token. Extra trust can be established by accepting a JWT only as an authentication token across a TLS mutually authenticated connection.

For more information, see How to configure JWT authentication.

Authentication filters

If JWT authentication is required only for a subset of requests to the IBM z/OS Connect server, then authentication filters can be used to restrict which requests the JWT authentication applies to. Authentication filters specify conditions that are matched against the HTTP request and are configured by using an authFilter element in the server.xml configuration file. This authFilter element can be configured as a subelement of the openidConnectClient element, or specified as a separate element referenced by the authFilterRef attribute of the openidConnectClient element.

By using authentication filters, you can have different security policies for different requests. For example, you can put a filter on the requestUrl so that the openidConnectClient element applies only to requests that match that URL. Another example is to put a filter on the remoteAddress element so that different certificates can validate the signature of the JWT depending on the server that sends the request.

If you use IBM z/OS Connect V3.0.17 or later, authentication filters can also match on request headers. For example, to configure an authentication filter to match HTTP requests that send the HTTP Authorization header with a Bearer token, add the following element to the server.xml configuration file, either as a subelement, or referenced element, of the openidConnectClient element :
<authFilter id="JwtAuthFilter">
    <requestHeader id="authHeader" name="Authorization" value="Bearer" matchType="contains"/>
</authFilter>

To ensure that any requests containing a Basic token can fail over to use basic authentication, configure the following element:

<webAppSecurity allowFailOverToBasicAuth="true"/>

For more information, see Authentication Filter (authFilter) and Authentication Filters in the WebSphere Application Server for z/OS Liberty documentation.