执行 policyauth 授权

在线编辑

policyauth 流是使用第一因子规则的唯一授权类型。

启动流

执行此初始请求。
POST https://securitypoc.ice.ibmcloud.com/v1.0/endpoint/default/token

client_id=1a4310d4-0118-4511-9082-39669ccdcad6&
client_secret=cmVkYWN0ZWQ&
scope=openid&
grant_type=policyauth&
context=eyJzZXNzaW9uSWQiOiJNRE5qWm1RM05ETTJOakZtTURjNU56Vm1ZVEptTVQiLCAiaXBBZGRyZXNzIjoiMTkyLjE2OC4xLjEiLCAidXNlckFnZW50IjoiTW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvODMuMC40MTAzLjExNiBTYWZhcmkvNTM3LjM2In0=
未编码的上下文参数为
{
        "sessionId":"MDNjZmQ3NDM2NjFmMDc5NzVmYTJmMT",
        "ipAddress":"192.168.1.1",
        "userAgent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.116 Safari/537.36"
}
注意: 由于此授权未建立用户主体,因此访问令牌具有 ISV 权限 authnAnyUser
响应为
{
    "access_token": "Zm51m36StosiS1Ylk8N0kPej6txyqD77Csqu2BXx",
    "allowedFactors": [
        "password"
    ],
    "scope": "mfa_challenge",
    "grant_id": "c14c63c1-6431-4c8f-a8fe-c939aff01744",
    "token_type": "Bearer",
    "expires_in": 1800
}
如果提供的上下文与 IP 条件不匹配,那么响应为
{
    "access_token": "0IINSucs0dv7Tj8uLEvZ1ePrwlkDV1O5dIK5UGJA",
    "allowedFactors": [
        "fido2"
    ],
    "scope": "mfa_challenge",
    "grant_id": "8edae448-b6a8-4ae7-8ebb-63c2a9a49ca0",
    "token_type": "Bearer",
    "expires_in": 1800
}
请注意返回的 allowedFactors 中的差异。

执行第一个因子

使用指示的 allowedFactors 来执行对用户名密码 API 的调用。
POST https://securitypoc.ice.ibmcloud.com/v1.0/authnmethods/password/46872982-ab9e-4c9f-8200-8f394b328394?returnJwt=true
Authorization: Bearer Zm51m36StosiS1Ylk8N0kPej6txyqD77Csqu2BXx


{
  "username": "scott",
  "password": "hunter22"
}
mfa_challenge 响应中发出的访问令牌用于调用因子。 端点调用包含 returnJwt 参数。
响应为
{
  "groups": [...],
  "attributes": [...],
  "assertion": "eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.eyJzdWIiOiI2MDQwMDAzT0g4IiwianRpIjoiNjBmMDY3ZDYtM2VmYS00ODVlLTk0MTYtMzZjNjQ4MTFhZTc2IiwiaWF0IjoxNTkzNDkyOTA0LCJleHAiOjE1OTM0OTMyMDQsInRlbmFudElkIjoibG1mLmljZS5pYm1jbG91ZC5jb20iLCJpc3MiOiJodHRwczovL2xtZi5pY2UuaWJtY2xvdWQuY29tL3YyLjAvZmFjdG9ycyIsImF1ZCI6WyIxYTQzMTBkNC0wMTE4LTQ1MTEtOTA4Mi0zOTY2OWNjZGNhZDYiLCJodHRwczovL2xtZi5pY2UuaWJtY2xvdWQuY29tL3YxLjAvZW5kcG9pbnQvZGVmYXVsdC90b2tlbiJdLCJmYWN0b3IiOiJwYXNzd29yZCIsImFtciI6WyJwYXNzd29yZCJdLCJncmFudF9pZCI6ImMxNGM2M2MxLTY0MzEtNGM4Zi1hOGZlLWM5MzlhZmYwMTc0NCJ9Cg.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng",
  "id": "6040003OH8"
}

初始认证:将 JWT 返回到 /token

POST https://securitypoc.ice.ibmcloud.com/v1.0/endpoint/default/token

POST https://securitypoc.ice.ibmcloud.com/v1.0/endpoint/default/token

client_id=1a4310d4-0118-4511-9082-39669ccdcad6&
client_secret=cmVkYWN0ZWQ&
scope=openid&
grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&
context=eyJzZXNzaW9uSWQiOiJNRE5qWm1RM05ETTJOakZtTURjNU56Vm1ZVEptTVQiLCAiaXBBZGRyZXNzIjoiMTkyLjE2OC4xLjEiLCAidXNlckFnZW50IjoiTW96aWxsYS81LjAgKFgxMTsgTGludXggeDg2XzY0KSBBcHBsZVdlYktpdC81MzcuMzYgKEtIVE1MLCBsaWtlIEdlY2tvKSBDaHJvbWUvODMuMC40MTAzLjExNiBTYWZhcmkvNTM3LjM2In0=&
assertion=eyJhbGciOiJSUzI1NiIsImtpZCI6InNlcnZlciJ9.eyJhbXIiOlsiZW1haWxvdHAiLCJwYXNzd29yZCJdLCJhdWQiOlsiMWE0MzEwZDQtMDExOC00NTExLTkwODItMzk2NjljY2RjYWQ2IiwiaHR0cHM6Ly9zZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tL3YxLjAvZW5kcG9pbnQvZGVmYXVsdC90b2tlbiJdLCJleHAiOjE1OTM4OTMyMDQsImZhY3RvciI6ImVtYWlsb3RwIiwiZ3JhbnRfaWQiOiJjMTRjNjNjMS02NDMxLTRjOGYtYThmZS1jOTM5YWZmMDE3NDQiLCJpYXQiOjE1OTM4OTI5MDQsImlzcyI6Imh0dHBzOi8vc2VjdXJpdHlwb2MuaWNlLmlibWNsb3VkLmNvbS92Mi4wL2ZhY3RvcnMiLCJqdGkiOiI2MGZhYjdkNi0zZWZhLTQ4NWUtOTQxNi0zNmM2NDgxMWFlNzYiLCJzdWIiOiI2MDQwMDAzT0g4IiwidGVuYW50SWQiOiJzZWN1cml0eXBvYy5pY2UuaWJtY2xvdWQuY29tIn0.J9_Omrs8vlTz9bgGWVI0T4AssoMP0UFNoDZ_4d93NEELq_kE1qoXw0Ao8_1QMyyYPRhtnCxtpF5NrD7s4yIzU-WnOkV2qXHfVX5nZPJnPOdP3YOOfUiA0sBTqxlAWr_lePaZuMjseKXpB0YP9ntOqo9T0woQ9MUY6B1gPrRbnX9Zzx64RzA3GgUD3_IhgghIcwxYuSZEKzf8PejG-oh70jSE5gkPK8JiEbvc2lVP7tQgdTCdbjRFybST5B57RTdU1X85uQ7fjO4ggxLcYljHPBfOkSgwCBnq6BXwcVo8o4w6XPYQgRnjDFyJJTf7EwLMaoEwjDiGO4wHXmATgitMng
上下文参数不变。
/token 答案是
{
  "access_token": "lkXMx3tHQjWSalhNmtWIrloMHQOue1ntchRymytL",
  "allowedFactors": [
    "emailotp"
  ],
  "scope": "mfa_challenge",
  "grant_id": "c14c63c1-6431-4c8f-a8fe-c939aff01744",
  "token_type": "Bearer",
  "expires_in": 1799
}
注: 该值 grant_id 保持不变,因为此用法并非建立新的授权,这与传统的 jwt-bearer grant_type 用法不同。 访问令牌具有 ISV 权利
authn,
        readEnrollMFAMethod
允许同时进行因子注册发现和执行。

由于用户位于 ADMINISTRATORS 组中,因此需要进行进一步认证。 请参阅 “执行多因素身份验证 (MFA) ”。