OAuth and OpenID Connect protocol context example for access policy
You can specify an access policy that makes access decisions based on context obtained from the OAuth 2.0 and OpenID Connect protocol flow, such as the requesting client, the requested response_type, scope, and max_age.
Some example scenarios that use an access policy in an OAuth and OpenID Connect deployment are as follows.
- An access policy performs extra authentication:
  - For a particular client.
  - For a certain flow, based on the response_type that is requested.
  - When a specific scope is requested.
- An access policy re-authenticates the user when the time that elapsed since the last authentication is greater than the max_age that was requested.
Following is an example of protocol context for OpenID Connect.
```javascript
// Retrieve protocol context.
// Each value is coerced with "" + so that the Java String returned by the
// protocol context becomes a JavaScript string.
var protocolContextJSON = (function() {
    var protocolContext = context.getProtocolContext();
    var protocolContextReturn = {};
    protocolContextReturn["request"] = "" + protocolContext.getAuthenticationRequest();
    protocolContextReturn["ClientId"] = "" + protocolContext.getClientId();
    protocolContextReturn["ClientName"] = "" + protocolContext.getClientName();
    protocolContextReturn["DefinitionId"] = "" + protocolContext.getDefinitionId();
    protocolContextReturn["DefinitionName"] = "" + protocolContext.getDefinitionName();
    return protocolContextReturn;
})();
```
An example of using OpenID Connect protocol context to make an allow or deny decision based on the client ID is as follows.
```javascript
importClass(Packages.com.ibm.security.access.policy.decision.Decision);
importClass(Packages.com.ibm.security.access.policy.decision.HtmlPageDenyDecisionHandler);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.utilities);

// This access policy denies single sign-on if the client ID is "clientID".
var protocolContext = context.getProtocolContext();
// Coerce the Java String to a JavaScript string before comparing it.
var clientId = "" + protocolContext.getClientId();

if (clientId == "clientID") {
    var handler = new HtmlPageDenyDecisionHandler();
    // Set the macro with the context information.
    // Make sure that /access_policy/deny_decision.html is modified to print the macro.
    handler.setMacro("@MESSAGE@",
        "Single Sign On cannot be completed by the following clientId : " + clientId);
    var decision = Decision.deny(handler);
    context.setDecision(decision);
} else {
    var decision = Decision.allow();
    context.setDecision(decision);
}
```
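The scenarios listed at the top of this page (deny or step up a particular client, extra authentication for a flow selected by response_type or for a sensitive scope, and re-authentication when max_age is exceeded) all reduce to one decision function over the authentication request and the user's session. The following is an added example, written by the editor and not taken from IBM's access-policy code: it runs stand-alone in Node.js and shows the decision logic without the `context` and `Decision` wiring. Assumptions: the authentication request is available as a query string or a full authorization URL (the page only shows that `getAuthenticationRequest()` can be rendered as a string), the session object records the epoch time in seconds of the user's last active authentication and an authentication level, and the `POLICY` values, the `decide` and `parseAuthenticationRequest` names, and the client, scope and response_type values are constructed for this example.

```javascript
// Added example, not IBM code: access-policy decisions from OAuth 2.0 / OpenID Connect
// protocol context. Assumptions: the authentication request is a query string or a
// full authorization URL; session = { lastAuthTime: epoch seconds, authLevel: number };
// the POLICY values below are constructed for this example.

// Reduce an OpenID Connect authentication request to the parameters the policy uses.
function parseAuthenticationRequest(request) {
  const text = String(request);
  const query = text.includes("?") ? text.slice(text.indexOf("?") + 1) : text;
  const params = new URLSearchParams(query);
  const list = (value) => (value || "").split(/\s+/).filter(Boolean);
  return {
    clientId: params.get("client_id") || "",
    // response_type is an unordered space-separated set, so sort it before a lookup.
    responseType: list(params.get("response_type")).sort().join(" "),
    scope: list(params.get("scope")),
    prompt: list(params.get("prompt")),
    maxAge: params.has("max_age") ? params.get("max_age") : null,
  };
}

// Policy configuration (constructed for this example).
const POLICY = {
  deniedClients: new Set(["blocked-client"]),
  stepUpClients: new Set(["payments-app"]),
  stepUpResponseTypes: new Set(["code id_token", "id_token token"]), // hybrid and implicit flows
  stepUpScopes: new Set(["transfer:write"]),
  stepUpLevel: 2, // authentication level the session must hold for the step-up cases
};

// Returns { action: "allow" | "deny" | "authenticate", reason: string }.
function decide(request, session, nowSeconds, policy = POLICY) {
  const req = parseAuthenticationRequest(request);

  // Scenario: a particular client is not allowed to complete single sign-on.
  if (policy.deniedClients.has(req.clientId)) {
    return { action: "deny", reason: "client " + req.clientId + " is not permitted" };
  }

  // prompt=login always requires the user to authenticate again.
  if (req.prompt.includes("login")) {
    return { action: "authenticate", reason: "prompt=login was requested" };
  }

  // Scenario: max_age (OIDC Core 3.1.2.1) bounds the seconds elapsed since the last
  // active authentication. Compare the elapsed time to max_age, not the timestamp.
  if (req.maxAge !== null) {
    // A malformed max_age fails closed: treat it as 0 and force re-authentication.
    const maxAge = /^\d+$/.test(req.maxAge) ? Number(req.maxAge) : 0;
    // A session with no recorded authentication time also forces re-authentication.
    const elapsed = Number.isFinite(session.lastAuthTime)
      ? nowSeconds - session.lastAuthTime
      : Infinity;
    if (elapsed > maxAge) {
      return {
        action: "authenticate",
        reason: "last authentication is " + elapsed + "s old but max_age=" + maxAge,
      };
    }
  }

  // Scenarios: extra authentication for a client, for a flow, or for a scope.
  let trigger = null;
  if (policy.stepUpClients.has(req.clientId)) {
    trigger = "client " + req.clientId;
  } else if (policy.stepUpResponseTypes.has(req.responseType)) {
    trigger = "response_type " + req.responseType;
  } else {
    const sensitive = req.scope.find((s) => policy.stepUpScopes.has(s));
    if (sensitive) trigger = "scope " + sensitive;
  }
  if (trigger !== null && (session.authLevel || 0) < policy.stepUpLevel) {
    return {
      action: "authenticate",
      reason: trigger + " requires authentication level " + policy.stepUpLevel,
    };
  }

  return { action: "allow", reason: "no additional authentication required" };
}
```

Inside an access policy the request string would come from `"" + context.getProtocolContext().getAuthenticationRequest()`, as in the first example on this page, and the `allow` and `deny` actions map onto `Decision.allow()` and `Decision.deny(handler)` as in the second; the `authenticate` action needs the policy engine's step-up decision, which this page does not show. Note that the max_age check compares the elapsed time to max_age rather than comparing the authentication timestamp itself, and that a malformed max_age or a session with no recorded authentication time both result in re-authentication rather than silent access.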