STS Chains
As part of OIDC OP Conformance, an STS chain is created to handle the parameters that are sent in a JWT to the authorize endpoint. This STS chain template must be updated to include a map module.
- UpdateRequestJWT (JWTtoMaptoSTSUU)
- This STS chain is used to handle the request and request_uri parameters. Parameters can be sent to the /authorize endpoint either as a JWT (request) or as a URL that resolves to the JWT (request_uri).
The Applies To value must match https://localhost/sps/oauth/oauth20.
The Issuer value must match REGEXP:(urn:ibm:ITFIM:oauth20:client_request:.*). See Passing parameters through JWT in a request to /authorize. The map module performs the basic request object checks that are required for FAPI conformance. The map module references the following mapping rule, which can be uploaded under mapping rules in the appliance.
```javascript
importPackage(Packages.com.tivoli.am.fim.trustserver.sts);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.oauth20);
importPackage(Packages.com.tivoli.am.fim.trustserver.sts.uuser);
importPackage(Packages.com.ibm.security.access.user);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.IDMappingExtUtils);
importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
importClass(Packages.com.ibm.security.access.httpclient.HttpClient);
importClass(Packages.com.ibm.security.access.httpclient.HttpResponse);
importClass(Packages.com.ibm.security.access.httpclient.Headers);
importClass(Packages.com.ibm.security.access.httpclient.Parameters);
importClass(Packages.java.util.ArrayList);
importClass(Packages.java.util.HashMap);

// The JWT module earlier in the chain has already parsed the request object and
// stored its claims and header as JSON strings in the STSUU context attributes.
var claims_str = stsuu.getContextAttributes().getAttributeValueByNameAndType("claim_json", "urn:com:ibm:JWT");
var claims = JSON.parse(claims_str);
var header_str = stsuu.getContextAttributes().getAttributeValueByNameAndType("header", "urn:com:ibm:JWT");
var headers = JSON.parse(header_str);

/*
 * Checks that the request object contains exp, scope, nonce and redirect_uri,
 * and rejects unsigned request objects (alg "none").
 */
var requestObjPass = true;
if (claims.exp == undefined) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("exp is missing in request object.", 400, "invalid_request");
}
if (claims.scope == undefined) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("scope is missing in request object.", 400, "invalid_request");
}
if (claims.nonce == undefined) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("nonce is missing in request object.", 400, "invalid_request");
}
if (claims.redirect_uri == undefined) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("redirect_uri in request object is missing.", 400, "invalid_request");
}
if (headers.alg == "none") {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("alg in request object value cannot be none.", 400, "invalid_request");
}

/*
 * Check the JWT has not expired. exp is seconds since the epoch; Date wants milliseconds.
 */
if (claims.exp != undefined) {
    var expDate = new Date(claims.exp * 1000);
    var currDate = new Date();
    if (expDate < currDate) {
        OAuthMappingExtUtils.throwSTSCustomUserPageException("Request object has expired.", 400, "invalid_request");
    }
}

/*
 * Validates the aud value in the request object against the issuer configured in
 * the client's definition. getClient(claims.iss) looks the client up by client_id.
 */
if (claims.iss != undefined) {
    var defID = OAuthMappingExtUtils.getClient(claims.iss).getDefinitionID();
    var iss = OAuthMappingExtUtils.getDefinitionByID(defID).getOidc().getIss();
    if (Array.isArray(claims.aud)) {
        // At least one entry of the aud array must equal the configured issuer.
        var found = false;
        for (var x = 0; x < claims.aud.length; x++) {
            if (claims.aud[x] == iss) {
                found = true;
            }
        }
        if (!found) {
            OAuthMappingExtUtils.throwSTSCustomUserPageException("aud in request object does not match issuer of client definition.", 400, "invalid_request");
        }
    } else if (claims.aud != iss) {
        OAuthMappingExtUtils.throwSTSCustomUserPageException("aud in request object does not match issuer of client definition.", 400, "invalid_request");
    }
}

/*
 * Ensures nonce and state lengths are within the supported range (255 characters).
 */
if (claims.state != undefined && claims.state.length > 255) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("State in request object exceeds supported limit.", 400, "invalid_request");
}
if (claims.nonce != undefined && claims.nonce.length > 255) {
    OAuthMappingExtUtils.throwSTSCustomUserPageException("Nonce in request object exceeds supported limit.", 400, "invalid_request");
}
```
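The mapping rule above can only run inside the appliance's STS, because it reads the decoded JWT from the STSUU context and reports failures through OAuthMappingExtUtils. The following added example (not part of the IBM page or product) separates the FAPI request-object checks into plain Node.js so they can be exercised offline: it decodes a compact JWS into header and claims, then runs the same presence, alg, expiry, aud-against-issuer and nonce/state length checks and returns every failure found instead of stopping at the first. The names decodeRequestJwt, validateRequestObject, issuerForClient and the sample tokens are assumptions for illustration; the example does not verify the signature and assumes, as the chain does with its JWT module ahead of the map module, that signature validation happens before these checks.

```javascript
// Added example, not from the IBM page: stand-alone version of the request-object
// checks, runnable under Node.js (Buffer 'base64url' needs Node 15.7 or later).

const MAX_NONCE_STATE_LEN = 255;

// Decode a compact JWS (header.payload.signature) into its JSON header and claims.
// The signature is NOT checked here; that is assumed to happen upstream (assumption).
function decodeRequestJwt(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('request object is not a compact JWS');
  const decode = (segment) => JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  return { headers: decode(parts[0]), claims: decode(parts[1]) };
}

// Run the FAPI request-object checks. issuerForClient maps the JWT iss (the
// client_id) to the OP issuer configured for that client, standing in for the
// OAuthMappingExtUtils lookups in the mapping rule. Returns a list of error
// messages; an empty list means the request object passed.
function validateRequestObject(headers, claims, issuerForClient, now = new Date()) {
  const errors = [];

  for (const name of ['exp', 'scope', 'nonce', 'redirect_uri']) {
    if (claims[name] === undefined) errors.push(`${name} is missing in request object.`);
  }
  if (headers.alg === 'none') errors.push('alg in request object value cannot be none.');

  // exp is seconds since the epoch; Date takes milliseconds.
  if (claims.exp !== undefined && new Date(claims.exp * 1000) < now) {
    errors.push('Request object has expired.');
  }

  // aud may be a string or an array; at least one entry must equal the issuer.
  if (claims.iss !== undefined) {
    const expectedIss = issuerForClient(claims.iss);
    const audiences = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
    if (expectedIss === undefined || !audiences.some((aud) => aud === expectedIss)) {
      errors.push('aud in request object does not match issuer of client definition.');
    }
  }

  if (claims.state !== undefined && claims.state.length > MAX_NONCE_STATE_LEN) {
    errors.push('State in request object exceeds supported limit.');
  }
  if (claims.nonce !== undefined && claims.nonce.length > MAX_NONCE_STATE_LEN) {
    errors.push('Nonce in request object exceeds supported limit.');
  }
  return errors;
}

// Build a constructed, unsigned-for-testing compact JWS from a header and claims.
// The third segment is a placeholder; it is never read by decodeRequestJwt.
function buildSampleRequestObject(headers, claims) {
  const encode = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  return `${encode(headers)}.${encode(claims)}.placeholder-signature`;
}

// Constructed client registry: client_id -> issuer of the client's definition.
const SAMPLE_ISSUERS = { 'client-a': 'https://op.example.test' };
const lookupIssuer = (clientId) => SAMPLE_ISSUERS[clientId];

// Constructed request object that satisfies every check.
const GOOD_REQUEST_OBJECT = buildSampleRequestObject(
  { alg: 'PS256', typ: 'JWT' },
  {
    iss: 'client-a',
    aud: ['https://op.example.test', 'https://other.example.test'],
    exp: Math.floor(Date.now() / 1000) + 600,
    scope: 'openid accounts',
    nonce: 'n-0S6_WzA2Mj',
    redirect_uri: 'https://rp.example.test/cb',
    state: 'af0ifjsldkj',
  }
);

// Constructed request object that is unsigned, expired, aimed at the wrong
// audience and missing redirect_uri, so several checks fail at once.
const BAD_REQUEST_OBJECT = buildSampleRequestObject(
  { alg: 'none' },
  {
    iss: 'client-a',
    aud: 'https://attacker.example.test',
    exp: Math.floor(Date.now() / 1000) - 60,
    scope: 'openid',
    nonce: 'x'.repeat(300),
  }
);

function checkSample(jwt) {
  const { headers, claims } = decodeRequestJwt(jwt);
  return validateRequestObject(headers, claims, lookupIssuer);
}

console.log('good:', checkSample(GOOD_REQUEST_OBJECT));
console.log('bad:', checkSample(BAD_REQUEST_OBJECT));
```

Returning a list rather than throwing on the first problem is what makes the checks easy to unit-test from a build pipeline before the rule is uploaded; in the appliance the first failure is still reported as a 400 invalid_request, exactly as the mapping rule does.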
Parent topic: Achieving Financial-grade API (FAPI) conformance with IBM Security Verify Access