ISAM provides the concept of Authentication Levels out of the box. This means a given authentication mechanism or flow can be assigned an integer value >0 that represents the authentication strength.
OAuth can make use of this for features such as incremental (step-up) authentication: for example, to record whether the OAuth grant was issued via single-factor authentication or whether it has been verified with additional mechanisms such as a One Time Password (OTP) flow. It also suits a pre-PIN "Quick Balance" style mechanism, where the level might be set to "1" for balance-only access and raised to "2" for full API access once the user enters an additional PIN to validate their identity.
To make use of this, simply configure the OAuth Post Token mapping rule within ISAM to return the following value when the request_type is "resource" (i.e. runtime access to the protected API):
importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
// Assert authentication level 3 in the OAuth response; ISAM copies it into the credential on access.
stsuu.addContextAttribute(new Attribute("AUTHENTICATION_LEVEL", "urn:ibm:names:ITFIM:oauth:response:attribute", "3"));
This will place the value into the ISAM credential on access, and the Authentication Level can then be enforced using the standard Protected Object Policy (POP) interactions, so a resource that demands a higher level triggers step-up rather than silently granting access.
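As an added example (not from the original post and not IBM's own mapping-rule code), the decision the mapping rule makes and the POP check that consumes it, written as plain JavaScript that runs outside ISAM: the Attribute and StsUniversalUser classes are stand-ins for the objects the ISAM runtime provides, and the pinVerified/otpVerified grant flags are assumed inputs constructed for the example.

```javascript
// Stand-ins for the objects the ISAM mapping-rule runtime supplies (stsuu, Attribute).
// They exist only so the logic can run locally; they are not the real ISAM classes.
class Attribute {
  constructor(name, type, value) { this.name = name; this.type = type; this.value = value; }
}
class StsUniversalUser {
  constructor() { this.contextAttributes = []; }
  addContextAttribute(attr) { this.contextAttributes.push(attr); }
  getContextAttributeValue(name, type) {
    const a = this.contextAttributes.find(x => x.name === name && x.type === type);
    return a ? a.value : null;
  }
}

const OAUTH_RESPONSE = "urn:ibm:names:ITFIM:oauth:response:attribute";

// Decide the authentication level to assert for this grant. The flags are assumed
// inputs describing how the grant was established; where they really come from
// depends on the deployment.
function levelFor(grant) {
  if (grant.otpVerified) return 3; // OTP step-up completed
  if (grant.pinVerified) return 2; // Quick Balance PIN entered
  return 1;                        // single factor only
}

// Mapping-rule body: only assert AUTHENTICATION_LEVEL on runtime access
// (request_type "resource"); other request types leave the credential untouched.
function applyAuthenticationLevel(stsuu, requestType, grant) {
  if (requestType !== "resource") return null;
  const level = String(levelFor(grant));
  stsuu.addContextAttribute(new Attribute("AUTHENTICATION_LEVEL", OAUTH_RESPONSE, level));
  return level;
}

// POP-style enforcement: the credential's level must meet the level the protected
// resource demands. A missing attribute counts as level 0, so it never satisfies a POP.
function popPermits(stsuu, requiredLevel) {
  const raw = stsuu.getContextAttributeValue("AUTHENTICATION_LEVEL", OAUTH_RESPONSE);
  const asserted = parseInt(raw === null ? "0" : raw, 10);
  return asserted >= requiredLevel;
}
```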