When performing an Authorization Code flow or an Implicit Grant flow, it may be necessary to get attributes out of the ISAM session credential and store them with your OAuth tokens.

This is a quick guide to show how this can be done:
Identify the request in the mapping rule
Requests passing through the mapping rule make use of three main attributes that tell us the type of request that is being processed.
- Request Type
- Grant Type
- Response Type
For an authorization code flow, the request will have the following attributes:
- Request Type = “authorization”
- Grant Type = null
- Response Type = “code”
As shown in the trace output from the OAuth mapping rules:
commands.GetFlowGrantInfoCmd > execute ENTRY
commands.GetFlowGrantInfoCmd > getRequestTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getRequestTypeFromSTSUU RETURN authorization
commands.GetFlowGrantInfoCmd > getGrantTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getGrantTypeFromSTSUU RETURN null
commands.GetFlowGrantInfoCmd > getResponseTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getResponseTypeFromSTSUU RETURN code
commands.GetFlowGrantInfoCmd 3 execute OAUTH20 Flow: Request Type=authorization Grant Type=null ResponseType=code
For an implicit grant flow, the request will have the following attributes:
- Request Type = “authorization”
- Grant Type = null
- Response Type = “token”
As shown in the trace output from the OAuth mapping rules:
commands.GetFlowGrantInfoCmd > execute ENTRY
commands.GetFlowGrantInfoCmd > getRequestTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getRequestTypeFromSTSUU RETURN authorization
commands.GetFlowGrantInfoCmd > getGrantTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getGrantTypeFromSTSUU RETURN null
commands.GetFlowGrantInfoCmd > getResponseTypeFromSTSUU ENTRY
commands.GetFlowGrantInfoCmd < getResponseTypeFromSTSUU RETURN token
commands.GetFlowGrantInfoCmd 3 execute OAUTH20 Flow: Request Type=authorization Grant Type=null ResponseType=token
Mapping Rule Identifying the Request
I’ve detailed a comprehensive sample mapping rule in this post here:
ISAM OAuth Token Mapping Rules – A Beginners Guide
Sample Processing Input
When the request enters the mapping rule, here is a copy of the STSUU in all its glory, to give you an idea of the attributes that are available and where they are stored:
Firefox displays this better than Chrome or Safari – for a readable version, use Firefox. 🙂
<?xml version="1.0" encoding="UTF-8"?>
<stsuuser:STSUniversalUser xmlns:stsuuser="urn:ibm:names:ITFIM:1.0:stsuuser">
  <stsuuser:Principal>
    <stsuuser:Attribute name="name" type="">
      <stsuuser:Value>emily</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:Principal>
  <stsuuser:AttributeList>
    <stsuuser:Attribute name="tagvalue_level2" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>10000</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_AUTH_METHOD" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>ext-auth-interface</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_role" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>admin,olb</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_UUID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>00000001-0000-1000-8002-030405060708</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_QOP_INFO" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>SSK: TLSV12: 2F</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_xattr" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>xattr_value_from_eai</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_DOMAIN" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>Default</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CUSTOM_ATTRIBUTES" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>tagvalue_level2</stsuuser:Value>
      <stsuuser:Value>mobileNumber</stsuuser:Value>
      <stsuuser:Value>tagvalue_xattr</stsuuser:Value>
      <stsuuser:Value>tagvalue_role</stsuuser:Value>
      <stsuuser:Value>tagvalue_securitylevel</stsuuser:Value>
      <stsuuser:Value>tagvalue_level1</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AUTHENTICATION_LEVEL" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>2</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_REGISTRY_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>cn=emily,cn=ExternalUser</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_NETWORK_ADDRESS_STR" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>192.168.42.1</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="mobileNumber" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>1234567890</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_level1" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>1100</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_NAME" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>emily</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_IP_FAMILY" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>AF_INET</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_session_index" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>200086fc-31f2-11e6-b024-000c29e29751</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_NETWORK_ADDRESS_BIN" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>0xc0a82a01</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_BROWSER_INFO" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>curl/7.43.0</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_VERSION" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>0x00000901</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_MECH_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>IV_LDAP_V3.0</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_securitylevel" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>2</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AZN_CRED_AUTHZN_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>emily</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="tagvalue_login_user_name" type="urn:ibm:names:ITFIM:5.1:accessmanager">
      <stsuuser:Value>emily</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:AttributeList>
  <stsuuser:RequestSecurityToken>
    <stsuuser:Attribute name="Issuer" type="http://schemas.xmlsoap.org/ws/2005/02/trust">
      <stsuuser:Value>urn:ibm:ITFIM:oauth20:client:browser</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AppliesTo" type="http://schemas.xmlsoap.org/ws/2004/09/policy">
      <stsuuser:Value>http://localhost/sps/oauth/oauth20</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="Forwardable" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>true</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="RenewingOk" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>false</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="RenewingAllow" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>true</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="AllowPostDating" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>false</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="KeySize" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>0</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="Claims" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>
        <wst:Claims xmlns:wst="http://schemas.xmlsoap.org/ws/2005/02/trust" Dialect="urn:ibm:names:ITFIM:oauth20">
          <fimoauth20:OAuth20Claims xmlns:fimoauth20="urn:ibm:names:ITFIM:oauth20" ClientConfidential="false" ClientDisplayName="Browser" ClientEnabled="true" ClientId="browser" ClientRedirectUri="https://www.ibm.com"/>
        </wst:Claims>
      </stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="RequestType" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>http://schemas.xmlsoap.org/ws/2005/02/trust/Validate</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="Base" type="urn:ibm:names:ITFIM:1.0:stsuuser">
      <stsuuser:Value>
        <stsuuser:STSUniversalUser>
          <stsuuser:Principal>
            <stsuuser:Attribute name="name">
              <stsuuser:Value>emily</stsuuser:Value>
            </stsuuser:Attribute>
          </stsuuser:Principal>
          <stsuuser:AttributeList>
            <stsuuser:Attribute name="tagvalue_level2" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>10000</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_AUTH_METHOD" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>ext-auth-interface</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_role" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>admin,olb</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_UUID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>00000001-0000-1000-8002-030405060708</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_QOP_INFO" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>SSK: TLSV12: 2F</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_xattr" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>xattr_value_from_eai</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_DOMAIN" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>Default</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CUSTOM_ATTRIBUTES" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>tagvalue_level2</stsuuser:Value>
              <stsuuser:Value>mobileNumber</stsuuser:Value>
              <stsuuser:Value>tagvalue_xattr</stsuuser:Value>
              <stsuuser:Value>tagvalue_role</stsuuser:Value>
              <stsuuser:Value>tagvalue_securitylevel</stsuuser:Value>
              <stsuuser:Value>tagvalue_level1</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AUTHENTICATION_LEVEL" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>2</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_REGISTRY_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>cn=emily,cn=ExternalUser</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_NETWORK_ADDRESS_STR" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>192.168.42.1</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="mobileNumber" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>1234567890</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_level1" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>1100</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_PRINCIPAL_NAME" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>emily</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_IP_FAMILY" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>AF_INET</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_session_index" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>200086fc-31f2-11e6-b024-000c29e29751</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_NETWORK_ADDRESS_BIN" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>0xc0a82a01</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_BROWSER_INFO" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>curl/7.43.0</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_VERSION" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>0x00000901</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_MECH_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>IV_LDAP_V3.0</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_securitylevel" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>2</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="AZN_CRED_AUTHZN_ID" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>emily</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="tagvalue_login_user_name" type="urn:ibm:names:ITFIM:5.1:accessmanager">
              <stsuuser:Value>emily</stsuuser:Value>
            </stsuuser:Attribute>
          </stsuuser:AttributeList>
          <stsuuser:RequestSecurityToken/>
          <stsuuser:ContextAttributes>
            <stsuuser:Attribute name="request_type" type="urn:ibm:names:ITFIM:oauth:request">
              <stsuuser:Value>authorization</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="client_id" type="urn:ibm:names:ITFIM:oauth:query:param">
              <stsuuser:Value>browser</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="response_type" type="urn:ibm:names:ITFIM:oauth:query:param">
              <stsuuser:Value>token</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="username" type="urn:ibm:names:ITFIM:oauth:request">
              <stsuuser:Value>emily</stsuuser:Value>
            </stsuuser:Attribute>
            <stsuuser:Attribute name="redirect_uri" type="urn:ibm:names:ITFIM:oauth:query:param">
              <stsuuser:Value>https://www.ibm.com</stsuuser:Value>
            </stsuuser:Attribute>
          </stsuuser:ContextAttributes>
          <stsuuser:AdditionalAttributeStatement/>
        </stsuuser:STSUniversalUser>
      </stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="Delegatable" type="com:tivoli:am:fim:sts:RST">
      <stsuuser:Value>false</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:RequestSecurityToken>
  <stsuuser:ContextAttributes>
    <stsuuser:Attribute name="access_token" type="urn:ibm:names:ITFIM:oauth:response:attribute">
      <stsuuser:Value>3tmIouP1Cf4MaRPvInQv</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="scope" type="urn:ibm:names:ITFIM:oauth:response:attribute"/>
    <stsuuser:Attribute name="request_type" type="urn:ibm:names:ITFIM:oauth:request">
      <stsuuser:Value>authorization</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="access_token_id" type="urn:ibm:names:ITFIM:oauth:response:metadata">
      <stsuuser:Value>3tmIouP1Cf4MaRPvInQv</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="state_id" type="urn:ibm:names:ITFIM:oauth:state">
      <stsuuser:Value>uuid4d6a73fa-0155-13e7-90cc-f1e1ddbfe4c2</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="expires_in" type="urn:ibm:names:ITFIM:oauth:response:attribute">
      <stsuuser:Value>3599</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="client_id" type="urn:ibm:names:ITFIM:oauth:query:param">
      <stsuuser:Value>browser</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="token_type" type="urn:ibm:names:ITFIM:oauth:response:attribute">
      <stsuuser:Value>bearer</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="client_type" type="urn:ibm:names:ITFIM:oauth:response:metadata">
      <stsuuser:Value>public</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="response_type" type="urn:ibm:names:ITFIM:oauth:query:param">
      <stsuuser:Value>token</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="username" type="urn:ibm:names:ITFIM:oauth:request">
      <stsuuser:Value>emily</stsuuser:Value>
    </stsuuser:Attribute>
    <stsuuser:Attribute name="redirect_uri" type="urn:ibm:names:ITFIM:oauth:query:param">
      <stsuuser:Value>https://www.ibm.com</stsuuser:Value>
    </stsuuser:Attribute>
  </stsuuser:ContextAttributes>
  <stsuuser:AdditionalAttributeStatement id=""/>
</stsuuser:STSUniversalUser>
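The two steps above (identify the flow, then pick session credential attributes to keep with the token) put together as an added example; it is not code from the original post or from ISAM. It runs under Node.js against a constructed plain-object stand-in for the STSUU, the helper names and the allow-list are hypothetical, and only allow-listed attributes are selected so that values such as the client network address are not persisted with the grant.

```javascript
// Added example: plain-object stand-in for the STSUU; helper names are hypothetical.
const T_REQ = "urn:ibm:names:ITFIM:oauth:request";
const T_QRY = "urn:ibm:names:ITFIM:oauth:query:param";
const T_STATE = "urn:ibm:names:ITFIM:oauth:state";
const T_AM = "urn:ibm:names:ITFIM:5.1:accessmanager";

// First value of a context attribute (type is optional), or null if absent.
function ctxValue(stsuu, name, type) {
  const a = stsuu.context.find((x) => x.name === name && (type === undefined || x.type === type));
  return a && a.values.length > 0 ? a.values[0] : null;
}

// Map Request Type / Grant Type / Response Type onto the flow in progress.
function classifyFlow(stsuu) {
  const requestType = ctxValue(stsuu, "request_type", T_REQ);
  const grantType = ctxValue(stsuu, "grant_type");
  const responseType = ctxValue(stsuu, "response_type", T_QRY);
  if (requestType !== "authorization" || grantType !== null) return null;
  if (responseType === "code") return "authorization_code";
  if (responseType === "token") return "implicit";
  return null;
}

// Pick only allow-listed credential attributes to store against the grant.
function attributesToStore(stsuu, allowList) {
  const flow = classifyFlow(stsuu);
  const stateId = ctxValue(stsuu, "state_id", T_STATE);
  const pairs = [];
  if (flow === null || stateId === null) return { flow, stateId, pairs };
  for (const name of allowList) {
    const a = stsuu.credential.find((x) => x.name === name && x.type === T_AM);
    if (a && a.values.length > 0) pairs.push([name, a.values.join(",")]);
  }
  return { flow, stateId, pairs };
}

// Constructed sample: a subset of the implicit-grant STSUU shown on this page.
const sample = {
  credential: [
    { name: "tagvalue_role", type: T_AM, values: ["admin,olb"] },
    { name: "AUTHENTICATION_LEVEL", type: T_AM, values: ["2"] },
    { name: "AZN_CRED_NETWORK_ADDRESS_STR", type: T_AM, values: ["192.168.42.1"] },
  ],
  context: [
    { name: "request_type", type: T_REQ, values: ["authorization"] },
    { name: "response_type", type: T_QRY, values: ["token"] },
    { name: "state_id", type: T_STATE, values: ["uuid4d6a73fa-0155-13e7-90cc-f1e1ddbfe4c2"] },
  ],
};
// "tagvalue_department" is a hypothetical name, absent from the sample, so it is skipped.
const ALLOW = ["tagvalue_role", "AUTHENTICATION_LEVEL", "tagvalue_department"];
console.log(attributesToStore(sample, ALLOW));
```

In an ISAM mapping rule the same lookups run against the injected `stsuu` object, and each returned pair would be written against `state_id` with `OAuthMappingExtUtils.associate`.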