
API Protection Introduction

OAUTH 2.0

Ross Holman, Nick Lloyd, Gabriel Bell

IBM Security L2 Support

August 16, 2017


Agenda

OAuth Overview

OAuth Terminology

OAuth Roles

Grant Types

Enabling OAuth Authentication

API Protection configuration

Authorization Code flow

Implicit Flow

OAuth Mapping Rules

2 IBM Security
What is OAuth?

OAuth is an HTTP-based authorization protocol that gives third-party applications scoped access to
protected resources on behalf of the resource owner. This allows private resources to be shared
between sites without the third party obtaining the resource owner's username and password.

ISAM supports OAuth 2.0 authentication and strictly follows the OAuth standards.

OAuth Terminology that you should know.

Authentication

Authorization

Access Token

Refresh Token

Authorization Code

Scope

Grant

OAuth Roles

Resource Server

Resource Owner

Client

Authorization server

Popular OAuth Grant Types

Authorization Code
Most appropriate for server-side web applications
An authorization code is obtained and then exchanged for an access token

Implicit Grant for Browser-Based Client-Side Applications
Most appropriate for browser-based client-side applications
The access token is created immediately and returned to the client

Enabling OAuth in Webseal

Stop the Webseal Server

Edit the oauth-auth field in the Webseal configuration file. This can be set to HTTP, HTTPS, or both
depending on your requirements. Once this has been updated, save the file.

Restart the Webseal Server

Using oauth-eas is another option, but it is not recommended since it does not allow fine-grained
authentication.

Enabling API Protection for AAC

Creating an API Definition and Client

Requesting an Authorization Code

Authorization endpoint
An authorization URL where the resource owner grants authorization to the OAuth client to access the protected
resource.
http://server.oauth.com/mga/sps/oauth/oauth20/authorize

Example

Authenticate and Consent to Receive Authorization Code

Authorization Code Generated Without a Redirect URI

Authorization Code Generated with a Redirect URI

*Demonstration purposes only.

Exchanging an Authorization Code for an Access Token

Token endpoint
A token request URL where the OAuth client exchanges an authorization grant for an access token and an optional
refresh token.
http://server.oauth.com/mga/sps/oauth/oauth20/token

Example

Accessing the Protected Resource with the Access Token

Requesting an Access Token for Implicit Flow

*Demonstration purposes only.

Authenticate and Consent to Obtain an Access Token

Access Token Generated with a Redirect URI

*Demonstration purposes only.

Accessing the Protected Resource with the Access Token

OAuth Mapping Rules

The PreToken rule is called before an OAuth token is generated and is typically used for validation.
Username/Password validation
LDAP
HTTP callout method
Limit the number of tokens or grants
Restrict Introspect endpoint (confidential clients)

The PostToken rule is called after an OAuth token is generated and used to modify the token.
Associate attributes with the token
HTTP Client example
Delete a token from cache
Restrict Introspect endpoint (validate token ownership)
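An added example, not the deck's or ISAM's code, modelling the PreToken/PostToken split described above: PreToken validates and can deny (grant limit per user, introspection only for confidential clients), PostToken associates attributes with the grant and uses them to validate token ownership on introspection. ISAM's OAuthMappingExtUtils is only available inside a mapping rule on the appliance, so the three store functions below are stand-ins with the same names; the request object shape, the request type strings, the limit of two grants and the names and ids used in the usage are assumptions for the model.

```javascript
const MAX_GRANTS_PER_USER = 2;   // constructed limit for the demonstration
const associations = new Map();  // stateId -> Map(attrKey -> attrValue)
const activeGrants = new Map();  // stateId -> { username, clientId }

// Stand-ins for OAuthMappingExtUtils.associate / getAssociation / getAssociationKeys.
function associate(stateId, attrKey, attrValue) {
  if (!associations.has(stateId)) associations.set(stateId, new Map());
  associations.get(stateId).set(attrKey, attrValue);
  return true;
}
function getAssociation(stateId, attrKey) {
  const m = associations.get(stateId);
  return m !== undefined && m.has(attrKey) ? m.get(attrKey) : null;
}
function getAssociationKeys(stateId) {
  const m = associations.get(stateId);
  return m !== undefined ? Array.from(m.keys()) : null;
}

// PreToken rule: validation before the token is generated. Returns null to
// allow the request or an error string to deny it.
// req shape (assumed for this model):
//   { requestType: "authorization" | "introspect", username, clientId, confidentialClient, stateId }
function preTokenRule(req) {
  if (req.requestType === "introspect" && !req.confidentialClient) {
    return "introspection is restricted to confidential clients";
  }
  if (req.requestType === "authorization") {
    let count = 0;
    for (const g of activeGrants.values()) if (g.username === req.username) count++;
    if (count >= MAX_GRANTS_PER_USER) return "too many active grants for user";
  }
  return null;
}

// PostToken rule: runs after the token is generated. For a new grant it records
// the owner and client on the grant and copies the associations onto the token;
// for introspection it refuses to confirm a token to any client other than the
// one the grant was issued to.
function postTokenRule(req, token) {
  if (req.requestType === "authorization") {
    activeGrants.set(req.stateId, { username: req.username, clientId: req.clientId });
    associate(req.stateId, "owner", req.username);
    associate(req.stateId, "client_id", req.clientId);
    token.attributes = {};
    for (const k of getAssociationKeys(req.stateId)) token.attributes[k] = getAssociation(req.stateId, k);
  } else if (req.requestType === "introspect") {
    if (getAssociation(req.stateId, "client_id") !== req.clientId) return { active: false };
    return { active: true, username: getAssociation(req.stateId, "owner") };
  }
  return token;
}

// Drives a request through both rules in the order the runtime applies them:
// PreToken first, and PostToken only when PreToken allowed the request.
function handleRequest(req) {
  const denied = preTokenRule(req);
  if (denied !== null) return { error: denied };
  const token = { stateId: req.stateId, issuedTo: req.clientId };
  return postTokenRule(req, token);
}
```

In handleRequest the third authorization for the same user is denied before any token exists, which is the point of doing limits in PreToken rather than cleaning up afterwards; the introspection checks show the two distinct restrictions the slides list, one on the caller's client type (PreToken) and one on whether the token belongs to the caller (PostToken).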

OAuth Mapping Rule Methods

Use the mapping rule methods to link an attribute key-value pair to the authorization grant state ID.

associate - Associates the attribute key-value pair with the authorization grant state ID.

    public static boolean associate(
        String stateID,
        String attrKey,
        String attrValue
    )

getAssociation - Gets the attribute value for the authorization grant state ID and attribute key.

    public static String getAssociation(
        String stateID,
        String attrKey
    )

https://www.ibm.com/support/knowledgecenter/SSPREK_9.0.3/com.ibm.isam.doc/config/reference/ref_oauth_mapping_rule_methods.html#ref_oauth_mapping_rule_methods

Example

    // Classes and grant context used by ISAM OAuth mapping rules (these lines are
    // present in ISAM's default rules and are added here so the fragment is complete)
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.utilities.OAuthMappingExtUtils);
    importClass(Packages.com.tivoli.am.fim.trustserver.sts.uuser.Attribute);
    var state_id = stsuu.getContextAttributes().getAttributeValueByNameAndType("state_id", "urn:ibm:names:ITFIM:oauth:state");

    // Name of the STSUU attribute to copy onto the grant (assumed; replace with your attribute name)
    var tagvalue_custom = "tagvalue_custom";
    var customattr = null;

    // Get the attribute from the STSUUser data
    var temp_attr = stsuu.getAttributeContainer().getAttributeValuesByName(tagvalue_custom);
    if (temp_attr != null && temp_attr.length > 0) {
        customattr = temp_attr[0];
    }

    // Get the keys of all extra attributes already associated with the authorization grant
    var attrKeyArray = OAuthMappingExtUtils.getAssociationKeys(state_id);
    if (attrKeyArray != null && customattr != null) {
        // Associate an extra attribute (the slide uses the value as both key and value)
        OAuthMappingExtUtils.associate(state_id, customattr, customattr);
    }

    // Put the extra attributes into the STSUU as context attributes so they are returned in the response
    attrKeyArray = OAuthMappingExtUtils.getAssociationKeys(state_id);
    if (attrKeyArray != null) {
        for (var i = 0; i < attrKeyArray.length; i++) {
            stsuu.addContextAttribute(new Attribute(attrKeyArray[i],
                "urn:ibm:names:ITFIM:oauth:response:attribute",
                OAuthMappingExtUtils.getAssociation(state_id, attrKeyArray[i])));
        }
    }

QUESTIONS?

THANK YOU
FOLLOW US ON:

ibm.com/security

securityintelligence.com
xforce.ibmcloud.com

@ibmsecurity

youtube/user/ibmsecuritysolutions

Copyright IBM Corporation 2017. All rights reserved. The information contained in these materials is provided for informational purposes only, and is provided AS IS without warranty of any kind, express
or implied. IBM shall not be responsible for any damages arising out of the use of, or otherwise related to, these materials. Nothing contained in these materials is intended to, nor shall have the effect of,
creating any warranties or representations from IBM or its suppliers or licensors, or altering the terms and conditions of the applicable license agreement governing the use of IBM software. References in these
materials to IBM products, programs, or services do not imply that they will be available in all countries in which IBM operates. Product release dates and / or capabilities referenced in these materials may
change at any time at IBMs sole discretion based on market opportunities or other factors, and are not intended to be a commitment to future product or feature availability in any way. IBM, the IBM logo, and
other IBM products and services are trademarks of the International Business Machines Corporation, in the United States, other countries or both. Other company, product, or service names may be trademarks
or service marks of others.

Statement of Good Security Practices: IT system security involves protecting systems and information through prevention, detection and response to improper access from within and outside your enterprise.
Improper access can result in information being altered, destroyed, misappropriated or misused or can result in damage to or misuse of your systems, including for use in attacks on others. No IT system or
product should be considered completely secure and no single product, service or security measure can be completely effective in preventing improper use or access. IBM systems, products and services are
designed to be part of a lawful, comprehensive security approach, which will necessarily involve additional operational procedures, and may require other systems, products or services to be most effective.

IBM DOES NOT WARRANT THAT ANY SYSTEMS, PRODUCTS OR SERVICES ARE IMMUNE FROM, OR WILL MAKE YOUR ENTERPRISE IMMUNE FROM, THE MALICIOUS OR ILLEGAL CONDUCT
OF ANY PARTY.
