Virtual attribute in OIDC scope.
Feels like every error I conquer, a new one is hitting back at me.
Now I have a problem with virtual attributes in OIDC scopes.
My goal is to provide an attribute set that supports MicroProfile, which means I need an attribute named groups that includes the All Roles values. Should be simple with virtual attributes, I thought ... but not...
I can include custom attributes in my scope. But not virtual attributes; they don't show up in the JWT.
And if I name the attribute "groups", then it's definitely not showing up in the JWT access token.
Can anyone confirm that virtual attributes are working with OIDC scopes?
Thanks
//Magnus
AFAIK virtual attributes are working in the ID token. But there is a limitation with virtual attributes used with OAuth:
https://www.netiq.com/documentation/access-manager-45/admin/data/createattrset.html
For the OAuth scope, you can add LDAP attributes or only the virtual attributes that are LDAP attributes or are constants.
Kind regards,
Sebastijan
Thanks @srajamanjit and @Sebastijan for your input.
I can confirm that virtual attributes work, but not as I expected. Let me explain.
In my example my user is authenticated and roles are assigned:
Authenticated user cn=mag,ou=HK,o=xx in User Store eDirectory with roles "role_captain", "role_sailor", "authenticated".
If I configure "All Roles" like this:
the JWT contains:
"allRoles": " role_captain ",
Only the first value of my assigned roles is included.
Now... If I set up a virtual attribute named error with P1 = cn and a JavaScript:
function main(P1) {
System.out.println("crash-me");
return P1;
}
and just include it in the attribute set (remote attr = error).
This makes the VirtualAttribute component crash,
but the allRoles in the JWT is complete:
"allRoles": [
"role_captain",
"role_sailor",
"authenticated"
],
I also discovered that JavaScript in VirtualAttributes doesn't care about the output type of the return value; in this case I have P1 = cn (not single-valued in eDir) but the JavaScript says it's a string when initializing the P1 variable.
(My JS code, in bold, makes sure that the output is a string.)
From catalina.out:
var P1 = 'xxxx' ;
com.netiq.nam.common.util.virtualAttributes.VirtualAttrScriptEngine: Script to run is :var vaJavaLib ;
try{
var javaLib = Java.type('com.netiq.nam.common.util.virtualAttributes.lib.java.VAJavaLib');
vaJavaLib = new javaLib();
}catch(err){}
var result = main(P1);
function main(P1) {
if (P1 instanceof Array) {
var a = P1[0];
return a.toString();
} else {
return P1;
}
}
DEBUG NIDS WSP:
Method: LDAPAuthorityLdap.A
Thread: ajp-nio-127.0.0.1-9019-exec-11
Calculated the value of the Virtual attribute svCN successfully
Value is : [xxxx] </amLogEntry>
and the JWT is an array:
"svCN": [
"mag"
],
When I use a single-value attribute as P1 in the same JavaScript, the output is a string:
"svCN": "my only value",
The last example is a simple constant value in the attribute set,
which is multi-valued in the JWT token:
"Constant": [
"a Constant value"
],
As @Sebastijan mentioned in a previous post, it is possible to fool the virtual attribute output by doing P1 / P2 switching:
P1 = Mv attr
P2 = Sv attr
js:
function main(P1,P2) {
if (P1 instanceof Array) {
var a = P1[0];
return a.toString();
} else {
return P1;
}
}
My conclusion is that if the source attribute is not single-valued in LDAP, it is always an array in the output; the type is applied after all values are calculated and doesn't care whether the virtual attribute output type is multi or single.
And if your JS script in the virtual attribute is not working, don't expect your JWT token to be complete.
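As an added example (not the poster's script and not NetIQ code), here is a virtual-attribute script written to the behaviour described in this thread: P1 arrives either as a JS string (single-valued LDAP attribute) or as an array (multi-valued), as the catalina.out excerpt shows, and the script always returns a trimmed, de-duplicated array of strings so a "groups" claim for MicroProfile has one stable JSON shape. The entry point main(P1) follows the convention visible in the log; that NAM accepts an array return value and that P1 is never a Java object is assumed.

```javascript
// Added example, not from the original post. Kept to ES5 because the
// VirtualAttrScriptEngine in the log runs on Nashorn; P1 is assumed to be a
// plain JS string or array, as in "var P1 = 'xxxx';" from catalina.out.
function toStringArray(value) {
  // null/undefined: the LDAP attribute is absent for this user
  if (value === null || value === undefined) {
    return [];
  }
  var list = (value instanceof Array) ? value : [value];
  var out = [];
  for (var i = 0; i < list.length; i++) {
    // All Roles values can carry padding (" role_captain " in the post), so trim
    var s = String(list[i]).replace(/^\s+|\s+$/g, '');
    if (s.length > 0 && out.indexOf(s) === -1) {
      out.push(s); // drop empty strings and duplicates
    }
  }
  return out;
}

// Entry point NAM calls (see "var result = main(P1);" in the log excerpt).
// Always returns an array so the claim's JSON shape does not change with the
// number of values the user happens to have.
function main(P1) {
  return toStringArray(P1);
}
```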