Commodore

Virtual attribute in OIDC scope.

It feels like for every error I conquer, a new one hits back at me.

Now I have a problem with virtual attributes in OIDC scopes.

My goal is to provide an attribute set that supports MicroProfile, which means I need an attribute named groups that includes the All Roles values. Should be simple with virtual attributes, I thought ... but no ...

I can include custom attributes in my scope, but not virtual attributes; they don't show up in the JWT.

And if I name the attribute "groups", then it's definitely not showing up in the JWT access token.

Can anyone confirm that virtual attributes work with OIDC scopes?

Thanks 

//Magnus

3 Replies
Vice Admiral

AFAIK virtual attributes work in the ID token, but there is a limitation with virtual attributes used with OAuth:

https://www.netiq.com/documentation/access-manager-45/admin/data/createattrset.html

For the OAuth scope, you can add LDAP attributes or only the virtual attributes that are LDAP attributes or are constants.

Kind regards,

Sebastijan

Micro Focus Expert

As @Sebastijan says, OAuth scopes support VAs created using LDAP attributes.

[Screenshot: VA.PNG]

Commodore

Thanks @srajamanjit and @Sebastijan for your input.

I can confirm that virtual attributes work, but not as I expected. Let me explain.

In my example my user is authenticated and roles are assigned:

Authenticated user cn=mag,ou=HK,o=xx in User Store eDirectory with roles "role_captain","role_sailor","authenticated".

If I configure "All Roles" like this: 

[Screenshot: 1.PNG]

the JWT contains:

"allRoles": " role_captain ",

Only the first value of my assigned roles is included. 

Now ... if I set up a virtual attribute named error with P1 = cn and a JavaScript of:

function main(P1) {
  System.out.println("crash-me");
  return P1;
}

and just include it in the attribute set (remote attribute = error),

this makes the VirtualAttribute component crash,

but the allRoles in the JWT is complete:

"allRoles": [
  "role_captain",
  "role_sailor",
  "authenticated"
],

I also discovered that the JavaScript in virtual attributes doesn't care about the output type of the return value. In this case I have P1 = cn (not single-valued in eDir), but the JavaScript says it's a string when initializing the P1 variable.

(My JS code below makes sure that the output is a string.)

From catalina.out:

var P1 = 'xxxx' ; 

com.netiq.nam.common.util.virtualAttributes.VirtualAttrScriptEngine: Script to run is :
var vaJavaLib ;
try {
  var javaLib = Java.type('com.netiq.nam.common.util.virtualAttributes.lib.java.VAJavaLib');
  vaJavaLib = new javaLib();
} catch (err) {}

var result = main(P1);

function main(P1) {
  if (P1 instanceof Array) {
    var a = P1[0];
    return a.toString();
  } else {
    return P1;
  }
}

DEBUG NIDS WSP:
Method: LDAPAuthorityLdap.A
Thread: ajp-nio-127.0.0.1-9019-exec-11
Calculated the value of the Virtual attribute svCN successfully
Value is : [xxxx] </amLogEntry>

and in the JWT it is an array:

"svCN": [
"mag"
],

When I use a single-valued attribute as P1 with the same JavaScript, the output is a string:

"svCN": "my only value",

The last example is a simple constant value in the attribute set:

[Screenshot: 2.PNG]

which is multi-valued in the JWT token:

"Constant": [
"a Constant value"
],

As @Sebastijan mentioned in a previous post, it is possible to fool the virtual attribute output by doing P1/P2 switching:

P1 = MV attribute
P2 = SV attribute
JS:

function main(P1, P2) {
  if (P1 instanceof Array) {
    var a = P1[0];
    return a.toString();
  } else {
    return P1;
  }
}

My conclusion is that if the source attribute is not single-valued in LDAP, the output is always an array; the type is applied after all values are calculated and doesn't care whether the virtual attribute output type is multi- or single-valued.

And if the JS script in your virtual attribute is not working, don't expect your JWT token to be complete.
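An added example, not part of the original thread and not NetIQ's code: the consumer side of the behaviour Magnus describes above. The same role claim arrives as a padded single string (" role_captain ") when the source attribute had one value, as an array when it had several, and is absent when the virtual attribute script crashed. A MicroProfile-style groups check should therefore normalise the claim shape before comparing, and fail closed when the claim is missing rather than treating a broken token as "no roles". The claim names groups and allRoles come from the thread; the tokens are constructed here with a fake signature, and the code assumes signature verification has already happened upstream (it only parses the payload segment and does not validate the token).

```javascript
// Added example (not from the original thread): normalise NAM-issued role
// claims that may be a padded string or an array, then enforce a required group.
// ASSUMPTION: the JWT signature, issuer, audience and expiry were verified
// upstream; this code parses the payload only and performs NO validation.

function base64UrlDecode(s) {
  // RFC 7515 base64url -> standard base64; Node tolerates missing padding.
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/'), 'base64').toString('utf8');
}

function base64UrlEncode(s) {
  return Buffer.from(s, 'utf8').toString('base64')
    .replace(/=+$/, '').replace(/\+/g, '-').replace(/\//g, '_');
}

function decodePayload(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  return JSON.parse(base64UrlDecode(parts[1]));
}

// Return the role claim as a de-duplicated array of trimmed strings, whatever
// shape the IdP emitted. Looks at the first present claim in claimNames
// ("groups" for MicroProfile, "allRoles" as seen in the thread).
function normaliseGroups(payload, claimNames = ['groups', 'allRoles']) {
  for (const name of claimNames) {
    const v = payload[name];
    if (v === undefined || v === null) continue;
    const values = Array.isArray(v) ? v : [v];      // " role_captain " -> [" role_captain "]
    const cleaned = values
      .filter((x) => typeof x === 'string')          // ignore non-string junk
      .map((x) => x.trim())                          // strip the padding seen in the thread
      .filter((x) => x.length > 0);
    return [...new Set(cleaned)];
  }
  return [];
}

// Fail closed: a token with no role claim at all (the "incomplete JWT" case
// when the virtual attribute script crashed) is rejected, not treated as
// "authenticated with zero roles".
function requireGroup(payload, group) {
  const groups = normaliseGroups(payload);
  if (groups.length === 0) throw new Error('token carries no role claim; refusing');
  if (!groups.includes(group)) throw new Error(`missing required group ${group}`);
  return groups;
}

// Constructed sample tokens (fake signature segment) mirroring the three
// claim shapes observed in the thread.
function makeToken(payload) {
  const header = { alg: 'RS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.fakesig`;
}

const TOKEN_STRING_CLAIM = makeToken({ sub: 'mag', allRoles: ' role_captain ' });
const TOKEN_ARRAY_CLAIM = makeToken({
  sub: 'mag',
  allRoles: ['role_captain', 'role_sailor', 'authenticated'],
});
const TOKEN_NO_CLAIM = makeToken({ sub: 'mag' });

// Usage: print the normalised groups for each constructed token.
for (const t of [TOKEN_STRING_CLAIM, TOKEN_ARRAY_CLAIM, TOKEN_NO_CLAIM]) {
  console.log(JSON.stringify(normaliseGroups(decodePayload(t))));
}
```

The trim step matters because a string claim compared literally against "role_captain" would never match the padded value " role_captain " that the thread shows, and the fail-closed check in requireGroup is what turns a half-built token into a visible authorization error instead of a silent privilege loss.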