SSO LTPA/JWT support authentication filter for Liberty #10091
Comments
|
This is from the stack product leads I had opportunities to work with. This git issue include great ideas on filtering out ltpa token for easier security configuration . Roger Bacalzo kindly put together his ideas with Brian Laskey's. These are from real customers scenarios and their day-to-day experience developing on Liberty. |
utle
added
the
Epic
|
Design review follow-up actions:
|
|
Would it be possible to also get these filters for custom TAIs? |
|
@garypicher |
utle
changed the title
utle
added
design
Design Approval Request
In Progress
|
@utle do you have any reference to work items to track the documentation work for auth filters? In the design review we spoke about deficiencies in current documentation so I'd like to make sure we have documentation issues raised somewhere before I approve. |
|
Hi @NottyCode Here is the issue for auth filter description and sample. [https://github.com//issues/11741] |
utle
added
release:20004
target:ga
samwatibm
added
focalApproved:globalization
jhanders34
added
the
focalApproved:performance
nstewart0206
added
the
focalApproved:svt
steven1046
added
the
focalApproved:accessibility
skasund
added
the
focalApproved:ste
samwatibm
added
the
focalApproved:globalization
|
Hi @donbourne Serviceability Approval Comment - Please answer the following questions for serviceability approval: UFO -- does the UFO identify the most likely problems customers will see and identify how the feature will enable them to diagnose and solve those problems without resorting to raising a PMR? Yes Have these issues been addressed in the implementation? Yes Test and Demo -- As part of the serviceability process we're asking feature teams to test and analyze common problem paths for serviceability and demo those problem paths to someone not involved in the development of the feature (eg. L2, test team, or another development team).
b) Who did you demo to?
c) Do the people you demo'd to agree that the serviceability of the demonstrated problem scenarios is sufficient to avoid PMRs for any problems customers are likely to encounter, or that L2 should be able to quickly address those problems without need to engage L3?
SVT -- SVT team is often the first team to try new features and often encounters problems setting up and using them. Note that we're not expecting SVT to do full serviceability testing -- just to sign-off on the serviceability of the problem paths they encountered.
Which L2 / L3 queues will handle PMRs for this feature?
Does this feature add any new metrics or emit any new JSON events? If yes, have you updated the JMX metrics reference list / Metrics reference list / JSON log events reference list in the Open Liberty docs?
|
donbourne
added
the
focalApproved:serviceability
|
The input that Ut provided for the ID issue looks good. Approving. |
samwatibm
added
release:21004
and removed
target:ga
|
GA Blog - #16552 |
WAD for SSO LTPA/JWT support authentication filter:
https://ibm.box.com/s/hv3ftnr3dsa294j37pu153b5jdyi8fk8
Doc: OpenLiberty/docs#3801
In This epic we are adding only the SSO LTPA/JWT support authentication filter.
Recently a few developers who had experienced issues with WebSphere Liberty SSO in the past were asked to provide input on a new Liberty LTPA authentication filter mechanism under consideration for development.
Below is a summary of the responses:
The LTPA authentication filter sounds like a good idea. I think it should work similarly to the authentication filter used by OIDC (
https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.wlp.doc/ae/rwlp_auth_filter.html and https://www.ibm.com/support/knowledgecenter/SSEQTP_liberty/com.ibm.websphere.liberty.autogen.nd.doc/ae/rwlp_config_openidConnectClient.html).
But I would give this priority to the filter implementation:
In terms of APIs, these would be the most useful:
Enance the OIDC PropagationHelper (https://www.ibm.com/support/knowledgecenter/en/SSEQTP_liberty/com.ibm.websphere.javadoc.liberty.doc/com.ibm.websphere.appserver.api.oidc_1.0-javadoc/com/ibm/websphere/security/openidconnect/PropagationHelper.html) to return a String version of the IdToken (e.g. getTokenString()). If propagating an IdToken to a downstream server as a Bearer token on the http authorization header, this needs to be a string. The current method getIdToken() returns a com.ibm.websphere.security.openidconnect.token.IdToken object. This is useless for token propagation since you can't get the String form of that token to propagate to a subsequent downstream servers.
A public method to validate an LTPA token.
It would also be good to know a way of identifying tWAS and Liberty jar files required for builds when we do use specific Liberty or tWAS APIs in our code so that we can have the correct build dependencies. Right now, we have to dig through Liberty and tWAS deployed directories to search for the jars containing the classes we need to compile our code, then manually copy those jars into our build tree.
I think we had less experience needing to manipulate the application of LTPA checks, and more with limitations around various SSO TAIs (i.e. SAML, SPNEGO) needing more advanced filtering behavior in cases of multiple IdP or some users with native login, some with SSO, so I hope I'm understanding the request.
Anyway, For LTPA filter ideas I think I would rank as follows
I would also think that it's very important to have a robust logical operations supported in whatever the filter mechanism (i.e. grouping of filter expressions with AND and OR logical operators, usage of NOT). I recall SAML sp.filter having some limitations around being all AND or all OR in certain expressions.
I would imagine it would be useful having a per-User API that allows the application to set a cookie so that the LTPA authentication could be by-passed next time if needed for that user ( a formal way for us to decide which users might have cookies that will be filtered out by #2 above )
The text was updated successfully, but these errors were encountered: