  1. OpenAM
  2. OPENAM-8900

OpenID/JWT claims in authZ policy subjects condition should provide signing verification

    Details

    • Type: Improvement
    • Status: Open
    • Priority: Minor
    • Resolution: Unresolved
    • Affects Version/s: 13.0.0
    • Fix Version/s: None
    • Component/s: entitlements
    • Labels:
      None
    • Environment:
      13.0 nightly

      Description

      The current subjects condition within an authorization policy provides the ability to check claims presented within a JWT/OpenID id_token. This condition, however, does not verify the signature of the token, with no facility to enter cryptographic details to do so.

      Ideally, this condition should provide an option to enter HMAC or RSA signing details in order to verify the token presented. Public key material could be alias-based, assuming the 3rd party certificate was imported into the OpenAM key store. The HMAC shared secret could be a free-form field.

      Currently this can only be handled via a scripted condition as written up here:

      http://identityrelationshipmanagement.blogspot.co.uk/2016/05/federated-authorization-using-3rd-party.html
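
The gap described above, as an added example (not OpenAM code and not the scripted condition from the linked post): a claim-only check accepts any well-formed token, while a check that first verifies an HS256 HMAC against a configured shared secret rejects a token signed with a different key. The function names, the secret and the sample tokens are assumptions constructed for illustration.

```javascript
const crypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const decodePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const hmacB64 = (input, secret) =>
  b64url(crypto.createHmac('sha256', secret).update(input).digest());

// Hypothetical helper, used only to build the constructed sample tokens below.
function signHS256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${hmacB64(`${head}.${body}`, secret)}`;
}

// Behaviour the issue describes: the claim is compared, the signature is ignored.
function claimOnlyCheck(token, name, expected) {
  const parts = token.split('.');
  return parts.length === 3 && decodePart(parts[1])[name] === expected;
}

// Requested behaviour: verify the HMAC with the configured secret, then read claims.
function verifiedClaimCheck(token, secret, name, expected) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch {
    return false; // malformed base64url or JSON
  }
  // The algorithm comes from configuration; the token does not get to choose it.
  if (header?.alg !== 'HS256') return false;
  // Compare the encoded signatures byte for byte, in constant time.
  const want = Buffer.from(hmacB64(`${parts[0]}.${parts[1]}`, secret));
  const got = Buffer.from(parts[2]);
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) return false;
  return payload?.[name] === expected;
}

// Constructed sample data: the secret, claims and tokens are made up.
const SECRET = 'example-shared-secret';
const goodToken = signHS256({ sub: 'alice', role: 'manager' }, SECRET);
// Same claims, but signed with a key the policy engine was never configured with.
const untrustedToken = signHS256({ sub: 'alice', role: 'manager' }, 'some-other-key');
```

Both tokens satisfy `claimOnlyCheck`; only `goodToken` satisfies `verifiedClaimCheck`. An RSA variant would verify with the public key behind a key store alias instead of a shared secret.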


            People

            • Assignee:
              Unassigned
              Reporter:
              simon.moffatt Simon Moffatt