Layer7 API Management

  • 1.  OIDC (id_token) with password grant type policy example

    Posted May 12, 2020 01:04 PM
    Based on a business requirement, we have to implement OIDC with grant type=password. One of the changes I know of is that we have to add password as a supported grant type in the OTK openid grant_type_supported policy.

    Apart from this, in the token endpoint we have to add the assertions specific to id_token generation. So I copied them from the authorization grant type and added/customized them in the OTK grant_type=PASSWORD policy. However, we are getting errors, one of them being "missing or duplicate parameters".
    It would be really helpful if we could get already implemented policy XML files where id_token generation for the password grant type is implemented.


    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------


  • 2.  RE: OIDC (id_token) with password grant type policy example
    Best Answer

    Posted May 13, 2020 05:44 AM
    Edited by Christopher Hackett May 15, 2020 01:48 PM
    Hi Sachin,
    Depending on the version of the OTK Toolkit you are using, you might notice that OTK grant_type=PASSWORD will become read-only in the next release, which means your customization will not work.

    As far as the OIDC standard goes, there is no id_token for the password grant type, as the app is verifying on behalf of the user and there is no need to validate the user; that said, we had to deploy it for one of our customers.
    We achieved this as follows:
    1. In the token endpoint, add an expression (NOTE: this will be updated during every OTK upgrade, so you will have to apply this change again whenever you upgrade)
    =====
    <?xml version="1.0" encoding="UTF-8"?>
    <wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
        <wsp:All wsp:Usage="Required">
            <L7p:ComparisonAssertion>
                <L7p:CaseSensitive booleanValue="false"/>
                <L7p:Expression1 stringValue="${request.http.parameter.realm}"/>
                <L7p:Operator operatorNull="null"/>
                <L7p:Predicates predicates="included">
                    <L7p:item dataType="included">
                        <L7p:Type variableDataType="string"/>
                    </L7p:item>
                    <L7p:item binary="included">
                        <L7p:Operator operator="EMPTY"/>
                        <L7p:RightValue stringValue="enterprise"/>
                    </L7p:item>
                </L7p:Predicates>
            </L7p:ComparisonAssertion>
        </wsp:All>
    </wsp:Policy>

    =====
    2. The next step is to update the OTK Grant Type = CUSTOM policy.
    Update the policy as attached.


    NOTE: This is a limited-security version of the ID_TOKEN, generated just to meet the requirement. I would suggest avoiding it if possible and recommend using the Authorization Code or Implicit grant type, which output an ID_TOKEN.



    Output: (screenshot in the original post)

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------

    Attachment(s): OTK_grant_type=Custom.xml (26 KB, 1 version)

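A client-side check of the id_token such a custom password-grant policy returns, as an added example that is not part of this thread or of OTK: it pins the algorithm, verifies the signature, checks iss, aud, exp, iat and sub, and flags the missing nonce that makes a password-grant id_token weaker than one from the authorization code flow. HS256 with a shared secret, the issuer URL and the client id are constructed assumptions; a gateway signing with RS256 would be checked against its JWKS instead.

```python
import base64, hashlib, hmac, json, time
# Constructed placeholders: not the issuer, client or key from the thread
ISSUER = "https://gateway.example.com/auth/oauth/v2"
CLIENT_ID = "mobile-app-client"
SHARED_SECRET = b"constructed-hs256-secret-for-the-example"

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_id_token(claims, secret=SHARED_SECRET):
    # Stand-in for the id_token a custom grant policy would emit (HS256 assumed here)
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{b64url_encode(sig)}"

def validate_id_token(token, secret=SHARED_SECRET, issuer=ISSUER, client_id=CLIENT_ID, now=None):
    """Return findings; 'error:' entries reject the token, 'warn:' entries only inform."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        return ["error: token is not three dot-separated segments"]
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # pin the algorithm; never accept "none"
        return [f"error: unexpected alg {header.get('alg')!r}"]
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        return ["error: signature mismatch"]  # stop before trusting any claim
    claims = json.loads(b64url_decode(payload_b64))
    findings = []
    if claims.get("iss") != issuer:
        findings.append("error: iss mismatch")
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        findings.append("error: aud does not contain client_id")
    if not isinstance(claims.get("exp"), int) or claims["exp"] <= now:
        findings.append("error: exp missing or in the past")
    if not isinstance(claims.get("iat"), int) or claims["iat"] > now + 60:  # 60 s skew
        findings.append("error: iat missing or in the future")
    if "sub" not in claims:
        findings.append("error: sub missing")
    # Password grant has no authorization request, so no nonce binds the token to a session
    if "nonce" not in claims:
        findings.append("warn: no nonce, so id_token replay cannot be detected")
    return findings
```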

  • 3.  RE: OIDC (id_token) with password grant type policy example

    Posted May 13, 2020 06:31 AM
    Forgot to store the token in the DB. Corrected it now.

    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------

    Attachment(s): OTK_grant_type=Custom.xml (29 KB, 1 version)


  • 4.  RE: OIDC (id_token) with password grant type policy example

    Posted May 13, 2020 09:43 AM
    Thanks for your response, Ronald. I will use these steps and test them.
    We are using OTK 4.3. Can you please suggest when the password grant type will become read-only?

    ------------------------------
    Technology Lead
    Infosys Limited
    ------------------------------



  • 5.  RE: OIDC (id_token) with password grant type policy example

    Posted May 13, 2020 11:16 AM
    Not really sure when, but I think it is the next minor release, because I am using a 4.3.x version where the password grant type is read-only.



    ------------------------------
    Pre-Sales Consultant
    CA Southern Africa
    ------------------------------