ExistingIDToken API returns PASSWORD_AUTH instead of AUTH_ALLOWED
search cancel

ExistingIDToken API returns PASSWORD_AUTH instead of AUTH_ALLOWED

book

Article ID: 367837

calendar_today

Updated On:

Products

Symantec Identity Security Platform - IDSP (formerly VIP Authentication Hub)

Issue/Introduction


When running VIP Authentication Hub, and passing an ExistingIDToken (JWT token signed with a certificate) to the Authenticate API, then, the VIP Authentication Hub API returns PASSWORD_AUTH, instead of AUTH_ALLOWED.

POST https://{{sspHost}}/{{apiPathTenant}}/auth/v1/authenticate

{

  "existingIDToken":"euJ0 [...omitted for brevity...]",

Body

{

  "nextaction": "PASSWORD_AUTH",


The JWT has:

  HEADER

  {
    "typ": "JWT",
    "alg": "RS256"
  }

  PAYLOAD:DATA


  {
    "sub": "<user>",
    "idp_name": "<idpname>",
    "user_universalid": "<user>",
    "amr": [
      "PWD"
    ],
    "iss": "https://api.example.com",
    "exp": <exp_number>
  }

 

Environment


  VIP Authentication Hub 2.2.5;

 

Cause

 

Some mandatory headers and claims are missing from the JWT.

Mandatory claims are:

  • Must contain an "amr" claim with values corresponding to Authentication Hub's AMR values  --> show "amr" claim format and table of supported values;
  • Must contain a "sub" with the value of user's login id, or have "user_loginid" claim;
  • Must have a certificate imported into Authentication Hub matching the token's header (kid, x5c, x5t, x5t#S256).

 

Resolution


Add the mandatory claims and headers to the JSON token to solve the issue.

 

Powered by Wolken Software