Layer7 API Management

  • 1.  PPID generated only with iss + resource_owner + salt ?

    Posted Sep 13, 2016 10:14 PM

    I'd like to know implementation details on generating a PPID for the sub value in the ID Token. The OTK doc states that the value will be created from the values of part1, part2 and part3; though it doesn't clarify what part1 and part2 are, while describing part3 as "salt."
    Using the OpenID Connect Assertions - CA API Management OAuth Toolkit - 3.5 - CA Technologies Documentation 
    It seems that the default values for the former 2 parts are iss and resource_owner respectively, but I don't think that is sufficient to generate a PPID, as all three values including the salt are global, i.e. the same sub value is to be provided to all OIDC RPs. Please let me know if it is some sort of doc bug or there is some algorithm leveraging the client / sector identifier behind the documentation.
    Tatsuo.



  • 2.  Re: PPID generated only with iss + resource_owner + salt ?
    Best Answer

    Posted Sep 13, 2016 11:16 PM

    Hi Tatsuo!
    You are right, those values would not be sufficient. That is why the client_id is also part of the 'sub' generation. Two different clients (client_id's) would not get the same 'sub' value.

    We will check our documentation to make sure it includes those details.

    I hope this clarifies it.
    Thanks,

    Sascha



  • 3.  Re: PPID generated only with iss + resource_owner + salt ?

    Posted Sep 20, 2016 03:35 AM

    Thanks Sascha,
    I don't have my OTK lab environment at this moment, but a colleague of mine said there were iss and resource_owner pre-configured as the default parameters for the sub generation in a vanilla installation of OTK. Let me know if his finding is correct.
    Tatsuo.



  • 4.  Re: PPID generated only with iss + resource_owner + salt ?

    Posted Sep 26, 2016 11:05 AM

    saspr02,
    These default values, ${iss}, ${resource_owner} and ${salt}, for the sub claim in the "Generate ID Token" assertion are specified by the "OTK id_token generation" assertion. I don't think these values of the OTK product meet the requirement for a PPID. Should it be ${client_id}|${resource_owner}|${salt} or ${client_ident}|${resource_owner}|${salt} by default? Let me know your opinion on this.
    Generate ID Token properties



  • 5.  Re: PPID generated only with iss + resource_owner + salt ?

    Posted Sep 26, 2016 11:18 AM

    Tatsuo,
    You have to look at where the assertion is used. As you know, that screenshot is taken from an assertion within the encapsulated assertion "OTK id_token Generation- HS256". That encapsulated assertion is using variables that are set "from outside". That is where the client_id becomes part of the salt.
    Regards,

    Sascha



  • 6.  Re: PPID generated only with iss + resource_owner + salt ?

    Posted Sep 26, 2016 11:55 AM

    Thanks saspr02, got it.
    Could you elaborate more on the salt created in the OTK id_token Generation-HS256 assertion, especially its ingredients other than client_id and its manipulation, e.g. sha256()? I wanted to have a look into this, but I can't connect to the lab environment right now.
    Another concern from my colleague who found this setting is whether it is officially supported when he modifies the values in the OTK-provided assertion, to ${client_ident}|${resource_owner}|${salt} for example. Any comments appreciated.
    Tatsuo.



  • 7.  Re: PPID generated only with iss + resource_owner + salt ?

    Posted Sep 26, 2016 01:20 PM

    Tatsuo,
    Regarding more details, I am not sure what I can add to my earlier response. The way it's produced is like this: SHA-256( sector_identifier | resource_owner | salt ) (where salt is a value generated from different values), which is how it was specified originally.
    For your colleague, there is no reason for him to change the way sub is generated. If he still wants to do so, he has to make sure it is done the same way in future versions; he has to maintain it himself. And we are not able to help you with issues that may occur by doing so.
    Regarding sub in general, would it be helpful for you if you could provide an already existing value rather than have OTK generate it for you? This would be good to know for us to adjust future versions.
    Thanks,

    Sascha
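The derivation Sascha describes, and Tatsuo's concern about the default template, as an added example that is not code from the thread or from the OTK product: the `|` separator follows the templates quoted in the thread, while the hex output encoding and the sample issuer, user, client and salt values are assumptions.

```python
import hashlib
import re

# Templates quoted from the thread: the OTK default shown in the "Generate ID Token"
# screenshot, and the per-client variant proposed in the discussion.
DEFAULT_SUB_TEMPLATE = "${iss}|${resource_owner}|${salt}"
PAIRWISE_SUB_TEMPLATE = "${client_id}|${resource_owner}|${salt}"

# Context variables that bind the subject to one client or sector; any one of them
# in the template makes the resulting 'sub' pairwise rather than global.
PER_CLIENT_VARIABLES = {"client_id", "client_ident", "sector_identifier"}

_VAR = re.compile(r"\$\{([^}]+)\}")


def template_variables(template: str) -> list[str]:
    """Return the ${...} context-variable names referenced by a sub template."""
    return _VAR.findall(template)


def is_pairwise_template(template: str) -> bool:
    """True if the template mixes in a per-client/sector component, False if global."""
    return any(name in PER_CLIENT_VARIABLES for name in template_variables(template))


def render_sub(template: str, context: dict[str, str]) -> str:
    """Expand the template from context variables and hash it as the thread describes:
    SHA-256( part1 | part2 | salt ). Hex encoding of the digest is an assumption of
    this example; OTK's actual output encoding is not stated in the thread."""
    material = _VAR.sub(lambda m: context[m.group(1)], template)
    return hashlib.sha256(material.encode("utf-8")).hexdigest()


def subs_for_two_clients(template: str) -> tuple[str, str]:
    """Derive 'sub' for the same resource owner at two different clients (constructed data)."""
    base = {"iss": "https://idp.example.test", "resource_owner": "alice",
            "salt": "constructed-global-salt"}
    rp_a = {**base, "client_id": "rp-a"}
    rp_b = {**base, "client_id": "rp-b"}
    return render_sub(template, rp_a), render_sub(template, rp_b)


if __name__ == "__main__":
    for tpl in (DEFAULT_SUB_TEMPLATE, PAIRWISE_SUB_TEMPLATE):
        a, b = subs_for_two_clients(tpl)
        kind = "pairwise" if is_pairwise_template(tpl) else "GLOBAL (correlatable across RPs)"
        print(f"{tpl}: {kind}; same sub at both RPs: {a == b}")
```

With the default template both relying parties receive an identical sub for the same user, which is exactly the correlation a PPID is meant to prevent; the per-client template yields distinct values.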