Layer7 API Management

I am trying to use this assertion to create an ID token as JSON message but having some difficulties.

I was able to figure out most of the fields except these:

sub - This is not super important for me

exp - This is what causing me pain. Document says "Enter the expiration date in seconds since 01.01.1970-00:00:00"

This is epoch format. How do I set this field with an expiration time of 15 mins for each token generated but at diff times?

There is no OAuth so the optional stuff doesn't apply for this use case.

You can somewhat achieve this through using Xpath to do mathematical calculations.

I am attaching a policy in which I take in ${request.time.seconds} and add 900 seconds to that value. Sadly the Xpath output is in scientific notation, so there is an extra RegEx to remove that notation. You should be able to copy or use this same policy logic to prepare a value to put inside the "exp" field.

<?xml version="1.0" encoding="UTF-8"?>
<wsp:Policy xmlns:L7p="http://www.layer7tech.com/ws/policy" xmlns:wsp="http://schemas.xmlsoap.org/ws/2002/12/policy">
    <wsp:All wsp:Usage="Required">
        <L7p:SetVariable>
            <L7p:Base64Expression stringValue="PGEvPg=="/>
            <L7p:ContentType stringValue="text/xml; charset=utf-8"/>
            <L7p:DataType variableDataType="message"/>
            <L7p:VariableToSet stringValue="dummyXml"/>
        </L7p:SetVariable>
        <L7p:SetVariable>
            <L7p:Base64Expression stringValue="JHtyZXF1ZXN0LnRpbWUuc2Vjb25kc30="/>
            <L7p:VariableToSet stringValue="total"/>
        </L7p:SetVariable>
        <L7p:SetVariable>
            <L7p:AssertionComment assertionComment="included">
                <L7p:Properties mapValue="included">
                    <L7p:entry>
                        <L7p:key stringValue="RIGHT.COMMENT"/>
                        <L7p:value stringValue="Size of the xml portion of the message."/>
                    </L7p:entry>
                </L7p:Properties>
            </L7p:AssertionComment>
            <L7p:Base64Expression stringValue="OTAw"/>
            <L7p:VariableToSet stringValue="xmlSize"/>
        </L7p:SetVariable>
        <L7p:ResponseXpathAssertion>
            <L7p:VariablePrefix stringValue=""/>
            <L7p:XmlMsgSrc stringValue="dummyXml"/>
            <L7p:XpathExpression xpathExpressionValue="included">
                <L7p:Expression stringValue="$total + $xmlSize"/>
                <L7p:Namespaces mapValue="included">
                    <L7p:entry>
                        <L7p:key stringValue="s"/>
                        <L7p:value stringValue="http://schemas.xmlsoap.org/soap/envelope/"/>
                    </L7p:entry>
                </L7p:Namespaces>
                <L7p:XpathVersion xpathVersion="XPATH_1_0"/>
            </L7p:XpathExpression>
        </L7p:ResponseXpathAssertion>
        <L7p:Regex>
            <L7p:AutoTarget booleanValue="false"/>
            <L7p:OtherTargetMessageVariable stringValue="responseXpath.result"/>
            <L7p:Regex stringValue="\.|E9"/>
            <L7p:RegexName stringValue="nodot"/>
            <L7p:Replace booleanValue="true"/>
            <L7p:Replacement stringValue=""/>
            <L7p:Target target="OTHER"/>
        </L7p:Regex>
        <L7p:HardcodedResponse>
            <L7p:Base64ResponseBody stringValue="UmVxdWVzdCBUaW1lID0gJHt0b3RhbH0gKyAke3htbFNpemV9CgpSZXN1bHQgPSAke3Jlc3BvbnNlWHBhdGgucmVzdWx0fQ=="/>
            <L7p:ResponseContentType stringValue="text/plain; charset=UTF-8"/>
        </L7p:HardcodedResponse>
    </wsp:All>
</wsp:Policy>

I was not aware you can do this much easier just in the Date/Time Context Variable assertion mentioned below by Barry Stern. Follow that method as it's much simpler.

For exp you can create a context variable  with a name  like exp of type date/time with the time offset to 900 seconds or 15 minutes.  Then in the generate id token  assertion set the value for expiration at ${exp.seconds}

This is how the OTK does it.

Barry

I tried the same initially before posting my question here. Looks like Generate ID Token needs timestamp un epoch format.  Errors out like this --> Assertion 'Generate ID Token'; The claim 'exp' is not a valid 10-digit unix-timestamp: ''

The format field for date/time is set to 'Auto" ..should it be something else?

The format should be "second timestamp" and it should work.

Incase you still have issue here is a snapshot of the OTK context variable this is from the "OTK id_token Generation - HS256" Encapsulated assertion. 

Barry

Thanks Barry. That worked.