Zowe API Mediation Layer OIDC Authentication
The OpenID/Connect (OIDC) protocol adds an authentication layer on top of the OAuth2 Authorization protocol. OIDC authentication, together with the z/OS Identity Propagation mechanism, is the foundation of the API ML Identity Federation. In this article, OIDC is often referred to as the provider, while the token-related functionality is actually provided by the OAuth2 component of the OIDC implementation.
Zowe API ML can be configured to authenticate users by accepting Access Tokens issued by an external OIDC/OAuth2 provider. This configuration is useful in advanced deployments of Zowe where client applications need to access mainframe as well as enterprise/distributed systems while simultaneously offering single sign-on (SSO) across system boundaries.
This article details the API ML OIDC authentication functionality, and how to configure the OIDC Authentication feature.
- Authentication flow
- API ML configuration
The OIDC protocol is used by API ML client applications to verify the identity of a user with a distributed OIDC provider trusted by the mainframe security manager. After successful user login, the OIDC provider grants the client application a JWT Access Token along with an (JWT) Identity Token. The client application can pass this Access Token with subsequent requests to mainframe services routed through the API ML Gateway. The API ML Gateway then validates the OIDC Access Token. If the token is valid, the user identity from that token is mapped to the mainframe identity of the user. The API ML Gateway can then create mainframe user credentials (JWT or a Passticket) according to the service's authentication schema configuration. The request is routed to the target API services with correct mainframe user credentials.
The following diagram illustrates the interactions between the participants of the OIDC/OAuth2 based API ML authentication process.
- When a user wants to access mainframe resources or services using the client application without a valid authentication / access token, the client redirects the user agent to the login end-point of the distributed OIDC provider.
- The user is asked to provide valid credentials (authentication factors).
- After successful validation of all authentication factors, the OIDC provider grants the client an Access Token.
- The client can then request from API ML Gateway the needed mainframe resources presenting the access token in the request.
- The Gateway validates the access token at the provider's OIDC/introspection end-point. If the access token is validated, the outcome is cached for a short time (20 sec by default).
- In subsequent calls with the same token, the Gateway reuses the cached validation outcome. As such, round trips to the OIDC /introspection end-point are not required between short intervals, when the client needs to access multiple resources in a row to complete a unit of work. The caching interval is configurable with a default value of 20 seconds, which is typically a sufficient time to allow most client operations requiring multiple API requests to complete, while also providing adequate protection against unauthorized access.
- The API ML Gateway fetches the distributed user identity from the distributed access token and maps this user identity to the user mainframe identity using SAF.
- The API ML Gateway calls the requested mainframe service/s with mainframe user credentials (Zowe, SAF JWT, or pass-ticket) which are expected by the target mainframe service.
Ensure that the following prerequisites are met:
- Users who require access to mainframe resources using OIDC authentication have a mainframe identity managed by SAF/ESM.
- Client application users have their distributed identity managed by the OIDC provider. For details, see the section OIDC provider in this topic.
- SAF/ESM is configured with mapping between the mainframe and distributed user identities. For details, see the section ESM configuration in this topic.
- ZSS must be enabled and properly configured in the Zowe installation.
Client Application configuration in the OIDC provider.
Depending on the OIDC provider and client application capabilities, configuration of the OIDC provider varies. For example Web Applications with a secure server side component can use
code grant authorization flowand can be granted a Refresh Token, whereas a Single Page Application running entirely in the User Agent (browser) is more limited regarding its security capabilities.
Tip: Consult your OIDC provider documentation for options and requirements available for your type of client application.
Users have been assigned to the Client Application.
To access mainframe resources, users with a distributed authentication must either be directly assigned by the OIDC provider to the client application, or must be part of group which is allowed to work with the client application.
The user identity mapping is defined as a distributed user identity filter, which is maintained by the System Authorization Facility (SAF) / External Security Manager (ESM). A distributed identity consists of two parts:
- A distributed identity name
- A trusted registry which governs that identity
API ML provides a Zowe CLI plugin to help administrators to generate a JCL for creating the mapping filter specific for the ESM installed on the target mainframe system.
See the Identity Federation cli plugin documentation for details about how to use the plugin tool to set up the mapping in the ESM of your z/OS system.
Alternatively, administrators can use the installed ESM functionality to create, delete, list, and query a distributed identity filter/s:
- For RACF consult RACMAP command.
- For CA Top Secret use the IDMAP Keyword - Implement z/OS Identity Propagation Mapping.
- For CA ACF2 use IDMAP User Profile Data Records.
API ML OIDC configuration
Use the following procedure to enable the feature to use an OIDC Access Token as the method of authentication for the API Mediation Layer Gateway.
In the zowe.yaml file, configure the following properties:
Specifies the global feature toggle. Set the value to
trueto enable OIDC authentication functionality.
Specifies the value of the client identification (
client_id) assigned by the OIDC provider to the API ML Gateway.
Specifies the client secret assigned by the OIDC provider to the API ML Gateway. This parameter is used in combination with the
client_idin Access Token validation requests at the
/introspectendpoint of the OIDC provider.
Specifies the SAF registry used to group the identities recognized as having a OIDC identity mapping. The registry name is the string used during the creation of the mapping between the dustributed and mainframe user identities. For more information, see the ESM configuration.
Specifies the full URL to the introspect endpoint of the OIDC provider. The OIDC token is sent to the provider's introspect endpoint for external validation.
(Optional) If the userId is different from the default Zowe runtime userId (
ZWESVUSR), specify the
identityMapperUseruserId to configure API ML access to the external user identity mapper.
Note User authorization is required to use the
IRR.RUSERMAPresource within the
FACILITYclass. The default value is
ZWESVUSR. Permissions are set up during installation with the
ZWESECURJCL or workflow. To authenticate to the mapping API, a JWT is sent with the request. The token represents the user that is configured with this property.
Defines the URL where the Gateway can query the mapping of the distributed user ID to the mainframe user ID. This property informs the Gateway about the location of this API. ZSS is the default API provider in Zowe. You can provide your own API to perform the mapping. In this case, it is necessary to customize this value.
The following URL is the default value for Zowe and ZSS:
API ML fails to validate the OIDC access token due to Identity Provider introspect endpoint misconfiguration
The Gateway log contains a WARNING with the following message:
Missing or invalid introspectUrl configuration. Cannot proceed with token validation.
introspectUrl is not configured in the API ML Gateway or does not contain the full URL for the Identity Provider introspect end-point.
introspectUrl properly to contain the full URL of the Identity Provider introspect end-point.
API ML cannot validate the OIDC access token due to misconfiguration of the Identity Provider certificate
The following error is thrown:
ZWESVUSR ERROR (o.z.a.g.s.s.t.OIDCTokenProvider) Failed to validate the OIDC access token.
javax.net.ssl.SSLHandshakeException: com.ibm.jsse2.util.h: PKIX path building failed: com.ibm.security.cert.IBMCertPathBuilderException: unable to find valid certification path to requested target
API ML is sending the OIDC token to the
/introspect API of the identity provider for validation. Successful connection to the identity provider requires that API ML knows and trusts the root certificate of the identity provider.
Include the root certificate in the truststore or keyring used by API ML.
API ML fails to validate the OIDC access token due to missing clientID and/or clientSecret
The Gateway log contains the following WARNING message:
Missing clientId or clientSecret configuration. Cannot proceed with token validation.
clientSecret are not configured properly to correspond to the values set for the client application in the OIDC Identity Provider.
clientSecret properly to contain the values set for the client application in the OIDC Identity Provider.
API ML fails to validate the OIDC access token with the Distributed Identity Provider
The Gateway log contains the following ERROR message:
Failed to validate the OIDC access token. Unexpected response: XXX.
is the HTTP status code returned by the Identity Provider.
The HTTP code is one from the 40X variants to provide the reason of the failure.
Correct the Gateway configuration according to the code returned by the OIDC Identity Provider.
The access token validation fails with HTTP error
The OIDC provider returns an HTTP 40x error code.
The client application is not properly configured in the API ML Gateway.
Check that the
client_secret configured in the API ML Gateway correspond to the
client_secret of the client application as configured in the OIDC provider.