KOBIL Cookie
The main use case is to authenticate the user based on an access token and exchange it for a different access token with limited scope, or for an authorization code.
Type
Property | Value |
---|---|
Protocol | OpenID Connect 1.0 |
HTTP method | GET |
Type | Browser Flow |
Endpoint | Authorization Endpoint |
Flow Supported | Authorization code flow, Implicit flow, Hybrid flow |
Response | ID Token, Access Token, Refresh Token |
Response Mode | query, form_post, fragment |
How to configure
To access the config of the execution, press the Actions button and select Config. The authenticator configuration screen will appear. Then enter your config data.
Configuration
Parameters involved in KOBIL Cookie execution
Parameter | Description |
---|---|
Alias | Provide an alias name for the configuration to be set. This will be displayed in the authentication flow configuration. |
Header/Cookie Name | Provide the name of the "key" (also called the field name) sent during the client authentication request, either in the header or in the cookie. For example: 1FA-Token |
Result ACR Value | Provide the ACR value which needs to be added to the token. |
Expected Client Name | Configure the client name that must be present in the azp (authorized party) claim of the token. |
Enable Loader | If enabled, an error page is displayed when navigating back from the next authenticator. |
AST Registration | If enabled, activates or verifies the user in AST and links the user to the AST client. |
AST Login | If enabled, initiates the AST login for the user. |
AMR value | Configure the AMR value added to the token when the flow succeeds. |
Enable BruteForce Check | If enabled, an error page is displayed when the user is locked out by the brute-force check. |
Execution Flow
This execution contains the following main steps:
- KOBIL Cookie is an independent authenticator and can be used without any preceding authenticator.
- An access token is generated and stored on the server for every user during IAM onboarding.
- The token must be set either in a request header or in a cookie for the client portal URL.
- When the user then tries to log in, the access token is verified and the login happens.
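The checks described by the configuration table and the execution flow above, as an added example that is not part of the KOBIL product: a Python model of the authenticator that picks the token from the configured header or cookie name, verifies it, checks the azp claim against Expected Client Name and returns the ACR/AMR values to add. The HS256 JWT format, the signing key, the expiry check and all configuration values are assumptions made for the example.

```python
import base64, hashlib, hmac, json, time
from http.cookies import SimpleCookie

# Constructed configuration mirroring the parameters table above (values are assumptions).
CONFIG = {"header_cookie_name": "1FA-Token", "expected_client_name": "ibm_ega",
          "result_acr_value": "1fa", "amr_value": "cookie"}
SIGNING_KEY = b"constructed-demo-key"  # stand-in HS256 key; the real key stays server-side

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def mint_token(claims):
    """Stand-in for the token stored at onboarding: a compact HS256 JWT (assumed format)."""
    head = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims).encode())
    sig = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"

def extract_token(headers, cookie_header, name):
    """Header lookup is case-insensitive; the cookie must carry the configured name exactly."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    jar = SimpleCookie(cookie_header or "")
    return jar[name].value if name in jar else None

def verify_cookie_login(headers, cookie_header=None, config=CONFIG, now=None):
    """Decision the authenticator would take; on success, the ACR/AMR values to add."""
    token = extract_token(headers, cookie_header, config["header_cookie_name"])
    if token is None:
        return {"ok": False, "reason": "token missing"}
    try:
        head, body, sig = token.split(".")
        sig_bytes = b64url_decode(sig)
    except ValueError:
        return {"ok": False, "reason": "malformed token"}
    expected = hmac.new(SIGNING_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig_bytes):  # verify before trusting any claim
        return {"ok": False, "reason": "bad signature"}
    claims = json.loads(b64url_decode(body))
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return {"ok": False, "reason": "token expired"}
    if claims.get("azp") != config["expected_client_name"]:  # Expected Client Name check
        return {"ok": False, "reason": "azp mismatch"}
    return {"ok": True, "sub": claims.get("sub"),
            "acr": config["result_acr_value"], "amr": [config["amr_value"]]}
```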
How to verify the cookie using the Postman collection:
- Download the Postman collection here.
- Use the Get Access token API to generate an access token.
- Use the sample GET method named "KOBIL Cookie" for reference.
- Paste the authorization URL in the request URL section.
- Go to the "Headers" tab, add the previously generated access token in the value parameter and send the request. Otherwise:
- Go to the "Cookies" tab -> Add Cookie, add the previously generated access token in the value parameter and send the request.
- If the request is fetched successfully, then the cookie is verified.
Development
Example
```shell
curl --location --request GET 'https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd' \
--header '2FA-token: {{access token}}' \
--header 'Content-Type: application/x-www-form-urlencoded'
```

```java
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// OkHttp requires an absolute URL including the scheme.
OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
Request request = new Request.Builder()
    .url("https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd")
    .method("GET", null)
    .addHeader("2FA-token", "{{access token}}")
    .addHeader("Content-Type", "application/x-www-form-urlencoded")
    .build();
Response response = client.newCall(request).execute();
```

```javascript
var settings = {
  "url": "https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd",
  "method": "GET",
  "timeout": 0,
  "headers": {
    "2FA-token": "{{access token}}",
    "Content-Type": "application/x-www-form-urlencoded"
  },
};
$.ajax(settings).done(function (response) {
  console.log(response);
});
```

```python
import http.client

conn = http.client.HTTPSConnection("midprovider.kobil.com")
payload = ''
headers = {
    '2FA-token': '{{access token}}',
    'Content-Type': 'application/x-www-form-urlencoded'
}
conn.request("GET", "/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```
Example combined with Condition - ACR KOBIL Cookie
Basically, only the extra parameter needs to be added to the header. For example, --header '1FA-token: {{1FA access token}}' is added to the request. The name of the parameter can be defined in the configuration under the section "Header/Cookie Name".

```shell
curl --location --request GET 'https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd' \
--header '1FA-token: {{1FA access token}}' \
--header '2FA-token: {{2FA access token}}' \
--header 'Content-Type: application/x-www-form-urlencoded'
```

```javascript
var settings = {
  "url": "https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd",
  "method": "GET",
  "timeout": 0,
  "headers": {
    "1FA-token": "{{1FA access token}}",
    "2FA-token": "{{2FA access token}}",
    "Content-Type": "application/x-www-form-urlencoded"
  },
};
$.ajax(settings).done(function (response) {
  console.log(response);
});
```

```java
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;

// OkHttp requires an absolute URL including the scheme.
OkHttpClient client = new OkHttpClient().newBuilder()
    .build();
Request request = new Request.Builder()
    .url("https://midprovider.kobil.com/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd")
    .method("GET", null)
    .addHeader("1FA-token", "{{1FA access token}}")
    .addHeader("2FA-token", "{{2FA access token}}")
    .addHeader("Content-Type", "application/x-www-form-urlencoded")
    .build();
Response response = client.newCall(request).execute();
```

```python
import http.client

conn = http.client.HTTPSConnection("midprovider.kobil.com")
payload = ''
headers = {
    '1FA-token': '{{1FA access token}}',
    '2FA-token': '{{2FA access token}}',
    'Content-Type': 'application/x-www-form-urlencoded'
}
conn.request("GET", "/digitanium/v3/auth?client_id=ibm_ega&response_type=code&redirect_uri=app://login&scope=openid&response_mode=query&nonce=sadasdsadasd", payload, headers)
res = conn.getresponse()
data = res.read()
print(data.decode("utf-8"))
```