
Status Delivered
Workspace API Connect
Created by Guest
Created on Apr 5, 2018

OpenID Connect support with security features

We are currently using API Connect Version 5.0.8 and use the developer portal with portal delegated user registry. This enabled us to use custom modules to use OpenID Connect in combination with our own OpenID Identity Provider. We do not want/need users to register directly in the developer portal, but use existing OpenID Identities.

API Connect Version 2018.1 does not support the use of a portal delegated user registry and the use of OpenID Connect to log in with our Identity Provider (and customize the OpenID flow).

We need API Connect to support Login OpenID / Social Login in a secure manner, which must include these features:
- OpenID Connect Hybrid flow
- response_mode=code+id_token (Other response_mode values described for the Hybrid Flow in the OpenID Connect Core specification do not matter for us, but may be relevant for other users)
- c_hash in signed id_token of the authorization request should be checked against hash of the auth. code (prevent code manipulation, MITM): OpenID Core Spec 3.3.2.11
- at_hash in signed id_token of the token service request should be checked against the hash of the access token (prevent token manipulation, MITM): OpenID Core Spec 3.3.2.11
- Use of the parameter "nonce" to bind id_token to a session and prevent replay attacks: OpenID Core Spec 3.3.2.11 (nonce should be at least 20 characters in length)
- Support of PKCE (Proof Key for Code Exchange, RFC 7636, to prevent code interception attacks)
- Use of the parameter state to prevent CSRF attacks (state should be at least 20 characters in length)
- Scope of the OpenID Connect authentication must be configurable: like "openid email profile customscope123 another_scope"
- End user Identity should then be extracted from a custom claim (example: person_id) in the UserInfo-Endpoint Response of our OpenID Identity Provider

Idea priority Urgent
RFE ID 118508
RFE URL
RFE Product IBM API Connect
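The relying-party checks the idea above asks for (c_hash and at_hash per OpenID Connect Core 3.3.2.11, nonce and state of at least 20 characters, PKCE per RFC 7636) are shown below as an added example written for this page; it is not API Connect code and not part of the original idea. It assumes the id_token's signature has already been verified by a JOSE library and that the claims are available as a dict; only the hash, nonce, state and PKCE checks are implemented here. The code, access token and claim values in the demo are constructed; the PKCE known-answer pair is the one published in RFC 7636 Appendix B.

```python
import base64
import hashlib
import hmac
import secrets

MIN_RANDOM_LEN = 20  # the idea asks for nonce/state of at least 20 characters

# Hash function used for c_hash/at_hash: the hash algorithm of the id_token's
# JWS "alg" header (OpenID Core 3.3.2.11), e.g. SHA-256 for RS256.
_JWS_HASH = {
    "HS256": hashlib.sha256, "RS256": hashlib.sha256, "PS256": hashlib.sha256, "ES256": hashlib.sha256,
    "HS384": hashlib.sha384, "RS384": hashlib.sha384, "PS384": hashlib.sha384, "ES384": hashlib.sha384,
    "HS512": hashlib.sha512, "RS512": hashlib.sha512, "PS512": hashlib.sha512, "ES512": hashlib.sha512,
}

# Known-answer pair from RFC 7636 Appendix B (S256 method).
RFC7636_VERIFIER = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
RFC7636_CHALLENGE = "E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM"


def b64url_nopad(raw: bytes) -> str:
    """base64url without '=' padding, as used by JOSE, OIDC and PKCE."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _ct_equal(a: str, b: str) -> bool:
    """Constant-time string comparison; rejects non-string claim values."""
    if not isinstance(a, str) or not isinstance(b, str):
        return False
    return hmac.compare_digest(a.encode("utf-8"), b.encode("utf-8"))


def left_half_hash(value: str, alg: str) -> str:
    """c_hash / at_hash: hash the ASCII octets of the value with the alg's hash,
    keep the left-most half of the digest, base64url-encode without padding."""
    digest = _JWS_HASH[alg](value.encode("ascii")).digest()
    return b64url_nopad(digest[: len(digest) // 2])


def verify_c_hash(id_token_claims: dict, alg: str, code: str) -> bool:
    """Authorization-response id_token must bind the returned code (c_hash)."""
    return _ct_equal(id_token_claims.get("c_hash"), left_half_hash(code, alg))


def verify_at_hash(id_token_claims: dict, alg: str, access_token: str) -> bool:
    """Token-endpoint id_token must bind the issued access token (at_hash).
    The idea requires this check, so a missing at_hash claim is treated as a failure."""
    return _ct_equal(id_token_claims.get("at_hash"), left_half_hash(access_token, alg))


def new_random_value(nbytes: int = 32) -> str:
    """Fresh nonce or state: 32 random bytes give 43 base64url characters (> 20)."""
    value = secrets.token_urlsafe(nbytes)
    if len(value) < MIN_RANDOM_LEN:
        raise ValueError("nonce/state too short")
    return value


def pkce_challenge(verifier: str) -> str:
    """RFC 7636 S256: code_challenge = BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url_nopad(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> tuple:
    """64 random bytes give an 86-character verifier, inside RFC 7636's 43..128 range."""
    verifier = secrets.token_urlsafe(64)
    return verifier, pkce_challenge(verifier)


def verify_pkce(verifier: str, challenge: str) -> bool:
    """What the authorization server does at the token endpoint."""
    return 43 <= len(verifier) <= 128 and _ct_equal(pkce_challenge(verifier), challenge)


def check_hybrid_front_channel(id_token_claims: dict, alg: str, code: str,
                               expected_nonce: str, returned_state: str,
                               expected_state: str) -> list:
    """Checks on the code+id_token authorization response; returns the list of
    failed checks (empty list means the response may be used)."""
    problems = []
    if not _ct_equal(returned_state, expected_state):
        problems.append("state mismatch (possible CSRF)")
    if not _ct_equal(id_token_claims.get("nonce"), expected_nonce):
        problems.append("nonce mismatch (possible replay)")
    if not verify_c_hash(id_token_claims, alg, code):
        problems.append("c_hash mismatch (authorization code tampered or swapped)")
    return problems


def demo_hybrid_checks() -> tuple:
    """Constructed round trip: what a correct provider would return, then a tampered code."""
    alg = "RS256"
    nonce, state = new_random_value(), new_random_value()
    code = "SplxlOBeZQQYbYS6WxSbIA"            # constructed authorization code
    access_token = "constructed-access-token"  # constructed access token
    front_id_token = {"nonce": nonce, "c_hash": left_half_hash(code, alg)}
    back_id_token = {"nonce": nonce, "at_hash": left_half_hash(access_token, alg)}
    clean = check_hybrid_front_channel(front_id_token, alg, code, nonce, state, state)
    tampered = check_hybrid_front_channel(front_id_token, alg, code + "x", nonce, state, state)
    return clean, tampered, verify_at_hash(back_id_token, alg, access_token)


if __name__ == "__main__":
    print(demo_hybrid_checks())
    print(verify_pkce(RFC7636_VERIFIER, RFC7636_CHALLENGE))
```

The front-channel id_token is checked before the code is ever sent to the token endpoint, which is the point of the hybrid flow: a code that does not match c_hash, or a nonce that does not match the session, is rejected without a back-channel round trip. All comparisons use constant-time equality so a mismatch leaks nothing about where the values differ.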
  • Guest, Aug 3, 2021

    Hello - We believe that most of these requirements have been delivered, please re-open if there are further requirements.

    API Connect Product Mgmt Team