How to invoke an authentication tree from onUpdate script hook?

Hi @KaranNayyar1

Sorry if I didn’t understand your use case properly. Could you please explain more about what you are trying to accomplish?

onUpdate is a script that is invoked when some managed object (user) is updated. Updating of the managed object can happen as a part of a synchronization operation. So, it doesn’t make sense to invoke an authentication tree using onUpdate script hook since onUpdate happens in the backend.

However, as part of onUpdate script, you may be able to send out an email to the related managed object and provide a link to the journey.


The one case where you would need to authenticate to AM is when the customisation script needs to perform some task against AM that requires a session. Of course in this case there is no interactivity (no user agent), therefore it has to be a POST to the authenticate endpoint, handling the callback(s) from the script. If this is an admin operation, I would carefully design the journey with security in mind and, for code simplicity, ensure a single callback round - possibly using some kind of JWT authentication.

However, it is not because you can authenticate and perform some operation against AM from within IDM that you should. It is actually not advisable, as first, it incurs a performance hit at the IDM REST managed endpoint, and secondly, it increases the solution ownership costs. Also, to further hit the nail, you can’t implement caching in an IDM script, therefore you can’t cache the SSO token; it has to be acquired each time - which is a poor design.

It is best to place this code outside of IDM, logically at the intermediate layer. In fact you could use IG for this; it is an optimally performant solution, and easier to maintain. And there is some logic that can be implemented in IG to cache the SSO token obtained from a backchannel transaction, encapsulated with a specialised client handler [see Promise Synchronisation in https://community.forgerock.com/t/identity-gateway-7-1-highway-to-async-programming].

Note that my assumption here is that the onUpdate script invocation is originating from an update performed at the IDM REST endpoint, and therefore via the admin or some delegated admin that has the privileges to do so, so this is not a direct user interaction, is that correct?

Regards
Patrick

Thanks @patrick_diligent @anishetty for your reply. I could not describe my use case well. This is what we are trying to do in ForgeRock Identity Platform.

  1. We are trying to kill all sessions which are related to a username.
  2. I have created an authentication tree, which collects a username using the Platform Username Collector node.
  3. Further steps in the tree are scripted decision nodes, where I am first calling a REST API endpoint to retrieve an admin session cookie, then the session handles for the username given in step 1, and finally invalidating all the session handles (array) by calling the REST API endpoint for AM.
  4. The onUpdate script hook should call this authentication tree when there is an update on a custom attribute named forcedLogoff (which is created in the managed user schema with a boolean data type), so that when the value = true, we call the authentication tree for the object.username and kill all the sessions associated with it.

Hi @KaranNayyar1,

Not sure why go through a journey to accomplish this task - ending up calling an AM endpoint from a scripted decision node to revoke a user’s sessions - while the same functionality could be invoked directly from the IDM script? Furthermore, you’ll have to handle the callback for the username collector, which is an additional roundtrip - highly inefficient - this will increase IDM’s response time significantly. I guess this is the endpoint you’re referring to: Invalidate user sessions?

As I mentioned earlier, embedding such designs in IDM and AM scripts makes the solution more complicated than necessary, complicates the monitoring and troubleshooting aspects, and makes it difficult to maintain. It is better to handle such matters at the intermediate layer.

Regards
Patrick

@patrick_diligent Yes, I am referring to the same link which was shared by you. Is it possible to make the call to the AM endpoint to kill all sessions related to an object username? If possible, can you share a reference link or snippet of code? I was not able to find much about this, hence we took the approach of calling an auth tree invoked by an IDM endpoint.

Hi @KaranNayyar1,

Since the username is known in the IDM script, if I have understood well, then the script can indeed invoke the AM endpoint directly. What led you to consider using an AM journey? Is there any blocker that prevents calling the session endpoint from the onUpdate script? Note that the journey you describe presents some risk, potentially impacting the user experience, since it just requires entering a username - so anyone can invoke this - unless the journey has some other built-in protection?

Then, personally, I do not really like invoking an external API from a managed customisation script: this is a performance bottleneck (the external call adds to the response time), and as well is a threat to availability; this is why I encourage you to push this to an intermediate layer - you could actually use IG for that, if it is already deployed in the infra - and take advantage of IG’s asynchronous nature to minimise the performance hit. Also you can cache the SSO token in IG across route invocations, which is an additional benefit.

Regards
Patrick

Hi @patrick_diligent ,

I could not find a way to do a REST API call to an AM endpoint from the onUpdate hook. Is there a code sample which you can share with me? I referred to the scripting function reference but could not figure out any function which could do a call to an AM endpoint.
Below is the link of the doc I referred to.
Scripting function reference :: IDM 7.2.2

Hi @KaranNayyar1,

You can do this with one of the following methods:

  1. Use the external REST service: Access External REST Services :: IDM 7.3.0

  2. Use the Scripted REST connector with Script On Resource - see https://community.forgerock.com/t/using-the-remote-connector-server-to-access-on-premises-apis-from-identity-cloud
    Look at this article from the point of view of how to use the script on resource operation. Then you can use openidm.action from the script with “system/<connector>” as the resource, passing the script on resource parameters.

Regards
Patrick

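As an added illustration of the first method above (example code written for this thread, not Patrick's or ForgeRock's own): an onUpdate script body that, when the constructed managed attribute forcedLogoff flips to true, authenticates to AM through IDM's external REST service, looks up the user's session handles, and invalidates them. The `openidm.action("external/rest", "call", ...)` parameter shape, the AM URL, the root realm, the cookie name and the three AM endpoint shapes are assumptions to verify against your AM version; the REST transport is injectable so the logic can be exercised outside IDM.

```javascript
// Added example (not from this thread): revoke all AM sessions of a managed user on the
// false -> true transition of the constructed boolean attribute forcedLogoff. AM URL, realm,
// cookie name and endpoint shapes are assumptions. Written in ES5 so it runs under Rhino.
function idmRest(req) {
  // Wrapper around IDM's external REST service (assumed action name and parameter shape).
  return openidm.action("external/rest", "call", req);
}

function merge(a, b) { var o = {}, k; for (k in a) o[k] = a[k]; for (k in b) o[k] = b[k]; return o; }

function amCall(rest, cfg, path, method, headers, body) {
  var req = { url: cfg.amUrl + path, method: method, headers: headers };
  if (body !== undefined) { req.contentType = "application/json"; req.body = JSON.stringify(body); }
  return rest(req);
}

function revokeUserSessions(rest, cfg, username) {
  // The username is interpolated into a query filter: reject characters that could break it.
  if (typeof username !== "string" || /["\\]/.test(username)) {
    throw new Error("refusing to query sessions for unsafe username");
  }
  var api = { "Accept-API-Version": "resource=2.0, protocol=1.0" };
  // 1. Admin login. Credentials come from IDM configuration/secrets, never from the script.
  var auth = amCall(rest, cfg, "/json/realms/root/authenticate", "POST",
    merge(api, { "X-OpenAM-Username": cfg.adminUser, "X-OpenAM-Password": cfg.adminPassword,
                 "Content-Type": "application/json" }), {});
  var session = merge(api, {});
  session[cfg.cookieName] = auth.tokenId;            // e.g. iPlanetDirectoryPro (assumed)
  // 2. Look up the user's session handles (admin-only query).
  var filter = encodeURIComponent('username eq "' + username + '"');
  var found = amCall(rest, cfg, "/json/realms/root/sessions?_queryFilter=" + filter, "GET", session);
  var handles = (found.result || []).map(function (s) { return s.sessionHandle; });
  // 3. Invalidate them in one call, then drop the short-lived admin session itself.
  if (handles.length > 0) {
    amCall(rest, cfg, "/json/realms/root/sessions?_action=logoutByHandle", "POST", session,
      { sessionHandles: handles });
  }
  amCall(rest, cfg, "/json/realms/root/sessions?_action=logout", "POST", session);
  return handles.length;
}

function onForcedLogoff(rest, cfg, oldObject, object) {
  // Fire only on the false -> true transition so routine sync updates do not hit AM.
  var was = !!(oldObject && oldObject.forcedLogoff === true);
  if (object.forcedLogoff === true && !was) {
    return revokeUserSessions(rest, cfg, object.userName);
  }
  return null;
}
```

In the managed.json onUpdate script the call would be `onForcedLogoff(idmRest, cfg, oldObject, object)`, with `cfg` supplied from configuration rather than hard-coded. Patrick's point above still applies: every such update now carries four synchronous AM round trips, which is why moving the call into IG with a cached SSO token is the better-performing design.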