This topic describes how to use advanced expressions for Machine-to-Machine (M2M) federated credentials in the IDaaS built-in expression engine. It also provides descriptions of data model fields, functions, and related examples.
Basic concepts
The IDaaS built-in expression engine supports advanced expressions in M2M scenarios. You can use these expressions to define trust conditions for federated credential providers and validation conditions for application federated credentials. If a target application needs to process additional parameters that require transformation, concatenation, or logical evaluation, you can use expressions for flexible configuration. An expression consists of two core components:
Component | Name | Description |
Model | Client | Data related to client properties. |
PKCS#7 federated credential model | Processes credentials in PKCS#7 format. | |
PCA federated credential model | Processes credentials in PCA format. | |
OIDC federated credential model | Processes credentials related to the OIDC protocol. | |
Function | / | Used to execute logical operations. |
Model descriptions
1. Client (client model)
In IDaaS expressions, you can access the properties of the Client data model using the client.fieldname format. The following table lists the fields that the Client data model supports and their descriptions:
Field name | Data type | Description |
clientId | String | The clientId of the application. |
applicationFederatedCredentialId | String | The ID of the application federated credential. |
activeSubjectUrn | String | A reserved property generated from the field mapping of applicationFederatedCredential. It cannot be called. |
2. PKCS#7 Federated Credential (PKCS#7 federated credential model)
In the IDaaS PKCS#7 federated credential model, you can access the following fields using the pkcs7.fieldname format. This data model applies to conditional expressions for the trust of PKCS#7 federated trust sources and the validation of PKCS#7 federated credentials.
Field name | Data type | Description |
payload | object | / |
data | String | The original content extracted from PKCS#7. |
jsonData | JSON object |
|
signingTime | Long | The signature timestamp, in seconds. This parameter is returned only when the federated identity provider is Amazon Web Services. |
certificates | List<CertificateObject> | The certificate chain included in the PKCS#7 signature. For information about the fields of the CertificateObject model, see the note at the end of this topic. |
3. PCA Federated Credential (PCA federated credential model)
In the IDaaS PCA federated credential model, you can access the following fields through the cert object. For example, to retrieve the Common Name (CN) field of the certificate issuer, you can use the expression `cert.issuer.subject.CN`. This data model applies to conditional expressions for the trust of PCA federated trust sources and the validation of PCA federated credentials.
Property | Data type | Description |
serialNumber | String | The certificate serial number in hexadecimal format. It is in lowercase and does not contain colons. If the most significant bit is 1, a leading zero is added. For example: 6d5a2816af467************f6e974f114a061e 00d******dc305a652 According to ASN.1 DER encoding rules, the certificate serial number must be encoded based on the following requirements: If the most significant bit (the highest bit of the leftmost byte) of the serial number is 1, a leading byte of 0x00 must be added to ensure that the serial number is correctly decoded as a positive integer.
|
issuer | CertificateSubjectObject | The certificate issuer object, such as `issuer.CN` and `issuer.C`. |
subject | CertificateSubjectObject | The certificate object, such as `subject.C`, `subject.O`, and `subject.OU`. |
fingerprint | String | The certificate fingerprint in SHA256 format. It is in lowercase and does not contain colons. |
certificateCaIssuerUrl | String | The issuer. |
subjectKeyIdHex | String | The subject ID. |
signatureOid | String | 1.2.840.113549.1.1.11 (SHA256withRSA) |
notBefore | Long | The start time of the certificate validity period. This value is a UNIX timestamp in seconds. |
notAfter | Long | The end time of the certificate validity period. This value is a UNIX timestamp in seconds. |
ca | Boolean | Indicates whether the certificate is a certification authority (CA) certificate. This field is an extension field of an X.509 v3 certificate, not a main certificate field. |
4. OIDC Federated Credential (OIDC federated credential model)
In the IDaaS OIDC federated credential model, you can access the following fields using the jwt.fieldname format. This data model applies to conditional expressions for the trust of OIDC federated trust sources and the validation of OIDC federated credentials. The following table lists the main fields of the OIDC federated credential model and their descriptions:
Property | Data type | Description |
iss | String | The issuer of the token. It indicates the URL of the authorization server and can be accessed using |
sub | String | The subject of the token. It indicates the unique identifier of the user and can be accessed using |
aud | List<String> | The audience of the token, which is usually the identifier of the resource server or the client ID. Note The aud claim supports an array format. To validate aud, you must write the expression as follows: The aud field supports the array format. To validate the aud field, the expression must be written as You can use the |
jti | String | The unique identifier of the token, which is used to prevent reuse. |
exp | Long | The expiration time. This value is a UNIX timestamp in seconds. |
nbf | Long | The effective time. This value is a UNIX timestamp in seconds. |
iat | Long | The issuance time. This value is a UNIX timestamp in seconds. |
claims | Map | All properties. |
5. CertificateObject model
The CertificateObject model handles certificate-related validation scenarios and provides access to various fields of a certificate. You can access the following fields using the cert.fieldname format. This data model applies to scenarios such as certificate chain validation, certificate property validation, and certificate validity period checks.
Property | Data type | Description |
serialNumber | String | The certificate serial number in hexadecimal format. It is in lowercase and does not contain colons. |
issuer | CertificateSubjectObject | The certificate issuer, such as `issuer.CN` and `issuer.C`. |
subject | CertificateSubjectObject | The certificate object, such as `subject.C`, `subject.O`, and `subject.OU`. |
fingerprint | String | The certificate fingerprint in SHA256 format. It is in lowercase and does not contain colons. |
certificateCaIssuerUrl | String | The issuer. |
subjectKeyIdHex | String | The subject ID. |
signatureOid | String | 1.2.840.113549.1.1.11 (SHA256withRSA). |
notBefore | Long | The start time of the certificate validity period. This value is a UNIX timestamp in seconds. |
notAfter | Long | The end time of the certificate validity period. This value is a UNIX timestamp in seconds. |
ca | Boolean | This field is an X.509 v3 extension field that indicates whether the certificate belongs to a CA. The value is a Boolean value (true/false). |
The fields of the CertificateSubjectObject model are as follows:
Property | Data type | Description |
country(C) | String | The name of the country or region. It usually uses a two-letter ISO code, such as "US" for the United States and "CN" for China. Multiple C values are supported and separated by forward slashes (/). |
organization(O) | String | The name of the organization, such as the full name of a company or institution. Multiple O values are supported and separated by forward slashes (/). |
organizationalUnit(OU) | String | The department or unit within the organization, such as "IT Department" or "Security Team". Multiple OU values are supported and separated by forward slashes (/), for example, IT/fiance/HR. |
commonName(CN) | String | The common name of the certificate issuer, which is usually used to identify a specific server or individual. |
distinguishedNameQualifier | String | Used to distinguish between entities with the same name. |
state(ST) | String | The state or province. Multiple values are supported and separated by forward slashes (/). |
serialNumber | String | The unique identifier within the organization. |
locality(L) | String | The name of the city or region. Multiple values are supported and separated by forward slashes (/). |
title(T) | String | The job title, such as "Manager". |
surname | String | The surname or name, such as "John" or "Doe". |
givenName | String | The name displayed to the user, such as "J. Doe" or "John Doe". |
initials | String | The initials of the name displayed to the user, such as "J" or "J.D.". |
pseudonym | String | The alias. |
generationQualifier | String | The generation name, such as "Jr." (Junior) or "III" (the Third). |
domainComponent(DC) | String | The domain name component, such as "example.com". Multiple values are supported and separated by forward slashes (/). |
oidMap | Map<String,Object> | The OID map object. |
Function description
For more information about commonly used functions, see Function description.
Expression examples
To use any of the preceding data models in an expression, you must retrieve values based on JSON semantics. If a JSON key contains special characters, such as a period (.), hyphen (-), or underscore (_), you must enclose the key in single quotation marks.
Trust conditions for federated trust sources
PCA
// Obtain the CN field of the issuer from the uploaded PCA certificate for comparison. // For example, the certificate issuer is C=cn, ST=sichuan, L=chengdu, O=example, OU=test, CN=test. Equals(cert.issuer.CN, "test") // Determine whether the certificate is a CA certificate that can be used to issue other certificates. Equals(cert.ca, true)OIDC
// Determine whether the subject in the service account OIDC token of the Kubernetes cluster is correct. Equals(jwt.sub, "test") // Determine whether the issuer and audience are correct at the same time. And(Equals(jwt.iss, "https://example.com"), Equals(jwt.aud, "test_aud"))PKCS#7
If you select a PKCS#7 federated trust source, you do not need to enter a conditional expression for trust.
Validation conditions for federated credentials
The method for writing conditional expressions for federated credential validation is similar to writing them for federated trust source trust. You can retrieve the corresponding fields from the data model for validation. IDaaS provides a quick configuration mode that automatically generates basic validation expressions to simplify the configuration process.
PCA
// When the validation condition mode is Certificate Mode and the common name (CN) is example, the generated expression is as follows: Equals(cert.subject.CN, "example") // To customize an expression to validate other conditions, select Client Certificate Field Expression Validation Mode. // For example, you want to validate the country, location, and province in the issuer of the client certificate. // For example, the certificate issuer is C=cn, ST=sichuan, L=chengdu, O=example, OU=test, CN=test. And(Equals(cert.issuer.C, "cn"), Equals(cert.issuer.L, "chengdu"), Equals(cert.issuer.ST, "sichuan")) // Determine the serial number of the certificate. Note: The serial number is in hexadecimal format, is in lowercase, and does not contain colons. You can use a function for conversion. // For example, the serial number in the certificate is 6d:5a:28:16:af:46:7f:40:d3:8b:e7:28:0f:6e:97:4f:11:4a:06:1e. Use the StringReplace() function to remove the colons. The expression is as follows: // StringReplace("original_string","character_to_be_replaced","replacement_character") Equals(cert.serialNumber, StringReplace("6d:5a:28:16:af:46:7f:40:d3:8b:e7:28:0f:6e:97:4f:11:4a:06:1e",":","")) // If the serial number is in uppercase, such as 6D:5A:28:16:AF:46:7F:40:D3:8B:E7:28:0F:6E:97:4F:11:4A:06:1E // Use the ToLower() function to convert the string to lowercase, and then use the StringReplace() function to remove the colons. Equals(cert.serialNumber, StringReplace(ToLower("6D:5A:28:16:AF:46:7F:40:D3:8B:E7:28:0F:6E:97:4F:11:4A:06:1E"),":",""))OIDC
// When Kubernetes Mode is used, the namespace is test and the service account is test. // The automatically generated expression is as follows: And(Equals(jwt.claims.'kubernetes.io'.namespace, "test"), Equals(jwt.claims.'kubernetes.io'.serviceaccount.name, "test"), Equals(jwt.sub, "system:serviceaccount:test:test")) // When Subject Identity Mode is used, the subject identity is https://sub.example.com. // The automatically generated expression is as follows: Equals(jwt.sub, "https://sub.example.com") // To customize an expression to validate other conditions, select Claims Field Expression Validation Mode. // For example, to validate the jti field of the current OIDC token, the expression is as follows: Equals(jwt.jti, "test_XXX") // If a user defines a custom field named customValue in the claims of an OIDC token and wants to validate this field, the expression is as follows: Equals(jwt.claims.customValue, "XXX") // To determine whether the aud is correct, you need to retrieve the corresponding aud value using the array index for comparison because aud is in an array format. // We recommend that you validate the aud field of the OIDC federated trust source instead of validating it in the validation conditions for the federated credential. // When aud has only one value, the expression is as follows: Equals(jwt.aud[0], "example_aud") // When aud has multiple values, you can use the Or() function for comparison. This indicates that the validation is passed if at least one aud value matches. The expression is as follows: Or(Equals(jwt.aud[0], "https://example.com"), Equals(jwt.aud[1], "https://example2.com"))PKCS#7
// If the current federated trust source is Alibaba Cloud PKCS#7, the validation condition mode is Specify ECS Instance Mode, and the ECS instance IDs are i-123 and i-456, the generated expression is as follows: Or(Equals(pkcs7.payload.jsonData.'instance-id', "i-123"),Equals(pkcs7.payload.jsonData.'instance-id', "i-456")) // If the federated trust source is AWS PKCS#7, the validation condition mode is Specify ECS Instance Mode, and the ECS instance IDs are i-123 and i-456, the generated expression is as follows: Or(Equals(pkcs7.payload.jsonData.instanceId, "i-123"),Equals(pkcs7.payload.jsonData.instanceId, "i-456")) // To customize an expression to validate other conditions, select Signature Value Expression Validation Mode. // For example, to validate the region-id field in the signature value of Alibaba Cloud PKCS#7, the expression is as follows: Equals(pkcs7.payload.jsonData.'region-id', "cn-hangzhou")
Appendix
Available fields for Alibaba Cloud PKCS#7
Property | Type | Description |
instance-id | String | The ECS instance ID. |
region-id | String | The region ID. |
owner-account-id | String | The Alibaba Cloud account ID. |
audience | object | / |
aud | String | A custom input parameter when a user obtains an Alibaba Cloud PKCS#7 signature. This parameter supports only the IDaaS instance ID, such as idaas_XXX. |
signingTime | Long | The signature time. This value is a UNIX timestamp in seconds. This field is used to validate the signature time of the current PKCS#7. |
Amazon Web Services PKCS7 available fields
Property | Type | Description |
instanceId | String | The EC2 instance ID. |
region | String | The region ID. |
accountId | String | The AWS account ID. |