Howto do OAuth Client Registration using REST API

  • 7018895
  • 09-May-2017
  • 09-May-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2

Situation

How does one register a new OAuth client application using REST calls available with the NAM APIs?

Resolution

here's the way how to register apps using the REST API:

 

1. Make sure the user you login with has the role NAM_OAUTH2_DEVELOPER
2. Create an web application in OAuth
3. Create scope "urn:netiq.com:nam:scope:oauth:registration:full" with permissions to add / modify / delete / read

 

Using the AuthCode Flow do the following

1. Login with user and save cookies (I use basic auth for example)

> curl -c cookies.txt -u username:password -k login.lab.local/nidp/app/login?id=basic

2. GET request to nidp/oauth/nam/authz with Query parameters and the JSESSIONID cookie. Example:

> curl -b cookies.txt -k 'login.lab.local/nidp/oauth/nam/authz?response_type=token&client_id=clientid&redirect_uri=url&scope=urn:netiq.com:nam:scope:oauth:registration:full' -v

You will receive a 302 to redirect_uri with the auth code

... t#token_type=bearer&access_token=...&expires_in=38880000000&scope=urn:netiq.com:nam:scope:oauth:registration:full

 3. write down the auth code and request the access token with the auth code and get yourself an access token

>  curl -k -X POST -d "code=tokencode&grant_type=authorization_code&redirect_uri=uri&client_secret=secret&client_id=clientid" login.lab.local/nidp/oauth/nam/token

You will receive a JSON:

{

        "access_token":"/wEBAAMDACC02LrHAMR/wvWbfkyjLiRiXcWdlPjfOjtWXkYY33rjimu@2k3hH0jx6F2VUddIxXP70s8PJ8F3Mc38YOChtBnkHUs1diQLj0ZbRmbl/E/8iKOzR0TVWaUgGtG1aggMwvd3z@z8YZ6r@WG/CkqKYhEK0G0i9wWO3whRSGk2L@tfOD1/hJcArwJxmUrxPTt2UKAJy8AMAw5TSUJcc02LgkpkiQWqwRtK2t5JBC64@o9bm6@Ii5XKbc0oENpxxAIBpw9fnj0FzZWsiQOcJf@r06Iux/7xQpa@gzlf0OgPCAiuc@e/@0Pqq64JSwe@bEdoPGwRmUNKviGGYpiBHySo9h2xN4hpRlcS6w4zp/RO61Lr2nc4gd87JfHY74UndsmVWvh3ofoG8WUOTwXqw@ivRqoTI49ZtheFEzC7Kg7YnXRofw6qRQZ9GR3ENW50rwzuB1A~",

        "token_type":"bearer",

        "expires_in":38879999999,        "refresh_token":"/wEBAAMDACClH2H2wvAi30dJenwO6E3CNS1BIjtteUUTCMwoUuEjUGFt3KDjz3tGPSbLlbKsc8H70s8PJ8F3Mc38YOChtBnkbNaFfBWE/RVBOQz82uLHsay7/9u4zTGFf2zmKz8BHIAe2YkYJD2TCTHmedqZMwLy0G0i9wWO3whRSGk2L@tfOD1/hJcArwJxmUrxPTt2UKAJy8AMAw5TSUJcc02LgkpkiQWqwRtK2t5JBC64@o9bm6@Ii5XKbc0oENpxxAIBpw@cdYyxXHw@kyUJfGtT5hNjx/7xQpa@gzlf0OgPCAiuc@e/@0Pqq64JSwe@bEdoPGwRmUNKviGGYpiBHySo9h2xFWnP4XmDjN1FTf7euJi0d3c4gd87JfHY74UndsmVWvh3ofoG8WUOTwXqw@ivRqoT0/Kbp0Cwu9UV3FyUj7c@mVysbxwRc9l/3HsT4hwN8JHRkG3oTHh/mdb@Gw4qjKcn",

        "scope":"urn:netiq.com:nam:scope:oauth:registration:full"

}

4. Now you can use the access token to add the Client

POST request to login.lab.local/nidp/oauth/nam/clients with headers

> curl --header "Authorization: Bearer /access_token" -H "Content-Type: application/json" -d '{"client_name":"NetIQOAuthClient3","response_types":["code"],"grant_types":["authorization_code"],"application_type":"web","redirect_uris":["https://redirecturi"]}' login.lab.local/nidp/oauth/nam/clients


 

You will get back the client ID and secret in JSON Format:

 

{"developerDn":"oauthadmin","grant_types":["authorization_code"],"application_type":"web","Version":"4.1","client_secret_expires_at":1494409273040,"registration_client_uri":"http://login.lab.local/nidp/oauth/nam/clients/clientid","redirect_uris":["https://redirecturi"],"client_secret":"secret"}

 

No need to update the IDPs, the newly added application is ready to use.

Feedback service temporarily unavailable. For content questions or problems, please contact Support.