How to do OAuth Client Registration using the REST API

  • 7018895
  • 09-May-2017
  • 09-May-2017

Environment

NetIQ Access Manager 4.3
NetIQ Access Manager 4.2

Situation

How does one register a new OAuth client application using REST calls available with the NAM APIs?

Resolution

Here is how to register applications using the REST API:

1. Make sure the user you log in with has the role NAM_OAUTH2_DEVELOPER.
2. Create a web application in OAuth.
3. Create the scope "urn:netiq.com:nam:scope:oauth:registration:full" with permissions to add, modify, delete and read.


Using the AuthCode flow, do the following:

1. Log in with the user and save the cookies (this example uses basic authentication):

> curl -c cookies.txt -u username:password -k 'https://login.lab.local/nidp/app/login?id=basic'

2. Send a GET request to nidp/oauth/nam/authz with the query parameters shown below and the JSESSIONID cookie. Example:

> curl -b cookies.txt -k 'https://login.lab.local/nidp/oauth/nam/authz?response_type=token&client_id=clientid&redirect_uri=url&scope=urn:netiq.com:nam:scope:oauth:registration:full' -v

You will receive a 302 redirect to redirect_uri carrying the auth code (with response_type=token, as in the example above, the access token itself is returned in the URL fragment):

... t#token_type=bearer&access_token=...&expires_in=38880000000&scope=urn:netiq.com:nam:scope:oauth:registration:full

3. Note down the auth code and exchange it for an access token:

> curl -k -X POST -d "code=tokencode&grant_type=authorization_code&redirect_uri=uri&client_secret=secret&client_id=clientid" https://login.lab.local/nidp/oauth/nam/token

You will receive a JSON response:

{
    "access_token": "/wEBAAMDACC02LrHAMR/wvWbfkyjLiRiXcWdlPjfOjtWXkYY33rjimu@2k3hH0jx6F2VUddIxXP70s8PJ8F3Mc38YOChtBnkHUs1diQLj0ZbRmbl/E/8iKOzR0TVWaUgGtG1aggMwvd3z@z8YZ6r@WG/CkqKYhEK0G0i9wWO3whRSGk2L@tfOD1/hJcArwJxmUrxPTt2UKAJy8AMAw5TSUJcc02LgkpkiQWqwRtK2t5JBC64@o9bm6@Ii5XKbc0oENpxxAIBpw9fnj0FzZWsiQOcJf@r06Iux/7xQpa@gzlf0OgPCAiuc@e/@0Pqq64JSwe@bEdoPGwRmUNKviGGYpiBHySo9h2xN4hpRlcS6w4zp/RO61Lr2nc4gd87JfHY74UndsmVWvh3ofoG8WUOTwXqw@ivRqoTI49ZtheFEzC7Kg7YnXRofw6qRQZ9GR3ENW50rwzuB1A~",
    "token_type": "bearer",
    "expires_in": 38879999999,
    "refresh_token": "/wEBAAMDACClH2H2wvAi30dJenwO6E3CNS1BIjtteUUTCMwoUuEjUGFt3KDjz3tGPSbLlbKsc8H70s8PJ8F3Mc38YOChtBnkbNaFfBWE/RVBOQz82uLHsay7/9u4zTGFf2zmKz8BHIAe2YkYJD2TCTHmedqZMwLy0G0i9wWO3whRSGk2L@tfOD1/hJcArwJxmUrxPTt2UKAJy8AMAw5TSUJcc02LgkpkiQWqwRtK2t5JBC64@o9bm6@Ii5XKbc0oENpxxAIBpw@cdYyxXHw@kyUJfGtT5hNjx/7xQpa@gzlf0OgPCAiuc@e/@0Pqq64JSwe@bEdoPGwRmUNKviGGYpiBHySo9h2xFWnP4XmDjN1FTf7euJi0d3c4gd87JfHY74UndsmVWvh3ofoG8WUOTwXqw@ivRqoT0/Kbp0Cwu9UV3FyUj7c@mVysbxwRc9l/3HsT4hwN8JHRkG3oTHh/mdb@Gw4qjKcn",
    "scope": "urn:netiq.com:nam:scope:oauth:registration:full"
}

4. Now you can use the access token to add the client.

Send a POST request to login.lab.local/nidp/oauth/nam/clients with the following headers and body:

> curl -k -H "Authorization: Bearer <access_token>" -H "Content-Type: application/json" -d '{"client_name":"NetIQOAuthClient3","response_types":["code"],"grant_types":["authorization_code"],"application_type":"web","redirect_uris":["https://redirecturi"]}' https://login.lab.local/nidp/oauth/nam/clients



You will get back the client ID and secret in JSON format:

{
    "developerDn": "oauthadmin",
    "grant_types": ["authorization_code"],
    "application_type": "web",
    "Version": "4.1",
    "client_secret_expires_at": 1494409273040,
    "registration_client_uri": "http://login.lab.local/nidp/oauth/nam/clients/clientid",
    "redirect_uris": ["https://redirecturi"],
    "client_secret": "secret"
}


There is no need to update the IDPs; the newly added application is ready to use.
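The whole procedure above, as an added example in Python that is not part of the NetIQ article: it runs steps 1 to 4 against any transport exposing a single request() method, keeps the session cookie, reads the code out of the 302 Location header, checks the token's type and scope before using it, and stops as soon as a step fails. The endpoint paths are the ones the article shows; the hostname, user, client ids, secrets and the FakeNAM stand-in that answers offline are constructed placeholders. Note that the article's authorization request sends response_type=token, which returns the token directly in the fragment, while the token request in step 3 expects a code; this example sends response_type=code so that the two steps match, and its UrllibTransport keeps TLS verification on rather than reproducing curl -k.

```python
"""Automate the article's four steps end to end. Added example, not NetIQ code:
endpoint paths follow the article; host, ids, secrets and FakeNAM are constructed."""
import base64, json, urllib.error, urllib.request
from http.cookiejar import CookieJar
from urllib.parse import parse_qs, urlencode, urlsplit

SCOPE = "urn:netiq.com:nam:scope:oauth:registration:full"

def authz_url(base, client_id, redirect_uri):
    # Step 2. The article's curl sends response_type=token (token in the URL
    # fragment); response_type=code is what step 3's code exchange expects.
    return f"{base}/nidp/oauth/nam/authz?" + urlencode({"response_type": "code",
        "client_id": client_id, "redirect_uri": redirect_uri, "scope": SCOPE})

def extract_code(location):
    # Read the code (or an OAuth error) out of the 302 Location header.
    u = urlsplit(location)
    p = {**parse_qs(u.fragment), **parse_qs(u.query)}  # implicit flow uses the fragment
    if "error" in p:
        raise RuntimeError(f"authorization failed: {p['error'][0]}")
    if "code" not in p:
        raise RuntimeError("no authorization code in redirect")
    return p["code"][0]

def parse_json(status, raw, what):
    if status not in (200, 201):
        raise RuntimeError(f"{what} failed: HTTP {status}")
    return json.loads(raw)  # a non-JSON body raises ValueError here

def register_client(t, base, user, pw, dev_id, dev_secret, redirect_uri, new_client):
    # 1. Basic-auth login; the transport keeps the JSESSIONID cookie.
    cred = base64.b64encode(f"{user}:{pw}".encode()).decode()
    status, _, _ = t.request("GET", f"{base}/nidp/app/login?id=basic",
                             {"Authorization": f"Basic {cred}"})
    if status >= 400:
        raise RuntimeError(f"login failed: HTTP {status}")
    # 2. Authorization request; the 302 Location carries the code.
    status, hdrs, _ = t.request("GET", authz_url(base, dev_id, redirect_uri))
    if status != 302 or "location" not in hdrs:
        raise RuntimeError(f"expected 302 from authz, got HTTP {status}")
    # 3. Exchange the code for the bearer token.
    form = urlencode({"code": extract_code(hdrs["location"]), "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri, "client_id": dev_id, "client_secret": dev_secret})
    status, _, raw = t.request("POST", f"{base}/nidp/oauth/nam/token",
                               {"Content-Type": "application/x-www-form-urlencoded"}, form.encode())
    tok = parse_json(status, raw, "token request")
    if tok.get("token_type", "").lower() != "bearer" or SCOPE not in tok.get("scope", ""):
        raise RuntimeError("not a bearer token with the registration scope")
    # 4. Register the client with the bearer token; never log the token or the secret.
    status, _, raw = t.request("POST", f"{base}/nidp/oauth/nam/clients",
                               {"Authorization": f"Bearer {tok['access_token']}",
                                "Content-Type": "application/json"}, json.dumps(new_client).encode())
    reg = parse_json(status, raw, "client registration")
    if "client_secret" not in reg:
        raise RuntimeError("registration response has no client_secret")
    # In the article's reply the client id appears only as the last segment of registration_client_uri.
    reg.setdefault("client_id", reg.get("registration_client_uri", "").rsplit("/", 1)[-1])
    return reg

class UrllibTransport:
    """Real transport: keeps cookies, stops at redirects (we read the 302) and verifies TLS, unlike curl -k."""
    class _Stop(urllib.request.HTTPRedirectHandler):
        redirect_request = lambda *a, **k: None
    def __init__(self):
        self.opener = urllib.request.build_opener(
            self._Stop, urllib.request.HTTPCookieProcessor(CookieJar()))
    def request(self, method, url, headers=None, body=None):
        req = urllib.request.Request(url, data=body, headers=headers or {}, method=method)
        try:
            r = self.opener.open(req)
        except urllib.error.HTTPError as e:  # the 302 lands here because of _Stop
            r = e
        return r.code, {k.lower(): v for k, v in r.headers.items()}, r.read()

class FakeNAM:
    """Constructed offline stand-in for the IdP; replies mirror the article's shapes."""
    logged_in = False
    def request(self, method, url, headers=None, body=None):
        h, u = headers or {}, urlsplit(url)
        if u.path == "/nidp/app/login":
            self.logged_in = h.get("Authorization", "").startswith("Basic ")
            return (200 if self.logged_in else 401), {}, b""
        if u.path == "/nidp/oauth/nam/authz" and self.logged_in:
            back = parse_qs(u.query)["redirect_uri"][0]
            return 302, {"location": f"{back}?code=CONSTRUCTED-CODE"}, b""
        if u.path == "/nidp/oauth/nam/token":
            if parse_qs(body.decode()).get("code") != ["CONSTRUCTED-CODE"]:
                return 400, {}, b'{"error":"invalid_grant"}'
            return 200, {}, json.dumps({"access_token": "CONSTRUCTED-TOKEN", "token_type": "bearer",
                                        "expires_in": 3600, "scope": SCOPE}).encode()
        if u.path == "/nidp/oauth/nam/clients" and h.get("Authorization") == "Bearer CONSTRUCTED-TOKEN":
            c = json.loads(body)
            return 200, {}, json.dumps({"redirect_uris": c["redirect_uris"], "client_secret": "CONSTRUCTED-SECRET",
                "registration_client_uri": f"{u.scheme}://{u.netloc}/nidp/oauth/nam/clients/new-client-id"}).encode()
        return 401, {}, b""

if __name__ == "__main__":
    new = {"client_name": "NetIQOAuthClient3", "response_types": ["code"], "application_type": "web",
           "grant_types": ["authorization_code"], "redirect_uris": ["https://redirecturi"]}
    print("registered client", register_client(FakeNAM(), "https://login.lab.local", "oauthadmin",
          "pw", "clientid", "secret", "https://redirecturi", new)["client_id"])
```

Run it as-is to exercise the flow against FakeNAM; against a real IdP pass UrllibTransport() and the real base URL instead. Store the returned client_secret the way you would any credential, and keep the registration token out of logs and shell history: the article's token response shows an expires_in of 38879999999 seconds, so that token stays usable until it is revoked.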