Task #2327: Support REST API of OpenAM 13
Status: closed, 100% done
Description
Extend OpenAM module so it is compatible with the new version of OpenAM REST API.
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-auth
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-tokens
The old HTTP API is deprecated in the version 13 and will be removed in future versions.
We need this functionality for the LTS (9.7.16).
Exact examples and responses in our environment:
Authentication:
$ curl \
  -s -k \
  --request POST \
  --header "X-OpenAM-Username: $user" \
  --header "X-OpenAM-Password: $pass" \
  --header "Content-Type: application/json" \
  --header "Accept-API-Version: resource=2.0, protocol=1.0" \
  --data "{}" \
  https://am-test.domain.cz/openam/json/authenticate

# successful: HTTP/1.1 200, response:
{"tokenId":"AQIC5wM2LY4Sfcy4CjLjNjqG0n8QPvMA04BgrExJQBxKk44.*AAJTSQACMDIAAlNLABM1NzI4NTA3NTY5Mzk2MjQyMTQ4AAJTMQACMDE.*","successUrl":"/openam/console","realm":"/somerealm"}
# wrong username or password: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}
Logout:
$ curl \
  -s -k \
  --request POST \
  --header "Content-Type: application/json" \
  --header "iPlanetDirectoryPro: $token" \
  --header "Accept-API-Version: resource=1.1, protocol=1.0" \
  --data "{}" \
  https://am-test.domain.cz/openam/json/sessions/?_action=logout

# valid session: HTTP/1.1 200, response:
{"result":"Successfully logged out"}
# invalid session: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Access Denied"}
Session validation:
$ curl \
  -s -k \
  --request POST \
  --header "Content-Type: application/json" \
  --header "iPlanetDirectoryPro: $token" \
  --data "{}" \
  --header "Accept-API-Version: protocol=1.0,resource=1.2" \
  https://am-test.domain.cz/openam/json/sessions/?_action=validate

# valid session: HTTP/1.1 200, response:
{"valid":true,"uid":"123321","realm":"/somerealm"}
# invalid session: HTTP/1.1 200 (really!), response:
{"valid":false}
Attributes retrieval (the prefix "am.protected" is required):
curl \
  -s -k \
  --request POST \
  --header "Content-Type: application/json" \
  --header "iPlanetDirectoryPro: $token" \
  --data '{"properties": ["am.protected.cn", "am.protected.sn", "am.protected.destinationIndicator", "am.protected.employeeNumber", "am.protected.givenName", "am.protected.inetUserStatus", "am.protected.initials", "am.protected.mail", "am.protected.mailAlternateAddress", "am.protected.o", "am.protected.ou", "am.protected.telephoneNumber", "am.protected.uid"]}' \
  --header "Accept-API-Version: protocol=1.0,resource=1.2" \
  https://am-test.domain.cz/openam/json/sessions/$token?_action=getProperty

# valid session: HTTP/1.1 200, response:
{"am.protected.cn":"123321","am.protected.sn":"Testovací","am.protected.destinationIndicator":"nn|aml|portal","am.protected.employeeNumber":"AM-123321","am.protected.givenName":"Uživatel","am.protected.inetUserStatus":"Active","am.protected.initials":"","am.protected.mail":"test.test@domain.tld","am.protected.mailAlternateAddress":"","am.protected.o":"","am.protected.ou":"COU","am.protected.telephoneNumber":"+420111222333","am.protected.uid":"123321"}
# invalid session: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Access Denied"}
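The four calls above form one session lifecycle: authenticate, validate, read attributes, log out. The following added example is not the CzechIdM OpenAM module's code and not part of the task; it is a small Python client built from those curl calls. The base URL is the one used in the task's examples, the transport function and the error class are assumptions, and the sample responses in the offline check are the ones quoted above. It handles the validate quirk noted above (HTTP 200 even for an invalid session) by trusting only the "valid" field, adds the am.protected prefix that getProperty requires, and leaves TLS verification on (the curl examples pass -k, which a module should not do in production).

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Base URL taken from the task's curl examples; replace for another environment.
BASE_URL = "https://am-test.domain.cz/openam"
SESSION_HEADER = "iPlanetDirectoryPro"      # header carrying the SSO token
PROTECTED_PREFIX = "am.protected."           # required on getProperty attribute names


class OpenAMError(Exception):
    """Assumed error type: raised for 401 responses (failed login, invalid session)."""


def _request(url, headers, payload):
    """Describe a POST as a plain dict so it can be inspected without a network."""
    all_headers = {"Content-Type": "application/json"}
    all_headers.update(headers)
    return {"url": url, "headers": all_headers, "body": json.dumps(payload).encode()}


def build_authenticate_request(username, password, base_url=BASE_URL):
    return _request(f"{base_url}/json/authenticate",
                    {"X-OpenAM-Username": username, "X-OpenAM-Password": password,
                     "Accept-API-Version": "resource=2.0, protocol=1.0"}, {})


def parse_authenticate_response(status, body):
    data = json.loads(body)
    if status != 200:   # 401 carries {"code":401,...,"message":"Authentication Failed"}
        raise OpenAMError(data.get("message", "Authentication Failed"))
    return data["tokenId"]


def build_validate_request(token, base_url=BASE_URL):
    return _request(f"{base_url}/json/sessions/?_action=validate",
                    {SESSION_HEADER: token, "Accept-API-Version": "protocol=1.0,resource=1.2"}, {})


def parse_validate_response(status, body):
    # OpenAM 13 answers 200 for an invalid session too, so the status code proves
    # nothing here: only "valid": true in the body means the session is live.
    if status != 200:
        raise OpenAMError(f"unexpected status {status} from validate")
    data = json.loads(body)
    if data.get("valid") is not True:
        return False, None, None
    return True, data.get("uid"), data.get("realm")


def build_get_property_request(token, attributes, base_url=BASE_URL):
    # Callers may pass plain names ("cn"); the endpoint only accepts prefixed ones.
    props = [a if a.startswith(PROTECTED_PREFIX) else PROTECTED_PREFIX + a for a in attributes]
    # The token sits in the path, as in the curl example; '*' and '.' are kept as-is,
    # anything else that is not URL-safe is percent-encoded.
    url = f"{base_url}/json/sessions/{quote(token, safe='*.')}?_action=getProperty"
    return _request(url, {SESSION_HEADER: token, "Accept-API-Version": "protocol=1.0,resource=1.2"},
                    {"properties": props})


def parse_get_property_response(status, body):
    data = json.loads(body)
    if status != 200:   # invalid session: 401 "Access Denied"
        raise OpenAMError(data.get("message", "Access Denied"))
    # Strip the prefix so callers see plain LDAP-style attribute names.
    return {(k[len(PROTECTED_PREFIX):] if k.startswith(PROTECTED_PREFIX) else k): v
            for k, v in data.items()}


def build_logout_request(token, base_url=BASE_URL):
    return _request(f"{base_url}/json/sessions/?_action=logout",
                    {SESSION_HEADER: token, "Accept-API-Version": "resource=1.1, protocol=1.0"}, {})


def parse_logout_response(status, body):
    data = json.loads(body)
    if status != 200:
        raise OpenAMError(data.get("message", "Access Denied"))
    return data.get("result") == "Successfully logged out"


def http_send(req):
    """Real transport (needs network); returns (status, body_text). TLS stays verified."""
    r = urllib.request.Request(req["url"], data=req["body"], headers=req["headers"], method="POST")
    try:
        with urllib.request.urlopen(r) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as e:
        return e.code, e.read().decode()


def session_flow(username, password, attributes, send=http_send, base_url=BASE_URL):
    """Login, validate, read attributes, then always log out. Returns (uid, realm, attrs)."""
    token = parse_authenticate_response(*send(build_authenticate_request(username, password, base_url)))
    valid, uid, realm = parse_validate_response(*send(build_validate_request(token, base_url)))
    if not valid:
        raise OpenAMError("session reported invalid right after login")
    try:
        attrs = parse_get_property_response(*send(build_get_property_request(token, attributes, base_url)))
    finally:
        parse_logout_response(*send(build_logout_request(token, base_url)))
    return uid, realm, attrs
```

The `send` parameter exists so the whole flow can be exercised against canned responses; `session_flow("user", "pass", ["cn", "mail"])` with the default transport talks to the real server. Logging out in a `finally` block means a failed attribute read does not leave a live SSO session behind.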
Updated by Alena Peterová over 4 years ago
- Status changed from New to Resolved
- % Done changed from 0 to 100
Support for the new version of the REST API is implemented; the version of OpenAM is determined by a new configuration property idm.sec.openam.api.type.
The documentation is in the javadoc, the admin guide: https://wiki.czechidm.com/devel/documentation/adm/openam#openam_versions, and the installation tutorial: https://wiki.czechidm.com/tutorial/adm/modules_openam
Feedback was done by @doischert.
Released as version 1.1.0 (compatible with 9.7) and version 2.1.0 (compatible with 10.3).
Notes:
When releasing 2.1.0 with the Tool from the downloaded 10.3.2, I got the following error after the Tool set the release version into the pom and tried to commit it:
Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
	at org.eclipse.jgit.lib.GpgSigner.<clinit>(GpgSigner.java:58)
	at org.eclipse.jgit.api.CommitCommand.processOptions(CommitCommand.java:611)
	at org.eclipse.jgit.api.CommitCommand.call(CommitCommand.java:195)
	at eu.bcvsolutions.idm.tool.service.impl.AbstractReleaseManager.gitCommit(AbstractReleaseManager.java:459)
	at eu.bcvsolutions.idm.tool.service.impl.AbstractReleaseManager.release(AbstractReleaseManager.java:160)
	at eu.bcvsolutions.idm.tool.ConsoleRunner.run(ConsoleRunner.java:460)
	at eu.bcvsolutions.idm.tool.ConsoleRunner.main(ConsoleRunner.java:63)
	... 8 more
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
	at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
	at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
It was resolved by using the Tool from the current develop branch (built as described in https://wiki.czechidm.com/devel/documentation/modules_tool#how_to_build_the_tool_from_source).
My settings:
projects/
├── idm-tool-10.4.0-SNAPSHOT.jar
├── openam
│   ├── CHANGELOG.md
│   ├── README.md
│   └── Realization
│       └── backend
│           ├── idm-openam
Release & push to git (could also be done in one command with --release-publish):
cd projects
java -jar idm-tool-10.4.0-SNAPSHOT.jar --module openam --release --release-version 2.1.0 --develop-version 2.2.0-SNAPSHOT --maven-home=/usr/share/maven --username peterovaa --password ***
java -jar idm-tool-10.4.0-SNAPSHOT.jar --module openam --publish --release-version 2.1.0 --develop-version 2.2.0-SNAPSHOT --maven-home=/usr/share/maven --username peterovaa --password ***
Updated by Alena Peterová over 4 years ago
- Status changed from Resolved to Closed