Task #2327

closed

Support REST API of OpenAM 13

Added by Alena Peterová over 4 years ago. Updated over 4 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Alena Peterová
Target version:
Start date:
06/16/2020
Due date:
% Done:

100%

Estimated time:
Owner:

Description

Extend OpenAM module so it is compatible with the new version of OpenAM REST API.
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-auth
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-tokens

The old HTTP API is deprecated in the version 13 and will be removed in future versions.

We need this functionality for the LTS (9.7.16).

Exact examples and responses in our environment:

Authentication:

$ curl \
    -s -k \
    --request POST \
    --header "X-OpenAM-Username: $user" \
    --header "X-OpenAM-Password: $pass" \
    --header "Content-Type: application/json" \
    --header "Accept-API-Version: resource=2.0, protocol=1.0" \
    --data "{}" \
    https://am-test.domain.cz/openam/json/authenticate

# successful: HTTP/1.1 200, response:
{"tokenId":"AQIC5wM2LY4Sfcy4CjLjNjqG0n8QPvMA04BgrExJQBxKk44.*AAJTSQACMDIAAlNLABM1NzI4NTA3NTY5Mzk2MjQyMTQ4AAJTMQACMDE.*","successUrl":"/openam/console","realm":"/somerealm"}
# wrong username or password: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}

Logout:

$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --header "Accept-API-Version: resource=1.1, protocol=1.0" \
    --data "{}" \
    https://am-test.domain.cz/openam/json/sessions/?_action=logout

# valid session: HTTP/1.1 200, response:
{"result":"Successfully logged out"}
# invalid session: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Access Denied"}

Session validation:

$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --data "{}" \
    --header "Accept-API-Version: protocol=1.0,resource=1.2" \
    https://am-test.domain.cz/openam/json/sessions/?_action=validate

# valid session: HTTP/1.1 200, response:
{"valid":true,"uid":"123321","realm":"/somerealm"}
# invalid session: HTTP/1.1 200 (really!), response:
{"valid":false}

Attributes retrieval (the prefix "am.protected" is required):

$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --data '{"properties": ["am.protected.cn", "am.protected.sn", "am.protected.destinationIndicator", "am.protected.employeeNumber", "am.protected.givenName", "am.protected.inetUserStatus", "am.protected.initials", "am.protected.mail", "am.protected.mailAlternateAddress", "am.protected.o", "am.protected.ou", "am.protected.telephoneNumber", "am.protected.uid"]}' \
    --header "Accept-API-Version: protocol=1.0,resource=1.2" \
    https://am-test.domain.cz/openam/json/sessions/$token?_action=getProperty

# valid session: HTTP/1.1 200, response:
{"am.protected.cn":"123321","am.protected.sn":"Testovací","am.protected.destinationIndicator":"nn|aml|portal","am.protected.employeeNumber":"AM-123321","am.protected.givenName":"Uživatel","am.protected.inetUserStatus":"Active","am.protected.initials":"","am.protected.mail":"test.test@domain.tld","am.protected.mailAlternateAddress":"","am.protected.o":"","am.protected.ou":"COU","am.protected.telephoneNumber":"+420111222333","am.protected.uid":"123321"}
# invalid session: HTTP/1.1 401, response:
{"code":401,"reason":"Unauthorized","message":"Access Denied"}
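
As an added example (not code from the CzechIdM OpenAM module or from ForgeRock), the following Python client exercises the four calls above against an offline stand-in built from the responses quoted in this description. The stand-in FakeOpenAm, its user alice/s3cret, the token format and the attribute values are constructed for the example; the header names, Accept-API-Version values, URL paths and response shapes are the ones shown above. It covers the three points a module author has to get right here: credentials go in headers rather than the URL, validate answers HTTP 200 with "valid": false for a dead session so the status code alone proves nothing, and attribute names must carry the am.protected. prefix on the way in (and are stripped on the way out).

```python
import json
import urllib.error
import urllib.request
from urllib.parse import quote

# Header names, API versions and the attribute prefix come from the curl examples in the issue.
TOKEN_HEADER = "iPlanetDirectoryPro"
PREFIX = "am.protected."

class OpenAmError(Exception):
    """Any unexpected OpenAM status or body, including a rejected session."""

class AuthenticationFailed(OpenAmError):
    """HTTP 401 from /json/authenticate: wrong username or password."""

def urllib_transport(method, url, headers, body):
    """Real HTTPS transport: returns (status, parsed JSON) and keeps 4xx error bodies."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except urllib.error.HTTPError as err:
        return err.code, json.loads(err.read() or b"{}")

class OpenAm13Client:
    """The four OpenAM 13 JSON calls from the issue, with their response quirks handled."""
    def __init__(self, base_url, transport=urllib_transport):
        self.base_url, self._send = base_url.rstrip("/"), transport

    def _post(self, path, headers, body="{}"):
        headers = dict(headers, **{"Content-Type": "application/json"})
        return self._send("POST", self.base_url + path, headers, body)

    def authenticate(self, username, password):
        """Login; the credentials travel in headers, never in the URL or access logs."""
        status, data = self._post("/json/authenticate", {"X-OpenAM-Username": username,
            "X-OpenAM-Password": password, "Accept-API-Version": "resource=2.0, protocol=1.0"})
        if status != 200 or "tokenId" not in data:
            exc = AuthenticationFailed if status == 401 else OpenAmError
            raise exc(f"authenticate: {status} {data.get('message', data)}")
        return data["tokenId"]

    def validate(self, token):
        """Return (valid, uid, realm); an invalid session is still HTTP 200, so only "valid" counts."""
        status, data = self._post("/json/sessions/?_action=validate",
                                  {TOKEN_HEADER: token, "Accept-API-Version": "protocol=1.0,resource=1.2"})
        if status != 200:
            raise OpenAmError(f"validate: unexpected {status} {data}")
        if data.get("valid") is not True:  # absent or false both mean "not valid"
            return False, None, None
        return True, data.get("uid"), data.get("realm")

    def get_attributes(self, token, names):
        """Read session attributes; the am.protected. prefix is added on request and stripped on reply."""
        props = [n if n.startswith(PREFIX) else PREFIX + n for n in names]
        # The token is a path segment: percent-encode it so it cannot add segments or a query string.
        path = "/json/sessions/" + quote(token, safe="*") + "?_action=getProperty"
        status, data = self._post(path, {TOKEN_HEADER: token, "Accept-API-Version": "protocol=1.0,resource=1.2"},
                                  json.dumps({"properties": props}))
        if status != 200:  # 401 "Access Denied" for an invalid session
            raise OpenAmError(f"getProperty: {status} {data.get('message', data)}")
        return {k[len(PREFIX):] if k.startswith(PREFIX) else k: v for k, v in data.items()}

    def logout(self, token):
        """True only when OpenAM confirms the session was destroyed."""
        status, data = self._post("/json/sessions/?_action=logout",
                                  {TOKEN_HEADER: token, "Accept-API-Version": "resource=1.1, protocol=1.0"})
        return status == 200 and data.get("result") == "Successfully logged out"

class FakeOpenAm:
    """Constructed offline stand-in answering like the issue's quoted responses (not a real OpenAM)."""
    def __init__(self):
        self.users, self.sessions = {"alice": "s3cret"}, {}  # constructed test data

    def __call__(self, method, url, headers, body):
        path = url.split("/openam", 1)[1]
        if path == "/json/authenticate":
            user, pw = headers.get("X-OpenAM-Username"), headers.get("X-OpenAM-Password")
            if pw is None or self.users.get(user) != pw:  # a missing password must never match
                return 401, {"code": 401, "reason": "Unauthorized", "message": "Authentication Failed"}
            token = f"AQIC5w.*constructed-{len(self.sessions) + 1}.*"
            self.sessions[token] = {"uid": "123321", "realm": "/somerealm", "attrs": {
                "am.protected.cn": "123321", "am.protected.mail": "test.test@domain.tld"}}
            return 200, {"tokenId": token, "successUrl": "/openam/console", "realm": "/somerealm"}
        session = self.sessions.get(headers.get(TOKEN_HEADER))
        if path == "/json/sessions/?_action=validate":
            if session is None:
                return 200, {"valid": False}  # HTTP 200 even for an invalid session
            return 200, {"valid": True, "uid": session["uid"], "realm": session["realm"]}
        if session is None:  # logout and getProperty reject unknown sessions with 401
            return 401, {"code": 401, "reason": "Unauthorized", "message": "Access Denied"}
        if path == "/json/sessions/?_action=logout":
            del self.sessions[headers[TOKEN_HEADER]]
            return 200, {"result": "Successfully logged out"}
        if path.endswith("?_action=getProperty"):  # /json/sessions/<token>?_action=getProperty
            wanted = json.loads(body).get("properties", [])
            return 200, {p: session["attrs"].get(p, "") for p in wanted if p.startswith(PREFIX)}
        return 404, {"code": 404, "reason": "Not Found", "message": "Not Found"}
```

Leaving the transport argument at its default (urllib_transport) talks to a real server over HTTPS; passing FakeOpenAm() runs the same client logic offline. The stand-in looks the session up by the iPlanetDirectoryPro header only, whereas the real getProperty call also carries the token in the path, which is why the client percent-encodes it before building the URL.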

Actions #2

Updated by Alena Peterová over 4 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Support for the new version of the REST API is implemented; the version of OpenAM is determined by a new configuration property idm.sec.openam.api.type.
The documentation is in the javadoc, the admin guide: https://wiki.czechidm.com/devel/documentation/adm/openam#openam_versions, and the installation tutorial: https://wiki.czechidm.com/tutorial/adm/modules_openam
Feedback was done by @doischert.

Released as version 1.1.0 - compatible with 9.7 - and version 2.1.0 - compatible with 10.3.


Notes:

When releasing 2.1.0 with the Tool from the downloaded 10.3.2, I got the following error after the Tool set the release version into the pom and tried to commit it:

Caused by: java.lang.NoClassDefFoundError: org/bouncycastle/jce/provider/BouncyCastleProvider
    at org.eclipse.jgit.lib.GpgSigner.<clinit>(GpgSigner.java:58)
    at org.eclipse.jgit.api.CommitCommand.processOptions(CommitCommand.java:611)
    at org.eclipse.jgit.api.CommitCommand.call(CommitCommand.java:195)
    at eu.bcvsolutions.idm.tool.service.impl.AbstractReleaseManager.gitCommit(AbstractReleaseManager.java:459)
    at eu.bcvsolutions.idm.tool.service.impl.AbstractReleaseManager.release(AbstractReleaseManager.java:160)
    at eu.bcvsolutions.idm.tool.ConsoleRunner.run(ConsoleRunner.java:460)
    at eu.bcvsolutions.idm.tool.ConsoleRunner.main(ConsoleRunner.java:63)
    ... 8 more
Caused by: java.lang.ClassNotFoundException: org.bouncycastle.jce.provider.BouncyCastleProvider
    at java.net.URLClassLoader.findClass(URLClassLoader.java:381)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:424)
    at sun.misc.Launcher$AppClassLoader.loadClass(Launcher.java:349)
    at java.lang.ClassLoader.loadClass(ClassLoader.java:357)

It was resolved by using the Tool from the current develop branch (built according to: https://wiki.czechidm.com/devel/documentation/modules_tool#how_to_build_the_tool_from_source).

My settings:

projects/
├── idm-tool-10.4.0-SNAPSHOT.jar
├── openam
│   ├── CHANGELOG.md
│   ├── README.md
│   └── Realization
│       └── backend
│           ├── idm-openam

Release & push to git (could also be done in one command with --release-publish):
cd projects
java -jar idm-tool-10.4.0-SNAPSHOT.jar --module openam  --release --release-version 2.1.0 --develop-version 2.2.0-SNAPSHOT  --maven-home=/usr/share/maven  --username peterovaa --password ***
java -jar idm-tool-10.4.0-SNAPSHOT.jar --module openam  --publish --release-version 2.1.0 --develop-version 2.2.0-SNAPSHOT  --maven-home=/usr/share/maven  --username peterovaa --password ***

Actions #3

Updated by Alena Peterová over 4 years ago

  • Status changed from Resolved to Closed