Task #2327
Status: closed
Support REST API of OpenAM 13
Start date: 06/16/2020
% Done: 100%
Description
Extend OpenAM module so it is compatible with the new version of OpenAM REST API.
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-auth
https://backstage.forgerock.com/docs/openam/13/dev-guide/#rest-api-tokens
The old HTTP API is deprecated in version 13 and will be removed in future versions.
We need this functionality for the LTS (9.7.16).
Exact examples and responses in our environment:
Authentication:
$ curl \
    -s -k \
    --request POST \
    --header "X-OpenAM-Username: $user" \
    --header "X-OpenAM-Password: $pass" \
    --header "Content-Type: application/json" \
    --header "Accept-API-Version: resource=2.0, protocol=1.0" \
    --data "{}" \
    https://am-test.domain.cz/openam/json/authenticate
# successful: HTTP/1.1 200, response: {"tokenId":"AQIC5wM2LY4Sfcy4CjLjNjqG0n8QPvMA04BgrExJQBxKk44.*AAJTSQACMDIAAlNLABM1NzI4NTA3NTY5Mzk2MjQyMTQ4AAJTMQACMDE.*","successUrl":"/openam/console","realm":"/somerealm"}
# wrong username or password: HTTP/1.1 401, response: {"code":401,"reason":"Unauthorized","message":"Authentication Failed"}
Logout:
$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --header "Accept-API-Version: resource=1.1, protocol=1.0" \
    --data "{}" \
    "https://am-test.domain.cz/openam/json/sessions/?_action=logout"
# valid session: HTTP/1.1 200, response: {"result":"Successfully logged out"}
# invalid session: HTTP/1.1 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied"}
Session validation:
$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --data "{}" \
    --header "Accept-API-Version: protocol=1.0,resource=1.2" \
    "https://am-test.domain.cz/openam/json/sessions/?_action=validate"
# valid session: HTTP/1.1 200, response: {"valid":true,"uid":"123321","realm":"/somerealm"}
# invalid session: HTTP/1.1 200 (really!), response: {"valid":false}
Attributes retrieval (the prefix "am.protected" is required):
$ curl \
    -s -k \
    --request POST \
    --header "Content-Type: application/json" \
    --header "iPlanetDirectoryPro: $token" \
    --data '{"properties": ["am.protected.cn", "am.protected.sn", "am.protected.destinationIndicator", "am.protected.employeeNumber", "am.protected.givenName", "am.protected.inetUserStatus", "am.protected.initials", "am.protected.mail", "am.protected.mailAlternateAddress", "am.protected.o", "am.protected.ou", "am.protected.telephoneNumber", "am.protected.uid"]}' \
    --header "Accept-API-Version: protocol=1.0,resource=1.2" \
    "https://am-test.domain.cz/openam/json/sessions/$token?_action=getProperty"
# valid session: HTTP/1.1 200, response: {"am.protected.cn":"123321","am.protected.sn":"Testovací","am.protected.destinationIndicator":"nn|aml|portal","am.protected.employeeNumber":"AM-123321","am.protected.givenName":"Uživatel","am.protected.inetUserStatus":"Active","am.protected.initials":"","am.protected.mail":"test.test@domain.tld","am.protected.mailAlternateAddress":"","am.protected.o":"","am.protected.ou":"COU","am.protected.telephoneNumber":"+420111222333","am.protected.uid":"123321"}
# invalid session: HTTP/1.1 401, response: {"code":401,"reason":"Unauthorized","message":"Access Denied"}
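The responses above mix two conventions: authenticate and getProperty signal failure with HTTP 401, while validate answers HTTP 200 for an invalid session, so a client that trusts the status code alone would accept a dead session. The following is an added example, not code from this ticket or from the module; the function names and `SessionError` are hypothetical, and it fails closed on anything the ticket does not list as an expected response.

```python
import json

class SessionError(Exception):
    """Response that is neither a clear success nor a clear refusal."""

def _obj(status, body):
    # Parse the body as a JSON object; anything else is an error, not a "no".
    try:
        data = json.loads(body)
    except (TypeError, ValueError) as exc:
        raise SessionError(f"HTTP {status}: body is not JSON") from exc
    if not isinstance(data, dict):
        raise SessionError(f"HTTP {status}: body is not a JSON object")
    return data

def parse_authenticate(status, body):
    """tokenId on HTTP 200, None on HTTP 401 (authentication failed)."""
    if status == 401:
        return None
    if status != 200:
        raise SessionError(f"HTTP {status}: unexpected authenticate status")
    token = _obj(status, body).get("tokenId")
    if not isinstance(token, str) or not token:
        raise SessionError("HTTP 200 without a tokenId")
    return token

def parse_validate(status, body):
    """(uid, realm) for a valid session, None for an invalid one.

    An invalid session also answers HTTP 200, so the status code decides
    nothing here: only a literal JSON true in "valid" counts.
    """
    if status != 200:
        raise SessionError(f"HTTP {status}: unexpected validate status")
    data = _obj(status, body)
    if data.get("valid") is not True:  # false, missing, or the string "true"
        return None
    uid = data.get("uid")
    if not isinstance(uid, str) or not uid:
        raise SessionError("valid session without a uid")
    return uid, data.get("realm")

def parse_properties(status, body, prefix="am.protected."):
    """Attribute dict with the prefix stripped, None on HTTP 401."""
    if status == 401:
        return None
    if status != 200:
        raise SessionError(f"HTTP {status}: unexpected getProperty status")
    return {k[len(prefix):]: v for k, v in _obj(status, body).items()
            if k.startswith(prefix)}
```

Raising on unexpected statuses and non-JSON bodies keeps a proxy error page or an outage from being read as either "valid" or "logged out".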