March 25, 2020

AEM as OAuth Server – Part 2 – Testing OAuth


In this blog, we will look at how to test the OAuth client setup from the previous part using Postman.

Configuration needed in the AEM server to accept POST requests from outside

This is done only for testing. Do not apply this configuration to any production environment: with it, the AEM server accepts POST requests from any origin, which is exactly what the referrer and CSRF filters exist to prevent. In regular environments this is controlled instead through safe user agents or allowed client hosts. Here we simply open up the server to accept POSTs so we can check whether our OAuth client setup works.

To do that, open these two configurations in the OSGi web console, the Sling Referrer Filter and the Adobe Granite CSRF Filter, remove "POST" from the list of filtered methods in each, and save. Restore the original values once testing is finished.

http://localhost:4504/system/console/configMgr/org.apache.sling.security.impl.ReferrerFilter

http://localhost:4504/system/console/configMgr/com.adobe.granite.csrf.impl.CSRFFilter

This step is needed because the OAuth token request is a POST, and for Postman to make that call successfully the AEM server has to accept it: Postman sends neither a Referer header that the referrer filter would accept nor the CSRF token the CSRF filter looks for.

Using the out-of-the-box setup in Postman

Create a new request in Postman that accesses one of the protected endpoints, for example /bin/oauth/sample/one. The servlet behind this endpoint is described in the previous blog.

Send this request first without any login or authorization. It should return the AEM login page, as shown below.



Now, under Authorization, choose OAuth 2.0 and fill in the following:


Callback Url: https://www.getpostman.com/oauth2/callback
Token Name: new-token
Auth URL: http://localhost:4504/oauth/authorize
Access Token URL: http://localhost:4504/oauth/token
Client Id: To be taken from the OAuth client that was setup
Client Secret: To be taken from the OAuth client that was setup

Scope: the scopes configured on the OAuth client, for example sampleScopeOne%20sampleScopeTwo. Multiple scopes are separated by a space, which is URL-encoded as %20.

Grant Type: Authorization Code.

On clicking the Get Token button, Postman first opens the AEM authorization screen, which prompts the user to grant access. If the user is not logged in to AEM, the login page is shown first and the authorization screen after login. After the user clicks Accept on the AEM authorization screen, a new token entry appears in Postman.




Postman offers to add the token either to the URL or to the request header. AEM's OAuth implementation accepts the token only in the Authorization header, not as a URL parameter. That is also the safer choice in general, since tokens placed in URLs end up in server logs, browser history and Referer headers.


On clicking "Use Token", Postman adds the returned token to the request headers under the key Authorization, with the value "Bearer" followed by the token. Sometimes the token is not added properly and the header shows "Bearer undefined", as shown below. In that case we have to test it manually, as described further down.




Once the Bearer token is in the Authorization header, call the sample scope one endpoint again. This time the request should go through.

Testing step by step

If Postman does not add the generated access token to the header properly, the authorization call and the token call can be tested manually.

Call the authorization URL

First, call the authorization URL with all the necessary parameters. This is a GET request.

http://localhost:4504/oauth/authorize?client_id=p1huuknrm19olc2ppbh7lrrjg2-iqelpf81&scope=sampleScopeOne%20sampleScopeTwo&response_type=code&redirect_uri=https://www.getpostman.com/oauth2/callback

This opens the authorization page (if the user is not logged in, it first prompts for login and then shows the authorization page). After clicking Accept, AEM redirects to the redirect URL with the authorization code attached. The response looks like this:


https://app.getpostman.com/oauth2/callback?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsInN1YiI6ImFkbWluIiwiZXhwIjoxNTAxNjU4NjE3LCJpYXQiOjE1MDE2NTgwMTcsInNjb3BlIjoic2FtcGxlU2NvcGVUd28sc2FtcGxlU2NvcGVPbmUiLCJjdHkiOiJjb2RlIn0.q9dqSPEgrFZoUWrWyHPDgw2RUxIhdB3UTO_aztkSa3g&state=null

The value of the code parameter is our authorization code. Note the trailing state=null: the sample request above sent no state parameter. A real client should always send a random, unguessable state value and reject any callback that does not return it unchanged, otherwise an attacker can complete the flow with a code of their own choosing in the victim's browser.

The authorization code is a JSON Web Token and can be decoded to inspect its claims, for example at https://www.jsonwebtoken.io/. Only do this with throwaway test tokens like the ones here; never paste tokens from a real environment into a third-party decoder.

This is the JWT from the previous URL:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsInN1YiI6ImFkbWluIiwiZXhwIjoxNTAxNjU4NjE3LCJpYXQiOjE1MDE2NTgwMTcsInNjb3BlIjoic2FtcGxlU2NvcGVUd28sc2FtcGxlU2NvcGVPbmUiLCJjdHkiOiJjb2RlIn0.q9dqSPEgrFZoUWrWyHPDgw2RUxIhdB3UTO_aztkSa3g

Decoded, its header is {"alg":"HS256","typ":"JWT"} and its payload is:

{"aud":"p1huuknrm19olc2ppbh7lrrjg2-iqelpf81","sub":"admin","exp":1501658617,"iat":1501658017,"scope":"sampleScopeTwo,sampleScopeOne","cty":"code"}

The aud claim is the client id, sub is the AEM user who clicked Accept, and exp minus iat shows the code is valid for 600 seconds. Note the cty (content type) claim: the value code marks this as an authorization code, not an access token.

Call the access token URL

The request to the access token URL is a POST and can be made through Postman.

This is a sample:



URL: http://localhost:4504/oauth/token

grant_type : authorization_code

code: authorization code returned by the previous URL. In this case :

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsInN1YiI6ImFkbWluIiwiZXhwIjoxNTAxNjU4NjE3LCJpYXQiOjE1MDE2NTgwMTcsInNjb3BlIjoic2FtcGxlU2NvcGVUd28sc2FtcGxlU2NvcGVPbmUiLCJjdHkiOiJjb2RlIn0.q9dqSPEgrFZoUWrWyHPDgw2RUxIhdB3UTO_aztkSa3g

redirect_uri : https://www.getpostman.com/oauth2/callback
client_id: client id of the OAuth client.
client_secret: Client secret of the OAuth client.

If successful, this call returns a response in this format:

{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTUwMTY2MTk1MSwiaWF0IjoxNTAxNjU4MzUxLCJzY29wZSI6InNhbXBsZVNjb3BlVHdvLHNhbXBsZVNjb3BlT25lIiwiY3R5IjoiYXQifQ.lb7j19Sc9Vg-5hsvI7-BWJte8DQIwFGQNLFulJRC1Ac","expires_in":3600}

This token can be decoded in the same way as the authorization code (again, only for test tokens). Its payload is:

{"aud":"p1huuknrm19olc2ppbh7lrrjg2-iqelpf81","iss":"Adobe Granite","sub":"admin","exp":1501661951,"iat":1501658351,"scope":"sampleScopeTwo,sampleScopeOne","cty":"at"}

Here cty is at, marking an access token, iss names the issuer, and exp minus iat is 3600 seconds, matching the expires_in value in the response. Also notice that AEM stores the granted scopes comma separated in the scope claim, even though the request sent them space separated.
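The same inspection done locally rather than in a web decoder, as an added example that is not code from the post or from AEM. It decodes the authorization code and access token shown on this page, reads the cty, aud, exp and scope claims, and flags the problems a resource server would care about. It does not verify the HS256 signature, since only the AEM server holds the key, so it is for inspection only:

```python
"""Inspect AEM OAuth JWTs locally (added example, not code from the post or from AEM).

AUTH_CODE and ACCESS_TOKEN are the authorization code and access token shown in
this post. Only the claims are decoded; the HS256 signature is NOT verified,
because the signing key lives on the AEM server, so treat the output as
inspection, never as proof that a token is genuine.
"""
import base64
import json
import time

CLIENT_ID = "p1huuknrm19olc2ppbh7lrrjg2-iqelpf81"  # client id from the post's sample URL

AUTH_CODE = ".".join([
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
    "eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsInN1YiI6ImFkbWluIiwiZXhwIjoxNTAxNjU4NjE3LCJpYXQiOjE1MDE2NTgwMTcsInNjb3BlIjoic2FtcGxlU2NvcGVUd28sc2FtcGxlU2NvcGVPbmUiLCJjdHkiOiJjb2RlIn0",
    "q9dqSPEgrFZoUWrWyHPDgw2RUxIhdB3UTO_aztkSa3g",
])
ACCESS_TOKEN = ".".join([
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
    "eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTUwMTY2MTk1MSwiaWF0IjoxNTAxNjU4MzUxLCJzY29wZSI6InNhbXBsZVNjb3BlVHdvLHNhbXBsZVNjb3BlT25lIiwiY3R5IjoiYXQifQ",
    "lb7j19Sc9Vg-5hsvI7-BWJte8DQIwFGQNLFulJRC1Ac",
])


def _b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def peek_jwt(token):
    """Return (header, claims) WITHOUT verifying the signature."""
    header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(header)), json.loads(_b64url_decode(payload))


def token_kind(token):
    """AEM marks the token type in the cty claim: 'code' or 'at' (access token)."""
    cty = peek_jwt(token)[1].get("cty")
    return {"code": "authorization code", "at": "access token"}.get(cty, "unknown (%r)" % cty)


def lifetime_seconds(token):
    claims = peek_jwt(token)[1]
    return claims["exp"] - claims["iat"]


def granted_scopes(token):
    """AEM stores the granted scopes comma separated (the request used spaces)."""
    return set(peek_jwt(token)[1]["scope"].split(","))


def validate_claims(token, expected_client_id, expected_kind, now=None):
    """Return a list of problems; an empty list means the claims look right.

    A resource server would do these checks after verifying the signature:
    the token must be for this client, of the expected kind, and unexpired.
    """
    now = time.time() if now is None else now
    claims = peek_jwt(token)[1]
    problems = []
    if claims.get("aud") != expected_client_id:
        problems.append("audience mismatch")
    if claims.get("cty") != expected_kind:
        problems.append("wrong token kind: %r" % claims.get("cty"))
    if now >= claims.get("exp", 0):
        problems.append("expired")
    return problems


if __name__ == "__main__":
    for name, tok in (("authorization code", AUTH_CODE), ("access token", ACCESS_TOKEN)):
        header, claims = peek_jwt(tok)
        print(name, header, json.dumps(claims, indent=2), sep="\n")
        print("kind:", token_kind(tok), "| lifetime:", lifetime_seconds(tok), "s")
        # the sample tokens date from 2017, so they report as expired today
        print("problems now:", validate_claims(tok, CLIENT_ID, claims["cty"]))
```

Run as a script it prints both sets of claims; the important habit is that the kind check (cty) is separate from the expiry check, so an authorization code can never be accepted where an access token is expected just because it is still within its lifetime.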

Place the access token in Request Header – Authorization

Place the access token received in request header under “Authorization” as shown below :


Now send the request. This time it returns the expected response, since the request carries a valid access token obtained through the OAuth flow.
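The three manual steps above (authorize with GET, exchange the code with POST, call the endpoint with a Bearer header) as one small Python script. This is an added example, not part of the original post or of AEM; it assumes the localhost:4504 endpoints and the sample client id shown above, and the client secret is a placeholder. Unlike the sample authorize URL, it sends a random state value and refuses the callback if the state does not come back unchanged. Only main() touches the network; the builder functions can be exercised offline.

```python
"""Manual AEM OAuth 2.0 authorization-code flow (added example, not from the post).

Assumptions: AEM author on http://localhost:4504 with the /oauth/authorize and
/oauth/token endpoints from the post; CLIENT_ID is the sample id from the post's
URLs; CLIENT_SECRET is a placeholder. Network calls happen only in main().
"""
import json
import secrets
import urllib.parse
import urllib.request

AEM = "http://localhost:4504"
CLIENT_ID = "p1huuknrm19olc2ppbh7lrrjg2-iqelpf81"   # sample client id from the post
CLIENT_SECRET = "replace-with-your-client-secret"     # placeholder (assumption)
REDIRECT_URI = "https://www.getpostman.com/oauth2/callback"
SCOPES = ["sampleScopeOne", "sampleScopeTwo"]


def build_authorize_url(state):
    """GET URL for the authorization step. Unlike the post's sample URL, a random
    state is included so the callback can be tied back to this request."""
    params = {
        "client_id": CLIENT_ID,
        "scope": " ".join(SCOPES),      # multiple scopes are space separated
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    # quote (not quote_plus) encodes the space as %20, as in the post's URL
    return AEM + "/oauth/authorize?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def parse_callback(callback_url, expected_state):
    """Extract the authorization code from the redirect URL, rejecting a callback
    whose state does not match (the post's sample callback carries state=null
    because no state was sent with the request)."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback does not belong to our request")
    if "code" not in query:
        raise ValueError("no authorization code in callback: %r" % query.get("error"))
    return query["code"][0]


def token_request(code):
    """POST to /oauth/token with the same form fields the post enters in Postman."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "client_secret": CLIENT_SECRET,
    }).encode()
    return urllib.request.Request(
        AEM + "/oauth/token", data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"},
    )


def bearer_request(path, access_token):
    """AEM accepts the token only in the Authorization header, never in the URL."""
    return urllib.request.Request(AEM + path, headers={"Authorization": "Bearer " + access_token})


def main():
    state = secrets.token_urlsafe(16)
    print("Open this in a browser that is logged in to AEM and click Accept:")
    print(build_authorize_url(state))
    code = parse_callback(input("Paste the full redirect URL here: ").strip(), state)
    with urllib.request.urlopen(token_request(code)) as resp:
        token = json.load(resp)          # {"access_token": "...", "expires_in": 3600}
    with urllib.request.urlopen(bearer_request("/bin/oauth/sample/one", token["access_token"])) as resp:
        print(resp.status, resp.read().decode())


if __name__ == "__main__":
    main()
```

The browser step stays manual on purpose: the authorize endpoint needs the AEM login session and the user's click on Accept, which is exactly the part Postman automates with its popup window.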



Note that the user id reported by the endpoint is not admin but the OAuth user that AEM creates on an OAuth login. In this case it is: oauth-cA1CRJluFLNQGFwIQD8etJWB-7Ivsh5-gV9cS91j7bl.QfiQXYiojI5R3YiwiIl52TlB3bjNVZsBXbhNHLvdHVlB3bjNVZsBXbhNnI6ISZw92YzJCLxUzM4UjNxATNxojI0FWaiwSM1kTM2YTMwUTM6ICc4VmIsIibp1GZhJiOiIWdzJCLiUGdp5WYydEIlJ2bkFkI6IyczlmIsISM4YGcsVWcp1iMnpmcyx2NoJGcwJzYs9WOx0mcutWd1hWMwJiOiQWdhJye.9JCVXpkI6ICc5RnIsIiN1IzUIJiOicGbhJye

How to get the logged-in user using the OAuth user id

This is an extra snippet that is not needed for testing but may be useful. After a successful OAuth login, the user AEM reports is the generated OAuth user, not the user who logged in and authorized the request.

Using the OAuth user id, it is possible to retrieve the actual user who logged in and authorized the request.

This sample comes from the decompiled jar that contains AEM's OAuth server implementation. The OAuth user id is "oauth-" followed by the access token written backwards, and the subject claim of that token is the authorizing user:

// Helpers from AEM's OAuth server bundle (decompiled). JWT and JWTReader are the
// bundle's own classes; the user id is "oauth-" plus the reversed access token.
public static String getJwtFromUserId(String userId) {
    return new StringBuilder(userId.substring("oauth-".length())).reverse().toString();
}

public static String getSubject(String accessToken) {
    JWT jwt = (JWT) new JWTReader().read(accessToken);
    return jwt.getClaimsSet().getSubject();
}

public static String getSubjectUsingOAuthUserId(String oAuthUserId) {
    String accessToken = getJwtFromUserId(oAuthUserId);
    return getSubject(accessToken);
}
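The same recovery done in Python against the values shown on this page, as an added example that is not AEM's code. It reverses the oauth- user id printed above, checks that the result is the access token returned by the token call, and reads the sub claim without verifying the signature. A practical consequence worth noticing: the user id contains the complete signed bearer token, so anything that logs or displays OAuth user ids (request logs, audit trails, error pages) is leaking a usable access token for as long as it is valid.

```python
"""Recover the AEM user behind an oauth-... user id (added example; a Python
re-implementation of the decompiled helpers above, not AEM's own code).

OAUTH_USER_ID and ACCESS_TOKEN are the values shown earlier on this page. The
id is "oauth-" followed by the access token written backwards, so the id
carries the complete signed bearer token.
"""
import base64
import json

PREFIX = "oauth-"

OAUTH_USER_ID = PREFIX + ".".join([
    "cA1CRJluFLNQGFwIQD8etJWB-7Ivsh5-gV9cS91j7bl",
    "QfiQXYiojI5R3YiwiIl52TlB3bjNVZsBXbhNHLvdHVlB3bjNVZsBXbhNnI6ISZw92YzJCLxUzM4UjNxATNxojI0FWaiwSM1kTM2YTMwUTM6ICc4VmIsIibp1GZhJiOiIWdzJCLiUGdp5WYydEIlJ2bkFkI6IyczlmIsISM4YGcsVWcp1iMnpmcyx2NoJGcwJzYs9WOx0mcutWd1hWMwJiOiQWdhJye",
    "9JCVXpkI6ICc5RnIsIiN1IzUIJiOicGbhJye",
])
ACCESS_TOKEN = ".".join([
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
    "eyJhdWQiOiJwMWh1dWtucm0xOW9sYzJwcGJoN2xycmpnMi1pcWVscGY4MSIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTUwMTY2MTk1MSwiaWF0IjoxNTAxNjU4MzUxLCJzY29wZSI6InNhbXBsZVNjb3BlVHdvLHNhbXBsZVNjb3BlT25lIiwiY3R5IjoiYXQifQ",
    "lb7j19Sc9Vg-5hsvI7-BWJte8DQIwFGQNLFulJRC1Ac",
])


def jwt_from_user_id(user_id):
    """Strip the prefix and reverse the rest, as getJwtFromUserId does."""
    if not user_id.startswith(PREFIX):
        raise ValueError("not an AEM OAuth user id: " + user_id)
    return user_id[len(PREFIX):][::-1]


def jwt_claims(token):
    """Decode the claims segment only; the signature is not verified here."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def subject_from_user_id(user_id):
    """The sub claim is the real user who logged in and clicked Accept."""
    return jwt_claims(jwt_from_user_id(user_id))["sub"]


if __name__ == "__main__":
    token = jwt_from_user_id(OAUTH_USER_ID)
    print("embedded token equals the access token:", token == ACCESS_TOKEN)
    print("subject:", subject_from_user_id(OAUTH_USER_ID))
```

In a real servlet the AEM-side code would be the Java helpers above; this version is only for confirming, from the outside, what the user id is made of.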

Sample Project for AEM as OAuth server implementation

This is a sample Maven AEM project that contains the OAuth scopes and the necessary configurations.

oAuthExample


By aem4beginner
