Expand my Community achievements bar.

SOLVED

AEM 6.4 - Oauth 2 legged authorization

Avatar

Level 4

Hi All, I am trying to implement Oauth authorization in AEM publisher for certain resources.   As per the link https://www.albinsblog.com/2017/07/exposing-resources-through-oauth-aem.html#.XJByjSIzbIW  I undestand AEM supports 3 legged Oauth. I want to try 2 legged(Client credentials) and didnt see any helping documents for the same.

Have someone already tried this. Can you please share some pointers to the same

Regards,

Anand

1 Accepted Solution

Avatar

Correct answer by
Level 4

Hello Gaurav, Confimed by checking  the bundle "OSGi Bundle for Granite OAuth Server" that only 2 grant types are supported by Adobe for token generation.

1. AUTHORIZATION_CODE

2. REFRESH_TOKEN

3. JWT_BEARER

View solution in original post

13 Replies

Avatar

Level 10

Per my understanding, the implementation is same as 3-legged except you won't pass token and secret but empty strings. Client Application will need to have its client ID and secret stored in a secure manner

check the flow-

The OAuth Bible

Avatar

Level 4

Thanks Gaurav. I tried to create the token but am getting the below error . I am trying to do POST request using Rest client and  seeing the below error in POSTMAN.

1715234_pastedImage_0.png

Error in error.log -- >

20.03.2019 12:38:38.876 *ERROR* [qtp1411610424-69] org.apache.felix.http.jetty Exception while processing request to /oauth/token (java.lang.IllegalStateException: Committed)

java.lang.IllegalStateException: Committed

at org.eclipse.jetty.server.HttpChannel.resetBuffer(HttpChannel.java:894) [org.apache.felix.http.jetty:4.0.6]

at org.eclipse.jetty.server.HttpOutput.resetBuffer(HttpOutput.java:959) [org.apache.felix.http.jetty:4.0.6]

at org.eclipse.jetty.server.Response.resetBuffer(Response.java:1312) [org.apache.felix.http.jetty:4.0.6]

at javax.servlet.ServletResponseWrapper.resetBuffer(ServletResponseWrapper.java:195) [org.apache.felix.http.servlet-api:1.1.2]

at org.apache.felix.http.base.internal.dispatch.ServletResponseWrapper.sendError(ServletResponseWrapper.java:67) [org.apache.felix.http.jetty:4.0.6]

at org.apache.felix.http.base.internal.dispatch.ServletResponseWrapper.sendError(ServletResponseWrapper.java:61) [org.apache.felix.http.jetty:4.0.6]

at com.adobe.granite.oauth.server.impl.OAuth2TokenEndpointServlet.doPost(OAuth2TokenEndpointServlet.java:183) [com.adobe.granite.oauth.server:1.1.26]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:644) [org.apache.felix.http.servlet-api:1.1.2]

at javax.servlet.http.HttpServlet.service(HttpServlet.java:725) [org.apache.felix.http.servlet-api:1.1.2]

Avatar

Level 10

Probably, you are missing required headers via POSTMAN. Make required config changes to CSRF and Sling Referrer Filter for testing via POSTMAN - allow empty headers for testing. Enable Postman Interceptor and check

Have you tested your setup with usual 3 legged config to rule out any configuration related issues?

Couple of examples --https://www.practicalaem.com/2016/02/02/using-oauth-authentication-in-aem/

https://www.practicalaem.com/2016/02/02/using-oauth-authentication-in-aem/

OAuth Server functionality in AEM - Embrace Federation and unleash your REST APIs!

Avatar

Level 4

Yes. I am trying 3 legged only now. Followin the steps here: https://www.albinsblog.com/2017/05/how-to-get-basic-profile-details-of-user-through-oauth.html#.XJHd...

Here the Receive the access token step is failing.  The post request to http://localhost:4502/oauth/token is failing from POSTMAN.

Avatar

Level 10

Could you please explain what step are you on based on the flow diagram @ Adobe Experience Manager Help | Developing OAuth Scopes in AEM

Did you pass correct parameters(grant_type, redirect_uri, client_id etc.) in POSTMAN?

Avatar

Level 4

After step 9  , While requesting for Access token , the post request is failing in POSTMAN. However as mentioned in the link that I have pointed out , I was able to generate the access token using curl command. So 3 legged flow is working as expected in AEM. However I tried 2 legged (client_credentials ). But got the below error.

1716932_pastedImage_0.png

Any pointers??  smacdonald2008kautuksahni

Regards,

Anand.

Avatar

Level 10

json format example-

curl --request POST \ --url 'https://YOUR_DOMAIN/oauth/token' \ --header 'content-type: application/json' \ --data '{"grant_type":"client_credentials","client_id": "YOUR_CLIENT_ID","client_secret": "YOUR_CLIENT_SECRET","audience": "YOUR_API_IDENTIFIER"}'

I don't see "POST" in your screenshot.

Avatar

Correct answer by
Level 4

Hello Gaurav, Confimed by checking  the bundle "OSGi Bundle for Granite OAuth Server" that only 2 grant types are supported by Adobe for token generation.

1. AUTHORIZATION_CODE

2. REFRESH_TOKEN

3. JWT_BEARER

Avatar

Level 1
Hi, just a question we are trying to implement oauth2 using client_credentials, is it already supported?

Avatar

Level 10

If that's the case, then you may reach out to DayCare and find out the reason/next steps.

Avatar

Level 4

Sure. Have already raised a ticket with Daycare

Avatar

Employee

Hi Anand,

As discussed, currently AEM do not support the client_credentials flow and internal discussions have triggered for including but there is no short-sighted plan to support it in the near future.

Regards.