As a first configuration step it looks like you need to set up an OAuth Granite Application and Provider configuration, using the Client ID and Provider ID created by your provider. Then save the Granite OAuth Authentication Handler to enable it (apparently you just have to save it with no configuration change, or add node info here, I think). https://aemcorner.com/adobe-granite-oauth-authentication-handler/
I have watched the presentation almost 10 times to get a solid understanding, and Antonia has confirmed that we have both server & client. In fact, the location to configure the client is [A]. If you have used Adobe Marketing Cloud (AMC) and AEM integration, the AMC itself is using the OAuth client. Documentation needs major improvement in this area; reach out to the official support channel for further detailed steps. You can make use of the Provider if additional information needs to be passed during the authorization process.
To give a little more context -- the client has the below functionality on a non-AEM system today and wants to migrate it to AEM. They are essentially simulating single sign on (but not in its true sense) to protect a sub-tree in the system using OAuth based authorization system.
Below are the details -
- For a sub-domain or a sub-directory (i.e., something.example.com or example.com/something) that maps to a landing page in the content tree (say /content/example/something/landing-page), if the user is not already authorized, he should be taken to a login screen on an enterprise system that is a NetIQ system.
- From there the user logs in using Corporate Credentials. The user is authenticated on the NetIQ system and it sends back an OAuth Token. AEM then validates that token and the user is then served the landing-page.
This example has a sample implementation of the OAuth Provider. Do you think this is the right approach for what I am trying to do?
Also, to clarify -- the use case for me is to use AEM as an OAuth client on the publish instances and not author instances.
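The gate described above (protected sub-tree, redirect unauthenticated users to the enterprise login, validate the returned token before serving the page) reduces to a small decision function. The following is an added illustration, not AEM's Granite OAuth handler or code from this thread: it stands in for the checks a token validator must make before trusting a token. The token format, the shared secret, the audience value, the client ID and the login URL are all placeholders; a real NetIQ-issued token would be validated against the provider's published keys, not a shared HMAC secret.

```python
import base64
import hashlib
import hmac
import json
from urllib.parse import urlencode

# Placeholders standing in for what the provider and client configuration would supply.
SHARED_SECRET = b"replace-with-provider-secret"      # hypothetical; real tokens are provider-signed
EXPECTED_AUDIENCE = "aem-publish"                     # hypothetical audience claim for this client
CLIENT_ID = "example-client-id"                       # hypothetical Client ID from the provider
LOGIN_URL = "https://login.example.com/authorize"     # hypothetical enterprise login endpoint
CALLBACK_URL = "https://example.com/callback"         # hypothetical redirect_uri registered at the provider
PROTECTED_PREFIXES = ("/content/example/something",)  # the sub-tree from the question


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(subject: str, audience: str, exp: int, secret: bytes = SHARED_SECRET) -> str:
    """Constructed stand-in for the provider: payload.signature with an HMAC-SHA256 tag."""
    payload = _b64url(json.dumps({"sub": subject, "aud": audience, "exp": exp}).encode())
    tag = _b64url(hmac.new(secret, payload.encode(), hashlib.sha256).digest())
    return payload + "." + tag


def validate_token(token: str, now: int, secret: bytes = SHARED_SECRET):
    """Return the subject if the token is authentic, meant for this client and unexpired, else None.

    Signature is checked first so that unauthenticated input is never parsed as claims.
    """
    try:
        payload_b64, tag_b64 = token.split(".")
        expected = hmac.new(secret, payload_b64.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _unb64url(tag_b64)):
            return None
        claims = json.loads(_unb64url(payload_b64))
    except (ValueError, TypeError):
        return None  # malformed token: wrong segment count, bad base64, bad JSON
    if claims.get("aud") != EXPECTED_AUDIENCE:
        return None  # token issued for some other client
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:
        return None  # missing or past expiry
    return claims.get("sub")


def is_protected(path: str) -> bool:
    """Exact match or a path strictly below a protected prefix; '/content/example/somethingelse' is not."""
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def handle_request(path: str, token, now: int):
    """Return ('serve', subject) or ('redirect', login_url) for one request to the publish tier."""
    if not is_protected(path):
        return ("serve", None)
    subject = validate_token(token, now) if token else None
    if subject is None:
        # In a real flow, remember the original path server-side and send a random,
        # session-bound 'state' value; both are omitted here to keep the gate itself visible.
        query = urlencode({"client_id": CLIENT_ID, "response_type": "code",
                           "redirect_uri": CALLBACK_URL})
        return ("redirect", LOGIN_URL + "?" + query)
    return ("serve", subject)


if __name__ == "__main__":
    good = mint_token("alice", EXPECTED_AUDIENCE, exp=2000)
    print(handle_request("/content/example/something/landing-page", good, now=1000))
    print(handle_request("/content/example/something/landing-page", None, now=1000))
```

The order of checks is the point: the signature is verified before any claim is read, then audience, then expiry. A token that passes only some of these (for example one minted for a different client, or one that has expired) is treated exactly like no token at all and the user is sent to the login screen.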