SOLVED

GraphQL persisted queries - Access token for 3rd Party Application with OAuth Client


Level 1

I'm trying to generate an access token, so I can GET persisted query results from a 3rd-party Java application.

To test this access, I'm doing the following steps:

1- Create a local user on https://<author instance>/

ex: camel-integration

2- Allow jcr:read permissions for the created user at the "/" path

3- Login with local user

4- Register OAuth Client

https://<author instance>/libs/granite/oauth/content/clients.html

5- Download Private Key as store.p12

6- Extract private key

openssl pkcs12 -in store.p12 -passin pass:notasecret -nocerts -nodes -out store.private.key.txt

7- Generate a JWT Token:

https://jwt.io/

Header

{
  "alg": "RS256",
  "typ": "JWT"
}

Payload

{
  "aud": "https://<author instance>/oauth/token",
  "iss": "<Client Id of the OAuth Client created at step 3>",
  "sub": "<local user name created at step 1>",
  "exp": "<Current time in milliseconds + expiry>",
  "iat": "<Current time in milliseconds>",
  "scope": "profile",
  "cty": "code"
}

Signature

<Extracted private key at step 5>,
<Extracted private key at step 5>

8- Retrieve token from AEM

curl -H "Content-Type:application/x-www-form-urlencoded" -d "assertion=<JWT token from step 6>&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&redirect_uri=<redirect URI from step 3>&client_id=<client id from step 3>&client_secret=<client secret from step 3>" https://<author instance>/oauth/token

9- Test access

curl -H "Authorization:Bearer <token from step 7>" https://<author instance>/libs/oauth/profile

 

I have succeeded in my local environment, but I'm getting a 401 error code in a cloud dev environment.

Does anyone know why?
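The assertion side of steps 7 and 8 in Go, added here as an example; it is not the poster's Java application, the blog snippet linked below, or AEM's own code. It assumes a freshly generated RSA key in place of the key extracted from store.p12 and constructed aud/iss/sub values, encodes exp and iat as numeric epoch seconds (RFC 7519 NumericDate) rather than the quoted placeholders in the post, and adds the local check a practitioner runs on an assertion before sending it: signature, audience and expiry are rejected by any token endpoint, so a 401 caused by one of them reproduces the same way against every environment.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
	"strings"
)
var b64 = base64.RawURLEncoding // JWT segments are unpadded base64url, not plain base64
// NewClientKey stands in for the key extracted from store.p12 in step 6 so the example runs offline.
func NewClientKey() (*rsa.PrivateKey, error) { return rsa.GenerateKey(rand.Reader, 2048) }
// BuildAssertion signs header.payload with RS256 as jwt.io does in step 7; exp/iat are int64 epoch seconds (RFC 7519).
func BuildAssertion(key *rsa.PrivateKey, claims map[string]any) (string, error) {
	body, _ := json.Marshal(claims) // string and int64 values always marshal
	input := b64.EncodeToString([]byte(`{"alg":"RS256","typ":"JWT"}`)) + "." + b64.EncodeToString(body)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64.EncodeToString(sig), nil
}
// VerifyAssertion replays, with the client's public key, what a token endpoint checks before issuing anything:
// signature, audience and expiry (now is Unix seconds). A failure here is a client-side cause of a 401.
func VerifyAssertion(pub *rsa.PublicKey, token, wantAud string, now int64) (map[string]any, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, fmt.Errorf("malformed JWT: %d segments, want 3", len(parts))
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	sig, err := b64.DecodeString(parts[2])
	if err != nil || rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) != nil {
		return nil, fmt.Errorf("signature does not verify with this client's key")
	}
	claims := map[string]any{}
	if body, _ := b64.DecodeString(parts[1]); json.Unmarshal(body, &claims) != nil {
		return nil, fmt.Errorf("payload is not a JSON object")
	}
	if claims["aud"] != wantAud {
		return nil, fmt.Errorf("aud %v is not the token endpoint of the instance being called", claims["aud"])
	}
	if exp, _ := claims["exp"].(float64); float64(now) >= exp { // a quoted exp decodes as a string, so 0 here
		return nil, fmt.Errorf("assertion expired or exp not numeric (exp=%v, now=%d)", claims["exp"], now)
	}
	return claims, nil
}
```

The returned string is what goes into the `assertion=` form field of the step 8 curl; the aud check is where an assertion minted for the local instance and replayed against the cloud dev instance fails.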

1 Accepted Solution


Correct answer by
Community Advisor

Hello @Marcos_Paulode

Please find below the link to the blog where a Java code snippet is available.

It generates a JWT token, and then an access token, from service account credentials.

https://techrevel.blog/2023/09/06/access-restricted-resources-on-aemaacs-with-java-and-service-accou...

It is the recommended way of authentication when needed for GraphQL queries:

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/a...


Aanchal Sikka


8 Replies


Community Advisor

@Marcos_Paulode - 

 

Could you please double-check that you are using the correct credentials (username, password, client ID, client secret) for the cloud dev environment? Ensure that the username and client ID used in the JWT payload match the user and client created in the cloud dev environment.


Employee Advisor

Hi,

 

The 401 error you're encountering in your cloud dev environment indicates an authentication issue. 

  1. Verify OAuth Client configuration matches the one used during token generation.
  2. Check token expiration to ensure it is still valid.
  3. Validate the correctness of the token's signature and associated private key.
  4. Verify the accuracy of the token retrieval request parameters.
  5. Review cloud dev environment configuration and any additional security measures.
  6. Check access permissions for the user account created.
 


Level 1
  1. Verify OAuth Client configuration matches the one used during token generation. [Marcos] Checked
  2. Check token expiration to ensure it is still valid. [Marcos] Checked
  3. Validate the correctness of the token's signature and associated private key. [Marcos] Checked
  4. Verify the accuracy of the token retrieval request parameters. [Marcos] Checked
  5. Review cloud dev environment configuration and any additional security measures. [Marcos] What do you mean?
  6. Check access permissions for the user account created.

Local env:
OAuth client user: 6an9gj0505sgicsj4o5dtb76u-imj8z0bl
Local user: mpma06

Cloud dev env:
OAuth client user: vs5khimemmmn4ttq02anuqs9ur-0_mutpe4
Local user: camel-integration


Community Advisor

A 401 resolves to an authentication error.

Can you share the curl log that you are getting after executing the curl command in step 9?


Community Advisor

It is caused when you don't have the proper permissions; I would suggest you re-check the permissions.


Community Advisor

Hello @Marcos_Paulode 

 

I would suggest using AEM service credentials to achieve the app-to-app integration.

Please refer to the detailed setup on https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/a...

The OAuth from https://developer.adobe.com/ is not currently supported in AEM.

I'm doubtful whether OAuth from https://<author instance>/libs/granite/oauth/content/clients.html is a recommended way.


Aanchal Sikka
