Adobe Experience Manager Sites & More

Marcos_Paulode · 7/11/23

I'm trying to generate an access token, so i can GET persisted queries results from a 3rd party java application.

To test this access, i'm doing the following steps:

1- Create a local user on https://<author instance>/

ex: camel-integration

2- Allow jcr:read permissions form created user at "/" path

3- Login with local user

4- Register OAuth Client

https://<author instance>/libs/granite/oauth/content/clients.html

5- Download Private Key as store.p12

6- Extract private key

openssl pkcs12 -in store.p12 -passin pass:notasecret -nocerts -nodes -out store.private.key.txt

7- Generate a JWT Token:

https://jwt.io/

Header

{

"alg":"RS256",

"typ":"JWT"

}

Payload

{

"aud":"https://<author instance>/oauth/token",

"iss":"<Client Id of the OAuth Client created at step 3>",

"sub":"<local user name created at step 1>",

"exp":"<Current time in milliseconds + expiry>",

"iat":"<Current time in milliseconds>",

"scope":"profile",

"cty":"code"

}

Signature

<Extracted private key at step 5>,

8- Retrieve token from AEM

curl -H "Content-Type:application/x-www-form-urlencoded" -d "assertion=<JWT token from step 6>&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&redirect_uri=<redirect URI from step 3>&client_id=<client id from step 3>&client_secret=<client secret from step 3>" https://<author instance>/oauth/token

9- Test access

curl -H "Authorization:Bearer <token from step 7>" https://<author instance>/libs/oauth/profile

I have succeeded on my local environment, but getting 401 error code on a cloud dev environment.

Does any one knows why?

aanchal-sikka · 9/6/23

Hello @Marcos_Paulode

Please find below the link of the Blog where a java code snippet is available.

It generates JWT token, and then access token from Service account credentials.

https://techrevel.blog/2023/09/06/access-restricted-resources-on-aemaacs-with-java-and-service-accou...

It is the recommended way of authentication, when needed for GraphQL queries

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/a...

Aanchal Sikka

View solution in original post

Tanika02 · 7/11/23

@Marcos_Paulode -

Could you please double-check that you are using the correct credentials (username, password, client ID, client secret) for the cloud dev environment. Ensure that the username and client ID used in the JWT payload match the user and client created in the cloud dev environment.

Marcos_Paulode · 7/11/23

Yes, i have just checked.

ManviSharma · 7/11/23

Hi,

The 401 error you're encountering in your cloud dev environment indicates an authentication issue.

Verify OAuth Client configuration matches the one used during token generation.
Check token expiration to ensure it is still valid.
Validate the correctness of the token's signature and associated private key.
Verify the accuracy of the token retrieval request parameters.
Review cloud dev environment configuration and any additional security measures.
Check access permissions for the user account created.

Marcos_Paulode · 7/12/23

Verify OAuth Client configuration matches the one used during token generation. [Marcos] Checked
Check token expiration to ensure it is still valid. [Marcos] Checked
Validate the correctness of the token's signature and associated private key. [Marcos] Checked
Verify the accuracy of the token retrieval request parameters. [Marcos] Checked
Review cloud dev environment configuration and any additional security measures. [Marcos] What do you mean?
Check access permissions for the user account created.

Local env:
OAuht client user: 6an9gj0505sgicsj4o5dtb76u-imj8z0bl
Local user: mpma06

Cloud dev env:
OAyth client user: vs5khimemmmn4ttq02anuqs9ur-0_mutpe4
Local user: camel-integration

DPrakashRaj · 7/11/23

401 resolves to authentication error.

can you share the curl log that you are getting after executing the curl command on step9

Nikhil-Kumar · 7/12/23

It is caused when you don't have proper permissions, i would suggest you to re-check the permissions.

aanchal-sikka · 7/12/23

Hello @Marcos_Paulode

I would suggest to use AEM Service credentials to achieve the App-to-App integration.

Please refer to the detailed set up on https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/a...

The Oauth from https://developer.adobe.com/ is not supported in AEM currently.

Doubtful if OAuth from https://<author instance>/libs/granite/oauth/content/clients.html is a recommended way

Aanchal Sikka

aanchal-sikka · 9/6/23

Hello @Marcos_Paulode

Please find below the link of the Blog where a java code snippet is available.

It generates JWT token, and then access token from Service account credentials.

https://techrevel.blog/2023/09/06/access-restricted-resources-on-aemaacs-with-java-and-service-accou...

It is the recommended way of authentication, when needed for GraphQL queries

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/a...

Aanchal Sikka

Adobe Experience Manager Sites & More

GraphQL persisted queries - Access token for 3rd Party Application with OAuth Client

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe