GraphQL persisted queries - Access token for 3rd Party Application with OAuth Client | Community
Solved

GraphQL persisted queries - Access token for 3rd Party Application with OAuth Client

  • July 11, 2023
  • 5 replies
  • 2103 views

I'm trying to generate an access token, so I can GET persisted query results from a 3rd party Java application.

To test this access, I'm doing the following steps:

1- Create a local user on https://<author instance>/

ex: camel-integration

2- Allow jcr:read permissions for the created user at the "/" path

3- Login with local user

4- Register OAuth Client

https://<author instance>/libs/granite/oauth/content/clients.html

5- Download Private Key as store.p12

6- Extract private key

openssl pkcs12 -in store.p12 -passin pass:notasecret -nocerts -nodes -out store.private.key.txt

7- Generate a JWT Token:

https://jwt.io/

Header

{
  "alg": "RS256",
  "typ": "JWT"
}

Payload

{
  "aud": "https://<author instance>/oauth/token",
  "iss": "<Client Id of the OAuth Client created at step 3>",
  "sub": "<local user name created at step 1>",
  "exp": "<Current time in milliseconds + expiry>",
  "iat": "<Current time in milliseconds>",
  "scope": "profile",
  "cty": "code"
}

Signature

<Extracted private key at step 5>,
<Extracted private key at step 5>

8- Retrieve token from AEM

curl -H "Content-Type:application/x-www-form-urlencoded" -d "assertion=<JWT token from step 6>&grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&redirect_uri=<redirect URI from step 3>&client_id=<client id from step 3>&client_secret=<client secret from step 3>" https://<author instance>/oauth/token

9- Test access

curl -H "Authorization:Bearer <token from step 7>" https://<author instance>/libs/oauth/profile

I have succeeded on my local environment, but I am getting a 401 error code on a cloud dev environment.

Does anyone know why?
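The steps 6 to 9 above, carried out in one program instead of openssl, jwt.io and curl, as an added example (this is not code from the post, from Adobe, or from the linked blog). It parses the PEM key that `openssl pkcs12 -nocerts -nodes` writes, signs the same header and payload with RS256, sends the `jwt-bearer` grant to `/oauth/token` and returns the access token; a non-200 answer from the token endpoint is reported together with the response body, which is where a 401 normally carries the server's own reason. The host, client id, client secret, redirect URI, user name and key path are command-line arguments (placeholders, not values from the post), the 300-second lifetime is an arbitrary choice, and `exp`/`iat` are written as seconds since the Unix epoch because that is what RFC 7519 defines for NumericDate claims.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// Claims mirrors the payload the post builds on jwt.io; exp and iat are
// NumericDate values, i.e. seconds since the Unix epoch (RFC 7519).
type Claims struct {
	Aud   string `json:"aud"`
	Iss   string `json:"iss"`
	Sub   string `json:"sub"`
	Exp   int64  `json:"exp"`
	Iat   int64  `json:"iat"`
	Scope string `json:"scope"`
	Cty   string `json:"cty"`
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// ParsePrivateKey reads the PEM written by `openssl pkcs12 -nocerts -nodes`
// (PKCS#8, "PRIVATE KEY"); a PKCS#1 "RSA PRIVATE KEY" block is accepted too.
func ParsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, errors.New("no PEM block found in key file")
	}
	if k, err := x509.ParsePKCS8PrivateKey(block.Bytes); err == nil {
		if rsaKey, ok := k.(*rsa.PrivateKey); ok {
			return rsaKey, nil
		}
		return nil, errors.New("PKCS#8 key is not an RSA key")
	}
	return x509.ParsePKCS1PrivateKey(block.Bytes)
}

// BuildAssertion produces the RS256 JWT of step 7:
// base64url(header).base64url(payload).base64url(RSASSA-PKCS1-v1_5 over SHA-256).
func BuildAssertion(key *rsa.PrivateKey, c Claims) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	payload, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64url(header) + "." + b64url(payload)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// TokenRequestForm is the x-www-form-urlencoded body of the step 8 curl call.
func TokenRequestForm(assertion, clientID, clientSecret, redirectURI string) url.Values {
	return url.Values{
		"grant_type":    {"urn:ietf:params:oauth:grant-type:jwt-bearer"},
		"assertion":     {assertion},
		"client_id":     {clientID},
		"client_secret": {clientSecret},
		"redirect_uri":  {redirectURI},
	}
}

// ParseTokenResponse returns access_token, or an error that keeps the HTTP
// status and body so a 401 shows the token endpoint's own error reason.
func ParseTokenResponse(status int, body []byte) (string, error) {
	if status != http.StatusOK {
		return "", fmt.Errorf("token endpoint returned HTTP %d: %s", status, strings.TrimSpace(string(body)))
	}
	var r struct {
		AccessToken string `json:"access_token"`
	}
	if err := json.Unmarshal(body, &r); err != nil {
		return "", fmt.Errorf("token response is not JSON: %w", err)
	}
	if r.AccessToken == "" {
		return "", errors.New("token response has no access_token")
	}
	return r.AccessToken, nil
}

// FetchAccessToken POSTs the form to https://<author instance>/oauth/token.
func FetchAccessToken(client *http.Client, tokenURL string, form url.Values) (string, error) {
	resp, err := client.PostForm(tokenURL, form)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	return ParseTokenResponse(resp.StatusCode, body)
}

func check(err error) {
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
}

func main() {
	if len(os.Args) != 7 { // all six values are placeholders supplied by the caller
		fmt.Fprintln(os.Stderr, "usage: host client_id client_secret redirect_uri user store.private.key.txt")
		os.Exit(2)
	}
	host, clientID, clientSecret, redirectURI, user := os.Args[1], os.Args[2], os.Args[3], os.Args[4], os.Args[5]
	pemBytes, err := os.ReadFile(os.Args[6])
	check(err)
	key, err := ParsePrivateKey(pemBytes)
	check(err)
	now := time.Now().Unix()
	tokenURL := "https://" + host + "/oauth/token"
	assertion, err := BuildAssertion(key, Claims{Aud: tokenURL, Iss: clientID, Sub: user,
		Exp: now + 300, Iat: now, Scope: "profile", Cty: "code"})
	check(err)
	token, err := FetchAccessToken(http.DefaultClient, tokenURL,
		TokenRequestForm(assertion, clientID, clientSecret, redirectURI))
	check(err) // a 401 here prints the token endpoint's error body, not just the code
	fmt.Println(token)
}
```

Running it against the local and the cloud dev instance with the same arguments, and comparing the two error bodies, narrows a 401 down to either the assertion (wrong `iss`/`sub`, expired `exp`, key not matching the registered client) or the form fields (`client_id`, `client_secret`, `redirect_uri`), which is the distinction the checklist in the replies is asking for.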


5 replies

Tanika02
Level 7
July 11, 2023

@marcos_paulode - 

 

Could you please double-check that you are using the correct credentials (username, password, client ID, client secret) for the cloud dev environment. Ensure that the username and client ID used in the JWT payload match the user and client created in the cloud dev environment.

July 11, 2023

Yes, I have just checked.

ManviSharma
Adobe Employee
July 11, 2023

Hi,

 

The 401 error you're encountering in your cloud dev environment indicates an authentication issue. 

  1. Verify OAuth Client configuration matches the one used during token generation.
  2. Check token expiration to ensure it is still valid.
  3. Validate the correctness of the token's signature and associated private key.
  4. Verify the accuracy of the token retrieval request parameters.
  5. Review cloud dev environment configuration and any additional security measures.
  6. Check access permissions for the user account created.
 
July 12, 2023
  1. Verify OAuth Client configuration matches the one used during token generation. [Marcos] Checked
  2. Check token expiration to ensure it is still valid. [Marcos] Checked
  3. Validate the correctness of the token's signature and associated private key. [Marcos] Checked
  4. Verify the accuracy of the token retrieval request parameters. [Marcos] Checked
  5. Review cloud dev environment configuration and any additional security measures. [Marcos] What do you mean?
  6. Check access permissions for the user account created.

Local env:
OAuth client user: 6an9gj0505sgicsj4o5dtb76u-imj8z0bl
Local user: mpma06

Cloud dev env:
OAuth client user: vs5khimemmmn4ttq02anuqs9ur-0_mutpe4
Local user: camel-integration

DPrakashRaj
Community Advisor
July 11, 2023

401 resolves to an authentication error.

Can you share the curl log that you are getting after executing the curl command in step 9?

Nikhil-Kumar
Community Advisor
July 12, 2023

It is caused when you don't have proper permissions; I would suggest you re-check the permissions.

aanchal-sikka
Community Advisor
July 12, 2023

Hello @marcos_paulode 

 

I would suggest using AEM Service credentials to achieve the App-to-App integration.

Please refer to the detailed set up on https://experienceleague.adobe.com/docs/experience-manager-learn/getting-started-with-aem-headless/authentication/overview.html?lang=en

 

The Oauth from https://developer.adobe.com/ is not supported in AEM currently.

 

It is doubtful whether OAuth from https://<author instance>/libs/granite/oauth/content/clients.html is a recommended way.

Aanchal Sikka
aanchal-sikka
Community Advisor
Accepted solution
September 6, 2023

Hello @marcos_paulode 

 

 

Please find below the link to the blog where a Java code snippet is available.

It generates a JWT token, and then an access token, from Service account credentials.

https://techrevel.blog/2023/09/06/access-restricted-resources-on-aemaacs-with-java-and-service-accounts/

It is the recommended way of authentication when needed for GraphQL queries:

https://experienceleague.adobe.com/docs/experience-manager-cloud-service/content/headless/security/authentication.html?lang=en

Aanchal Sikka