How to get metadata of Dam Asset while accessing an asset through Asset API from 3rd party app

kpsolanki_1204

16-04-2021

I am using the JWT Bearer Token Server to Server Integration.

and trying to access the asset in AEM through the asset api endpoint from 3rd party application:

I am facing a few issues:

1. Every time a new access token is generated using the JWT Bearer and a call is made to access an asset, a new oauth user is generated. Is there a way to restrict this and only use one oauth user over multiple tokens?

2. The oauth user generated has only read permissions on content/dam assets, because of which I'm not getting the asset metadata in the response, as it requires either write/modify/all privileges. Is there a way we can add these generated oauth users to some group?

kpsolanki_1204

19-04-2021

Resolved!

The "oauthservice" user defines the privileges on the newly created oauth users when a request with an access token comes in.

Added the required privileges to the oauthservice system user on the desired path to help it assign the required ACLs to newly generated oauth users.

kautuk_sahni
@kpsolanki_1204, thank you for sharing the solution with the community. This would help in posterity. Looking forward to more contributions from SMEs like you.

Stuart-Downing
What were the required privileges? I tried adding jcr:all to /content/dam, but this wasn't sufficient. My HTTP Assets API requests return an empty metadata property. When logged into the instance, or using a local development token instead of JWT, metadata is populated. We are trialing AEM and using a consultant who suggested that perhaps our license doesn't support metadata in this context.

kpsolanki1204

@Stuart-Downing

So every time an access token is generated from AEM, a new user is generated which is a shadow of the "oauthservice" user and has similar permissions to it.

Points to check:

1. Are you providing the required permissions to the "oauthservice" user? If yes, check the new oauth user which gets generated and check if similar permissions are inherited by it.

2. Are you providing the required privileges at the correct path?

3. For accessing the metadata of a node, only the jcr:read privilege over the content node won't work. I had given additional jcr:write permission to the user for getting the metadata. You will need to add this scope in the "getPrivileges" method of the ScopeWithPrivileges implementation class as well.

Stuart-Downing
1. I have no insight into the user generation process you describe. Presumably this user "lives" as long as the lifespan of the access token returned by the JWT exchange process. After the exchange process, I searched the user/group lists for plausible candidates ("oauth", "api", "cloud", "integration") with no luck.

shelly-goel
@kpsolanki_1204 - It would be great if you could share the code to get the metadata with the JWT token and the required privileges on it. Additionally, where do you see the new oauth user getting generated with each call?