Expand my Community achievements bar.

Guidelines for the Responsible Use of Generative AI in the Experience Cloud Community.

Simple OAuth client app that allows a user to authenticate against AEM 6.2 , get an Access Token and use it to fetch an Asset fails with 401 error: Why?

Avatar

Level 2

What we want to achieve is to make a simple OAuth client app that allows a user to authenticate against AEM 6.2, get an Access Token and use it to fetch an Asset.

I will try to describe what we have done so far.
In AEM we have created a new OAuth Client in page /libs/granite/oauth/content/clients.html, by setting Client ID, Secret and Return URL.
This information is used when redirecting from our custom app to the AEM authorize endpoint ( /oauth/authorize?client_id=...&scope=profile&response_type=code&redirect_uri=...&state=... ). This seems to  work fine; the page redirects to AEM log in page, the to the request authorization page, finally it redirects back to the app where the Authorization Code is exchanged for an Access Token, by making a POST request to the /oauth/token endpoint.
What it fails is the next step. When making a GET call to /libs/oauth/profile we get a 401 response. The request sets the Authorization header to Bearer {access token from previous step}, so it should authenticate; but for some reason it doesn't.

My first question is if there is any documentation about the OAuth endpoints in AEM related to what we want to implement. Maybe there is but it is not public?
Also, do we need to configure OAuth Client with Allowed Scopes? Is that why profile scope fails at the moment? If so, then how can we do this?
Moreover on defining scopes, our actual goal is to fetch an Asset (/api/assets/{uri to my DITA file}). What scope do we need for this? How does it work with permissions?
Finally, we use AEM 6.2, and Adobe Granite OAuth Resource Server (mentioned in the OAuth_Server_functionality_in_AEM 7 23 14.pdf file) is not listed in /system/console/configMgr

Resources we've used so far:

We also followed the steps described in this blog. The final call to get profile details fails. 

Thanks for any help you can provide.

5 Replies

Avatar

Level 1

Hi Mike,

I'm getting the same error (401) when making a GET call to /libs/oauth/profile.

In the error.log I can find the following message: 21.05.2017 16:48:49.119 *ERROR* [qtp2056596260-180] com.adobe.granite.auth.oauth.impl.BearerAuthenticationHandler createCredentials: invalid config: helper is null provider is null

Could you solve it in the meantime?

Thanks,
Samuel

Avatar

Level 1

Ok, I got it to work with the hint to edit the Adobe Granite OAuth Server Authentication Handler's service rank to 1100.

(Found here: https://github.com/Adobe-Marketing-Cloud/rest-api-browser/tree/master/java-api-proxy)

Avatar

Level 2

Hi Samuel,

Yes, setting rank to 1100 (I guess it means 'use this auth module first') worked, so I can get now profile details instead of the 401 failure response.

Next step is to change scope from 'profile' to '/content/dam' in order to fetch content. This gives me an error 'invalid_scope', which makes sense as the OAuth Client is not configured to allow this scope yet. Trying to configure it and on /system/console/configMgr I see no 'OAuth Resource Server' configurations. Also, if I browse to /system/console/configMgr/com.adobe.granite.oauth.server.impl.OAuth2ResourceServerImpl I will get this error message:

        
    

This form is automatically generated from existing properties because no property descriptors are available for this configuration. This may be cause by the absence of the OSGi Metatype Service or the absence of a MetaType descriptor for this configuration.

  


Does it mean that our installation is missing a module required for OAuth?

Thanks for any help you can give.

Mike

Avatar

Level 1

Hey Mike,

I am using AEM 6.1 SP1 in my project. I guess they renamed the OAuth Resource Server service in AEM 6.2. It's discussed in this thread: http://help-forums.adobe.com/content/adobeforums/en/experience-manager-forum/adobe-experience-manage...

Regards,

Samuel