Verify JWT Token - Registered OAuth Clients | Community
Level 2
August 18, 2021
Solved

Verify JWT Token - Registered OAuth Clients

  • August 18, 2021
  • 1 reply
  • 5320 views

I am looking for documentation on the correct approach/pattern for JWT OAuth validation when using the Registered OAuth Clients in AEM. I have searched the internet and I have not found any good examples of how to validate the JWT OAuth Registered Client token.


I understand the flow from a 3rd-party OAuth authentication server (i.e. Facebook, Google), but I am looking for the pattern when using the OOTB Registered OAuth Clients in AEM (/libs/granite/oauth/content/clients.html).


Can anyone please provide me with some direction or an approved validation pattern?

Best answer by AlbinIs1

@albinis1 Turns out I was overthinking the solution, but to be fair there is so little documentation on this pattern. Using the ScopeWithPrivileges does work as expected... with one issue. AEM returns a 404 when the token is not valid. Can this be modified to return a 404 if the resource is not found, and a 401 if the token is not valid?


@jarvis_cl_lukow - I never tried this, but it should be possible with some effort - extend the OAuth2ServerAuthenticationHandler.


The OAuth2ServerAuthenticationHandler is responsible for validating the token and sending the AuthenticationInfo object on successful validation/login (null response in case of validation/login failure). The class is available in the "Adobe Granite OAuth Server (com.adobe.granite.oauth.server)" bundle.


You can create a custom AuthenticationHandler (extend it and adjust the ranking) and respond with an Auth Fail status code from the extractCredentials method for token validation errors; currently extractCredentials responds with null for invalid tokens.


e.g.

    if (validAccessToken) {
        .......
    } else {
        // token validation failed: record the reason and signal an auth failure
        // instead of returning null (which would make the request anonymous)
        request.setAttribute("j_reason", "invalid_token");
        return AuthenticationInfo.FAIL_AUTH;
    }

Regards

Albin I

www.albinsblog.com
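The following is an added example of the pattern the answer above describes; it is not code from this thread, from Adobe, or from the Granite OAuth bundle. It is a stand-alone Sling AuthenticationHandler rather than a subclass of OAuth2ServerAuthenticationHandler, because that class's constructors and extension points are not shown on this page. The package name, the handler path, the service ranking value and the TokenValidator interface are all assumptions; the Sling constants (AuthenticationHandler.FAILURE_REASON is the "j_reason" attribute used in the answer, PATH_PROPERTY, TYPE_PROPERTY) and AuthenticationInfo.FAIL_AUTH are real Sling API. The key points it shows are: an absent token returns null (so other handlers or anonymous access can still apply), an invalid token returns FAIL_AUTH with a reason, and requestCredentials turns that failure into a 401 with an RFC 6750 WWW-Authenticate challenge instead of a login redirect.

```java
package com.example.aem.auth; // hypothetical package

import java.io.IOException;
import java.util.Optional;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.sling.auth.core.spi.AuthenticationHandler;
import org.apache.sling.auth.core.spi.AuthenticationInfo;
import org.osgi.framework.Constants;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.Reference;

/**
 * Added example (not from the thread or from Adobe): a Sling AuthenticationHandler
 * that answers an invalid bearer token with 401 instead of letting the request
 * fall through as anonymous, where an unreadable resource surfaces as 404.
 */
@Component(
    service = AuthenticationHandler.class,
    property = {
        AuthenticationHandler.PATH_PROPERTY + "=/content/api",   // assumed path scope
        AuthenticationHandler.TYPE_PROPERTY + "=Bearer",
        Constants.SERVICE_RANKING + ":Integer=1000"               // assumed; must outrank the OOTB handler
    })
public class StrictBearerAuthenticationHandler implements AuthenticationHandler {

    /** Hypothetical service: validates a JWT and returns the user it resolves to. */
    public interface TokenValidator {
        Optional<String> validate(String token);
    }

    @Reference
    private TokenValidator tokenValidator;

    @Override
    public AuthenticationInfo extractCredentials(HttpServletRequest request, HttpServletResponse response) {
        String header = request.getHeader("Authorization");
        if (header == null) {
            // No token presented: nothing for this handler to decide. Returning null
            // lets other handlers (or anonymous access) apply; "absent" is not "invalid".
            return null;
        }
        if (!header.regionMatches(true, 0, "Bearer ", 0, 7)) {
            // Wrong scheme on a bearer-only path: an auth failure, not "not found".
            request.setAttribute(AuthenticationHandler.FAILURE_REASON, "invalid_request");
            return AuthenticationInfo.FAIL_AUTH;
        }
        String token = header.substring(7).trim();
        Optional<String> userId = tokenValidator.validate(token);
        if (!userId.isPresent()) {
            // This is the branch from the answer: record j_reason and fail authentication
            // rather than returning null.
            request.setAttribute(AuthenticationHandler.FAILURE_REASON, "invalid_token");
            return AuthenticationInfo.FAIL_AUTH;
        }
        return new AuthenticationInfo("Bearer", userId.get());
    }

    @Override
    public boolean requestCredentials(HttpServletRequest request, HttpServletResponse response) throws IOException {
        // Sling calls this after FAIL_AUTH. An API client cannot use a login form,
        // so respond with 401 and a bearer challenge carrying the recorded reason.
        Object reason = request.getAttribute(AuthenticationHandler.FAILURE_REASON);
        String error = reason instanceof String ? (String) reason : "invalid_token";
        response.setHeader("WWW-Authenticate", "Bearer realm=\"aem\", error=\"" + error + "\"");
        response.sendError(HttpServletResponse.SC_UNAUTHORIZED);
        return true; // response fully handled
    }

    @Override
    public void dropCredentials(HttpServletRequest request, HttpServletResponse response) {
        // Bearer tokens are not stored server-side by this handler; nothing to drop.
    }
}
```

Why this separates 401 from 404: when a handler returns null for a bad token, Sling treats the request as unauthenticated and resolves the path with the anonymous session; a resource the anonymous user cannot read is simply not visible to that session, which is what produces the 404 the asker sees. Returning FAIL_AUTH before resolution happens, and sending 401 from requestCredentials, keeps "bad credentials" and "resource not found" as distinct outcomes. Keep the handler's path scope as narrow as the token-protected API, since any request under that path carrying a malformed Authorization header will now get 401 rather than falling back to other handlers.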

1 reply

Community Advisor
August 19, 2021
Level 2
August 19, 2021

Thanks. I have read this. But I'll have a read through it again... this time in more detail.
Thanks again

Level 2
August 20, 2021

@albinis1 Turns out I was overthinking the solution, but to be fair there is so little documentation on this pattern. Using the ScopeWithPrivileges does work as expected... with one issue. AEM returns a 404 when the token is not valid. Can this be modified to return a 404 if the resource is not found, and a 401 if the token is not valid?