Adobe Developer

Urs_Boller · 9/17/20

I want to check access credentials within an action of a firefly app. I can see the bearer token in the params, but how can I exctract any information about the user or access credentials? best would be to know what product profiles the user has to make a check against needed permissions. is there any way to retrieve more information about the user to which the bearer token belongs?

dr_venture · 9/17/20

You should be able to decode the bearer token and get the following

{
  "id" : "1600361729831_7c314c691",
  "client_id" : "UDPWeb1",
  "user_id" : "8E5E47DA4706D5D@AdobeID",
  "state" : "{\"session\":\"https://ims-na1.adobelogin.com/ims/session/v1/ZjZmMWE3YTQtmRlLS04RTVFNDdEQTQ3MDZENUQ1OTYmVJRA\"}",
  "type" : "access_token",
  "as" : "ims-na1",
  "fg" : "UY6ROZRAVLPBL37QAP4======",
  "sid" : "1599771421938_-8d32-425e-815d-b734beb48abc_ue1",
  "moi" : "db01",
  "c" : "kg9B1xnV4UpPgkVi/gQ==",
  "expires_in" : "86400000",
  "scope" : "AdobeID,openid,adobeio_api,gnav,read_organizations,additional_info.projectedProductContext,unified_dev_portal,additional_info.roles,read_pc.dma_bullseye,session,adobeio.appregistry.read,adobeio.appregistry.write,sao.creative_cloud,account_cluster.read",
  "created_at" : "1600361729831"
}

The following libs will help you decode.
jwt-decode

njwt

The scopes property defines access granted to the token.

There are also IMS apis you can call using the token to get information about the user.

Also, I found this lib https://github.com/adobe/aio-lib-ims

It might help you out.

View solution in original post

SarahXu · 9/17/20

Hi @Urs_Boller

What level of access are you looking for? One way I can think of is to pass in the user profile (like product context) from client side as a param into your action, and have your action check that before executing anything. This way you can further restrict access based on user information.

Sarah

dr_venture · 9/17/20

You should be able to decode the bearer token and get the following

{
  "id" : "1600361729831_7c314c691",
  "client_id" : "UDPWeb1",
  "user_id" : "8E5E47DA4706D5D@AdobeID",
  "state" : "{\"session\":\"https://ims-na1.adobelogin.com/ims/session/v1/ZjZmMWE3YTQtmRlLS04RTVFNDdEQTQ3MDZENUQ1OTYmVJRA\"}",
  "type" : "access_token",
  "as" : "ims-na1",
  "fg" : "UY6ROZRAVLPBL37QAP4======",
  "sid" : "1599771421938_-8d32-425e-815d-b734beb48abc_ue1",
  "moi" : "db01",
  "c" : "kg9B1xnV4UpPgkVi/gQ==",
  "expires_in" : "86400000",
  "scope" : "AdobeID,openid,adobeio_api,gnav,read_organizations,additional_info.projectedProductContext,unified_dev_portal,additional_info.roles,read_pc.dma_bullseye,session,adobeio.appregistry.read,adobeio.appregistry.write,sao.creative_cloud,account_cluster.read",
  "created_at" : "1600361729831"
}

The following libs will help you decode.
jwt-decode

njwt

The scopes property defines access granted to the token.

There are also IMS apis you can call using the token to get information about the user.

Also, I found this lib https://github.com/adobe/aio-lib-ims

It might help you out.

Urs_Boller · 9/17/20

awesome, exactly what I was looking for! thanks a lot!!!

dr_venture · 9/17/20

I edited it to point out the scopes property which might be of use to you.

Urs_Boller · 9/17/20

no, don't want to use the "scopes" property. I'll try to get information about a specific product profile. this would allow to manage all users (both real users as well as tech user accounts) in the adminconsole. my current idea is calling the "users/me" with the given token, then check "v2/usermanagement/ if user belongs to the desired product profile (which is set as .env variable)

dr_venture · 9/17/20

that is cool. Should work nicely

Adobe Developer

Checking Access Credentials within an action

Learn

Documentation

Community

Support

Resources

Adobe account

Adobe