Your achievements

Level 1

0% to

Level 2

Tip /
Sign in

Sign in to Community

to gain points, level up, and earn exciting badges like the new
BedrockMission!

Learn more

View all

Sign in to view all badges

SOLVED

Checking Access Credentials within an action

ursboller
Community Advisor
Community Advisor

I want to check access credentials within an action of a firefly app. I can see the bearer token in the params, but how can I exctract any information about the user or access credentials? best would be to know what product profiles the user has to make a check against needed permissions. is there any way to retrieve more information about the user to which the bearer token belongs?

1 Accepted Solution
dr_venture
Correct answer by
Employee
Employee

You should be able to decode the bearer token and get the following 

{
  "id" : "1600361729831_7c314c691",
  "client_id" : "UDPWeb1",
  "user_id" : "8E5E47DA4706D5D@AdobeID",
  "state" : "{\"session\":\"https://ims-na1.adobelogin.com/ims/session/v1/ZjZmMWE3YTQtmRlLS04RTVFNDdEQTQ3MDZENUQ1OTYmVJRA\"}",
  "type" : "access_token",
  "as" : "ims-na1",
  "fg" : "UY6ROZRAVLPBL37QAP4======",
  "sid" : "1599771421938_-8d32-425e-815d-b734beb48abc_ue1",
  "moi" : "db01",
  "c" : "kg9B1xnV4UpPgkVi/gQ==",
  "expires_in" : "86400000",
  "scope" : "AdobeID,openid,adobeio_api,gnav,read_organizations,additional_info.projectedProductContext,unified_dev_portal,additional_info.roles,read_pc.dma_bullseye,session,adobeio.appregistry.read,adobeio.appregistry.write,sao.creative_cloud,account_cluster.read",
  "created_at" : "1600361729831"
}

The following libs will help you decode.
jwt-decode

njwt

 

The scopes property defines access granted to the token.  

 

There are also IMS apis you can call using the token to get information about the user.  

 

Also, I found this lib https://github.com/adobe/aio-lib-ims

It might help you out. 

 

 

 

View solution in original post

6 Replies
SarahXu
Level 3
Level 3

Hi @ursboller 

What level of access are you looking for? One way I can think of is to pass in the user profile (like product context) from client side as a param into your action, and have your action check that before executing anything. This way you can further restrict access based on user information. 

 

Sarah

dr_venture
Correct answer by
Employee
Employee

You should be able to decode the bearer token and get the following 

{
  "id" : "1600361729831_7c314c691",
  "client_id" : "UDPWeb1",
  "user_id" : "8E5E47DA4706D5D@AdobeID",
  "state" : "{\"session\":\"https://ims-na1.adobelogin.com/ims/session/v1/ZjZmMWE3YTQtmRlLS04RTVFNDdEQTQ3MDZENUQ1OTYmVJRA\"}",
  "type" : "access_token",
  "as" : "ims-na1",
  "fg" : "UY6ROZRAVLPBL37QAP4======",
  "sid" : "1599771421938_-8d32-425e-815d-b734beb48abc_ue1",
  "moi" : "db01",
  "c" : "kg9B1xnV4UpPgkVi/gQ==",
  "expires_in" : "86400000",
  "scope" : "AdobeID,openid,adobeio_api,gnav,read_organizations,additional_info.projectedProductContext,unified_dev_portal,additional_info.roles,read_pc.dma_bullseye,session,adobeio.appregistry.read,adobeio.appregistry.write,sao.creative_cloud,account_cluster.read",
  "created_at" : "1600361729831"
}

The following libs will help you decode.
jwt-decode

njwt

 

The scopes property defines access granted to the token.  

 

There are also IMS apis you can call using the token to get information about the user.  

 

Also, I found this lib https://github.com/adobe/aio-lib-ims

It might help you out. 

 

 

 

View solution in original post

ursboller
Community Advisor
Community Advisor
awesome, exactly what I was looking for! thanks a lot!!!
dr_venture
Employee
Employee
I edited it to point out the scopes property which might be of use to you.
ursboller
Community Advisor
Community Advisor
no, don't want to use the "scopes" property. I'll try to get information about a specific product profile. this would allow to manage all users (both real users as well as tech user accounts) in the adminconsole. my current idea is calling the "users/me" with the given token, then check "v2/usermanagement/ if user belongs to the desired product profile (which is set as .env variable)