Oauth Consent Management Operations


This article explains how to perform OAuth consent management operations: approving user consent, revoking granted access for an OAuth client application, and listing the client applications whose consent the user has approved. These operations can be used from any custom end-user portal and are supported for all OAuth client applications.

Sample Query

Here is a sample query for performing consent management operations using the REST API; a few screenshots are also shared to help with viewing and performing the same operations through the UI. These operations apply only when "require user permissions per scope" is enabled.

User Consent Grant Endpoint

The scopes requested by the client application must be authorized by the user if the user has not already authorized them. This uses the authorization endpoint and requires a valid user session. The parameters below must be added to the authorization code/token request.

Grant Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz

HTTP Method: POST

Content-Type: application/x-www-form-urlencoded

Request URI Parameters:

Parameter: given_scopes
Required: Yes
Description: The list of scopes the user authorized, as JSON that is URL encoded and then Base64 encoded. Sample Value: <encoded given_scopes value, not preserved in this copy of the article>

The above sample is the encoding of this JSON: [{"scope":"profile","attributes":["website","birthdate","gender","profile","preferred_username","given_name","middle_name","locale","picture","zone_info","updated_at","nickname","name","family_name"]},{"scope":"testScope","attributes":["nickname"]},{"scope":"urn:netiq.com:nam:scope:oauth:registration:full","attributes":["add","modify","delete","read"]}]

This can be captured with Fiddler while making a sample request such as:
POST https://namapppragya.blr.novell.com/nidp/oauth/nam/authz?response_type=code&client_id=83028d3c-d039-4212-ae40-d3f9fa12d10c&redirect_uri=https://164.99.86.160/bajesh/oauth.php&scope=profile+openid+urn:netiq.com:nam:scope:oauth:registration:full+testScope&state=new HTTP/1.1

Parameter: accept
Required: Yes
Description: The value must be Accept

The other authorization endpoint parameters must also be present. Refer to Authorization Endpoint for more details.

 

Sample Request

URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz

Request Parameters: given_scopes=<encoded given_scopes value, not preserved in this copy of the article>&accept=Accept&response_type=code&client_id=83028d3c-d039-4212-ae40-d3f9fa12d10c&client_secret=r8RSXtoxQja7ELfM390f68xiD00-vuy_1jdJ7-2U5Urhpg0oF2MnPDw5_f1QxOBdLPH8hAuFOq1cNOxoordqug&redirect_uri=https://164.99.86.160/bajesh/oauth.php&scope=profile openid urn:netiq.com:nam:scope:oauth:registration:full testScope&state=new

Sample Response: HTTP Status 302, redirecting to

https://164.99.86.160/bajesh/oauth.php?code=/wEBAAICACCkTrG8riEJzYSj@rdbtp7BoDaROj/Pn2@Jam6MSVHPnpuX8SG9dYxHasVevTmeY...
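The following is an added example, not code from the article or from the NAM product, showing how a custom portal can build the given_scopes value and the consent form body for the grant endpoint above. The encoding order (JSON, then URL encoding, then Base64) follows the article's description; the article's own encoded sample value is not reproduced, so the decoder is used to round-trip the result instead. The client id, redirect URI and consent selection are constructed from the article's sample. The example leaves client_secret out: in standard OAuth the secret is presented at the token endpoint, not in a browser-facing authorization request. It also treats openid as needing no consent entry, because the article's sample omits it from given_scopes; that is an assumption.

```python
# Added example (not from the article): build given_scopes and the consent
# form body for POST /nidp/oauth/nam/authz. Encoding order JSON -> URL-encode
# -> Base64 follows the article's description of the parameter.
import base64
import json
import urllib.parse

# Constructed consent selection, mirroring the article's JSON sample.
SAMPLE_CONSENTS = [
    ("profile", ["website", "birthdate", "gender", "nickname", "name"]),
    ("testScope", ["nickname"]),
    ("urn:netiq.com:nam:scope:oauth:registration:full",
     ["add", "modify", "delete", "read"]),
]


def build_given_scopes(consents):
    """Encode [(scope, [attributes]), ...] as the given_scopes parameter value."""
    payload = [{"scope": scope, "attributes": list(attrs)} for scope, attrs in consents]
    raw_json = json.dumps(payload, separators=(",", ":"))
    # URL-encode first (safe="" so ':' and ',' are escaped as well), then Base64.
    url_encoded = urllib.parse.quote(raw_json, safe="")
    return base64.b64encode(url_encoded.encode("ascii")).decode("ascii")


def decode_given_scopes(value):
    """Reverse of build_given_scopes; handy for checking what a portal sends."""
    url_encoded = base64.b64decode(value).decode("ascii")
    return json.loads(urllib.parse.unquote(url_encoded))


def build_consent_form(client_id, redirect_uri, scopes, state, consents):
    """Return the x-www-form-urlencoded body for the consent grant POST.

    Only front-channel parameters are included: the client secret belongs at
    the token endpoint, not in a request that passes through the user's browser.
    """
    fields = {
        "given_scopes": build_given_scopes(consents),
        "accept": "Accept",  # literal value required by the endpoint
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
    }
    # urlencode percent-escapes the '+', '/' and '=' that Base64 output may contain.
    return urllib.parse.urlencode(fields)


def parse_form(body):
    """Decode a form body back into {name: value} (single-valued fields)."""
    return {k: v[0] for k, v in urllib.parse.parse_qs(body, strict_parsing=True).items()}


def missing_consents(consents, requested_scopes):
    """Requested scopes with no consent entry. openid is skipped on the
    assumption (from the article's sample) that it needs none."""
    granted = {scope for scope, _ in consents}
    return sorted(s for s in requested_scopes if s != "openid" and s not in granted)


if __name__ == "__main__":
    body = build_consent_form(
        client_id="83028d3c-d039-4212-ae40-d3f9fa12d10c",
        redirect_uri="https://164.99.86.160/bajesh/oauth.php",
        scopes=["profile", "openid", "urn:netiq.com:nam:scope:oauth:registration:full", "testScope"],
        state="new",
        consents=SAMPLE_CONSENTS,
    )
    print(body)
    print(decode_given_scopes(parse_form(body)["given_scopes"]))
```

The body returned by build_consent_form is what the portal POSTs with Content-Type application/x-www-form-urlencoded; missing_consents is a portal-side check that every non-openid scope the client asked for actually has a consent entry before the form is submitted.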

The page seen in the UI after the user accepts the consent is shown below.

To reach it, navigate through the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions.

[Screenshot 1.png: Manage App Permissions page]

User Consent Approved Clients List

This endpoint returns all client applications and scopes that the user has approved so far. Accessing it requires either a user login or an access token. The endpoint details are below.

Grant Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/

HTTP Method: GET

Sample Request using Access Token:

URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients

Authorization Header:
Bearer eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5IjoiSldUIiwiemlwIjoiREVGIiwia2lkIjoiMiJ9.hLzNTPnB6GUO3-yNJAeZR7M1Vmy_fz0r.MANr8ak7dwjvWEbo.XG9hFDQbB8zSTdpyu_2J18V.......

Sample Response:

HTTP Status 200

{"grants":[{"clientId":"83028d3c-d039-4212-ae40-d3f9fa12d10c","clientName":"Client_All_no_refresh_token","scopes":[{"name":"urn:netiq.com:nam:scope:oauth:registration:full","desc":"Full client registration capability including registering new clients, modify clients and delete.","claims":["add","modify","delete","read"]},{"name":"profile","desc":"Access your basic profile","claims":["website","birthdate","gender","profile","preferred_username","given_name","middle_name","locale","picture","zone_info","updated_at","nickname","name","family_name"]},{"name":"testScope","desc":"custom Scope for test purpose","claims":["nickname"]}]},{"clientId":"1c0453e6-899b-48bd-b4fe-b459c126b311","clientName":"Client_Refresh_Token_Auth_RO_flow","scopes":[{"name":"email","desc":"Access your email address","claims":["email_verified","email"]}]}]}


Sample Error Response:

HTTP Status 401

{"error": "oauth authentication required"}


The page seen in the UI for viewing the list of clients the user has approved is shown below.
To reach it, navigate through the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions -> click on a particular client application.

[Screenshot 2.png: approved client application details]

User Consent Revoke Endpoint

The scopes approved for a client by the user can be revoked using this endpoint. Accessing it requires either a user login or an access token. The endpoint details are below.

Grant Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/{clientId}, where {clientId} is the OAuth client application ID

HTTP Method: DELETE

Sample Request using Access Token:
URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/83028d3c-d039-4212-ae40-d3f9fa12d10c

Authorization Header:
Bearer eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5IjoiSldUIiwiemlwIjoiREVGIiwia2lkIjoiMiJ9.hLzNTPnB6GUO3-yNJAeZR7M1Vmy_fz0r.MANr8ak7dwjvWEbo.XG9hFDQbB8zSTdpyu_2J18V.......

Sample Response:

HTTP Status 200

{ "status": "success", "msg": "successfully revoked grants to clients" }
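The following is an added example, not code from the article or from the NAM product, that exercises the two account endpoints described in the previous sections: it parses the authzClients list response, finds which clients hold a given scope, builds the DELETE request for the revoke endpoint, and verifies after revocation that the client no longer appears in the list. The host name and bearer token are placeholders, the grants JSON is a trimmed copy of the article's sample response, and FakeIdentityServer is a constructed in-memory stand-in so the flow runs offline; against a real Identity Server the default urllib.request.urlopen transport is used instead.

```python
# Added example (not from the article): list, inspect and revoke user consent
# grants via /nidp/oauth/nam/account/authzClients using only the stdlib.
import json
import urllib.parse
import urllib.request

# Constructed from the article's sample list response (claims trimmed).
SAMPLE_LIST_RESPONSE = json.dumps({"grants": [
    {"clientId": "83028d3c-d039-4212-ae40-d3f9fa12d10c",
     "clientName": "Client_All_no_refresh_token",
     "scopes": [
         {"name": "urn:netiq.com:nam:scope:oauth:registration:full",
          "claims": ["add", "modify", "delete", "read"]},
         {"name": "profile", "claims": ["website", "birthdate", "nickname", "name"]},
         {"name": "testScope", "claims": ["nickname"]}]},
    {"clientId": "1c0453e6-899b-48bd-b4fe-b459c126b311",
     "clientName": "Client_Refresh_Token_Auth_RO_flow",
     "scopes": [{"name": "email", "claims": ["email_verified", "email"]}]},
]})


def parse_grants(body):
    """Map clientId -> {clientName, scopes: {scope name: [claims]}} from a list response."""
    data = json.loads(body)
    return {
        g["clientId"]: {
            "clientName": g.get("clientName", ""),
            "scopes": {s["name"]: list(s.get("claims", [])) for s in g.get("scopes", [])},
        }
        for g in data.get("grants", [])
    }


def clients_granted_scope(grants, scope_name):
    """clientIds whose approved grant includes scope_name (e.g. a high-privilege scope)."""
    return sorted(cid for cid, g in grants.items() if scope_name in g["scopes"])


def list_request(base_url, access_token):
    """GET .../authzClients with a bearer token."""
    url = base_url.rstrip("/") + "/nidp/oauth/nam/account/authzClients"
    return urllib.request.Request(url, headers={"Authorization": "Bearer " + access_token})


def revoke_request(base_url, client_id, access_token):
    """DELETE .../authzClients/{clientId}; the id is escaped so it cannot alter the path."""
    url = (base_url.rstrip("/") + "/nidp/oauth/nam/account/authzClients/"
           + urllib.parse.quote(client_id, safe=""))
    return urllib.request.Request(url, method="DELETE",
                                  headers={"Authorization": "Bearer " + access_token})


def revoke_and_verify(base_url, client_id, access_token, send=urllib.request.urlopen):
    """Revoke one client's grant, then confirm it is gone from the list.

    `send` takes a urllib Request and returns a response usable as a context
    manager; it is injectable so the flow can run without a server.
    """
    with send(revoke_request(base_url, client_id, access_token)) as resp:
        result = json.loads(resp.read().decode("utf-8"))
    if result.get("status") != "success":
        return False
    with send(list_request(base_url, access_token)) as resp:
        remaining = parse_grants(resp.read().decode("utf-8"))
    return client_id not in remaining


class _FakeResponse:
    def __init__(self, body):
        self.status = 200
        self._body = json.dumps(body).encode("utf-8")

    def read(self):
        return self._body

    def __enter__(self):
        return self

    def __exit__(self, *exc):
        return False


class FakeIdentityServer:
    """Constructed in-memory stand-in for the two endpoints (offline demo only)."""
    def __init__(self, list_body):
        self.grants = json.loads(list_body)["grants"]

    def __call__(self, req):
        if req.get_method() == "DELETE":
            cid = urllib.parse.unquote(req.full_url.rsplit("/", 1)[1])
            self.grants = [g for g in self.grants if g["clientId"] != cid]
            return _FakeResponse({"status": "success",
                                  "msg": "successfully revoked grants to clients"})
        return _FakeResponse({"grants": self.grants})


if __name__ == "__main__":
    server = FakeIdentityServer(SAMPLE_LIST_RESPONSE)  # swap for urlopen against a real IDP
    grants = parse_grants(SAMPLE_LIST_RESPONSE)
    target = "urn:netiq.com:nam:scope:oauth:registration:full"
    for cid in clients_granted_scope(grants, target):
        print(cid, grants[cid]["clientName"], "->",
              revoke_and_verify("https://idp.example.invalid", cid, "PLACEHOLDER_TOKEN", send=server))
```

The re-read after the DELETE is deliberate: a 200 with "status": "success" says the server accepted the request, while the follow-up list confirms the grant is actually gone, which is the check a portal or an audit script should rely on.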


The pages shown below revoke user consent through the UI.
To reach them, navigate through the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions -> click on a particular client -> click Revoke Access -> select OK.

[Screenshot 3.png: Revoke Access on the client application page]

[Screenshot 4.png: revoke confirmation dialog]
