Identity Application Rest API Authentication

Hi, I am new to the Identity App and Rest APIs. I am attempting to access the /osp/a/idm/auth/oauth2/grant URL to obtain an access token. I am using the PowerShell Invoke-WebRequest command to make the call and I keep getting a 401 Unauthorized error. I am guessing I have the wrong credentials entered but I am not sure where to configure or find the credentials. Any advice would be appreciated.

Documentation I have been using:
https://www.netiq.com/documentation/identity-manager-developer/rest-api-documentation/idmappsdoc/#/Access
  • I managed to make some progress. I was not adding the Authorization header. Adding that header got me to a new error page "NetIQ Access Error". I imagine it is some kind of permissions configuration but I have not yet found the answer.
  • Hi,

    Usually I use the "insomnia" third-party tool to test IDM REST connections and requests.

    Here is an extract of my request to get the token:

    curl --request POST \
    --url http://win-idm2.demo.com:8080/osp/a/idm/auth/oauth2/grant/ \
    --header 'accept: application/json' \
    --header 'accept-charset: UTF-8' \
    --header 'authorization: Basic cmJwbTpub3ZlbGw=' \
    --header 'content-type: application/x-www-form-urlencoded' \
    --cookie netiq_idm_rbpm_acsrf=0dc0efbb-20b3-41ad-a4ab-d828fd3936db \
    --data 'grant_type=password'
  • This information is very helpful, unfortunately I am still getting the NetIQ Access Error page in response. The OSP logs are throwing an IllegalArgumentException "Illegal base64" Java error.
  • Are you able to get the token from the first POST request?
  • Yes, last night I finally figured out what was hanging things up. As expected it was bad credentials. Once I was able to get the correct password for rbpm, I was able to obtain a token using the curl command similar to yours above. Again I really appreciate you lining that out. Unfortunately now I am running into a 401 Access Denied error when trying to run the second curl command you sent. I used rbpm to get the token and included the uaadmin account in the body of the call. So I am trying to work through that issue now. Also a helpful tip to anyone troubleshooting this process: check out the localhost_access_log file under the Tomcat logs; it will actually show API call attempts. The curl command wasn't returning useful information, but this log will give you the client IP, the call that was passed, the time, and the HTTP code returned. In my case it's a 401.
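Added example (not code from the thread) for the troubleshooting tip above: a PowerShell script that summarises the calls and HTTP status codes recorded in Tomcat's localhost_access_log, so you can see at a glance which endpoint is answering 401. It assumes the log uses Tomcat's default "common" access-log pattern (`client-ip - - [timestamp] "METHOD URI PROTOCOL" status bytes`); the log path and the sample lines are constructed placeholders, and the REST path in the sample is made up, not the real endpoint.

```powershell
# Added example, not from the thread. Assumes Tomcat's default "common" log pattern.
$logPath = 'C:\path\to\tomcat\logs\localhost_access_log.2024-01-01.txt'   # placeholder path

# Constructed sample lines so the script runs offline. Against a real server use:
#   $lines = Get-Content $logPath
$lines = @'
10.0.0.5 - - [01/Jan/2024:09:15:02 +0000] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 401 -
10.0.0.5 - - [01/Jan/2024:09:16:40 +0000] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 200 1342
10.0.0.5 - - [01/Jan/2024:09:17:01 +0000] "GET /example/rest/resources HTTP/1.1" 401 -
10.0.0.9 - - [01/Jan/2024:09:18:33 +0000] "POST /osp/a/idm/auth/oauth2/grant HTTP/1.1" 400 89
'@ -split '\r?\n'

# One named group per field we care about: client IP, timestamp, method, URI, status code.
$pattern = '^(?<ip>\S+) \S+ \S+ \[(?<ts>[^\]]+)\] "(?<method>\S+) (?<uri>\S+)[^"]*" (?<status>\d{3}) (?<bytes>\S+)'

$entries = foreach ($line in $lines) {
    if ($line -match $pattern) {
        [pscustomobject]@{
            Time   = $Matches.ts
            Client = $Matches.ip
            Method = $Matches.method
            Uri    = $Matches.uri
            Status = [int]$Matches.status
        }
    }
}

# Every parsed request, in log order, with the code Tomcat returned.
$entries | Format-Table Time, Client, Method, Uri, Status -AutoSize

# Only the failures (4xx/5xx), counted per client, endpoint and status.
# A 401 on /osp/.../grant means the token request itself was refused;
# a 401 on a later REST call means the token was not accepted there.
$entries | Where-Object Status -ge 400 |
    Group-Object Client, Method, Uri, Status |
    Select-Object Count, Name |
    Sort-Object Count -Descending |
    Format-Table -AutoSize
```

Run it with the real `Get-Content $logPath` line uncommented; the second table separates "could not get a token" failures from "token rejected by the API" failures, which is the distinction the rest of this thread turns on.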
  • stampsr;2494686 wrote:
    Yes, last night I finally figured out what was hanging things up. As expected it was bad credentials. Once I was able to get the correct password for rbpm, I was able to obtain a token using the curl command similar to yours above. Again I really appreciate you lining that out. Unfortunately now I am running into a 401 Access Denied error when trying to run the second curl command you sent. I used rbpm to get the token and included the uaadmin account in the body of the call. So I am trying to work through that issue now. Also a helpful tip to anyone troubleshooting this process: check out the localhost_access_log file under the Tomcat logs; it will actually show API call attempts. The curl command wasn't returning useful information, but this log will give you the client IP, the call that was passed, the time, and the HTTP code returned. In my case it's a 401.

    Once you have the token, you must send your request with an "Authorization" header containing the exact text "Bearer <token>", as per my example:

    curl --request GET \
    --url 'win-idm2.demo.com:8080/.../resources' \
    --header 'authorization: Bearer eH8AIGgaLNxJ6ofJ/sxDPNv3PZrWsVrTp5xU@btuYbu54qYoI5mSBk4znR0cCwnHO2b9iamiNxUpxfvYKiYQu13DniTrbOur7N8o4Z8O5dIq2sDtw9wrOQUIba@rHKK54efOtkH25nEL5tuF8cezxNSurTkjv3KsBbUePJuezUQBnGVy@jrOeDJp1cWIxwKm2@Tw9bL6zIc0yqUctYbkJjs02IEVQLq6LGTO26vyujl6Lb/W' \
    --header 'content-type: application/json' \
  • Yes, I had included my token and the headers as you had mentioned. I am wondering if something is misconfigured somewhere.
  • Opened a support ticket on this one. I will update if we are able to find a solution.
  • I am seemingly stuck as well. I am able to see the different errors in the body of the response. For a user that doesn't exist I get a 400 '{"error":"invalid_grant","error_description":"No principal found.","sub_error":"noprincipal"}'. For a good password or a bad password, I get a 401 '{"error":"invalid_client"}'.
  • I found my error for the Authentication. I was using the same credentials for both the Header and the Body. After looking closer, I needed to use the OSP credential for the Header, and the user credential for the Body. Read the Manual issue... doh!!!
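Added example (not code from the thread or from NetIQ) putting the thread's conclusions together for Invoke-RestMethod, since the original question used PowerShell: the OSP client credential goes in the `Authorization: Basic` header of the grant request, the user's credential goes in the form body, and the returned token goes in an `Authorization: Bearer` header on every later API call. Assumptions, all placeholders rather than values from the thread: the host name, the OSP client secret, the user's password, the resource URL, and the response field name `access_token` (the standard OAuth2 name; check the JSON your OSP actually returns).

```powershell
# Added example, not from the thread. Placeholders: host, secrets, resource URL.
$base        = 'http://idm.example.com:8080'      # placeholder host
$ospClientId = 'rbpm'                              # OSP client id used in the thread
$userName    = 'uaadmin'                           # user the token is issued for
$resourceUrl = "$base/path/to/resources"           # placeholder: the REST endpoint you need

# Read both secrets interactively rather than hard-coding them in the script.
$ospSecret = Read-Host "Secret for OSP client '$ospClientId'"
$userPass  = Read-Host "Password for user '$userName'"

# Step 1: the Basic header carries the OSP *client* credential, base64("<id>:<secret>").
# ${ } braces keep PowerShell from reading "$ospClientId:" as a drive/scope qualifier.
$basic = [Convert]::ToBase64String(
    [Text.Encoding]::UTF8.GetBytes("${ospClientId}:${ospSecret}"))

try {
    # The hashtable body is form-encoded by Invoke-RestMethod for a POST;
    # this is where the *user* credential goes (grant_type=password).
    $grant = Invoke-RestMethod -Method Post -Uri "$base/osp/a/idm/auth/oauth2/grant" `
        -Headers @{ Authorization = "Basic $basic"; Accept = 'application/json' } `
        -ContentType 'application/x-www-form-urlencoded' `
        -Body @{ grant_type = 'password'; username = $userName; password = $userPass }
}
catch {
    # On a 4xx Invoke-RestMethod throws; the JSON body OSP sends (e.g. {"error":"invalid_client"}
    # for a bad client credential, "invalid_grant" for a bad user) is in ErrorDetails.
    Write-Error "Token request failed: $($_.ErrorDetails.Message)"
    return
}
$ospSecret = $null
$userPass  = $null

# Step 2: every API call sends the token as "Bearer <token>" in the Authorization header.
$headers = @{ Authorization = "Bearer $($grant.access_token)"; Accept = 'application/json' }
try {
    $resources = Invoke-RestMethod -Method Get -Uri $resourceUrl -Headers $headers
    $resources
}
catch {
    Write-Error "API call failed: $($_.ErrorDetails.Message)"
}
```

The two catch blocks mirror the two places the thread saw 401s: a failure in step 1 points at the client credential in the Basic header or the user credential in the body, while a failure in step 2 with a token in hand points at the Bearer header or the target endpoint.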