OAuth2 Service Broker Custom Endpoint



Modern applications interact with multiple services, which can be internal or external. Most of these services are developed with OAuth2 support. When a user or mobile application accesses a service, that service may in turn interact with other services, either internal or in the cloud. To access those other services, it needs an access token. This OAuth2 service broker issues a new access token with different scopes, protecting the user by not handing out a token with full rights.


When a user or mobile application accesses a back-end service, that service has to gather information or data from different service endpoints. These can be cloud services, internal services run by a different department, or partner services, all protected by OAuth2 access tokens. In this scenario, the token received at the first service cannot be sent as-is to a different service that is owned by a different group or is a cloud service. A token with limited scopes is required to access the other services.

Why is this useful?

This solution obtains a new OAuth2 access token with different scopes by authenticating with the existing OAuth2 access token. It is intended for a back-end service that has to call multiple other services to provide the response to the user request.


NetIQ Access Manager should have the OAuth2 protocol enabled. Deploy the jar file to the Identity Provider (IDP) and restart the IDP.

Configuration steps

  1. Download the OAuth2 service broker endpoint zip file and extract it to a temporary folder.

  2. Copy the jar file to the NAM IDP lib folder: /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib

  3. Restart the IDP: /etc/init.d/novell-idp restart

  4. Log in to the administration console and navigate to OAuth2.

  5. Create a new OAuth2 client.

  6. Note down the generated ClientId. This will be used with Service A to request an access token for Service B.

  7. Apply the configuration.

  8. Update the IDP configuration.

  9. Use the OAuth2 Playground, or any other OAuth2 sample or script, to request an OAuth2 access token to send to the first service.

  10. Using the OAuth2 access token obtained in the previous step, send a request similar to this sample to the service broker endpoint:
    POST /nidp/oauth/nam/tokenbroker HTTP/1.1
    Host: login.idp.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: <>


Note: This solution doesn't validate the resource or perform any sort of additional authorization. It is very close to the Microsoft on_behalf_of OAuth2 profile but doesn't follow that specification; it needs a little more modification to support that profile.
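
Because the broker itself performs no additional authorization, the calling service can enforce down-scoping before it contacts the endpoint. The following is an added example, not part of the original solution or the NetIQ jar: it builds the POST from the sample above without sending it. The https scheme, the Bearer scheme, the form field names client_id and scope, and the idea that Service A already knows the inbound token's scopes are all assumptions, since the page does not show them.

```python
from urllib.parse import urlencode, urlsplit
from urllib.request import Request

# Host and path come from the sample request on this page; https is assumed.
BROKER_URL = "https://login.idp.com/nidp/oauth/nam/tokenbroker"


class ScopePolicyError(ValueError):
    """Raised when a broker request would be unsafe or widen the caller's rights."""


def build_broker_request(inbound_token, inbound_scopes, client_id,
                         wanted_scopes, broker_url=BROKER_URL):
    """Build (without sending) the POST that Service A makes to the broker.

    ASSUMPTIONS, not taken from the page: the inbound token is presented as a
    Bearer credential, the form fields are named client_id and scope, and
    inbound_scopes was learned when Service A validated the inbound token.
    """
    if urlsplit(broker_url).scheme != "https":
        raise ScopePolicyError("broker endpoint must use https")
    if not inbound_token or any(c.isspace() for c in inbound_token):
        raise ScopePolicyError("inbound token is empty or malformed")
    wanted = set(wanted_scopes)
    if not wanted:
        raise ScopePolicyError("at least one scope must be requested")
    # The broker does no extra authorization, so Service A refuses to ask for
    # any scope the user's original token did not already carry.
    extra = wanted - set(inbound_scopes)
    if extra:
        raise ScopePolicyError("scopes not held by inbound token: %s" % sorted(extra))
    body = urlencode({"client_id": client_id, "scope": " ".join(sorted(wanted))})
    return Request(
        broker_url,
        data=body.encode("ascii"),
        method="POST",
        headers={
            "Content-Type": "application/x-www-form-urlencoded",
            "Authorization": "Bearer " + inbound_token,
        },
    )


if __name__ == "__main__":
    # Constructed sample values, not real credentials or real scope names.
    req = build_broker_request("constructed-token-123",
                               ["profile", "orders.read", "orders.write"],
                               "constructed-client-id", ["orders.read"])
    print(req.get_method(), req.full_url, req.data.decode())
```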

Please share your comments!!

