This article explains how to perform OAuth consent management operations: approving user consent, revoking access granted to an OAuth client application, and listing the client applications for which the user has approved consent. These operations can be used from any custom end-user portal and are supported for all OAuth client applications.
Sample Query
Below is a sample query for performing consent management operations through the REST API; screenshots accompanying the original article show the same operations in the UI. These operations apply only when "Require user permissions per scope" is enabled for the client application.
User Consent Grant Endpoint
The scopes requested by the client application must be authorized by the user if they have not been authorized already. The authorization endpoint is used for this and requires a valid user session. The parameters below must be added to the authorization code/token request.
Grant Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz
HTTP Method: POST
Content-Type: application/x-www-form-urlencoded
Request URI Parameters:

| Parameter | Required | Description |
| --- | --- | --- |
| given_scopes | Yes | The list of scopes the user authorized, as JSON that is URL-encoded and then Base64-encoded. Sample value: 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 (the decoded JSON and the captured request it came from are shown after this table). |
| accept | Yes | The value must be Accept. |

The other authorization endpoint parameters must also be present; refer to Authorization Endpoint for details.

The sample given_scopes value above is the encoded form of this JSON:
[{"scope":"profile","attributes":["website"," birthdate"," gender"," profile"," preferred_username"," given_name"," middle_name"," locale"," picture"," zone_info"," updated_at"," nickname"," name"," family_name"]},{"scope":"testScope","attributes":["nickname"]},{"scope":"urn:netiq.com:nam:scope:oauth:registration:full","attributes":["add"," modify"," delete"," read"]}]

It can be captured with Fiddler while making a sample request such as:
POST https://namapppragya.blr.novell.com/nidp/oauth/nam/authz?response_type=code&client_id=83028d3c-d039-4212-ae40-d3f9fa12d10c&redirect_uri=https://164.99.86.160/bajesh/oauth.php&scope=profile+openid+urn:netiq.com:nam:scope:oauth:registration:full+testScope&state=new HTTP/1.1
Sample Request
URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/authz
Request Parameters (form body): given_scopes=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&accept=Accept&response_type=code&client_id=83028d3c-d039-4212-ae40-d3f9fa12d10c&client_secret=r8RSXtoxQja7ELfM390f68xiD00-vuy_1jdJ7-2U5Urhpg0oF2MnPDw5_f1QxOBdLPH8hAuFOq1cNOxoordqug&redirect_uri=https://164.99.86.160/bajesh/oauth.php&scope=profile openid urn:netiq.com:nam:scope:oauth:registration:full testScope&state=new
Sample Response: HTTP Status 302, redirecting to:
https://164.99.86.160/bajesh/oauth.php?code=/wEBAAICACCkTrG8riEJzYSj@rdbtp7BoDaROj/Pn2@Jam6MSVHPnpuX8SG9dYxHasVevTmeY...
The page shown in the UI after the user accepts the consent is reached as follows:
Navigate to the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions.
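As an added example (not part of the original article and not NAM's own code), the Python below builds the consent-grant POST described above using only the standard library: it encodes a given_scopes value from the approved-scope JSON, assembles the form body with accept=Accept and the usual authorization parameters, and extracts the code from the 302 redirect while requiring the returned state to match. The encoding order "percent-encode the JSON, then Base64" is assumed from the page's wording, and since the page's sample value is not reproduced here the encoder is checked by round-tripping rather than against that value. The host, redirect URI and state are constructed; the client ID is the one from the page's sample. The page's sample body also carries client_secret, which this example omits because a confidential client's secret belongs on its back end, not in a form posted from the user's browser. Nothing is sent: the functions return urllib Request objects for inspection.

```python
import base64
import json
import urllib.parse
import urllib.request

# Assumed values for this example; the page uses its own host and redirect URI.
IDP_BASE_URL = "https://idp.example:8443"
CLIENT_ID = "83028d3c-d039-4212-ae40-d3f9fa12d10c"   # client ID from the page's sample
REDIRECT_URI = "https://app.example/oauth/callback"  # constructed


def encode_given_scopes(scopes):
    """Serialize the approved-scope list as JSON, percent-encode it, then Base64-encode it.
    The encode order is assumed from the page's wording ("URL encoded and Base64 encoded")."""
    raw = json.dumps(scopes, separators=(",", ":"))
    percent = urllib.parse.quote(raw, safe="")
    return base64.b64encode(percent.encode("ascii")).decode("ascii")


def decode_given_scopes(value):
    """Inverse of encode_given_scopes; lets a portal or log reviewer see what was approved."""
    percent = base64.b64decode(value).decode("ascii")
    return json.loads(urllib.parse.unquote(percent))


def build_consent_request(base_url, client_id, redirect_uri, requested_scopes, state, approved):
    """Form-encoded POST to /nidp/oauth/nam/authz carrying given_scopes and accept=Accept.
    The endpoint also needs the user's existing session cookie, which a browser supplies;
    that cookie is not modelled here."""
    fields = {
        "given_scopes": encode_given_scopes(approved),
        "accept": "Accept",
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(requested_scopes),
        "state": state,
    }
    body = urllib.parse.urlencode(fields).encode("ascii")
    req = urllib.request.Request(f"{base_url}/nidp/oauth/nam/authz", data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req


def form_fields(req):
    """Decode a Request's form body back into a dict, to inspect what would be sent."""
    return dict(urllib.parse.parse_qsl(req.data.decode("ascii"), keep_blank_values=True))


def extract_code(location, expected_state):
    """Pull the authorization code out of the 302 Location value.
    The state must come back and equal what was sent; otherwise the code is rejected."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(location).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state missing or mismatched in redirect")
    codes = query.get("code", [])
    if len(codes) != 1:
        raise ValueError("redirect did not carry exactly one code")
    return codes[0]


if __name__ == "__main__":
    approved = [{"scope": "profile", "attributes": ["nickname", "name"]},
                {"scope": "testScope", "attributes": ["nickname"]}]
    req = build_consent_request(IDP_BASE_URL, CLIENT_ID, REDIRECT_URI,
                                ["profile", "openid", "testScope"], "new", approved)
    print(req.get_method(), req.full_url)
    print(form_fields(req))
    print(decode_given_scopes(form_fields(req)["given_scopes"]))
```

Because urlencode percent-encodes the Base64 characters `+`, `/` and `=` in the form body, the server sees the original Base64 string after form decoding; the round trip through form_fields and decode_given_scopes confirms that nothing is lost on the way.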
User Consent Approved Clients List
This endpoint returns all client applications and scopes that the user has approved so far. Accessing it requires either a user login session or an access token. The endpoint details are below.
Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/
HTTP Method: GET
Sample Request using Access Token:
URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients
Authorization Header:
Bearer eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5IjoiSldUIiwiemlwIjoiREVGIiwia2lkIjoiMiJ9.hLzNTPnB6GUO3-yNJAeZR7M1Vmy_fz0r.MANr8ak7dwjvWEbo.XG9hFDQbB8zSTdpyu_2J18V.......
Sample Response:
HTTP Status 200
{"grants":[{"clientId":"83028d3c-d039-4212-ae40-d3f9fa12d10c","clientName":"Client_All_no_refresh_token","scopes":[{"name":"urn:netiq.com:nam:scope:oauth:registration:full","desc":"Full client registration capability including registering new clients, modify clients and delete.","claims":["add","modify","delete","read"]},{"name":"profile","desc":"Access your basic profile","claims":["website","birthdate","gender","profile","preferred_username","given_name","middle_name","locale","picture","zone_info","updated_at","nickname","name","family_name"]},{"name":"testScope","desc":"custom Scope for test purpose","claims":["nickname"]}]},{"clientId":"1c0453e6-899b-48bd-b4fe-b459c126b311","clientName":"Client_Refresh_Token_Auth_RO_flow","scopes":[{"name":"email","desc":"Access your email address","claims":["email_verified","email"]}]}]}
Sample Error Response:
HTTP Status 401
{"error": "oauth authentication required"}
The UI page for viewing the user's consent-approved client list is reached as follows:
Navigate to the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions -> click a particular client application.
User Consent Revoke Endpoint
The scopes approved for a client by the user can be revoked using this endpoint. Accessing it requires either a user login session or an access token. The endpoint details are below.
Endpoint: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/{clientId} - where {clientId} is the OAuth client application ID
HTTP Method: DELETE
Sample Request using Access Token:
URL: https://<Identity Server URL: Port Number>/nidp/oauth/nam/account/authzClients/83028d3c-d039-4212-ae40-d3f9fa12d10c
Authorization Header:
Bearer eyJhbGciOiJBMTI4S1ciLCJlbmMiOiJBMTI4R0NNIiwidHlwIjoiSldUIiwiY3R5IjoiSldUIiwiemlwIjoiREVGIiwia2lkIjoiMiJ9.hLzNTPnB6GUO3-yNJAeZR7M1Vmy_fz0r.MANr8ak7dwjvWEbo.XG9hFDQbB8zSTdpyu_2J18V.......
Sample Response:
HTTP Status 200
{ "status": "success", "msg": "successfully revoked grants to clients" }
The UI page for revoking user consent is reached as follows:
Navigate to the NAM nidp portal (for example https://xxxxxxxxxxxxx/nidp) -> click the user name in the top right corner -> Manage App Permissions -> click a particular client -> click Revoke Access -> select OK.
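The list and revoke endpoints, as an added example that is not from the article or from NAM: the page's own sample grants response (with its stray leading brace removed) is embedded so the parsing runs offline. parse_grants turns it into a per-client map of scopes and claims and raises on the documented 401 error body; clients_exposing_claim answers the audit question "which approved apps can read this claim"; revoke_request builds the DELETE against /nidp/oauth/nam/account/authzClients/{clientId}, accepting only UUID-shaped client IDs (the shape the page's IDs have) so a value taken from user input cannot alter the request path; revoke_succeeded checks the documented success body. The host and bearer token are placeholders, and the Request objects are built but not sent.

```python
import json
import re
import urllib.parse
import urllib.request

# Sample response copied from the page (stray leading brace removed), embedded
# here so the parsing below can run without a server.
SAMPLE_GRANTS_JSON = (
    '{"grants":[{"clientId":"83028d3c-d039-4212-ae40-d3f9fa12d10c",'
    '"clientName":"Client_All_no_refresh_token","scopes":['
    '{"name":"urn:netiq.com:nam:scope:oauth:registration:full",'
    '"desc":"Full client registration capability including registering new clients, '
    'modify clients and delete.","claims":["add","modify","delete","read"]},'
    '{"name":"profile","desc":"Access your basic profile",'
    '"claims":["website","birthdate","gender","profile","preferred_username","given_name",'
    '"middle_name","locale","picture","zone_info","updated_at","nickname","name","family_name"]},'
    '{"name":"testScope","desc":"custom Scope for test purpose","claims":["nickname"]}]},'
    '{"clientId":"1c0453e6-899b-48bd-b4fe-b459c126b311",'
    '"clientName":"Client_Refresh_Token_Auth_RO_flow","scopes":['
    '{"name":"email","desc":"Access your email address","claims":["email_verified","email"]}]}]}'
)
# Error body documented on the page for an unauthenticated call.
SAMPLE_401_JSON = '{"error": "oauth authentication required"}'

# Client IDs on the page are UUIDs; only that shape is allowed into the URL path.
CLIENT_ID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")


def list_grants_request(base_url, access_token):
    """GET /nidp/oauth/nam/account/authzClients with a bearer token (session cookie also works)."""
    req = urllib.request.Request(f"{base_url}/nidp/oauth/nam/account/authzClients", method="GET")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def parse_grants(status, body):
    """Map the list endpoint's reply to {clientId: {"name": ..., "scopes": {scope: [claims]}}}.
    The documented 401 body becomes a PermissionError carrying the server's error text."""
    data = json.loads(body)
    if status == 401:
        raise PermissionError(data.get("error", "unauthorized"))
    if status != 200:
        raise RuntimeError(f"unexpected status {status}")
    grants = {}
    for grant in data["grants"]:
        grants[grant["clientId"]] = {
            "name": grant["clientName"],
            "scopes": {s["name"]: list(s["claims"]) for s in grant["scopes"]},
        }
    return grants


def clients_exposing_claim(grants, claim):
    """Client IDs whose approved scopes release the given claim (for example 'email')."""
    return sorted(cid for cid, g in grants.items()
                  if any(claim in claims for claims in g["scopes"].values()))


def revoke_request(base_url, access_token, client_id):
    """DELETE /nidp/oauth/nam/account/authzClients/{clientId}; rejects non-UUID IDs."""
    if not CLIENT_ID_RE.fullmatch(client_id):
        raise ValueError("client_id is not a UUID")
    path = urllib.parse.quote(client_id, safe="")
    req = urllib.request.Request(
        f"{base_url}/nidp/oauth/nam/account/authzClients/{path}", method="DELETE")
    req.add_header("Authorization", f"Bearer {access_token}")
    return req


def revoke_succeeded(status, body):
    """True for the documented success reply: HTTP 200 with "status": "success"."""
    return status == 200 and json.loads(body).get("status") == "success"


if __name__ == "__main__":
    grants = parse_grants(200, SAMPLE_GRANTS_JSON)
    for cid, g in grants.items():
        print(cid, g["name"], sorted(g["scopes"]))
    print("clients that can read email:", clients_exposing_claim(grants, "email"))
    print(revoke_request("https://idp.example:8443", "<ACCESS_TOKEN>",
                         "83028d3c-d039-4212-ae40-d3f9fa12d10c").full_url)
```

A portal that lets the user pick a client to revoke should pass the clientId it received from the list response, not a value typed by the user; the UUID check is a second line of defence for that path segment.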