The Resource Owner Flow is one of the modes in the OAuth protocol. In this flow, a user can authenticate using the IDP contract that uses form-based authentication. Sometime during client application development, the application expects more than user credentials and wants to use additional information such as user DOB, PAN Card, etc. In such cases, it is not possible to use default contracts. To achieve such use cases, NAM provides a functionality to create and use a custom contract class.
From Access Manager 4.3 onwards, it’s possible to define which contract must be executed based on the parameter value sent during OAuth request or it can be configured through the admin console oauth configuration section.
How it works:
Create a custom authentication class with the desired additional parameter (sample attached - MultiParameterAuthClass). To learn more about how to use sample class, check the access manager developer documentation. How to deploy authentication class.
Define this either in the Oauth Resource Owner Configuration UI in the global setting or pass this parameter as acr value of the Oauth Resource owner request.
Note: This will work with NAM 4.4. For an alternate option, "Send additional param as part of password by some delimiter not contained in usual password like ppp$param2$param3. Let the custom auth class split the password into constituent part and validate."
Let us consider a scenario where a client application requires the user's PAN number along with the user's credentials for authentication. For this requirement, the administrator can configure Access Manager using the following steps:
Create a resource owner flow request such as the following:
Case 1: When Parameters are correct:
curl -v -k -X POST -d 'grant_type=password&client_id=9fb726a1-1dd0-4717-874-bfc34b90d423&client_secret=j-L5uKeRnarmPNuoXos-h1EqeUjR3AWSZvwwDNtxbONEvmCI3vu0kPAMKQBGxkHvdfqkNXiXC-SmodPRoqFFBQ&username=vneeraj&password=novell&pan=pan123&acr=/custom/contract' https://sles12-acidp.labs.blr.novell.com:8443/nidp/oauth/nam/token
For information on the parameter click here.
If all of the parameters in the request are correct, the server will return the token and refresh token (optionally).
Case 2: In case parameter PAN value is incorrect:
"error_description":"invalid_grant: Invalid pan"