UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21. Read more.
UPDATE! The community will be go into read-only on April 19, 8am Pacific in preparation for migration on April 21.Read more.

OAuth2 Service Broker Custom Endpoint

OAuth2 Service Broker Custom Endpoint


Modern application development interacts with multiple services. These services can be internal or external. Most of the services are developed with Oauth2 support. When the user or mobile access a service, that particular service might be interacting with other services either internal or cloud service. To access other services, it needs the access token. This Oauth2 service broker will issue a new access token with different scopes to protect the user by without giving token with full rights.


When the user or mobile application access backend service it has to gather various information or data from different service endpoints. These services can be a cloud or internal different department or partner services that are protected by Oauth2 access tokens. In this scenario, received a token at the first service cannot send the same token to different service which is owned by a different group or a cloud service. Limited scopes token is required to access other services.

Why is this useful?

This solution will help to get a new oauth2 access token with different scopes by authenticating with existing oauth2 Access token at back-end service where it has to call multiple other services to provide the response to the user request.


NetIQ Access Manager should be enabled with oauth2 protocol. Deploy the jar file to the Identity provider (IDP) and restart the IDP.

Configuration steps

    1. Download Oauth2 service broker endpoint zip file and extract to a temporary folder


    1. Copy the jar file to NAM IDP lib folder location /opt/novell/nam/idp/webapps/nidp/WEB-INF/lib


    1. Restart IDP /etc/init.d/novell-idp restart


    1. Login to administration console and navigate to Oauth2


    1. Create new Oauth2 client


    1. Generated ClientId note down. This will be used with Service A to request access token for Service B


    1. Apply configuration


  1. Update IDP configuration


    1. Using Oauth2 Play ground or any other Oauth2 sample or script example to request Oauth2 access token to send it to first service.


  1. Using Oauth2 Access token obtained at previous step do send the similar sample request to service broker endpoint.
    POST /nidp/oauth/nam/tokenbroker HTTP/1.1
    Host: login.idp.com
    Content-Type: application/x-www-form-urlencoded
    Authorization: <>


Note: This solution doesn’t validate resource or any sort of additional authorization. This solution is very close to Microsoft on_behalf_of Oauth2 profile but doesn’t follow that specification, it needs little more modification to support that profile.

Please share your comments!!

Labels (2)


Some content on Community Tips & Information pages is not officially supported by Micro Focus. Please refer to our Terms of Use for more detail.
Top Contributors
Version history
Revision #:
2 of 2
Last update:
‎2020-01-31 11:13
Updated by:
The opinions expressed above are the personal opinions of the authors, not of Micro Focus. By using this site, you accept the Terms of Use and Rules of Participation. Certain versions of content ("Material") accessible here may contain branding from Hewlett-Packard Company (now HP Inc.) and Hewlett Packard Enterprise Company. As of September 1, 2017, the Material is now offered by Micro Focus, a separately owned and operated company. Any reference to the HP and Hewlett Packard Enterprise/HPE marks is historical in nature, and the HP and Hewlett Packard Enterprise/HPE marks are the property of their respective owners.