rs_0 Respected Contributor.

Identity Application Rest API Authentication

Hi, I am new to the Identity App and Rest APIs. I am attempting to access the /osp/a/idm/auth/oauth2/grant URL to obtain an access token. I am using the PowerShell Invoke-WebRequest command to make the call and I keep getting a 401 Unauthorized error. I am guessing I have the wrong credentials entered but I am not sure where to configure or find the credentials. Any advice would be appreciated.

Documentation I have been using:
https://www.netiq.com/documentation/identity-manager-developer/rest-api-documentation/idmappsdoc/#/Access
rs_0 Respected Contributor.

Re: Identity Application Rest API Authentication

I managed to make some progress. I was not adding the Authorization header. Adding that header got me to a new error page "NetIQ Access Error". I imagine it is some kind of permissions configuration but I have not yet found the answer.
sma2006 Outstanding Contributor.

Re: Identity Application Rest API Authentication

Hi,

Usually I use the third-party tool "insomnia" to test IDM REST connections and requests.

Here is an extract of my request to get the token:

curl --request POST \
--url http://win-idm2.demo.com:8080/osp/a/idm/auth/oauth2/grant/ \
--header 'accept: application/json' \
--header 'accept-charset: UTF-8' \
--header 'authorization: Basic cmJwbTpub3ZlbGw=' \
--header 'content-type: application/x-www-form-urlencoded' \
--cookie netiq_idm_rbpm_acsrf=0dc0efbb-20b3-41ad-a4ab-d828fd3936db \
--data 'grant_type=password&username=uaadmin&password=novell'


Here is the request to get resources:

curl --request GET \
--url 'http://win-idm2.demo.com:8080/IDMProv/rest/catalog/resources?q=*' \
--header 'authorization: Bearer eH8AIGgaLNxJ6ofJ/sxDPNv3PZrWsVrTp5xU@btuYbu54qYoI5mSBk4znR0cCwnHO2b9iamiNxUpxfvYKiYQu13DniTrbOur7N8o4Z8O5dIq2sDtw9wrOQUIba@rHKK54efOtkH25nEL5tuF8cezxNSurTkjv3KsBbUePJuezUQBnGVy@jrOeDJp1cWIxwKm2@Tw9bL6zIc0yqUctYbkJjs02IEVQLq6LGTO26vyujl6Lb/W' \
--header 'content-type: application/json' \
--cookie 'JSESSIONID=B0FDD959762A44E6FEFABE16EB417F35; netiq_idm_rbpm_acsrf=0dc0efbb-20b3-41ad-a4ab-d828fd3936db'

You also need to update the ism-configuration.properties, for example:

RoleService/Role/SOAP-End-Points-Authorization-Security-Enabled = false
RoleService/Role/soap = false
RoleService/Resource/SOAP-End-Points-Authorization-Security-Enabled = false
ResourceService/Resource/soap = false
VirtualDataService/soap = false
WorkflowService/SOAP-End-Points-Authorization-Security-Enabled = false


Hope this will help.

Sylvain
rs_0 Respected Contributor.

Re: Identity Application Rest API Authentication

This information is very helpful; unfortunately I am still getting the NetIQ Access Error page in response. The osp logs are throwing an IllegalArgumentException "Illegal base64" Java error.
sma2006 Outstanding Contributor.

Re: Identity Application Rest API Authentication

Are you able to get the token from the first POST request?
rs_0 Respected Contributor.

Re: Identity Application Rest API Authentication

Yes, last night I finally figured out what was hanging things up. As expected it was bad credentials. Once I was able to get the correct password for rbpm, I was able to obtain a token using the curl command similar to yours above. Again I really appreciate you lining that out. Unfortunately now I am running into a 401 Access Denied error when trying to run the second curl command you sent. I used rbpm to get the token and included the uaadmin account in the body of the call. So I am trying to work through that issue now. Also a helpful tip to anyone troubleshooting this process: check out the localhost_access_log file under the tomcat logs, it will actually show API call attempts. The curl command wasn't returning useful information but this log will give you the client IP, the call that was passed, the time, and the HTTP code returned. In my case it's a 401.
sma2006 Outstanding Contributor.

Re: Identity Application Rest API Authentication

stampsr;2494686 wrote:
Yes, last night I finally figured out what was hanging things up. As expected it was bad credentials. Once I was able to get the correct password for rbpm, I was able to obtain a token using the curl command similar to yours above. Again I really appreciate you lining that out. Unfortunately now I am running into a 401 Access Denied error when trying to run the second curl command you sent. I used rbpm to get the token and included the uaadmin account in the body of the call. So I am trying to work through that issue now. Also a helpful tip to anyone troubleshooting this process: check out the localhost_access_log file under the tomcat logs, it will actually show API call attempts. The curl command wasn't returning useful information but this log will give you the client IP, the call that was passed, the time, and the HTTP code returned. In my case it's a 401.


Once you have the token, you must send your request with an "Authorization header" with the exact text: Bearer + token, as per my example:

curl --request GET \
--url 'http://win-idm2.demo.com:8080/IDMProv/rest/catalog/resources?q=*' \
--header 'authorization: Bearer eH8AIGgaLNxJ6ofJ/sxDPNv3PZrWsVrTp5xU@btuYbu54qYoI5mSBk4znR0cCwnHO2b9iamiNxUpxfvYKiYQu13DniTrbOur7N8o4Z8O5dIq2sDtw9wrOQUIba@rHKK54efOtkH25nEL5tuF8cezxNSurTkjv3KsBbUePJuezUQBnGVy@jrOeDJp1cWIxwKm2@Tw9bL6zIc0yqUctYbkJjs02IEVQLq6LGTO26vyujl6Lb/W' \
--header 'content-type: application/json'
rs_0 Respected Contributor.

Re: Identity Application Rest API Authentication

Yes, I had included my token and the headers how you had mentioned. I am wondering if something is misconfigured somewhere.
rs_0 Respected Contributor.

Re: Identity Application Rest API Authentication

Opened a support ticket on this one. I will update if we are able to find a solution.
schwoerb Absent Member.

Re: Identity Application Rest API Authentication

I am seemingly stuck as well. I am able to see the different errors in the body of the response. For a user that doesn't exist I get a 400 '{"error":"invalid_grant","error_description":"No principal found.","sub_error":"noprincipal"}'. For a good password or a bad password, I get a 401 '{"error":"invalid_client"}'.
schwoerb Absent Member.

Re: Identity Application Rest API Authentication

I found my error for the Authentication. I was using the same credentials for both the Header and the Body. After looking closer, I needed to use the OSP credential for the Header, and the user credential for the Body. Read the Manual issue... doh!!!
Knowledge Partner

Re: Identity Application Rest API Authentication

schwoerb;2495611 wrote:
I found my error for the Authentication. I was using the same credentials for both the Header and the Body. After looking closer, I needed to use the OSP credential for the Header, and the user credential for the Body. Read the Manual issue... doh!!!


Thanks for following up on what it was. I'm sure somebody else will trip over this in the future.
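
The resolution the thread arrives at (OSP client credential in the Basic header, user credential in the form body), as an added shell example that is not from any poster. It reuses the token path and sample credentials from the curl commands above; the function names are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread. Function names are hypothetical;
# the token path and sample credentials are the ones shown in the thread.

# Build the Authorization header value for the OSP *client* credential.
# printf (not echo) avoids a trailing newline inside the encoded value, and
# tr removes the line wraps base64 adds to long output; either one leaves
# the server with a value it cannot decode.
basic_auth_value() {
  printf 'Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# Decode a Basic header back to "id:secret" to confirm what is really sent.
decode_basic() {
  printf '%s' "${1#Basic }" | base64 -d
}

# Map HTTP status plus OAuth2 error body to the credential that was rejected.
diagnose_grant_error() {  # args: http_status response_body
  case "$1:$2" in
    401:*'"invalid_client"'*) echo "client credential (Authorization: Basic header) rejected" ;;
    400:*'"invalid_grant"'*)  echo "user credential (form body username/password) rejected" ;;
    200:*'"access_token"'*)   echo "ok" ;;
    *)                        echo "unclassified" ;;
  esac
}

# Token request: client credential in the header, user credential in the body.
# Prints the response body followed by the HTTP status on its own line.
request_token() {  # args: base_url client_id client_secret username password
  curl --silent --show-error --request POST \
    --url "$1/osp/a/idm/auth/oauth2/grant/" \
    --header 'accept: application/json' \
    --header "authorization: $(basic_auth_value "$2" "$3")" \
    --data-urlencode 'grant_type=password' \
    --data-urlencode "username=$4" \
    --data-urlencode "password=$5" \
    --write-out '\n%{http_code}'
}
```

Base64 is an encoding, not encryption, so over the plain http:// URL used in the thread's samples the Basic header carries the client secret in recoverable form.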