How To

How do I check that an OAuth 2.0 client can connect to AM/OpenAM (All versions)?

Last updated Mar 15, 2019

The purpose of this article is to provide information on checking that an OAuth 2.0 client or OIDC client can connect to AM/OpenAM. The results of the connectivity check serve various purposes, including validating that the credentials are correct and verifying that the client can authenticate to AM/OpenAM for determining access.



Checking that an OAuth 2.0 client can connect

Note

For the OAuth 2.0 client to be able to authenticate, agent must be listed as an Identity Type (Realms > [Realm Name] > Authentication > Settings > General > Identity Types). It is included by default, but if it is missing, you should re-add it. When it is missing, you will see the following response:

{ "code": 401, "reason": "Unauthorized", "message": "User Requires Profile to Login" }

The following check validates the client credentials to prove that the client can connect to AM/OpenAM, but does not create a session; it simply validates the OAuth 2.0 client and client secret. This method may be preferable to the alternative for testing, which involves generating an access token and then revoking it.

You can validate the client credentials using a REST call similar to this:

  • AM 5 and later:
    $ curl -X POST -H "X-OpenAM-Username: myOAuth2Client" -H "X-OpenAM-Password: clientPassword" -H "Content-Type: application/json" -H "Accept-API-Version: resource=2.1" "http://host1.example.com:8080/openam/json/realms/root/authenticate?realm=/&noSession=true&authIndexType=module&authIndexValue=Application"
    
  • Pre-AM 5:
    $ curl -X POST -H "X-OpenAM-Username: myOAuth2Client" -H "X-OpenAM-Password: clientPassword" -H "Content-Type: application/json" "http://host1.example.com:8080/openam/json/authenticate?realm=/&noSession=true&authIndexType=module&authIndexValue=Application"
    

A successful response will look similar to this, where a session token is not created because of the noSession parameter:

{"message":"Authentication Successful","successUrl":"/openam/console","realm":"/"}

Whereas an unsuccessful response is similar to this:

{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}
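
The check above wrapped as reusable shell functions, as an added example that is not ForgeRock's code: the credentials reach curl as headers on stdin (`-H @-`, curl 7.55.0 or later) so the client secret stays out of curl's argument list, and the response bodies quoted in this article are mapped to a result. AM_BASE, AM_CLIENT_ID, AM_CLIENT_SECRET and the function names are assumptions, as is treating a `tokenId` field as a sign that a session was issued.

```sh
#!/bin/sh
# Added example, not ForgeRock code. AM_BASE, AM_CLIENT_ID, AM_CLIENT_SECRET
# and the function names are assumptions made for this sketch.

# Build the authenticate URL from the article: "pre5" for pre-AM 5, else AM 5+.
am_auth_url() {
  case "$2" in
    pre5) am_path=/json/authenticate ;;
    *)    am_path=/json/realms/root/authenticate ;;
  esac
  printf '%s%s?realm=/&noSession=true&authIndexType=module&authIndexValue=Application\n' \
    "$1" "$am_path"
}

# Emit the request headers one per line, the format curl reads with -H @-.
am_headers() {
  printf 'X-OpenAM-Username: %s\nX-OpenAM-Password: %s\n' \
    "$AM_CLIENT_ID" "$AM_CLIENT_SECRET"
  printf 'Content-Type: application/json\n'
  [ "$1" = pre5 ] || printf 'Accept-API-Version: resource=2.1\n'
}

# Map a response body to a result, using the messages quoted in the article.
classify_am_response() {
  case "$1" in
    # Assumption: a tokenId field means a session was issued (noSession ignored).
    *'"tokenId"'*)                       echo session-created ;;
    *'Authentication Successful'*)       echo ok ;;
    *'User Requires Profile to Login'*)  echo identity-type-missing ;;
    *'Authentication Failed'*)           echo bad-credentials ;;
    *)                                   echo unknown ;;
  esac
}

# Run the check. curl exits 0 on an HTTP 401, so the body is always classified;
# a non-zero exit means AM could not be reached at all.
check_oauth_client() {
  am_body=$(am_headers "$1" |
    curl -sS -X POST -H @- "$(am_auth_url "$AM_BASE" "$1")") ||
    { echo unreachable; return 2; }
  classify_am_response "$am_body"
}
```

Export the three variables and call `check_oauth_client` (or `check_oauth_client pre5`); any result other than `ok` should fail a health check.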

See Also

How do I check if AM/OpenAM (All versions) is up and running?

How do I check that a Policy Agent (All versions) can connect to AM/OpenAM?

OAuth 2.0 in AM/OpenAM

OAuth 2.0 Guide




Copyright © 2019 ForgeRock, all rights reserved.
