OAuth 2.0 in AM/OpenAM

This book provides information on OAuth 2.0 in AM/OpenAM, including OIDC and UMA, administering access tokens via REST, and known issues (with solutions).

Table of Contents

  • 1 What federation standards does AM/OpenAM support?
  • 2 How does OAuth 2.0 Saved Consent work in AM/OpenAM (All versions)?
  • 3 How do I check that an OAuth 2.0 client can connect to AM/OpenAM (All versions)?
  • 4 How do I modify the OAuth2 Access Token Modification script in AM 6.5.2.x, 6.5.3 and 7.x?
  • 5 How do I migrate OAuth 2.0 CTS-based tokens to AM 6.5.x from an earlier version?
  • 6 How do I migrate OAuth 2.0 client-based tokens to AM 6.5.x from an earlier version?
  • 7 Access Tokens and REST
    • 7.1 How do I perform common OAuth 2.0 tasks using curl commands with the standard endpoints in AM/OpenAM (All versions)?
    • 7.2 How do I request further information (such as client_id or uid) for an OAuth 2.0 access token in OpenAM 13.x?
  • 8 OIDC
    • 8.1 How do I understand the JWTs used in OIDC that are generated or accepted by AM/OpenAM (All versions)?
    • 8.2 How do I add custom claims to the OIDC Claims Script in AM/OpenAM (All versions)?
    • 8.3 How do I add a roles claim to the OIDC Claims Script in AM/OpenAM (All versions)?
    • 8.4 How do I add a session property claim to the OIDC Claims Script in AM (All versions) and OpenAM 13.5.x?
    • 8.5 How do I modify the OIDC issuer ID or audience in a multi-server AM (All versions) environment?
    • 8.6 How do I transform an OIDC token to a SAML2 assertion in AM/OpenAM (All versions) using REST STS?
  • 9 Frequently Asked Questions
    • 9.1 FAQ: OAuth 2.0 in AM/OpenAM
    • 9.2 FAQ: UMA in AM/OpenAM
  • 10 Known Issues
    • 10.1 Issues with upgrades, Amster imports or exports, or registering clients (OAuth2, OIDC and RADIUS) or agents with reference to sunserviceID in AM (All versions)
    • 10.2 No system property value for SMS_TRANSPORT_ENCRYPTION so using AES error in AM (All versions)
    • 10.3 The authenticated client is not authorized to use this authorization grant type response to an OAuth 2.0 endpoint in AM 6.5.x and 7.x
    • 10.4 Shared secret cannot be null error when requesting OAuth2 access tokens in AM 5.x and 6.0.0.x
    • 10.5 FailedToLoadJWKException when retrieving OAuth2 access token in AM (All versions)
    • 10.6 URLDecoder: Illegal hex characters in escape (%) pattern or Client authentication failed error when requesting an OAuth2 access token in AM (All versions)
    • 10.7 redirect_uri_mismatch error occurs when using AM/OpenAM (All versions) as an OAuth 2.0 / OpenID client or provider
    • 10.8 Unable to retrieve certificate with alias 'test' from keystore after making changes to the keystore in AM (All versions)
    • 10.9 Unhandled exception: Internal Server Error (500) when running OIDC_CLAIMS scripts under load in AM (All versions)
    • 10.10 invalid_client error when requesting an OAuth 2.0 access token in AM/OpenAM (All versions)
    • 10.11 Access to Java class is prohibited error with scripts running in AM/OpenAM (All versions)
    • 10.12 Creating OAuth2 Provider in AM 5.5.x, 6.x and 7.x fails with a Could not initialise script configurations for realm error when using ssoadm
    • 10.13 Addition of the standard header "Pragma" is discouraged errors when AM 5, 5.1.x and OpenAM 13.5 is configured as an OAuth Provider