How to get the basic profile details of a user in external clients through OAuth - Adobe Experience Manager(AEM)
This post will explain the approach to get the basic profile details of a user through OAuth - AEM/Adobe CQ5.
Configure the OAuth client - Adobe Experience Manager(AEM):
Login to AEM with admin credentials. Access http://localhost:4502/libs/granite/oauth/content/clients.html and click on "Create a new app" or "Add New Client".
Enter the Client ID and "Redirect URI" - the URL to which the user will be redirected after successful authorization (the external client URL).
Redirect the user to the below URL to authorize the user with AEM:
http://localhost:4502/oauth/authorize?response_type=code&client_id=<Client Id from OAuth client>&scope=profile&redirect_uri=<The URL to which the user will be redirected after authorization>
The user will be prompted to login if not already logged in; after successful login the user will be redirected to a page to authorize the request.
After successful authorization the user will be redirected to the redirect URI configured in the OAuth client, with the code appended, e.g.
http://localhost:4502/oauth/authorize?response_type=code&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&scope=profile&redirect_uri=http://localhost:8080/test
http://localhost:8080/test?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&state=null
The state parameter sent in the request will be sent back in the response by AEM - the client can use it to verify that the response belongs to a request it initiated (this helps to stop Cross-Site Request Forgery (CSRF)).
http://localhost:4502/oauth/authorize?response_type=code&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&scope=profile&redirect_uri=http://localhost:8080/test&state=Albintest
http://localhost:8080/test?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&state=Albintest
Receive the access token:
After authorization AEM will redirect the user to the URL specified as the redirect URI in the OAuth client. Connect to the token endpoint in the service with the code received in the URL to fetch the access token.
http://localhost:4502/oauth/token
POST
Content-Type: application/x-www-form-urlencoded
Input Parameters:
code=<the code received from the previous response>
grant_type=authorization_code
redirect_uri=<Redirect URI from the OAuth client configuration>
client_id=<Client ID from the OAuth client configuration>
client_secret=<Client Secret from the OAuth client configuration>
e.g. through curl:
curl -H "Content-Type: application/x-www-form-urlencoded" -d "code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&grant_type=authorization_code&redirect_uri=http://localhost:8080/test&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&client_secret=f4sv6cv4s91qqskbtconja37lc" http://localhost:4502/oauth/token
{"access_token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhbGJpbiIsImV4cCI6MTQ5MzkyOTgzNywiaWF0IjoxNDkzOTI2MjM3LCJzY29wZSI6InByb2ZpbGUifQ.jkmQzy7exD5ShcX-CneX-YYY0WzC7OHGN8WHLb_Zkqg","expires_in":3600}
Receive the profile data:
Connect to the profile endpoint with the access token received in the previous step to fetch the basic user profile data.
http://localhost:4502/libs/oauth/profile
GET
Authorization: Bearer <access token>
e.g. through curl:
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhbGJpbiIsImV4cCI6MTQ5MzkyOTgzNywiaWF0IjoxNDkzOTI2MjM3LCJzY29wZSI6InByb2ZpbGUifQ.jkmQzy7exD5ShcX-CneX-YYY0WzC7OHGN8WHLb_Zkqg" http://localhost:4502/libs/oauth/profile
{"path":"/home/users/a/nNZl6ouZfBrbxReawJfm/profile","user":{"authorizableId":"albin"},"gender_xss":"male","gender":"male","aboutMe_xss":"test","aboutMe":"test","email_xss":"[email protected]","email":"[email protected]","state_xss":"MN","state":"MN","familyName_xss":"Issac","familyName":"Issac","country_xss":"United States","country":"United States","givenName_xss":"Albin","givenName":"Albin"}
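As an added example (not code from the post), here is a small Python client that carries out the four steps above: it issues and checks the state value, builds the authorize URL, prepares the /oauth/token and /libs/oauth/profile requests, and decodes the claims carried in the JWT-shaped code and access token that AEM returns. The AEM base URL, client id, client secret and redirect URI are assumed values; the HTTP calls themselves are left to whatever HTTP client you use.

```python
import base64
import hmac
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed local AEM author instance, as used throughout the post.
AEM = "http://localhost:4502"

def new_state():
    """Unguessable per-login state value; keep it in the user's session."""
    return secrets.token_urlsafe(16)

def build_authorize_url(client_id, redirect_uri, state, scope="profile"):
    """Step 1: URL the browser is sent to (GET /oauth/authorize)."""
    query = {"response_type": "code", "client_id": client_id,
             "scope": scope, "redirect_uri": redirect_uri, "state": state}
    return f"{AEM}/oauth/authorize?{urlencode(query)}"

def extract_code(callback_url, expected_state):
    """Step 2: read ?code=... from the redirect back, refusing it unless the
    echoed state matches the one we issued (the CSRF check the post mentions)."""
    params = parse_qs(urlparse(callback_url).query)
    returned = params.get("state", [""])[0]
    if not hmac.compare_digest(returned, expected_state):
        raise ValueError("state mismatch: callback was not started by this session")
    return params["code"][0]

def token_request(code, client_id, client_secret, redirect_uri):
    """Step 3: (url, headers, body) for the form POST to /oauth/token."""
    body = urlencode({"code": code, "grant_type": "authorization_code",
                      "redirect_uri": redirect_uri, "client_id": client_id,
                      "client_secret": client_secret})
    return (f"{AEM}/oauth/token",
            {"Content-Type": "application/x-www-form-urlencoded"}, body)

def profile_request(access_token):
    """Step 4: (url, headers) for GET /libs/oauth/profile with the bearer token."""
    return f"{AEM}/libs/oauth/profile", {"Authorization": f"Bearer {access_token}"}

def jwt_claims(token):
    """Decode the payload of the code / access token AEM issues (a JWS) to
    inspect claims such as sub, exp, iat and scope; this does not verify
    the signature, so treat the result as informational only."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))
```

Decoding the code from the post's example shows it is issued for sub "albin" with scope "profile" and expires 600 seconds after iat, while the access token's exp - iat matches the 3600 returned as expires_in.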
This post is written based on AEM 6.1 SP1.
The "Adobe Granite OAuth Server Authentication Handler" is not enabled by default; please refer to the following post on enabling "Adobe Granite OAuth Server Authentication Handler" - https://www.albinsblog.com/2017/07/exposing-resources-through-oauth-aem.html
Hi Albin.
This is a very nice post. Good job!!
I have tried the same on a 6.2 AEM and I am getting a 401 on the very last request (/libs/oauth/profile). I know you ran this on 6.1, so I want to ask you if you had to do any specific configuration for your Client related to scopes, or maybe for your user like permissions?
Stelios
I am also getting 401 on last request (/libs/oauth/profile) as well. I am running on AEM 6.3.
I am also getting the same error 401 on the very last request (/libs/oauth/profile). I am running on AEM 6.3.
Please verify "Adobe Granite OAuth Server Authentication Handler" is enabled - it looks like it is not enabled by default. Refer to https://www.albinsblog.com/2017/07/exposing-resources-through-oauth-aem.html#.WjHWwVWnHIU for details on enabling "Adobe Granite OAuth Server Authentication Handler".