Sunday, May 7, 2017

How to get the basic profile details of a user in external clients through OAuth - Adobe Experience Manager(AEM)

How to get the basic profile details of a user in external clients through OAuth - Adobe Experience Manager(AEM)

This post will explain the approach to get the basic profile details of a user through OAuth - AEM/Adobe CQ5

Configure the OAuth client - Adobe Experience Manager(AEM):

Login to AEM through Admin credential
Access - http://localhost:4502/libs/granite/oauth/content/clients.html and click on "Create a new app" or "Add New Client"


Enter Client ID and "Redirect URI" - The URL to which the user will be redirected after successful authorization(external client URL)





Redirect the user to below URL to authorize the user with AEM

http://localhost:4502/oauth/authorize?response_type=code&client_id=<Client Id from OAuth client>&scope=profile&redirect_uri=<The URL to which the user will be redirected after authorization>

User will be prompted to login if already not logged in and after successful login user will be redirect to a page to authorize the request.

After successful authorization the user will be redirected to the service URL configured in the OAuth client with the code.

http://localhost:4502/oauth/authorize?response_type=code&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&scope=profile&redirect_uri=http://localhost:8080/test

http://localhost:8080/test?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&state=null

The state parameter sent in the request will be send back in the response by AEM - this can be used to verify the authenticity of the request and response(This will help to stop Cross Site Request Forgery (XRSF).)

http://localhost:4502/oauth/authorize?response_type=code&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&scope=profile&redirect_uri=http://localhost:8080/test&state=Albintest

http://localhost:8080/test?code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&state=Albintest


Receive the access token:

After authorization AEM will redirect the user to the URL specified as redirect URL in the OAuth client, connect to the token endpoint in the service with the code received in the URL to fetch the access token.

http://localhost:4502/oauth/token

POST

Content-Type: application/x-www-form-urlencoded

Input Parameters:
code= The code received from the previous response
grant_type=authorization_code
redirect_uri=Redirect URI from OAuth client configuration
client_id= Client Id from OAuth client configuration
client_secret=Client Secret from OAuth client configuration

e.g. through CURL
curl -H "Content-Type: application/x-www-form-urlencoded" -d "code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsInN1YiI6ImFsYmluIiwiZXhwIjoxNDkzOTI2Mjc3LCJpYXQiOjE0OTM5MjU2NzcsInNjb3BlIjoicHJvZmlsZSJ9.cGGuC2UoSyR3vrl8abVZtgZt-3-6y-wuohEVJxitBJs&grant_type=authorization_code&redirect_uri=http://localhost:8080/test&client_id=lkeadg8fol2h6or98sutint8l0-eucn-1ub&client_secret=f4sv6cv4s91qqskbtconja37lc" http://localhost:4502/oauth/token

{"access_token":""eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhbGJpbiIsImV4cCI6MTQ5MzkyOTgzNywiaWF0IjoxNDkzOTI2MjM3LCJzY29wZSI6InByb2ZpbGUifQ.jkmQzy7exD5ShcX-CneX-YYY0WzC7OHGN8WHLb_Zkqg","expires_in":3600}

Receive the profile data:

Connect to the profile endpoint with the access token received in the previous step to fetch the basic user profile data.

http://localhost:4502/libs/oauth/profile

GET

Authorization: Bearer <access token>

e.g. through CURL
curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJiaGVhamE1bnEwMmcxa2xjZnVwYzcxYzlsMS1sd3I3d3ZobCIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhbGJpbiIsImV4cCI6MTQ5MzkyOTgzNywiaWF0IjoxNDkzOTI2MjM3LCJzY29wZSI6InByb2ZpbGUifQ.jkmQzy7exD5ShcX-CneX-YYY0WzC7OHGN8WHLb_Zkqg" http://localhost:4502/libs/oauth/profile

{"path":"/home/users/a/nNZl6ouZfBrbxReawJfm/profile","user":{"authorizableId":"albin"},"gender_xss":"male","gender":"male","aboutMe_xss":"test","aboutMe":"test","email_xss":"[email protected]","email":"[email protected]","state_xss":"MN","state":"MN","familyName_xss":"Issac","familyName":"Issac","country_xss":"United States","country":"United States","givenName_xss":"Albin","givenName":"Albin"}

This post is written based on the AEM version AEM 6.1 SP1

The "Adobe Granite OAuth Server Authentication Handler" is not enabled by default, please refer the following post to enable "Adobe Granite OAuth Server Authentication Handler" - https://www.albinsblog.com/2017/07/exposing-resources-through-oauth-aem.html

4 comments:

  1. Hi Albin.

    This is a very nice post. Good job!!
    I have tried the same on a 6.2 AEM and I am getting a 401 on the very last request (/libs/oauth/profile). I know you ran this on 6.1, so I want to ask you if you had to do any specific configuration for your Client related to scopes, or maybe for your user like permissions?

    Stelios

    ReplyDelete
  2. I am also getting 401 on last request (/libs/oauth/profile) as well. I am running on AEM 6.3.

    ReplyDelete
  3. I am also getting same error 401 on the very last request (/libs/oauth/profile). I am running on AEM 6.3.

    ReplyDelete
  4. Please verify "Adobe Granite OAuth Server Authentication Handler" is enabled - it looks to be it is not enabled by default. Refer https://www.albinsblog.com/2017/07/exposing-resources-through-oauth-aem.html#.WjHWwVWnHIU with details on enabling "Adobe Granite OAuth Server Authentication Handler"

    ReplyDelete