Wednesday, July 5, 2017

Exposing the AEM resources through OAuth - AEM

This post explains how to expose AEM resources through OAuth.

Refer to the previous post for the basic configuration needed to expose resources through OAuth.

Exposing /etc/designs/geometrixx/static.css through OAuth

Configure the "Allowed Scope" as "/etc/designs/geometrixx" (based on the resource that should be exposed) in "Adobe Granite OAuth Resource Server".

The OAuth authentication handler is not enabled by default, which looks to be a product defect.

Save the configuration (without any change) of "Adobe Granite OAuth Server Authentication Handler" to enable the handler. (Perform the same step for the previous post as well.)

Authorize the user:


Receive the access token using the code received:

curl -H "Content-Type: application/x-www-form-urlencoded" -d "code=eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJmamdzbnNibmxxZ3A1bDNjazY3b3NlYjBmOS1ldWNuLTF1YiIsInN1YiI6ImFkbWluIiwiZXhwIjoxNDk5MjkyNzQ0LCJpYXQiOjE0OTkyOTIxNDQsInNjb3BlIjoiL2V0Yy9kZXNpZ25zL2dlb21ldHJpeHgifQ.5ex1DvYLhYdoKjUvpscbyUpL5CWc02gjcpyPMJAPpMs&grant_type=authorization_code&redirect_uri=http://localhost:8080/test&client_id=fjgsnsbnlqgp5l3ck67oseb0f9-eucn-1ub&client_secret=r83jf37qc2jj4ggo8hmhcoqcc8" http://localhost:4502/oauth/token

Receive the Resource using the access token received:

curl -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhdWQiOiJmamdzbnNibmxxZ3A1bDNjazY3b3NlYjBmOS1ldWNuLTF1YiIsImlzcyI6IkFkb2JlIEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTQ5OTI5NTc4NywiaWF0IjoxNDk5MjkyMTg3LCJzY29wZSI6Ii9ldGMvZGVzaWducy9nZW9tZXRyaXh4In0.LfZxnZTL38bqHJaVJvcraLzaBu5axfdhuVQz7WFGLoE" http://localhost:4502/etc/designs/geometrixx/static.css

The step below should be followed on the publisher (assuming anonymous access is enabled): enable authentication for the resource /etc/designs/geometrixx.
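As an added example (not part of the original post and not AEM's own code), the following Python decodes the access token from the resource request above and checks its lifetime, audience and scope against the requested path. The function names and the path-matching rule are assumptions; AEM's own scope check is not shown in this post, and the signature is not verified here.

```python
import base64
import json
import posixpath

# Access token copied from the resource request on this page
# (local test instance; its exp claim lies in July 2017).
TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJhdWQiOiJmamdzbnNibmxxZ3A1bDNjazY3b3NlYjBmOS1ldWNuLTF1YiIsImlzcyI6IkFkb2Jl"
    "IEdyYW5pdGUiLCJzdWIiOiJhZG1pbiIsImV4cCI6MTQ5OTI5NTc4NywiaWF0IjoxNDk5MjkyMTg3"
    "LCJzY29wZSI6Ii9ldGMvZGVzaWducy9nZW9tZXRyaXh4In0."
    "LfZxnZTL38bqHJaVJvcraLzaBu5axfdhuVQz7WFGLoE"
)


def decode_segment(segment):
    """Base64url-decode one JWT segment (restoring padding) and parse the JSON."""
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def path_in_scope(path, scope):
    """Assumed rule: the normalised path equals the scope or lies below it."""
    path = posixpath.normpath(path)  # resolves ".." and "." segments first
    scope = scope.rstrip("/")
    # Require a "/" boundary so a sibling such as "<scope>-other" does not match.
    return path == scope or path.startswith(scope + "/")


def review_token(token, client_id, path, now):
    """Inspect the claims only; the signature is NOT verified here."""
    header_b64, payload_b64, _signature = token.split(".")
    header, claims = decode_segment(header_b64), decode_segment(payload_b64)
    return {
        "alg": header["alg"],
        "subject": claims["sub"],
        "lifetime_s": claims["exp"] - claims["iat"],
        "expired": now >= claims["exp"],
        "audience_ok": claims["aud"] == client_id,
        "path_in_scope": any(path_in_scope(path, s) for s in claims["scope"].split()),
    }


if __name__ == "__main__":
    import time
    print(review_token(TOKEN, "fjgsnsbnlqgp5l3ck67oseb0f9-eucn-1ub",
                       "/etc/designs/geometrixx/static.css", int(time.time())))
```

Decoding shows that the token is signed with HS256 but not encrypted, carries the subject "admin", and is valid for 3600 seconds.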



  1. Hi Albin,

    Can you explain a simple use-case wherein you want to expose an AEM resource using oAuth? Because as per my understanding we get resource from REST/SOAP APIs protected by oAuth.


  2. What I am understanding is you are mimicking the job which is done by REST APIs/Services, through AEM SLING rest webservices instead, the resource you get from AEM is always static, wherein I don't understand the use of it.

    1. Resource can be anything, static or dynamic, including APIs.

      Albin I

    2. This comment has been removed by the author.

    3. Sunag.M.S (Sr.Infrastructure analyst) July 17, 2017 at 9:08 AM

      Good one... (y)