You can use the sample scripts to understand how the OAuth flow works with Access Manager.
Perform the following tasks to use the sample scripts:
Enable the OAuth protocol.
Enable NAM_OAUTH2_DEVELOPER and NAM_OAUTH2_ADMIN roles for developers.
Extend the user store schema and add LDAP attribute to store user's consent and refresh token information.
Access Manager Administrator Tasks
Log in to Access Manager Administration Console.
Navigate to OAuth & OpenID Connect > Global Settings.
Specify the following values:
Authorization Grant LDAP Attribute: The LDAP attribute that can be used for storing the token information and the user consent.
CORS Domain: Select Allow All.
Grant Type(s): Select all options.
Token Type(s): Select all options.
Require Logout Consent: Select this option when you have configured OIDC front-channel logout. This displays a consent message to users seeking their permission to log out from all logged-in applications.
Signing Certificate: Add the signing certificate.
Update Identity Server.
Client Developer Tasks
Download OAuth Samples from the Developer Documentation page.
From the OAuth Samples folder, go to try-now-scripts, then sampleScripts.
Open the config.txt file, then specify the values for the following parameters that are mentioned within the System Settings section:
username: OAuth developer username
password: OAuth developer password
user_email: OAuth developer email
userstore: Name of the user store that is configured for the IDP cluster (check with NAM administrator)
user_dn: Full domain name such as, cn=admin, o=novell.
Change the domain as per requirement.
idpurl: Identity server’s host and port
scope_username: Non-developer user name.
scope_password: Password for the user mentioned in scope_username.
scope_email: Email of the user mentioned in scope_username.
Run the required script to see it in action or run sample Scripts.sh to run all the scripts as a batch.
|
Sample |
Use Case |
|---|---|
|
Authorization Flow |
|
|
authorizationFlow-accessToken-using-defaultresourceServer.sh |
Retrieve access token by using the default resource server that is configured in Access Manager. |
|
authorizationFlow-accessToken-usingRefreshtoken.sh |
Retrieve access token by using refresh token. |
|
authorizationFlow-accessToken-using-resourceServerKey.sh |
Retrieve access token that is encrypted using resource server key. |
|
authorizationFlow-accessToken-with-pkcePlain.sh |
Retrieve access token using pkce with the code_challenge_method as plain. |
|
authorizationFlow-accessToken-with-pkceS256.sh |
Retrieve access token using pkce with the code_challenge_method as s256. |
|
authorizationFlow-revoke-refreshToken.sh |
Revoke the refresh token |
|
authorizationFlow-revoke-refreshToken-using-globalDeviceID.sh |
Revoke the refresh token issued to a mobile device. |
|
idtoken-using-authorizationFlow.sh |
Retrieve ID token |
|
IDP-initiated-FrontChannelLogout.sh |
Identity Provider initiates the front-channel logout of a logged-in user through the client application. |
|
RP-initiated-FrontChannelLogout.sh |
The client application initiates the front-channel logout of a logged-in user. |
|
Client Credentials Flow |
|
|
clientCredentialFlow-accessToken-using-defaultResourceServer.sh |
Retrieve access token by using the default resource server that is configured in Access Manager. |
|
clientCredentialFlow-accessToken-using-resourceServerKey.sh |
Retrieve access token encrypted using resource server key. |
|
Implicit Flow |
|
|
idtoken-using-implicitFlow.sh |
Retrieve ID token |
|
implicitFlow-accessToken-using-defaultResourceServer.sh |
Retrieve access token by using the default resource server that is configured in Access Manager. |
|
implicitFlow-accessToken-using-resourceServerKey.sh |
Retrieve access token encrypted using the resource server key. |
|
Resource Owner Flow |
|
|
resourceOwnerFlow-accessToken-using-defaultResourceServer.sh |
Retrieve access token by using the default resource server that is configured in Access Manager. |
|
resourceOwnerFlow-accessToken-using-resourceServerKey.sh |
Retrieve access token encrypted using resource server key. |
|
resourceOwnerFlow-revoke-refreshToken.sh |
Revoke refresh token. |
|
resourceOwnerFlow-revoke-refreshToken-using-globalDeviceID.sh |
Revoke refresh token using the device ID. |
|
Manage and Validate |
|
|
deleteOauthResourceServer.sh |
Delete the resource server configured in Access Manager |
|
manageOAuthScope.sh |
Manage the OAuth scopes |
|
manageResourceServer.sh |
Manage the resource server configured in Access manager. |
|
accessToken-verification.sh |
Verify access token |