This chapter describes the Oracle Access Management Mobile and Social REST API. This chapter includes the following topics:
Mobile and Social Services REST Reference: Authentication and Authorization
Mobile and Social Services REST Reference: Commands for Mobile Single Sign-on Tokens
Mobile and Social Services REST Reference: Commands for User Profile Services
This chapter uses cURL to demonstrate the REST calls that the Mobile and Social client sends to the Mobile and Social server. cURL is free software that you can download from the cURL website at http://curl.haxx.se/
Using cURL to send REST calls to the server can help you better understand how the Mobile and Social client interacts with the Mobile and Social server. It can also be a helpful troubleshooting tool.
Note:
cURL commands that contain single quotes (') will fail on Windows. When possible, use double quotes (") in place of single quotes. If a command requires both single quotes and double quotes, escape the double quotes with a backslash (for example: \") and replace the single quotes with double quotes.
Note:
In this guide, line breaks in cURL commands and server responses are for display purposes only.

This section documents the request and response attribute names that are reserved for use with Mobile and Social REST Services. Each attribute can be included in a query parameter, in an HTTP header, or in the JSON body of the request, as noted for that attribute.
Note:
All attribute names and values are case-sensitive.

The following attribute names are documented in this section:
X-IDAAS-REST-VERSION
X-IDAAS-SERVICEDOMAIN
X-IDAAS-REST-AUTHORIZATION
AUTHORIZATION
X-Idaas-Rest-Subject-Type
X-Idaas-Rest-Subject-Value
X-Idaas-Rest-Subject
X-Idaas-Rest-Subject-CREDENTIAL
X-Idaas-Rest-Subject-Username
X-Idaas-Rest-Subject-Password
X-Idaas-Rest-New-Token-Type-To-Create
X-Idaas-Rest-Application-Context
X-Idaas-Rest-Application-Resource
X-Idaas-Rest-User-Principal
X-Idaas-Rest-Provider-Type
X-IDAAS-REST-VERSION: Use this attribute to specify the version of the SDK that the client application is compatible with. If you do not specify an SDK version, the Mobile and Social server uses the latest SDK version.
-H "X-IDAAS-REST-VERSION:v1"
curl -i -H "Content-Type: application/json" http://host.us.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"profileid1", "X-Idaas-Rest-Subject-Password":"secret12", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTTOKEN"}' -H "X-IDAAS-REST-VERSION:v1"
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2012 11:23:19 GMT
Transfer-Encoding: chunked
Content-Type: application/json
X-IDAAS-REST-VERSION: v1
Set-Cookie: JSESSIONID=5Z4sPNsHVmrplgs8HNDbQGxddC7TJQS7s4QspYvMpcMJJLC2nGx5!1574236250; path=/; HttpOnly
X-ORACLE-DMS-ECID: a393487d2600b00c:-7abb0b83:137b52ee014:-8000-00000000000026aa
X-Powered-By: Servlet/2.5 JSP/2.1
X-IDAAS-SERVICEDOMAIN: Use this attribute to specify a Service Domain value. If a Service Domain value is not provided, the system uses the "Default" Service Domain.
-H "X-IDAAS-SERVICEDOMAIN: Default"
curl -i -H "Content-Type: application/json" --request POST http://host.us.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"profileid1", "X-Idaas-Rest-Subject-Password":"secret12", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTTOKEN"}' -H "X-IDAAS-REST-VERSION:v1" -H "X-IDAAS-SERVICEDOMAIN: Default"
X-IDAAS-REST-AUTHORIZATION: Use this attribute to specify an application credential in the HTTP request header.
Use the following format:
-H "X-IDAAS-REST-AUTHORIZATION: <AuthenticationScheme-Name> <Credential Value>"
where AuthenticationScheme-Name is one of the following:
HTTP Basic
UIDPassword
Token
-H "X-IDAAS-REST-AUTHORIZATION: Token eyJhbG56I4OTg5OTk3M...fW1VGmunfzqZ-bG4rM"
-H "X-IDAAS-REST-AUTHORIZATION: Basic fn49xkOVXunF%2B5zMQUiGUlwTXPYiKw"
-H "X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred=\"Tp8aUEeptClBz6h9cH8F%2Fwk976\""
curl -i -H "Content-Type: application/json" --request POST http://host.us.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"sampleuser", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}' -H "X-IDAAS-REST-VERSION:v1" -H "X-IDAAS-SERVICEDOMAIN: Default" -H "X-IDAAS-REST-AUTHORIZATION: Token eyJhbGciOiJSUzUxMiIsInR5cSldUQXV0aGVudGljYXRCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9.eyJleHAiOjEzMzg4OTg5OTk3MzIsIzZXJ2ZXIxIiwiaXNzIjoijoiY2I2MWU5YTQtZjJmYS00ZDQzLWFlOTYtZWQ5MjZlMGQ2NDZlIiwib3JhY2xlLm9pYy50b2tlbi50eXBlIjoiQ0xJRU5UVE9LRU4iLCJpYXQiOjEzMzg4OTUzOTk3MzIsIm9yYWNsZS5vaWMudG9rZW4udXNlcl9kbiI6InVpZD1wcm9maWxlaWQxLG91PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWluIn0.kN17W0N3GEmdccm7GoUOT4iP23yWb6LloleOJ0grZkeiijXE-t8KfyN6Jq1m8EKzdYgiKFwdb-SO9MpOVMyPgxSRER9mn_3kkcKNagl7yIgu0EJUOS3Hudy2Suv0Th5b6fDgXLIYLkBA0cC1WlP5RgW1VGmuBX7RnfzqZ-bG4rMiLCJwcm4iOiJwcm9maWxlaWQxIiwianRpI"
The client application must send a security credential using the X-IDAAS-REST-AUTHORIZATION header if you select the Secured Application option for either User Profile Services or Authorization Services on the Service Domain Configuration "Service Protection" tab. The server accepts credentials sent using any of the three valid security schemes (HTTP Basic, UIDPassword, or Token).
AUTHORIZATION: Use this attribute to specify a user credential in the HTTP request header. Use the AUTHORIZATION header if a User Token is required and you are using either the JWTAuthentication or the OAMAuthentication token format. The User Token value must be the User Token issued by the authentication Service Provider.
Use the following format:
-H "AUTHORIZATION: <User Token Value>"
-H "AUTHORIZATION:eyJhbGciOiJSUzUxMiIsInR5cmtpZCI6Im9g5OTk3M...sW1VGmunfzqZ-bG4rM"
curl -i --request GET "http://host.us.example.com:14100/oic_rest/rest/userprofile/people/weblogic/" -H "AUTHORIZATION:eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9.eyJleHiEzMzg4OTk3MTMxMzcsImF1ZCI6Im9hbV9zZXJ2ZXIxIiwiaXNzIjoiSldUQXV0aGVudGljYXRpb24iLCJwcm4iOiJ3ZWJsb2dpYyIsImp0aSI6IjNlMjdiZjc4LTg3NDQtNDFkMS05MzlmLTlkZGY0N2VkNGFlNyIsImYWNsZS5vaWMudG9rZW4udHlwZSI6IlVTRVJUT0tFTiIsImlhdCI6MTMzODg5NjExMzEzNywib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXdlYmxvZ2ljLG91PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2V6ZG9tYWluIn0.hHmAa5Syw3AcqRPwIq_XLx6DcMzCBzvDXGFYvwAf9nqVgxgvLTJJfxZzofS5Ut272b0dFGsv3qakeDm2NTgg6fR2YKH5BxAHnEmq0IAmhLuyWdux_rMZNB-wP8h5JD26UQf_nnBBWApvgULeM2mWQEzYRVDMpN9K7pycNrsGKOj8U"
X-Idaas-Rest-Subject-Type: The type of the subject (either USERCREDENTIAL, UID, UIDASSERTION, or TOKEN).
-d '{"X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"}'
-d '{"X-Idaas-Rest-Subject-Type":"UID"}'
-d '{"X-Idaas-Rest-Subject-Type":"UIDASSERTION"}'
curl -H "Content-Type: application/json" --request GET "http://host.us.example.com:14100/oic_rest/rest/jwtauthentication/validate?X-Idaas-Rest-Subject-Value=eyJhbGciOiJSUzU...I_A0PM&X-Idaas-Rest-Subject-Type=TOKEN"
curl -i -H "Content-Type: application/json" --request POST http://host.us.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"profileid1", "X-Idaas-Rest-Subject-Password":"secret12345", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTTOKEN"}'
X-Idaas-Rest-Subject-Value: The string value of the subject. Include this attribute when the value of X-Idaas-Rest-Subject-Type is either TOKEN, UID, or UIDASSERTION.
curl -H "Content-Type: application/json" --request GET "http://host.example.com:14100/oic_rest/rest/jwtauthentication/validate?X-Idaas-Rest-Subject-Value=eyJhbGciOiJSUzU...PM&X-Idaas-Rest-Subject-Type=TOKEN"
curl -H "Content-Type: application/json" --request POST http://localhost:18001/oic_rest/rest/jwtauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"vTBI8jN...%3D", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource":"http://host.example.com:7779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN"}'
X-Idaas-Rest-Subject: Use this attribute to supply both the subject type and the string value in the header when the subject type is TOKEN.
curl -H "Content-Type: application/json" --request GET http://host.example.com:14100/oic_rest/rest/jwtauthentication/validate -H "X-Idaas-Rest-Subject: TOKEN eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9.eyJleHAiOjEzMzg5MDEzMzUyMjUsImF1ZCI6Im9hbV9zZXJ2ZXIxIiwiaXNzIjoiSldUQXV0aGVudGljYXRpb24iLCJwcm4iOiJ3ZWJsb2dpYyIsImp0aSI6ImUzNDZiYjJiLTQyZmYtNGRjMC1hOTZkLWYyY2U5MjM0NTM0YSIsIm9yYWNsZS5vaWMudG9rZW4udHlwZSI6IlVTRVJUT0tFTiIsImlhdCI6MTMzODg5NzczNTIyNSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXdlYmxvZ2ljLG91PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWluIn0.GZ3-X4NRGdQ99MB63B5MmPuyE5M2kFwqHMQ97AXwBjYElMepZdziTEgDeYLKJuVB83plSGwpfQEDdzlxR3Sy7tRXbfV3EdK1lpbUyUyEEIwAfuu4xtbNERKrPw3pJoPtUq0TCd0BV2sRdyy1zuSBdU2J6zUjG8rW-PYDWI_A0PM"
X-Idaas-Rest-Subject-CREDENTIAL: Use this attribute to supply the extra credential required for token exchange. X-Idaas-Rest-Subject-Type must be specified as TOKEN in this case.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/oic_rest/rest/jwtauthentication/access -d '{"X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-CREDENTIAL":"12345",...}'
curl -H "Content-Type: application/json" --request POST http://host.example.com:14100/oic_rest/rest/jwtoamauthentication/authenticate -d '{"X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN::OAMUT","USERTOKEN::OAMMT"], "X-Idaas-Rest-Subject-Value":"JWT-Token-Value", "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-CREDENTIAL":"12345"}'
X-Idaas-Rest-Subject-Username: Use this attribute to supply the user name as a string, only if the X-Idaas-Rest-Subject-Type value is USERCREDENTIAL.
curl -i -H "Content-Type: application/json" --request POST http://host.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"sampleuser", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}'
X-Idaas-Rest-Subject-Password: Use this attribute to supply the password as a string, only if the X-Idaas-Rest-Subject-Type value is USERCREDENTIAL.
curl -i -H "Content-Type: application/json" --request POST http://host.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"sampleuser", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}'
X-Idaas-Rest-New-Token-Type-To-Create: Use this attribute to provide the token types to be created. Multiple token types can be specified in a request.
curl -i -H "Content-Type: application/json" --request POST http://host.example.com:14100/oic_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"sampleuser", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}'
X-Idaas-Rest-Application-Context: Use this attribute to specify the application context for which an Access Token is needed. The supplied value must be a string.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/oic_rest/rest/jwtauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"vTBI8jN8eYIsfAp%2BZqe...Gk5A%3D%3D", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource":"http://h5.example.com:7779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN"}'
X-Idaas-Rest-Application-Resource: Use this attribute to specify the target resource for which an Access Token is needed. The supplied value must be a string.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/oic_rest/rest/jwtauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"vTBI8jN8eYIsfAp%2BZqe...5XFSQk5A%3D%3D", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource":"http://h5.example.com:7779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN"}'
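The attribute rules above (the four subject types, the username and password pair that only USERCREDENTIAL accepts, the TOKEN subject plus application context and resource that an Access Token needs, and the URL-encoded query versus raw header forms of a token subject) can be enforced on the client before a request is sent. The following Python is an added example, not Oracle's code or SDK: the host and endpoint base are copied from the cURL samples on this page, the builder and checker function names are my own, and nothing is sent on the wire; the request is assembled as plain data so it can be reviewed or logged (with the password redacted) first.

```python
import json
from urllib.parse import urlencode

# Host, port and endpoint base copied from the page's cURL samples (hypothetical host).
BASE = "http://host.us.example.com:14100/oic_rest/rest/jwtauthentication"
SUBJECT_TYPES = ("USERCREDENTIAL", "UID", "UIDASSERTION", "TOKEN")
TOKEN_TYPES = ("CLIENTTOKEN", "USERTOKEN", "ACCESSTOKEN", "USERTOKEN::OAMMT")


def common_headers(service_domain="Default", version="v1"):
    """Reserved request headers. Names and values are case-sensitive, so the
    builder keeps them exactly as written instead of handing them to a library
    that re-cases header names."""
    return {
        "Content-Type": "application/json",
        "X-IDAAS-REST-VERSION": version,          # omitted => latest SDK version
        "X-IDAAS-SERVICEDOMAIN": service_domain,  # omitted => "Default"
    }


def authenticate_body(username, password, token_types="USERTOKEN"):
    """Body for POST .../authenticate with a USERCREDENTIAL subject; the
    Username and Password attributes are only valid for that subject type."""
    return {
        "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL",
        "X-Idaas-Rest-Subject-Username": username,
        "X-Idaas-Rest-Subject-Password": password,
        "X-Idaas-Rest-New-Token-Type-To-Create": token_types,
    }


def access_body(user_token, app_context, resource):
    """Body for POST .../access: a TOKEN subject plus the application context
    and target resource for which an ACCESSTOKEN is wanted."""
    return {
        "X-Idaas-Rest-Subject-Type": "TOKEN",
        "X-Idaas-Rest-Subject-Value": user_token,
        "X-Idaas-Rest-Application-Context": app_context,
        "X-Idaas-Rest-Application-Resource": resource,
        "X-Idaas-Rest-New-Token-Type-To-Create": "ACCESSTOKEN",
    }


def problems(body):
    """Pre-flight check of a body against the attribute rules in this section.
    Returns the list of violations; an empty list means the body is well-formed."""
    out = []
    stype = body.get("X-Idaas-Rest-Subject-Type")
    if stype not in SUBJECT_TYPES:
        out.append("X-Idaas-Rest-Subject-Type must be one of " + ", ".join(SUBJECT_TYPES))
    elif stype == "USERCREDENTIAL":
        if not (body.get("X-Idaas-Rest-Subject-Username") and body.get("X-Idaas-Rest-Subject-Password")):
            out.append("USERCREDENTIAL requires X-Idaas-Rest-Subject-Username and X-Idaas-Rest-Subject-Password")
    elif not body.get("X-Idaas-Rest-Subject-Value"):
        out.append(stype + " requires X-Idaas-Rest-Subject-Value")
    wanted = body.get("X-Idaas-Rest-New-Token-Type-To-Create", [])
    wanted = [wanted] if isinstance(wanted, str) else list(wanted)
    for t in wanted:
        if t not in TOKEN_TYPES:
            out.append("unknown token type " + repr(t))
    if "ACCESSTOKEN" in wanted:
        for key in ("X-Idaas-Rest-Application-Context", "X-Idaas-Rest-Application-Resource"):
            if not isinstance(body.get(key), str):
                out.append(key + " must be a string when requesting an ACCESSTOKEN")
    return out


def validate_url(token):
    """GET .../validate with the subject in the query string. Here the token
    value must be URL-encoded: urlencode turns '+', '/' and '=' into %2B %2F %3D."""
    query = urlencode([("X-Idaas-Rest-Subject-Value", token),
                       ("X-Idaas-Rest-Subject-Type", "TOKEN")])
    return BASE + "/validate?" + query


def subject_header(token):
    """The same subject carried in the X-Idaas-Rest-Subject header: type and
    value separated by one space, and the value is NOT URL-encoded."""
    return {"X-Idaas-Rest-Subject": "TOKEN " + token}


def build_request(path, body=None, extra_headers=None):
    """Assemble the request as plain data (method, url, headers, body) so it can
    be reviewed before anything is sent; -d in cURL implies POST, as here."""
    headers = common_headers()
    headers.update(extra_headers or {})
    return {
        "method": "POST" if body is not None else "GET",
        "url": BASE + path,
        "headers": headers,
        "body": json.dumps(body) if body is not None else None,
    }


if __name__ == "__main__":
    req = build_request("/authenticate", authenticate_body("profileid1", "secret12", "CLIENTTOKEN"))
    print(req["method"], req["url"])
    print(req["body"])
    print(validate_url("abc+/="))
    print(problems(access_body("tok", "ctx", 42)))
```

The checker is deliberately separate from the builders: a body assembled by hand, or one received from another component, can be run through problems() in the same way before it reaches the server, which is where a malformed subject would otherwise surface as a 4xx with little context.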
X-Idaas-Rest-User-Principal: Used to return the principal user.
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2012 11:35:13 GMT
Transfer-Encoding: chunked
Content-Type: application/json
X-IDAAS-REST-VERSION: v1
Set-Cookie: JSESSIONID=TCjjPNnRvL6fvhJpMSjLhHYrFyMKqwcFxTNL1RQzyvkSJ7G2TLj4!1574236250; path=/; HttpOnly
X-ORACLE-DMS-ECID: a393487d2600b00c:-7abb0b83:137b52ee014:-8000-00000000000026f5
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "X-Idaas-Rest-Token-Value":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9.eyJleHAiOjEzMzg4OTk3MTMxMzcsImF1ZCI6Im9hbV9zZXJ2ZXIxIiwiaXNzIjoiSldUQXV0aGVudGljYXRpb24iLCJwcm4iOiJ3ZWJsb2dpYyIsImp0aSI6IjNlMjdiZjc4LTg3NDQtNDFkMS05MzlmLTlkZGd0N2VkNGFlNyIsIm9yYWNsZS5vaWMudG9rZW4udHlwZSI6IlVTRVJUT0tFTiIsImlhdCI6MTMzODg5NjExMzEzNywib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXdlYmxvZ2ljLG91PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWluIn0.hHmAa5Syw3AcqRPwIqXLx6DcMzCBzvDXGFYvwAf9nqVgxgvLTJfxZzofS5Ut272b0dFGsv3qakeDm2NTgg6fR2YKH5BxAHnEmq0IAmhLuyWdux_rMZNB-wP8h5JD26UQfnnBBWApvgULeM2mWQEzYRVDMpN9K7pycNrsGK8U",
  "X-Idaas-Rest-User-Principal":"jdoe",
  "X-Idaas-Rest-Provider-Type":"JWT",
  "X-Idaas-Rest-Token-Type":"USERTOKEN"
}
X-Idaas-Rest-Provider-Type: Used to return the token provider type. Valid values include OAM_10G, OAM_11G, and JWT.
HTTP/1.1 200 OK
Date: Tue, 05 Jun 2012 11:35:13 GMT
Transfer-Encoding: chunked
Content-Type: application/json
X-IDAAS-REST-VERSION: v1
Set-Cookie: JSESSIONID=TCjjPNnRvL6fvhJpMSjLhHYrFyMKqwcFxTNL1RQzyvkSJ7G2TLj4!157423; path=/; HttpOnly
X-ORACLE-DMS-ECID: a393487d2600b00c:-7abb0b83:137b52ee014:-8000-00000000000026f5
X-Powered-By: Servlet/2.5 JSP/2.1

{
  "X-Idaas-Rest-Token-Value":"eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9.eyJleHAiOjEzMzg4OTk3MTMxMzcsImF1ZCI6Im9hbV9zZXJ2ZXIxIiwiaXNzIjoiSldUQXV0aGVudGljYXRpb24iLCJwcm4iOiJ3ZWJsb2dpYyIsImp0aSI6IjNlMjdiZjc4LTg3NDQtNDFkMS05MzlmLTlkZGY0N2VkNGFlNyIsIm9yYWNsZS5vaWMudG9rZW4udHlwZSI6IlVTRVJUT0tFTiIsImlhdCI6MTMzODg5NjExMzEzNywib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXdlYmxvZ2ljLG91PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWluIn0.hHmAa5Syw3AcqRPwIq_XLx6DcMzCBzvDXGFYvwAf9nqVgxgvLTJJfxZzofS5Ut272b0dFGsv3qakeDm2NTgg6fR2YKH5BxAHnEmq0IAmhLuyWdux_rMZNB-wP8h5JD26UQf_nnBBWApvgULeM2mWQEzYRVDMpN9K7pycNrsGK8U",
  "X-Idaas-Rest-User-Principal":"weblogic",
  "X-Idaas-Rest-Provider-Type":"JWT",
  "X-Idaas-Rest-Token-Type":"USERTOKEN"
}
The authorization schemes in this section are used to protect the Mobile and Social REST Services.
The following calls are demonstrated:
UIDPASSWORD authorization
HTTP Basic authorization
Access Manager (Token) authorization
Shows how to send the REST call required for UIDPASSWORD authentication.
curl --request GET "localhost:18001/idaas_rest/rest/authorizationservice3/authorization?resource=http://is-x86-05.us.example.com:7779/index.html&action=GET&X-Idaas-Rest-Subject-Value=ZNsJcMMM3ow83Zr5D8KqCPnhBGmui4RnBvUXJ5dqC7OfwZIv6FDcYWwfPuHupxN%2Bfs5qN0I6AWIZBX%2F2KQNNQ5bPDN1XqeE8y7OPPoy4znteEfCaRHb7UA1ia1ox%2BW85LbknXCLaZ5q%2FN4I0IcXP%2B13FGX9r9LROQ3OZZVNMLhfx3KabZcIVmSHBkK%2FARGYEJQv6RO%2FPCMN2YYTJgWxGr20rWeG8NLbzgN%2FPyADxxlPLvkxH2YCVHHH7bLBfOp3p83IbJ%2FC%2Bm9sCd4YjlSlhsMUXKtvZ1LnJME4UymuR5tXuw2B0Yr25OHxUbMreIGgRYZXFonmjhAovKhXqIgzpIg%3D%3D&X-Idaas-Rest-Subject-Type=TOKEN" -H "X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred=\"Tp8aUEeptClBz6A6h9cH8F%2FwcZJvLok976\"" -H "Authorization: gdX4z0leySgt0DiPeItsQfBweYZIfZ2dm7fVypNz%2Bf6pbrzF7P4AvUzPXIzLf2lL0zHuvNI%2B77OsUESM99U6zQjytC%2FgrAD6O2QdSe2VUNGjjw8Di5ev1gSI0m5a5VQO9rmGNlB1xndnPYoaX0nDpi3eGAyQNw3PUAbEGYglsDMR1js2jsiXKyexryn8k1coc3EHGqk%2ByqfEXzfzGjwEB4ipnSGg2c4a9BX2BKjKLoOD0PdNVc2nf6f%2F7T2CkhA%2BSFowwE%2BEIzvQ7cVbeRYqco2eYCJhs8GS8Haq9T2dnhIAa4tux9MyxVLRNRtDdq39HDr5hvUI7OpHQHNUMeRcPQ%3D%3D"
In a request, use the X-IDAAS-SERVICEDOMAIN header name to specify a Service Domain value. The X-IDAAS-SERVICEDOMAIN name can be used as a query parameter or a header. If a Service Domain value is not provided, the system will use the "Default" Service Domain.
Shows how to send the REST call required for HTTP Basic authorization.
curl --request GET "localhost:18001/idaas_rest/rest/authorizationservice3/authorization?resource=http://is-x86-05.us.example.com:7779/index.html&action=GET&X-Idaas-Rest-Subject-Value=ZNsJcMMM3ow83Zr5D8KqCPnhBGmui4RnBvUXJ5dqC7OfwZIv6FDcYWwfPuHupxN%2Bfs5qN0I6AWIZBX%2F2KQNNQ5bPDN1XqeE8y7OPPoy4znteEfCaRHb7UA1ia1ox%2BW85LbknXCLaZ5q%2FN4I0IcXP%2B13FGX9r9LROQ3OZZVNMLhfx3KabZcIVmSHBkK%2FARGYEJQv6RO%2FPCMN2YYTJgWxGr20rWeG8NLbzgN%2FPyADxxlPLvkxH2YCVHHH7bLBfOp3p83IbJ%2FC%2Bm9sCd4YjlSlhsMUXKtvZ1LnJME4UymuR5tXuw2B0Yr25OHxUbMreIGgRYZXFonmjhAovKhXqIgzpIg%3D%3D&X-Idaas-Rest-Subject-Type=TOKEN" -H "X-IDAAS-REST-AUTHORIZATION: Basic Tp8aUEeptClBz6A6h9cH8F%2FwcZJvLok976" -H "Authorization: TOKEN gdX4z0leySgt0DiPeItsQfBweYZIfZ2dm7fVypNz%2Bf6pbrzF7P4AvUzPXIzLf2lL0zHuvNI%2B77OsUESM99U6zQjytC%2FgrAD6O2QdSe2VUNGjjw8Di5ev1gSI0m5a5VQO9rmGNlB1xndnPYoaX0nDpi3eGAyQNw3PUAbEGYglsDMR1js2jsiXKyexryn8k1coc3EHGqk%2ByqfEXzfzGjwEB4ipnSGg2c4a9BX2BKjKLoOD0PdNVc2nf6f%2F7T2CkhA%2BSFowwE%2BEIzvQ7cVbeRYqco2eYCJhs8GS8Haq9T2dnhIAa4tux9MyxVLRNRtDdq39HDr5hvUI7OpHQHNUMeRcPQ%3D%3D"
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
HTTP Basic has to be configured for the client with an encrypted password in the client definition, as shown here:
<IdaasClient description="OIC Client 1" name="clientid1">
  <authnService>sampletokenservice</authnService>
  <param>
    <name>userId4BasicAuth</name>
    <value>rest_client1</value>
  </param>
  <param>
    <name>sharedSecret4BasicAuth</name>
    <value>9Qo9olLIl5gDwESYR0hOgw==</value>
  </param>
</IdaasClient>
Shows how to send the REST call required for Access Manager authorization.
curl --request GET "localhost:18001/idaas_rest/rest/authorizationservice3/authorization?resource=http://is-x86-05.us.example.com:7779/index.html&action=GET&X-Idaas-Rest-Subject-Value=ZNsJcMMM3ow83Zr5D8KqCPnhBGmui4RnBvUXJ5dqC7OfwZIv6FDcYWwfPuHupxN%2Bfs5qN0I6AWIZBX%2F2KQNNQ5bPDN1XqeE8y7OPPoy4znteEfCaRHb7UA1ia1ox%2BW85LbknXCLaZ5q%2FN4I0IcXP%2B13FGX9r9LROQ3OZZVNMLhfx3KabZcIVmSHBkK%2FARGYEJQv6RO%2FPCMN2YYTJgWxGr20rWeG8NLbzgN%2FPyADxxlPLvkxH2YCVHHH7bLBfOp3p83IbJ%2FC%2Bm9sCd4YjlSlhsMUXKtvZ1LnJME4UymuR5tXuw2B0Yr25OHxUbMreIGgRYZXFonmjhAovKhXqIgzpIg%3D%3D&X-Idaas-Rest-Subject-Type=TOKEN" -H "X-IDAAS-REST-AUTHORIZATION: TOKEN Tp8aUEeptClBz6A6h9cH8F%2FwcZJvLok976c5q0SitrrgSCJ5FQk58KMtUg2FCPLbjZbP2%2B3P5zZPiSCeHwNua%2FBHdIDCOnUYOXNg4uBKA7t7O4jGRfn49xkOVXunF%2B5zMQUiGUlwTXPYiKwooAknkeHs3HIq6s2if%2FHpuPHcurRa%2BdyfjWfYWTpqPeo%2FzyHHzDH1wF8hM6k6YwJ%2FpxD8avuXogP%2Bp5j2tCZ0aAhonseNMcKvGTRBoV1shGnotK9gt01nDgc2LWA5oidJgxlcaWDw3%2FXZhvgudkLwl0jxEw0K%2BzffyeZs0gfUkZJBnsm8qh2KP%2BiCPzT7HPVPF%2FyYCg%3D%3D" -H "Authorization: TOKEN gdX4z0leySgt0DiPeItsQfBweYZIfZ2dm7fVypNz%2Bf6pbrzF7P4AvUzPXIzLf2lL0zHuvNI%2B77OsUESM99U6zQjytC%2FgrAD6O2QdSe2VUNGjjw8Di5ev1gSI0m5a5VQO9rmGNlB1xndnPYoaX0nDpi3eGAyQNw3PUAbEGYglsDMR1js2jsiXKyexryn8k1coc3EHGqk%2ByqfEXzfzGjwEB4ipnSGg2c4a9BX2BKjKLoOD0PdNVc2nf6f%2F7T2CkhA%2BSFowwE%2BEIzvQ7cVbeRYqco2eYCJhs8GS8Haq9T2dnhIAa4tux9MyxVLRNRtDdq39HDr5hvUI7OpHQHNUMeRcPQ%3D%3D"
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Note that the token value in the query parameter is URL-encoded, but the same value in the header is not.
The Application Profile has to be defined with a unique name that cannot be applied to any other authentication service. For example:
<ApplicationProfile description="OIC Client 5" name="profileid3">
</ApplicationProfile>
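The three application-credential schemes accepted in X-IDAAS-REST-AUTHORIZATION (HTTP Basic, UIDPassword, Token) and the authorization call shown in this section, which carries the user token URL-encoded in the query string and raw in the Authorization header, fit together in a single request builder. The following Python is an added example and not Oracle code: the endpoint is the one from the sample commands, the function names are mine, and the base64(userId:secret) encoding used for the Basic value is the standard HTTP Basic form, which is an assumption, since the page only shows an opaque Basic credential.

```python
import base64
from urllib.parse import urlencode

# Hypothetical endpoint, copied from the page's sample authorization command.
AUTHZ_URL = "http://localhost:18001/idaas_rest/rest/authorizationservice3/authorization"


def basic_credential(user_id, shared_secret):
    """Standard HTTP Basic token: base64(userId:secret). ASSUMPTION: the page
    shows only an opaque Basic value, so this is the usual HTTP encoding, not a
    format the Mobile and Social documentation spells out."""
    return base64.b64encode((user_id + ":" + shared_secret).encode()).decode()


def app_credential_header(scheme, credential):
    """X-IDAAS-REST-AUTHORIZATION value in the three shapes shown on the page:
    'Basic <value>', 'UIDPASSWORD cred="<value>"' and 'Token <value>'."""
    if scheme == "Basic":
        value = "Basic " + credential
    elif scheme == "UIDPASSWORD":
        value = 'UIDPASSWORD cred="' + credential + '"'
    elif scheme == "Token":
        value = "Token " + credential
    else:
        raise ValueError("unknown application credential scheme: " + scheme)
    return {"X-IDAAS-REST-AUTHORIZATION": value}


def authorization_request(scheme, app_credential, user_token, resource,
                          action="GET", service_domain=None):
    """GET authorization?resource=..&action=..&X-Idaas-Rest-Subject-Value=..&
    X-Idaas-Rest-Subject-Type=TOKEN. The user token goes URL-encoded into the
    query but raw into the Authorization header, as the page notes; urlencode
    also percent-encodes the resource URL, which the sample leaves bare."""
    params = [("resource", resource), ("action", action),
              ("X-Idaas-Rest-Subject-Value", user_token),
              ("X-Idaas-Rest-Subject-Type", "TOKEN")]
    if service_domain:  # may be sent as a query parameter instead of a header
        params.append(("X-IDAAS-SERVICEDOMAIN", service_domain))
    headers = app_credential_header(scheme, app_credential)
    headers["Authorization"] = user_token
    return {"method": "GET", "url": AUTHZ_URL + "?" + urlencode(params), "headers": headers}


if __name__ == "__main__":
    req = authorization_request("Basic", basic_credential("rest_client1", "s3cret"),
                                "ZNsJc+user/token==",
                                "http://is-x86-05.us.example.com:7779/index.html")
    print(req["url"])
    print(req["headers"])
```

Keeping the scheme selection in one function means a client can switch between Basic and Token protection of the authorization service without touching the query construction, and the raw Authorization header value is visibly the same string that was percent-encoded into the query.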
The cURL commands in this section show the REST calls used to request security tokens from the Mobile and Social server. Some REST calls use the POST method, whereas others use GET.
The following calls are demonstrated:
Request a Client Token
Request a User Token
Request an Access Token
Request Multiple Tokens
Get a Client Token (tokens/info)
Delete a Token
Request an Authorization Decision (authorizationservice1)
The following calls are valid when used with the JWT-OAM Authentication Service Provider:
Create a JWT User Token, OAM User Token, and OAM Master Token
Testing the JWT-OAM + PIN Token Service Provider (Mobile Case)
Testing the JWT-OAM + PIN Token Service Provider (Desktop Case)
Shows how to send the REST call to request a client token.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/tokenservice1/tokens -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"client1", "X-Idaas-Rest-Subject-Password":"secret12", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTTOKEN"}'
{"X-Idaas-Rest-Token-Value":"kubExOtDjCtL5Q0R1QhAgL5zNVmDFYKG1Y0AUe+P9HKvnz4gIDVxYIMNxxyfJJpmkT5XtYKkDgW295juWEcK7c7LmPBkxE6MytcfvKh4HzWIUGEgS2uKej3PQJG49RpZ6UxAPZbGYWj7fpjZoqBhtPiCtyacI0C22bl2/DbbRCVx4341z68j5YiTgOklGC6lIucSorlM7pBI54bxygFZsrF1DVKxL+RNhrobYsN6I7fFLR4fL+iO/BZcbwM/4SNDuCIC82eOxPI/mTcRraz0cLw9tcLbw7c11MjC2euEBSGUjGcNmxpbhiJIt7SIBzJczzNsaBnH+2fKx/VTeVVvGQgGAf19e5b1Drj5QyNhj2I=", "X-Idaas-Rest-Token-Type":"CLIENTTOKEN", "X-Idaas-Rest-User-Principal":"client-1", "X-Idaas-Rest-Provider-Type":"OAM_11G"}
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Shows how to send a REST call requesting a User token.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/tokenservice1/tokens -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"tester1", "X-Idaas-Rest-Subject-Password":"secret12", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN"}'
{"X-Idaas-Rest-Token-Value":"adc3bfbExOtDjCtL5Q0R1QhAgL5zNVmDFYKG1Y0AUe+P9HKvnz4gIDVxYIMNxxyfJJpmkT5XtYKkDgW295juWEcK7c7LmPBkxE6MytcfvKh4HzWIUGEgS2uKej3PQJG49RpZ6UxAPZbGYWj7fpjZoqBhtPiCtyacI0C22bl2/DbbRCVx4341z68j5YiTgOklGC6lIucSorlM7pBI54bxygFZsrF1DVKxL+RNhrobYsN6I7fFLR4fL+iO/BZcbwM/4SNDuCIC82eOxPI/mTcRraz0cLw9tcLbw7c11MjC2euEBSGUjGcNmxpbhiJIt7SIBzJczzNsaBnH+2fKx/VTeVVvGQgGAf19e5b1Drj5QyNhj2I=", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-User-Principal":"user-1", "X-Idaas-Rest-Provider-Type":"OAM_11G"}
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Shows how to send a REST call requesting an access token.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/tokenservice1/tokens -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"vTBI8jN8eYsmHCU..5XFSQA%3D%3D", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource":"http://wgte2.example.com:779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN"}'
{"X-Idaas-Rest-Token-Value":"R1QhAgL5zNVmDFYKG1Y0AUe+P9HKvnz4gIDVxYIMNxxyfJJpmkT5XtYKkDgW295juWEcK7c7LmPBkxE6MytcfvKh4HzWIUGEgS2uKej3PQJG49RpZ6UxAPZbGYWj7fpjZoqBhtPiCtyacI0C22bl2/DbbRCVx4341z68j5YiTgOklGC6lIucSorlM7pBI54bxygFZsrF1DVKxL+RNhrobYsN6I7fFLR4fL+iO/BZcbwM/4SNDuCIC82eOxPI/mTcRraz0cLw9tcLbw7c11MjC2euEBSGUjGcNmxpbhiJIt7SIBzJczzNsaBnH+2fKx/VTeVVvGQgGAf19e5b1Drj5QyNhj2I=", "X-Idaas-Rest-Token-Type":"ACCESSTOKEN", "X-Idaas-Rest-User-Principal":"user-1", "X-Idaas-Rest-Provider-Type":"OAM_11G"}
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Shows how to send a REST call requesting multiple tokens, for example a User Token and a Master Token.
curl -i -H "Content-Type: application/json" --request POST http://host12.example.com:1801/idaas_rest/rest/jwtauthentication/authenticate -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"testuser", "X-Idaas-Rest-Subject-Password":"userpassword", "X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN","USERTOKEN::OAMMT"]}'
{
  "TokensList": [
    {
      "X-Idaas-Rest-Token-Value":"eyJhbGciOiJSUzx...GbC7cswpZN1ep8up3E34",
      "X-Idaas-Rest-Token-Type":"USERTOKEN",
      "X-Idaas-Rest-User-Principal":"testuser",
      "X-Idaas-Rest-Provider-Type":"JWT",
      "handles": {
        "DebugDummyHandleName1": {"expirationTSInSec":1332192041,"value":"DebugDummyHandleValue1"}
      }
    },
    {"X-Idaas-Rest-Token-Type":"USERTOKEN::OAMMT"}
  ]
}
You can specify the Mobile and Social Token Type by using the X-Idaas-Rest-New-Token-Type-To-Create parameter. It must be one of the following:
CLIENTTOKEN
USERTOKEN
ACCESSTOKEN
USERTOKEN::OAMMT
If the authentication service provider can issue a Master Token, the client will get two tokens: a User Token and the Master Token.
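A client that receives a token response should confirm what it was given before it places the token in the AUTHORIZATION header: the provider type, that the type claim inside a JWT matches X-Idaas-Rest-Token-Type, that the prn claim matches X-Idaas-Rest-User-Principal, and that the token has not already expired. The following Python is an added example and not part of the Oracle documentation or SDK. It decodes the JWT User Token for principal weblogic shown earlier on this page without verifying the signature (verification needs the server's RS512 public key, which the kid header names as "orakey"), and it handles both response shapes from this section, a single token object and the TokensList array whose OAMMT entry carries no value. The function names are mine; the fact that the sample tokens carry exp and iat as 13-digit millisecond values comes from decoding the page's own tokens.

```python
import base64
import json

# JWT USERTOKEN taken from this page (principal "weblogic"). The signature segment
# is kept but NOT verified here: that needs the RS512 public key named by "kid".
SAMPLE_JWT = (
    "eyJhbGciOiJSUzUxMiIsInR5cCI6IkpXVCIsImtpZCI6Im9yYWtleSJ9."
    "eyJleHAiOjEzMzg5MDEzMzUyMjUsImF1ZCI6Im9hbV9zZXJ2ZXIxIiwiaXNzIjoiSldUQXV0aGVu"
    "dGljYXRpb24iLCJwcm4iOiJ3ZWJsb2dpYyIsImp0aSI6ImUzNDZiYjJiLTQyZmYtNGRjMC1hOTZk"
    "LWYyY2U5MjM0NTM0YSIsIm9yYWNsZS5vaWMudG9rZW4udHlwZSI6IlVTRVJUT0tFTiIsImlhdCI6"
    "MTMzODg5NzczNTIyNSwib3JhY2xlLm9pYy50b2tlbi51c2VyX2RuIjoidWlkPXdlYmxvZ2ljLG91"
    "PXBlb3BsZSxvdT1teXJlYWxtLGRjPWJhc2VfZG9tYWluIn0."
    "GZ3-X4NRGdQ99MB63B5MmPuyE5M2kFwqHMQ97AXwBjYElMepZdziTEgDeYLKJuVB83plSGwpfQED"
    "dzlxR3Sy7tRXbfV3EdK1lpbUyUyEEIwAfuu4xtbNERKrPw3pJoPtUq0TCd0BV2sRdyy1zuSBdU2J"
    "6zUjG8rW-PYDWI_A0PM"
)

# Constructed multi-token response in the TokensList shape shown above; the
# Master Token entry carries no value, exactly as in the page's sample.
SAMPLE_RESPONSE = {"TokensList": [
    {"X-Idaas-Rest-Token-Value": SAMPLE_JWT, "X-Idaas-Rest-Token-Type": "USERTOKEN",
     "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "JWT"},
    {"X-Idaas-Rest-Token-Type": "USERTOKEN::OAMMT"},
]}


def _b64url_json(segment):
    # base64url segments are unpadded; restore the padding before decoding
    return json.loads(base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4)))


def decode_jwt_claims(token):
    """Return (header, claims) of a compact JWT WITHOUT checking the signature.
    Suitable for inspection only; a trust decision needs the signature verified
    against the key that the 'kid' header identifies."""
    header, payload, _signature = token.split(".")
    return _b64url_json(header), _b64url_json(payload)


def to_seconds(ts):
    """The page's sample tokens carry exp/iat as 13-digit millisecond values;
    normalise so they can be compared with time.time()."""
    return ts // 1000 if ts > 10**11 else ts


def issued_tokens(response):
    """Entries that actually carry a token value, from either response shape:
    a single token object or {"TokensList": [...]}."""
    entries = response.get("TokensList", [response])
    return [e for e in entries if e.get("X-Idaas-Rest-Token-Value")]


def check_user_token(entry, now_seconds):
    """Consistency checks a client can run on a JWT token entry before using it
    in the AUTHORIZATION header; returns a list of findings (empty when clean)."""
    if entry.get("X-Idaas-Rest-Provider-Type") != "JWT":
        return ["not a JWT provider token; claims cannot be inspected this way"]
    findings = []
    header, claims = decode_jwt_claims(entry["X-Idaas-Rest-Token-Value"])
    if header.get("alg") != "RS512":
        findings.append("unexpected alg " + str(header.get("alg")))
    if claims.get("oracle.oic.token.type") != entry.get("X-Idaas-Rest-Token-Type"):
        findings.append("token type claim does not match X-Idaas-Rest-Token-Type")
    if claims.get("prn") != entry.get("X-Idaas-Rest-User-Principal"):
        findings.append("prn claim does not match X-Idaas-Rest-User-Principal")
    if now_seconds >= to_seconds(claims["exp"]):
        findings.append("token expired")
    return findings


def lifetime_seconds(claims):
    """exp minus iat, in seconds, after millisecond normalisation."""
    return to_seconds(claims["exp"]) - to_seconds(claims["iat"])


if __name__ == "__main__":
    for entry in issued_tokens(SAMPLE_RESPONSE):
        hdr, claims = decode_jwt_claims(entry["X-Idaas-Rest-Token-Value"])
        print(hdr, claims["prn"], claims["oracle.oic.token.type"], lifetime_seconds(claims))
        print(check_user_token(entry, to_seconds(claims["iat"]) + 60))
```

Decoding the page's token this way shows iss JWTAuthentication, aud oam_server1, the user's DN in oracle.oic.token.user_dn and a one-hour lifetime between iat and exp; the millisecond normalisation matters because comparing the raw 13-digit exp with a seconds clock would never report expiry.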
Shows how to send the REST call required to request (get) a client token.
curl --request GET http://localhost:18001/idaas_rest/rest/mobilesecret1/tokens/info -H "X-Idaas-Rest-Subject: TOKEN someTokenValue"
{"X-Idaas-Rest-Token-Value":"QA8wjxWGSf3VMggfxFFYW4Yrre0DuG7hOagET4yfF3PXbbUUsgh7uJUOEX5aZAQPsrV90J20gtALfhiUI32gbxooeqppGnQSLnk0ehpN4%2B6%2BCgR2nOMrYzoLiU7%2FvrnoG7894eUfxHwmvZESQw4w4ez6L%2BOcaHF2tc05F4zkqi6%2BveSL4uFdiaMh9pJ2k%2BXF%2FWn2Q8IfOWBdk2IzWeFhwi35CzMLJrNiAST%2BdMWhteIKcNEFbvS1WFaYR8Fjzx%2FpuU3%2FdTaG2gXxDJxE%2BpI2bpanks4fdZwaFmkLCraUfJFdtiGgOk2SIVIwi4UYCBAbM9XZJ5nyjtmxpqEESKJSGQ%3D%3D", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-User-Principal":"testuser", "X-Idaas-Rest-Provider-Type":"JWT" }
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Note that the token value in the query parameter is URL-encoded, but the same value in the header is not.
Shows how to send the REST call required to delete a token.
curl -H "Content-Type:application/json" --request DELETE http://localhost:18001/oic_rest/rest/jwtauthentication/tokens/info -d '{ "X-Idaas-Rest-Subject-Value":"YHEGjRP5eewNeXeK9v%2F3YBX...tvMJW9p%3D", "X-Idaas-Rest-Subject-Type":"TOKEN"}'
curl -H "Content-Type: application/json" --request DELETE http://localhost:14100/oic_rest/rest/oamauthentication/tokens -d '{ "X-Idaas-Rest-Subject-Value":"jdoe", "X-Idaas-Rest-Subject-Type":"UID"}' -H "Authorization: 01wIWzki0cF0Z...6hwVYV4fZ2CAMSXZHKPKD8="
You can use X-Idaas-Rest-Subject-Type to specify either TOKEN or UID. Use X-Idaas-Rest-Subject-Value to specify either the token or the UID value.
To delete a single token when the subject type is TOKEN, use either the service endpoint ~/tokens/info or ~/delete.
To delete all the tokens belonging to the token owner when the subject type is TOKEN, use the service endpoint ~/tokens. Use the -H "AUTHORIZATION: <User Token Value>" header to validate the request.
If the subject type is UID, use the service endpoint ~/tokens to delete all the tokens belonging to the UID. Use the -H "AUTHORIZATION: <User Token Value>" header to validate the request.
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Note that the token value in the query parameter is URL-encoded, but the same value in the header is not.
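The endpoint and header rules for deleting tokens map directly onto a small request builder. The following Python is an added example, not Oracle code; the host is the one from the sample commands, the function names are mine, and the builder refuses to assemble an owner-wide or UID deletion without the User Token that the AUTHORIZATION header must carry.

```python
import json

# Hypothetical host and service base, copied from the page's sample delete command.
BASE = "http://localhost:18001/oic_rest/rest/jwtauthentication"


def requires_user_token(subject_type, scope):
    """Owner-wide deletion (TOKEN subject, scope "all") and any deletion by UID
    must be validated with the owner's User Token in the AUTHORIZATION header."""
    return subject_type == "UID" or scope == "all"


def delete_request(subject_type, subject_value, scope="single", user_token=None,
                   single_endpoint="/tokens/info"):
    """Build the DELETE call described above:
      TOKEN, single -> .../tokens/info or .../delete, no AUTHORIZATION needed
      TOKEN, all    -> .../tokens, AUTHORIZATION: <User Token Value>
      UID           -> .../tokens, AUTHORIZATION: <User Token Value>
    Returns the request as plain data; raises ValueError for an invalid combination."""
    if subject_type not in ("TOKEN", "UID"):
        raise ValueError("X-Idaas-Rest-Subject-Type must be TOKEN or UID for a delete")
    if single_endpoint not in ("/tokens/info", "/delete"):
        raise ValueError("single-token deletion uses /tokens/info or /delete")
    if subject_type == "UID":
        scope = "all"  # a UID subject always removes every token that belongs to the user
    headers = {"Content-Type": "application/json"}
    if requires_user_token(subject_type, scope):
        if not user_token:
            raise ValueError("this deletion must be validated with AUTHORIZATION: <User Token Value>")
        headers["AUTHORIZATION"] = user_token  # raw token value, not URL-encoded
    path = single_endpoint if scope == "single" else "/tokens"
    body = {"X-Idaas-Rest-Subject-Value": subject_value,
            "X-Idaas-Rest-Subject-Type": subject_type}
    return {"method": "DELETE", "url": BASE + path, "headers": headers,
            "body": json.dumps(body)}


if __name__ == "__main__":
    print(delete_request("TOKEN", "YHEGjRP5...tvMJW9p="))
    print(delete_request("TOKEN", "YHEGjRP5...tvMJW9p=", "all", user_token="01wIWzki...KPKD8="))
    print(delete_request("UID", "jdoe", user_token="01wIWzki...KPKD8="))
```

Treating the UID case as "all" inside the builder reflects the text: a UID subject has no single-token form, so the only valid target is ~/tokens with the user's own token as proof that the caller may revoke that user's sessions.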
Shows how to send the REST call required to request a client token.
curl --request GET "localhost:18001/idaas_rest/rest/authorizationservice1/authorization?resource=http://webgate123.us.example.com:7779/index.html&action=GET&X-Idaas-Rest-Subject-Value=ZNsJcMMM3ow83Zr5D8KqCPnhBGmui4RnBvUXJ5dqC7OfwZIv6FDcYWwfPuHupxN%2Bfs5qN0I6AWIZBX%2F2KQNNQ5bPDN1XqeE8y7OPPoy4znteEfCaRHb7UA1ia1ox%2BW85LbknXCLaZ5q%2FN4I0IcXP%2B13FGX9r9LROQ3OZZVNMLhfx3KabZcIVmSHBkK%2FARGYEJQv6RO%2FPCMN2YYTJgWxGr20rWeG8NLbzgN%2FPyADxxlPLvkxH2YCVHHH7bLBfOp3p83IbJ%2FC%2Bm9sCd4YjlSlhsMUXKtvZ1LnJME4UymuR5tXuw2B0Yr25OHxUbMreIGgRYZXFonmjhAovKhXqIgzpIg%3D%3D&X-Idaas-Rest-Subject-Type=TOKEN"
A Service Domain name can be specified as a query parameter or a header using X-IDAAS-SERVICEDOMAIN. Otherwise, Mobile and Social assumes the default Service Domain.
Note that the token value in the query parameter is URL-encoded, but the same value in the header is not.
The following call is valid when used with the JWT-OAM Authentication Service Provider.
curl -H "Content-Type: application/json" --request POST http://host:port/oic_rest/rest/jwtoamauthentication/authenticate -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN", "X-Idaas-Rest-Subject-Password":"password555", "X-Idaas-Rest-Subject-Username":"webuser1234", "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"}'
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST http://host:port/oic_rest/rest/jwtoamauthentication/authenticate -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN","USERTOKEN::OAMMT", "USERTOKEN::OAMUT"], "X-Idaas-Rest-Subject-Password":"password555", "X-Idaas-Rest-Subject-Username":"webuser1234", "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"}'
Mobile JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST http://host:port/oic_rest/rest/mobilejwtoamauthentication/authenticate -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="T0lDU1NPQ...WZHQ0RnPQ=="' -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN","USERTOKEN::OAMUT", "USERTOKEN::OAMMT"], "X-Idaas-Rest-Subject-Password":"password555", "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" }, "X-Idaas-Rest-Subject-Username":"weblogic", "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"}'
JWT-OAM Authentication Service Provider
{ "TokensList":[ { "X-Idaas-Rest-Token-Value":"eyJhbGciOiJSUz...FfxrkN9xM", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT" }, { "X-Idaas-Rest-Token-Value":"cL9fR2ASSB...iTaNs8c=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMMT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }, { "X-Idaas-Rest-Token-Value":"VERSION_4%7EAn29pwsWv...ZMwLw%3D%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMUT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }] }
Mobile JWT-OAM Authentication Service Provider
{ "TokensList":[ { "X-Idaas-Rest-Token-Value":"eyJhbGciOiJ...lxizU", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT" }, { "X-Idaas-Rest-Token-Value":"0fY4apw0Cfw...+edij0M=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMUT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }, { "X-Idaas-Rest-Token-Value":"VERSION_4%7EBSTnEU5eDhsK%2FS%...mt5j4w%3D%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMMT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }] }
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
The token exchange input here is a JWT User Token and the token exchange output is an OAM User Token and an OAM Master Token.
JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST http://host:port/oic_rest/rest/jwtoamauthentication/authenticate -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN","USERTOKEN::OAMUT"], "X-Idaas-Rest-Subject-Value":"<JWT USER TOKEN>", "X-Idaas-Rest-Subject-Type":"TOKEN"}'
Note: You can also use the following value for X-Idaas-Rest-New-Token-Type-To-Create:
"X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN::JWTUT","USERTOKEN::OAMUT"]
Mobile JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST http://host:port/oic_rest/rest/mobilejwtoamauthentication/authenticate -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="<BASE 64 Encoding Client ID : CRH>"' -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":["USERTOKEN","USERTOKEN::OAMUT", "USERTOKEN::OAMMT"], "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" }, "X-Idaas-Rest-Subject-Value":"<JWT USERTOKEN>", "X-Idaas-Rest-Subject-Type":"TOKEN"}'
JWT-OAM Authentication Service Provider
{ "TokensList": [
    { "X-Idaas-Rest-Token-Value":"eyJhbGciOiJSU...o6JOao3s", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT" },
    { "X-Idaas-Rest-Token-Value":"ipZ45ey55BAkb...G0tuDGyfdY=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMUT", "X-Idaas-Rest-Provider-Type":"OAM_11G" },
    { "X-Idaas-Rest-Token-Value":"VERSION_4%7ESTFLB3gGSZrdy6...2SbdLQ%3D%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMMT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }
] }
Mobile JWT OAM Authentication Service Provider
{ "TokensList": [
    { "X-Idaas-Rest-Token-Value":"eyJhbGciOiJ...-mVLKLtpONChYs", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT" },
    { "X-Idaas-Rest-Token-Value":"BsL1V2s...nbGXUF4nPfHFPqs=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMUT", "X-Idaas-Rest-Provider-Type":"OAM_11G" },
    { "X-Idaas-Rest-Token-Value":"VERSION_4%7E3Bbc0YHd4upKZfjt3...M6ZORc3Q%3D%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN::OAMMT", "X-Idaas-Rest-Provider-Type":"OAM_11G" }
] }
For more information, see "Configuring OAM to use the JWT-OAM + PIN Token Service Provider" in the Administrator's Guide for Oracle Access Management.
Get AppProfile Data from OAMMS
The following sample command tests accessing the Mobile and Social server and getting the AppProfile for mobileapp1. This step is only required for mobile use cases. The URL follows this format:
http://oamms-host:port/oic_rest/rest/AppProfiles/mobileapp1?serviceDomain=MobileServiceDomain&osType=iPhone%20OS&osVer=4.0&clientSDKVersion=11.1.2.0.0
The following sample response contains the AppProfile data:
{
  "CRHDelivery": "HTTP",
  "SSOConfig": [ { "mobileapp1": { "AndroidAppSignature": null, "AndroidPackage": null, "IOSBundleID": null, "SSOInclusion": false, "SSOPriority": -1, "URLScheme": null } } ],
  "accessService": "/oic_rest/rest/mobilejwtoamauthentication/access",
  "clientId": "mobileapp1",
  "deleteService": "/oic_rest/rest/mobilejwtoamauthentication/delete",
  "jailBreakingDetectionPolicy": {
    "autoCheckPeriodInMin": 60,
    "clientSDKVersion": "11.1.2.0.0",
    "detectionLocation": [
      { "action": "exists", "filePath": "/bin/bash", "success": true },
      { "action": "exists", "filePath": "/Applications/Cydia.app", "success": true },
      { "action": "exists", "filePath": "/Applications/limera1n.app", "success": true },
      { "action": "exists", "filePath": "/Applications/greenpois0n.app", "success": true },
      { "action": "exists", "filePath": "/Applications/blackra1n.app", "success": true },
      { "action": "exists", "filePath": "/Applications/blacksn0w.app", "success": true },
      { "action": "exists", "filePath": "/Applications/redsn0w.app", "success": true },
      { "action": "exists", "filePath": "/Applications/sn0wbreeze.app", "success": true }
    ],
    "osType": "iPhone OS",
    "osVer": "4.0",
    "policyExpirationInSec": 3600
  },
  "mobileAppConfig": { "AllowOfflineAuthentication": "false", "AndroidPackage": null, "AuthenticationRetryCount": "3", "ClaimAttributes": null, "IOSBundleID": null, "ProfileCacheDuration": "60", "RPWebView": "Embedded" },
  "mobileAuthStyle": "MOBILESERVICEAUTH",
  "mobileCredLevelForRegApp": "USERTOKEN",
  "registerService": "/oic_rest/rest/mobilejwtoamauthentication/register",
  "rpLoginPage": "/oic_rp/login.jsp",
  "serviceDomain": "MobileServiceDomain",
  "userAuthnConfig": "JWT_UT+PIN",
  "UserAuthenticationOutput": "USERTOKEN::JWTUT",
  "TokenExchangeOutput": "USERTOKEN::OAMUT,USERTOKEN::OAMMT",
  "userAuthnService": "/oic_rest/rest/mobilejwtoamauthentication/authenticate",
  "userProfileService": "/oic_rest/rest/userprofile",
  "validateService": "/oic_rest/rest/mobilejwtoamauthentication/validate"
}
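The jailBreakingDetectionPolicy in the AppProfile is what the client SDK evaluates on the device before it fills in the oracle:idm:claims:client:jailbroken claim of the deviceProfile it sends with the mobile requests. The following Python is an added example, not Oracle's SDK code: it loads the policy from a constructed excerpt of the response above, evaluates the detection locations against a list of paths that are present on the device, and applies the policyExpirationInSec and autoCheckPeriodInMin timers. The rule that an "exists" location fires when the path is present and success is true is an assumption made here; the page shows the format, not the evaluation rule.

```python
import json
import time

# Constructed excerpt of the AppProfile response above; only the fields this
# example uses are kept, and the detection list is shortened to two entries.
APP_PROFILE_JSON = """{
  "clientId": "mobileapp1",
  "jailBreakingDetectionPolicy": {
    "autoCheckPeriodInMin": 60,
    "clientSDKVersion": "11.1.2.0.0",
    "detectionLocation": [
      { "action": "exists", "filePath": "/bin/bash", "success": true },
      { "action": "exists", "filePath": "/Applications/Cydia.app", "success": true }
    ],
    "osType": "iPhone OS",
    "osVer": "4.0",
    "policyExpirationInSec": 3600
  }
}"""


def load_policy(app_profile_text):
    """Pull jailBreakingDetectionPolicy out of an AppProfile document and check its shape."""
    policy = json.loads(app_profile_text)["jailBreakingDetectionPolicy"]
    for key in ("detectionLocation", "policyExpirationInSec", "autoCheckPeriodInMin"):
        if key not in policy:
            raise ValueError(f"policy is missing {key}")
    for loc in policy["detectionLocation"]:
        if loc.get("action") != "exists" or "filePath" not in loc or "success" not in loc:
            raise ValueError(f"unsupported detection location: {loc}")
    return policy


def evaluate_detection_policy(policy, present_paths):
    """Return True when any detection location fires.

    Assumed semantics (the page shows the format, not the rule): an "exists"
    location fires when (path is present) == success, so with success true the
    presence of /Applications/Cydia.app is the jailbreak indicator.
    """
    present = set(present_paths)
    return any((loc["filePath"] in present) == bool(loc["success"])
               for loc in policy["detectionLocation"])


def policy_is_current(policy, fetched_at, now=None):
    """False once policyExpirationInSec has elapsed since the policy was fetched."""
    now = time.time() if now is None else now
    return (now - fetched_at) < policy["policyExpirationInSec"]


def recheck_due(policy, last_check_at, now=None):
    """True when autoCheckPeriodInMin has passed since the last on-device check."""
    now = time.time() if now is None else now
    return (now - last_check_at) >= policy["autoCheckPeriodInMin"] * 60


def jailbroken_claim(policy, present_paths):
    """The value a client would report as oracle:idm:claims:client:jailbroken."""
    return {"oracle:idm:claims:client:jailbroken": evaluate_detection_policy(policy, present_paths)}


if __name__ == "__main__":
    pol = load_policy(APP_PROFILE_JSON)
    print(jailbroken_claim(pol, ["/Applications/Cydia.app"]))
    print(policy_is_current(pol, fetched_at=time.time()))
```

The claim is self-reported by the device, so the server side should treat it as one risk signal among the other deviceProfile claims rather than as a verified fact; the policy expiration and auto-check period are what keep a cached verdict from being reused indefinitely.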
Generating the CRED Value for the Authorization Header
The following format should be used to generate the CRED value for the authorization header:
CRED = base64{appprofile-name:clientRegHandle}
For example:
base64{mobileapp1:eyJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6c2Rr...}
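The cred value is the base64 encoding of the AppProfile name, a colon, and the client registration handle, carried in the X-Idaas-Rest-Authorization header as UIDPASSWORD cred="...". The Python below is an added example, not Oracle's SDK code: it builds the header value from the two parts, decodes it again (splitting only on the first colon, so the handle itself is never cut), and rejects anything that is not valid base64 text in that shape. The handle used for the check is the truncated prefix shown on this page; a real handle is issued by the register service.

```python
import base64

# The page's example AppProfile name and the truncated client registration
# handle prefix it shows; the full handle comes from the server.
APP_PROFILE_NAME = "mobileapp1"
CLIENT_REG_HANDLE_PREFIX = "eyJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6c2Rr"


def build_cred(app_profile_name, client_reg_handle):
    """Return base64(appprofile-name:clientRegHandle), the CRED value."""
    if ":" in app_profile_name:
        raise ValueError("AppProfile name must not contain ':'")
    raw = f"{app_profile_name}:{client_reg_handle}".encode("utf-8")
    return base64.b64encode(raw).decode("ascii")


def authorization_header(app_profile_name, client_reg_handle):
    """Value of the X-Idaas-Rest-Authorization header used by the mobile calls."""
    return f'UIDPASSWORD cred="{build_cred(app_profile_name, client_reg_handle)}"'


def parse_cred(cred):
    """Split a CRED value back into (appprofile-name, clientRegHandle).

    Only the first ':' separates the two parts, so a handle that itself
    contains ':' stays intact. Raises ValueError on malformed input.
    """
    try:
        raw = base64.b64decode(cred, validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise ValueError("CRED is not valid base64 text") from exc
    name, sep, handle = raw.partition(":")
    if not sep or not name or not handle:
        raise ValueError("CRED must decode to 'appprofile-name:clientRegHandle'")
    return name, handle


def parse_authorization_header(value):
    """Extract and decode the cred="..." part of a UIDPASSWORD header value."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme != "UIDPASSWORD" or not (rest.startswith('cred="') and rest.endswith('"')):
        raise ValueError('expected: UIDPASSWORD cred="<base64>"')
    return parse_cred(rest[len('cred="'):-1])


if __name__ == "__main__":
    header = authorization_header(APP_PROFILE_NAME, CLIENT_REG_HANDLE_PREFIX)
    print(header)
    print(parse_authorization_header(header))
```

Encoding the page's own example gives a cred that starts with bW9iaWxlYXBwMTpleUp2Y21GamJHVTZhV1J0, which matches the prefix of the cred value in the mobile authenticate command that follows; that is a quick way to confirm a client is concatenating the two parts in the right order.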
Authenticate the User and get the JWT User Token
The following sample mobile command tests getting a JWT user token upon authenticating the user.
curl -H "Content-Type: application/json" --request POST \
  http://oamms-host:portnumber/oic_rest/rest/mobilejwtoamauthentication/authenticate \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="bW9iaWxlYXBwMTpleUp2Y21GamJHVTZhV1....x2UT0="' \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN::JWTUT",
        "X-Idaas-Rest-Subject-Password":"password123",
        "deviceProfile": {
          "oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
          "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" },
          "oracle:idm:claims:client:jailbroken":false,
          "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
          "oracle:idm:claims:client:networktype":"PHONE_CARRIER",
          "oracle:idm:claims:client:vpnenabled":false,
          "oracle:idm:claims:client:ostype":"iPhone OS",
          "oracle:idm:claims:client:phonecarriername":"AT&T",
          "oracle:idm:claims:client:locale":"EN-US",
          "oracle:idm:claims:client:osversion":"4.0" },
        "X-Idaas-Rest-Subject-Username":"weblogic",
        "handles":{},
        "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL" }'
The response should be similar to the following:
{ "X-Idaas-Rest-Token-Value": "eyJhbGciOiJSUzUnR.....JeaVZGIP_YjMuPrgt82XXk0E", "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "JWT", "X-Idaas-Rest-Token-Type": "USERTOKEN" }
The following sample command (for mobile) tests getting an OAM user token and OAM master token by exchanging a JWT user token and including the cred (or PIN) value.
curl -H "Content-Type: application/json" --request POST \
  http://oamms-host:portnumber/oic_rest/rest/mobilejwtoamauthentication/authenticate \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="bW9iaWxlYXBwMTpleU...hEdWtySHVGRnBkdkFORXZxMmx2UT0="' \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create": ["USERTOKEN::OAMUT", "USERTOKEN::OAMMT"],
        "deviceProfile": {
          "oracle:idm:claims:client:sdkversion": "11.1.2.0.0",
          "hardwareIds": { "oracle:idm:claims:client:udid": "0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber": "1-650-555-1234", "oracle:idm:claims:client:macaddress": "00-16-41-34-2C-A6", "oracle:idm:claims:client:imei": "010113006310121" },
          "oracle:idm:claims:client:jailbroken": false,
          "oracle:idm:claims:client:geolocation": "+40.689060,-74.044636",
          "oracle:idm:claims:client:networktype": "PHONE_CARRIER",
          "oracle:idm:claims:client:vpnenabled": false,
          "oracle:idm:claims:client:ostype": "iPhone OS",
          "oracle:idm:claims:client:phonecarriername": "AT&T",
          "oracle:idm:claims:client:locale": "EN-US",
          "oracle:idm:claims:client:osversion": "4.0" },
        "X-Idaas-Rest-Subject-Value": "eyJhbGciOiJSUzUxMp0aSI6...ZGIP_YjMuPrgt82XXk0E",
        "X-Idaas-Rest-Subject-Type": "TOKEN",
        "X-Idaas-Rest-Subject-Credential": "12345" }'
The response should be similar to the following:
{ "TokensList": [
    { "X-Idaas-Rest-Token-Value": "NIpXEwPuE0TLy2tM2WkKb/ZAg9k/uwgPx...kMsM4F+Vhv", "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "OAM_11G", "X-Idaas-Rest-Token-Type": "USERTOKEN::OAMUT" },
    { "X-Idaas-Rest-Token-Value": "VERSION_4%7EctnTQTYMFtnxPhei8IJu...h1Pg1lh6bFw", "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "OAM_11G", "X-Idaas-Rest-Token-Type": "USERTOKEN::OAMMT" }
] }
For more information, see "Configuring OAM to use the JWT-OAM + PIN Token Service Provider" in the Administrator's Guide for Oracle Access Management.
Authenticate the User and get a JWT User Token
The following sample desktop command tests getting a JWT user token upon authenticating the user.
curl -H "Content-Type: application/json" --request POST \
  http://oamms-host:portnumber/oic_rest/rest/jwtoamauthentication/authenticate \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create": "USERTOKEN::JWTUT",
        "X-Idaas-Rest-Subject-Password": "password123",
        "X-Idaas-Rest-Subject-Username": "weblogic",
        "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL" }'
The response should look like the following:
{ "X-Idaas-Rest-Token-Value": "eyJhbGciOiJSUz...m-5_-tPpDeINkYlhfTkkrfnarUhp2R0", "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "JWT", "X-Idaas-Rest-Token-Type": "USERTOKEN" }
The following sample desktop command tests getting an OAM user token and OAM master token by exchanging a JWT user token and including the cred (or PIN) value.
curl -H "Content-Type: application/json" --request POST \
  http://oamms-host:portnumber/oic_rest/rest/jwtoamauthentication/authenticate \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create": "USERTOKEN::OAMUT",
        "X-Idaas-Rest-Subject-Value": "eyJhbGciOiJSUz...m-5_-tPpDeINkYlhfTkkrfnarUhp2R0",
        "X-Idaas-Rest-Subject-Type": "TOKEN",
        "X-Idaas-Rest-Subject-Credential": "12345" }'
The response should look like the following:
{ "X-Idaas-Rest-Token-Value": "KkraNeuiD6N+Jas2...WzaJSR/wzPy41Ekq/+NpGd/asagLl", "X-Idaas-Rest-User-Principal": "weblogic", "X-Idaas-Rest-Provider-Type": "OAM_11G", "X-Idaas-Rest-Token-Type": "USERTOKEN" }
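The mobile and desktop sequences above are the same two-step exchange: credentials in, JWT user token out; then the JWT user token plus the PIN in, OAM tokens out. Two details trip up client code: the first response is a bare token object while the exchange response wraps its tokens in TokensList, and the JWT token comes back typed USERTOKEN with provider JWT even though USERTOKEN::JWTUT was requested. The Python below is an added example, not Oracle's SDK code; it normalizes both response shapes, builds the two request bodies, and only moves to step two when step one really returned a JWT user token. The responses it parses are constructed from the samples above with the same shortened token values.

```python
import json

# Constructed responses modelled on the samples above (token values shortened
# exactly as the page shows them; they are not real tokens).
AUTHENTICATE_RESPONSE = """{ "X-Idaas-Rest-Token-Value": "eyJhbGciOiJSUz...R0",
  "X-Idaas-Rest-User-Principal": "weblogic",
  "X-Idaas-Rest-Provider-Type": "JWT", "X-Idaas-Rest-Token-Type": "USERTOKEN" }"""

EXCHANGE_RESPONSE = """{ "TokensList": [
  { "X-Idaas-Rest-Token-Value": "NIpXEwPuE0...Vhv", "X-Idaas-Rest-User-Principal": "weblogic",
    "X-Idaas-Rest-Provider-Type": "OAM_11G", "X-Idaas-Rest-Token-Type": "USERTOKEN::OAMUT" },
  { "X-Idaas-Rest-Token-Value": "VERSION_4%7Ectn...bFw", "X-Idaas-Rest-User-Principal": "weblogic",
    "X-Idaas-Rest-Provider-Type": "OAM_11G", "X-Idaas-Rest-Token-Type": "USERTOKEN::OAMMT" } ] }"""

REQUIRED = ("X-Idaas-Rest-Token-Value", "X-Idaas-Rest-Token-Type", "X-Idaas-Rest-Provider-Type")


def parse_token_response(text):
    """Normalize both response shapes into {token type: token entry}.

    A single-token response is a bare object; a multi-token response wraps
    the entries in "TokensList". Every entry must carry the REQUIRED keys.
    """
    doc = json.loads(text)
    entries = doc["TokensList"] if "TokensList" in doc else [doc]
    tokens = {}
    for entry in entries:
        missing = [k for k in REQUIRED if k not in entry]
        if missing:
            raise ValueError(f"token entry is missing {missing}")
        tokens[entry["X-Idaas-Rest-Token-Type"]] = entry
    return tokens


def build_authenticate_body(username, password):
    """Step 1: user name and password in exchange for a JWT user token."""
    return {
        "X-Idaas-Rest-New-Token-Type-To-Create": "USERTOKEN::JWTUT",
        "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL",
        "X-Idaas-Rest-Subject-Username": username,
        "X-Idaas-Rest-Subject-Password": password,
    }


def build_exchange_body(jwt_user_token, pin, token_types=("USERTOKEN::OAMUT", "USERTOKEN::OAMMT")):
    """Step 2: JWT user token plus PIN in exchange for OAM user / master tokens."""
    return {
        "X-Idaas-Rest-New-Token-Type-To-Create": list(token_types),
        "X-Idaas-Rest-Subject-Type": "TOKEN",
        "X-Idaas-Rest-Subject-Value": jwt_user_token,
        "X-Idaas-Rest-Subject-Credential": pin,
    }


def jwt_user_token(response_text):
    """The JWT user token entry from a step-1 response, or None if there is none.

    The check is on the provider type, not on the requested name: the server
    reports USERTOKEN / JWT even when USERTOKEN::JWTUT was requested.
    """
    entry = parse_token_response(response_text).get("USERTOKEN")
    if entry is None or entry["X-Idaas-Rest-Provider-Type"] != "JWT":
        return None
    return entry


def next_exchange_request(authenticate_response_text, pin):
    """Build the step-2 body from the step-1 response; refuse if step 1 gave no JWT."""
    entry = jwt_user_token(authenticate_response_text)
    if entry is None:
        raise ValueError("authenticate did not return a JWT user token")
    return build_exchange_body(entry["X-Idaas-Rest-Token-Value"], pin)


if __name__ == "__main__":
    print(json.dumps(next_exchange_request(AUTHENTICATE_RESPONSE, "12345"), indent=2))
    print(sorted(parse_token_response(EXCHANGE_RESPONSE)))
```

Both the JWT user token and the PIN are bearer secrets for the duration of the exchange; a client should send them only over TLS and should not log the request bodies these functions return.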
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST \
  http://host:port/oic_rest/rest/jwtoamauthentication/access \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN",
        "X-Idaas-Rest-Application-Resource":"http:\/\/a6.example.com:7777\/idx.html",
        "X-Idaas-Rest-Subject-Value":"<OAM USER TOKEN>",
        "X-Idaas-Rest-Application-Context":"encquery%3DA1%2BnxGqYJxtmcteKYUux%2F7%2FVaRBrBVRByRl81YM89Rv1940CTWlcddShowo2r516MLCa%2BHcPjgGNDeGVSagzGmV84GKybdiFtzrwd8msi9nRr4ijlW7%2BznCmb6C5xYiEXg6RBpI1Eud9Ce2VjNyrYY%2F3Ig7ntdhbF1NbznmV%2BwGf9S6ogxKRabbKl2yOD5NO%2FC7NkmJOoDSisQb9IR9DnUxm1uBfHkKpE34RAyvpqg4xeGx2r%2Fuo0F0upeZ8KbsT%2FugszrOdPR0S5O9%2BbPzV%2BNfzuFH25M0qriKbVj9EixNb0gzSEf2bCBmP9tXbWXDdG%20agentid%3Dadc2171186_11gwebgateprofile%20ver%3D1",
        "X-Idaas-Rest-Subject-Type":"TOKEN" }'
Mobile JWT-OAM Authentication Service Provider
curl -H "Content-Type: application/json" --request POST \
  http://host:port/oic_rest/rest/mobilejwtoamauthentication/access \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="<BASE 64 Encoding (ClientID:CRH)>"' \
  -d '{ "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN",
        "X-Idaas-Rest-Application-Resource":"http:\/\/6.example.com:7777\/idx.html",
        "X-Idaas-Rest-Subject-Value":"<OAM USER TOKEN>",
        "X-Idaas-Rest-Application-Context":"encquery%3DNgSQHsqHQeDgTwiOnZCqB3io74D2cVJjuw0lf1LhvS%2F1L29aOBFehYXHFB%2Bhfd4XNHt21pqFLC5HdA%2Fi0ScENG3Tq7YK3Uv2yde1tCecojHmryb8zpTriUex3kYg83VRzg1gBmIJnTVpiCVgaVlBhe3mKE7liqYcJXmsXFudsjUn%2FcUuXuWdWXPQzi1d3WJ3lwdq0DPRnXUFGg%2BzsO%2BarKcreIg3BmGsmxZE7lLL6b9Wf9jbhOwlk1wsq2nqdFPDDS3OYz3T9o9ZtsO1xnKuHsLwoMaNtM%2FSIjxpcmrntyQw2w7i8NWxnVP7w1RJDvu7%20agentid%3Dadc2171186_11gwebgateprofile%20ver%3D1",
        "deviceProfile": {
          "oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
          "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" },
          "oracle:idm:claims:client:jailbroken":false,
          "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
          "oracle:idm:claims:client:networktype":"PHONE_CARRIER",
          "oracle:idm:claims:client:vpnenabled":false,
          "oracle:idm:claims:client:ostype":"iPhone OS",
          "oracle:idm:claims:client:phonecarriername":"AT&T",
          "oracle:idm:claims:client:locale":"EN-US",
          "oracle:idm:claims:client:osversion":"4.0" },
        "X-Idaas-Rest-Subject-Type":"TOKEN" }'
JWT-OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"lroMQ%2Bwj7Ji4daRdXfGb8%2FG...AzWPTM%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"ACCESSTOKEN", "X-Idaas-Rest-Provider-Type":"OAM_11G" }
Mobile JWT OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"xGhOiD%2FLVrnyU...nYgo%3D", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"ACCESSTOKEN", "X-Idaas-Rest-Provider-Type":"OAM_11G" }
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
JWT-OAM Authentication Service Provider
curl -i --request GET "http://host:port/oic_rest/rest/jwtoamauthentication/tokens/info?X-Idaas-Rest-Subject-Value=<JWT USER TOKEN>&X-Idaas-Rest-Subject-Type=TOKEN"
Mobile JWT-OAM Authentication Service Provider
curl -i --request GET "http://host:port/oic_rest/rest/mobilejwtoamauthentication/tokens/info?X-Idaas-Rest-Subject-Value=<JWT USER TOKEN>&X-Idaas-Rest-Subject-Type=TOKEN" \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="<BASE 64 Encoding (CLIENTID:CRH)>"'
JWT-OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"eyJhbGciO...fsOn3BIo6JOao3s", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT"}
Mobile JWT OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"eyJhbGci....mVLKLtpONChYs", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"JWT"}
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
JWT-OAM Authentication Service Provider
curl -i --request GET "http://host:port/oic_rest/rest/jwtoamauthentication/tokens/info?X-Idaas-Rest-Subject-Value=<OAM USER TOKEN>&X-Idaas-Rest-Subject-Type=TOKEN"
Mobile JWT-OAM Authentication Service Provider
curl -i --request GET "http://host:port/oic_rest/rest/mobilejwtoamauthentication/tokens/info?X-Idaas-Rest-Subject-Value=<OAM USER TOKEN>&X-Idaas-Rest-Subject-Type=TOKEN" \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-Idaas-Rest-Authorization: UIDPASSWORD cred="<BASE 64 Encoding (CLIENTID:CRH)>"'
JWT-OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"ipZ45ey55BAk...NqM3YsycmdG0tuDGyfdY=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"OAM_11G"}
Mobile JWT OAM Authentication Service Provider
{ "X-Idaas-Rest-Token-Value":"8C2wieU9h7VfQM...UmubmxvJ+SpL5fLZYpbU=", "X-Idaas-Rest-User-Principal":"weblogic", "X-Idaas-Rest-Token-Type":"USERTOKEN", "X-Idaas-Rest-Provider-Type":"OAM_11G"}
The following calls are valid when used with the JWT-OAM Authentication Service Provider.
The cURL commands in this section show the REST calls that the mobile single sign-on agent sends to the Mobile and Social server to request client, user, and access tokens, and to create client registration handles.
The following calls are demonstrated:
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Name Scenario)
Create a Client Registration Handle for a Mobile Single Sign-on Client App (User Token Scenario)
The Single Sign-on Agent Request to Create an Access Token for its own use
Shows how to create a client registration handle for a mobile single sign-on (SSO) agent app based on a user name and password. In this example, the mobile single sign-on agent app is named MobileAgent1.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/register -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"theUserName", "X-Idaas-Rest-Subject-Password":"thePassword", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE", "deviceProfile" : { ... }, "clientId": "MobileAgent1" }'
This example shows how the mobile single sign-on agent creates a client registration handle for a mobile business app (the client app) utilizing a user name and password. In this example, the request originated with the mobile business app, which is named MobileExpenseReport1.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/register -H "X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD ..." -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"theUserName", "X-Idaas-Rest-Subject-Password":"thePassword", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE", "deviceProfile" : { ... }, "handles" : { "oaam.session" : "...", "oaam.device" : "..." }, "clientId": "MobileExpenseReport1" } '
{ "X-Idaas-Rest-Token-Value":"ey...", "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE", "handles" : { "oaam.session" : { ... } , "oaam.device" : { ... } } }
The value of CLIENTREGHANDLE and other tokens is shortened for display purposes.
If the clientId is not a mobile SSO agent (for example, MobileExpenseReport1), then the caller needs to add a header to the HTTP request that contains the client reg handle obtained previously for a Mobile Agent, for example -H "X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD ...."
This example is similar to the previous example. Instead of a user name and password, however, a user token is submitted. The user token is a security credential that signifies that an authenticated user authorized the device. As with the previous example, the request originated with the mobile business app, which is named MobileExpenseReport1.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/register -H "X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD ..." -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"ey...", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE", "deviceProfile" : { ... }, "handles" : { "oaam.session" : "...", "oaam.device" : "..." }, "clientId": "MobileExpenseReport1" } '
{ "X-Idaas-Rest-Token-Value":"ey...", "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE", "handles" : { "oaam.session" : { ... } , "oaam.device" : { ... } } }
The value of CLIENTREGHANDLE and other tokens is shortened for display purposes.
When registering the client application, the user token can only represent a user registration if the Mobile.reauthnForRegNewClientApp configuration value is set to false in the corresponding mobile agent client application profile.
The HTTP header X-IDAAS-REST-AUTHORIZATION has a UIDPASSWORD scheme value that contains the client reg handle of the mobile agent app (for example, MobileAgent1).
This example shows the REST call that the mobile single sign-on agent sends to the Mobile and Social server to request that a user token be created.
curl -H "Content-Type: application/json" --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/authenticate -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="..." ' -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"theUserName", "X-Idaas-Rest-Subject-Password":"thePassword", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN", "handles" : { ... }, "deviceProfile" : { ... } }'
{ "X-Idaas-Rest-Token-Value":"ey...", "X-Idaas-Rest-Token-Type":"USERTOKEN", "handles" : { "oaam.session" : { ... } , "oaam.device" : { ... } } }
Token values are shortened for display purposes.
An SSO agent app (MobileAgent1, for example) requests a User token with a user name and password.
The HTTP header X-IDAAS-REST-AUTHORIZATION has a UIDPASSWORD scheme value that contains the client reg handle of the SSO agent app (MobileAgent1).
This example shows a mobile SSO agent request for an access token on behalf of a mobile business app. The mobile SSO agent is named MobileAgent1, and the business app is named MobileExpenseReport1.
Mobile OAMAuthentication Example
curl -H "Content-Type: application/json" -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="..." ' -H 'X-IDAAS-REST-AGENT-AUTHORIZATION: UIDPASSWORD cred="..." ' --request POST http://localhost:18001/idaas_rest/rest/mobileoamauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"... USER TOKEN VALUE...", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource": "http://wengate123.us.example.com:7779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN", "handles" : { ... }, "deviceProfile" : { ... } }'
Mobile JWTAuthentication Example
curl -H "Content-Type: application/json" -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="..." ' -H 'X-IDAAS-REST-AGENT-AUTHORIZATION: UIDPASSWORD cred="..." ' --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"... USER TOKEN VALUE ...", "X-Idaas-Rest-Application-Resource":"...", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN", "handles" : { ... }, "deviceProfile" : { ... } }'
{ "X-Idaas-Rest-Token-Value":"...", "X-Idaas-Rest-Token-Type":"ACCESSTOKEN", "handles" : { "oaam.session" : { ... } , "oaam.device" : { ... } } }
This HTTP request carries two headers: The first contains the client registration handle of the SSO Agent app, and the second contains the client registration handle of the Business app.
The header X-IDAAS-REST-AGENT-AUTHORIZATION contains the client reg handle of the SSO agent app (MobileAgent1).
The header X-IDAAS-REST-AUTHORIZATION contains the client reg handle of the Business app (MobileExpenseReport1).
The Mobile and Social server component (specifically, the Mobile and Social Services component) will verify the validity of both handles. It will ensure both apps are listed in the target service domain. The underlying Token / Authentication Service will vend out an Access Token upon verifying the validity of the User Token Value. In the case of Access Manager, the X-Idaas-Rest-Application-Resource field refers to a resource protected by a particular WebGate. The request also carries an X-Idaas-Rest-Application-Context field that corresponds to the Access Manager Application Context.
Token values are shortened for display purposes.
This example shows a mobile SSO agent request for an access token for its own use. The mobile SSO agent requires an access token before it can request tokens on behalf of client apps.
Mobile OAMAuthentication Example
curl -H "Content-Type: application/json" -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="..." ' --request POST http://localhost:18001/idaas_rest/rest/mobileoamauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"... USER TOKEN VALUE...", "X-Idaas-Rest-Application-Context":"75sSbBZZKJiUOAWikZxsKA==", "X-Idaas-Rest-Application-Resource":"http://wg12.example.com:7779/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN", "handles" : { ... }, "deviceProfile" : { ... } }'
Mobile JWTAuthentication Example
curl -H "Content-Type: application/json" -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="..." ' --request POST http://localhost:18001/idaas_rest/rest/mobilejwtauthentication/access -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"... USER TOKEN VALUE ...", "X-Idaas-Rest-Application-Resource":"...", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN", "handles" : { ... }, "deviceProfile" : { ... } }'
{ "X-Idaas-Rest-Token-Value":"...", "X-Idaas-Rest-Token-Type":"ACCESSTOKEN", "handles" : { "oaam.session" : { ... } , "oaam.device" : { ... } } }
This HTTP request carries ONE header, X-IDAAS-REST-AUTHORIZATION, that contains the client reg handle of the SSO agent app (MobileAgent1).
There is no X-IDAAS-REST-AGENT-AUTHORIZATION header in this request.
The Mobile and Social server component (specifically, the Mobile and Social Services component) will verify the validity of both handles. It will ensure that the MobileAgent1 app is listed in the target service domain and that it is marked as an SSO-capable app (that is, the app is listed with an SSO Priority).
Token values are shortened for display purposes.
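The two access-token requests above differ only in their headers: with X-IDAAS-REST-AGENT-AUTHORIZATION present, the server checks the agent's handle and the business app's handle and requires both apps to be listed in the service domain; with a single X-IDAAS-REST-AUTHORIZATION header, the caller must itself be an SSO-capable app. The Python below is an added example of that header verification written from the server's side; it is not the Mobile and Social Services code. The service-domain registry is constructed (its SSOInclusion and SSOPriority fields mirror the SSOConfig block of the AppProfile earlier on this page), the handles are made up, and a constant-time comparison against the stored handle stands in for the real handle validation, which the page does not describe.

```python
import base64
import hmac

# Constructed registry standing in for a Mobile and Social service domain.
# SSOInclusion / SSOPriority mirror the AppProfile SSOConfig fields; the
# client registration handles are made up for this example.
SERVICE_DOMAIN = {
    "MobileAgent1": {"SSOInclusion": True, "SSOPriority": 1, "handle": "agent-handle-1"},
    "MobileExpenseReport1": {"SSOInclusion": False, "SSOPriority": -1, "handle": "app-handle-1"},
}


def make_handle_header(client_id, handle):
    """UIDPASSWORD cred="base64(clientId:clientRegHandle)", as the page describes."""
    cred = base64.b64encode(f"{client_id}:{handle}".encode("utf-8")).decode("ascii")
    return f'UIDPASSWORD cred="{cred}"'


def decode_handle_header(value):
    """Reverse of make_handle_header; rejects anything not in that shape."""
    scheme, _, rest = value.strip().partition(" ")
    if scheme != "UIDPASSWORD" or not (rest.startswith('cred="') and rest.endswith('"')):
        raise PermissionError("malformed UIDPASSWORD header")
    try:
        raw = base64.b64decode(rest[len('cred="'):-1], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError) as exc:
        raise PermissionError("cred is not valid base64 text") from exc
    client_id, sep, handle = raw.partition(":")
    if not sep or not client_id or not handle:
        raise PermissionError("cred does not decode to clientId:handle")
    return client_id, handle


def _verified_app(client_id, handle, domain):
    """The app must be listed in the service domain and present its own handle."""
    app = domain.get(client_id)
    if app is None:
        raise PermissionError(f"{client_id} is not listed in the service domain")
    # Constant-time comparison against the stored handle stands in for the
    # server's real handle validation, which this page does not describe.
    if not hmac.compare_digest(handle.encode("utf-8"), app["handle"].encode("utf-8")):
        raise PermissionError(f"client registration handle for {client_id} is not valid")
    return app


def _sso_capable(app):
    # Assumed reading of "listed with an SSO Priority": included, priority >= 0.
    return bool(app["SSOInclusion"]) and app["SSOPriority"] >= 0


def verify_access_request(headers, domain):
    """Return (agent_id, business_app_id) for an /access request or raise PermissionError.

    Two headers: AGENT-AUTHORIZATION carries the SSO agent's handle and
    AUTHORIZATION the business app's; both must be listed and the agent must
    be SSO-capable. One header: the caller acts for itself and must be an
    SSO-capable app; business_app_id is then None.
    """
    upper = {k.upper(): v for k, v in headers.items()}
    if "X-IDAAS-REST-AUTHORIZATION" not in upper:
        raise PermissionError("X-IDAAS-REST-AUTHORIZATION header is required")
    caller_id, caller_handle = decode_handle_header(upper["X-IDAAS-REST-AUTHORIZATION"])
    caller = _verified_app(caller_id, caller_handle, domain)
    agent_header = upper.get("X-IDAAS-REST-AGENT-AUTHORIZATION")
    if agent_header is None:
        if not _sso_capable(caller):
            raise PermissionError(f"{caller_id} is not an SSO-capable app")
        return caller_id, None
    agent_id, agent_handle = decode_handle_header(agent_header)
    agent = _verified_app(agent_id, agent_handle, domain)
    if not _sso_capable(agent):
        raise PermissionError(f"{agent_id} is not an SSO-capable app")
    return agent_id, caller_id


def is_rejected(headers, domain=SERVICE_DOMAIN):
    """True when verify_access_request refuses the headers."""
    try:
        verify_access_request(headers, domain)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    agent = make_handle_header("MobileAgent1", "agent-handle-1")
    app = make_handle_header("MobileExpenseReport1", "app-handle-1")
    print(verify_access_request({"X-IDAAS-REST-AUTHORIZATION": app,
                                 "X-IDAAS-REST-AGENT-AUTHORIZATION": agent}, SERVICE_DOMAIN))
    print(verify_access_request({"X-IDAAS-REST-AUTHORIZATION": agent}, SERVICE_DOMAIN))
```

The two headers are not interchangeable: swapping them puts the business app's handle where the agent's is expected, and the check fails because MobileExpenseReport1 carries no SSO priority. Rejecting that case is what keeps a plain business app from requesting tokens on behalf of others.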
This example shows a client reg handle verification request. The Mobile and Social server has token and handle verification logic, so the mobile client does not need to make this verification call.
When the request is sent to the Mobile and Social server to create a User Token or an Access Token, the service verifies the one or two HTTP headers that contain the client reg handles: X-IDAAS-REST-AUTHORIZATION and X-IDAAS-REST-AGENT-AUTHORIZATION.
curl --request GET http://localhost:18001/idaas_rest/rest/mobileservice1/tokens/info -H "X-Idaas-Rest-Subject: TOKEN ey..." -H "X-IDAAS-REST-AUTHORIZATION: TOKEN ey..."
{ "X-Idaas-Rest-Token-Value":"eyJl...", "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE" }
The CLIENTREGHANDLE values are repeated under two different HTTP headers. If an administrator uses an explicit service binding not requiring a Client Token to perform a verify token operation, the second HTTP header can be dropped.
The CLIENTREGHANDLE and other token values are shortened for display purposes.
The cURL commands in this section show the REST calls that are sent from a client application to the Mobile and Social server to perform User Profile Services transactions with a connected Directory server.
User Profile cURL commands are grouped into the following sections:
Basic user operations commands include the following:
Shows how to create a user profile in a remote directory.
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","description":"test user","lastname":"Anderson", "commonname":"John Anderson","firstname":"John"}'
{"uid":"John","guid":"FE1D7BD0590111E1BFDCF77FB8E715D5","description":"test user","name":"John","lastname":"Anderson", "commonname":"John Anderson","loginid":"John","firstname":"John", "uniquename":"FE1D7BD0590111E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}
Shows how to retrieve a user profile in a remote directory.
{"uid":"John","guid":"FE1D7BD0590111E1BFDCF77FB8E715D5","description":"test user", "name":"John","lastname":"Anderson","commonname":"John Anderson","loginid":"John", "firstname":"John","uniquename":"FE1D7BD0590111E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}
Shows how to update a user profile record in a remote directory.
curl -H "Content-Type: application/json" --request PUT http://localhost:14100/idaas_rest/rest/userprofile/people/John/ -d '{"description":"test user1"}'
{"uid":"John","guid":"FE1D7BD0590111E1BFDCF77FB8E715D5", "description":"test user1","name":"John","lastname":"Anderson", "commonname":"John Anderson","loginid":"John","firstname":"John", "uniquename":"FE1D7BD0590111E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}
Basic group operations commands include the following:
Shows how to create a group profile in a remote directory.
Shows how to retrieve a group profile in a remote directory.
Shows how to update a group profile in a remote directory.
The "members" and "memberOf" logical entity relationships both point to the same "member" attribute in the LDAP "group" entity. Both logical entity relationships can be used to add, delete, read, and search a user with respect to a group.
This section includes the following operations:
Shows how to make a user a member of a group.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","description":"test user","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create Group "Group1"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"group1 testing","commonname":"group1"}'
Create a MemberOf Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/John/memberOf/ -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/group\/group1", "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}'
Shows how to retrieve a "memberOf" relationship profile for the specified user.
Shows how to delete a "memberOf" relationship.
Delete the MemberOf Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/John/memberOf/group1/"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete the Group "group1"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1"
The "members" and "memberOf" logical entity relationships both point to the same "member" attribute in the LDAP "group" entity. Both logical entity relationships can be used to add, delete, read, and search a user with respect to a group.
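Because the memberOf view (under people/{uid}) and the members view (under groups/{cn}) are two routes onto the same LDAP member attribute, a relationship added through one is visible and deletable through the other. The Python below is an added example, not Oracle's User Profile Services code: a small in-memory directory that routes the relationship paths used in the cURL commands of this section and of the memberOf section above, takes the group-uri and person-uri pair from the POST body exactly as those commands send it, and stores everything in one member set per group. The base path and the route patterns are taken from the commands; the class and its behaviour are constructed for the example.

```python
import re


class UserProfileDirectory:
    """In-memory stand-in for the directory behind the userprofile service.

    Constructed for this example: each group carries one multi-valued
    'member' attribute, and both the people/{uid}/memberOf and the
    groups/{cn}/members routes read and write that same attribute.
    """

    BASE = "/idaas_rest/rest/userprofile"
    _MEMBER_OF = re.compile(r"^/people/([^/]+)/memberOf(?:/([^/]+))?/?$")
    _MEMBERS = re.compile(r"^/groups/([^/]+)/members(?:/([^/]+))?/?$")

    def __init__(self):
        self.people = set()
        self.groups = {}  # cn -> set of member uids (the LDAP 'member' attribute)

    def create_person(self, uid):
        self.people.add(uid)

    def create_group(self, cn):
        self.groups.setdefault(cn, set())

    def _route(self, path):
        """Map a request path to (view, uid, cn); parts not in the path are None."""
        if not path.startswith(self.BASE):
            raise KeyError(f"unknown base path: {path}")
        rel = path[len(self.BASE):]
        m = self._MEMBER_OF.match(rel)
        if m:
            return "memberOf", m.group(1), m.group(2)
        m = self._MEMBERS.match(rel)
        if m:
            return "members", m.group(2), m.group(1)
        raise KeyError(f"no route for {path}")

    def _require(self, uid, cn):
        if uid not in self.people:
            raise KeyError(f"no such person: {uid}")
        if cn not in self.groups:
            raise KeyError(f"no such group: {cn}")

    def request(self, method, path, body=None):
        view, uid, cn = self._route(path)
        body = body or {}
        if method == "POST":
            # The POST bodies name both ends of the relationship by URI; the last
            # path segment of each URI is the uid / cn.
            uid = uid or body["person-uri"].rsplit("/", 1)[-1]
            cn = cn or body["group-uri"].rsplit("/", 1)[-1]
            self._require(uid, cn)
            self.groups[cn].add(uid)
            return {"status": 201, "group-uri": f"{self.BASE}/groups/{cn}",
                    "person-uri": f"{self.BASE}/people/{uid}"}
        if method == "DELETE":
            self._require(uid, cn)
            self.groups[cn].discard(uid)
            return {"status": 200}
        if method == "GET":
            if view == "memberOf":
                if uid not in self.people:
                    raise KeyError(f"no such person: {uid}")
                return {"memberOf": sorted(c for c, members in self.groups.items() if uid in members)}
            if cn not in self.groups:
                raise KeyError(f"no such group: {cn}")
            return {"members": sorted(self.groups[cn])}
        raise ValueError(f"unsupported method {method}")


if __name__ == "__main__":
    d = UserProfileDirectory()
    d.create_person("John")
    d.create_group("group1")
    base = UserProfileDirectory.BASE
    d.request("POST", base + "/people/John/memberOf/",
              {"group-uri": base + "/group/group1", "person-uri": base + "/people/John"})
    print(d.request("GET", base + "/groups/group1/members"))
    print(d.request("GET", base + "/people/John/memberOf/"))
```

The consequence for access control is that a caller who is allowed to write either relationship view can change group membership; both routes must sit behind the same authorization decision, not just the one that looks group-centric.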
This section includes the following operations:
Shows how to assign a user to a group.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","description":"test user","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create Group "Group1"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"group1 testing","commonname":"group1"}'
Create a Members Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/members -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/group\/group1", "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}'
Shows how to read a "members" relationship.
Shows how to delete a "members" relationship profile.
Delete the Members Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/members/John/"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete Group "Group1"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/"
This section includes the following operations:
Shows how to assign a manager to a user.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","description":"test user","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create User "Alan"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"Alan","description":"Manager User","lastname":"Doe", "commonname":"Alan Doe","firstname":"Alan"}'
Create a Manager Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/John/manager/ -d '{"report-uri":"\/idaas_rest\/rest\/userprofile\/people\/John", "manager-uri":"\/idaas_rest\/rest\/userprofile\/people\/Alan"}'
Shows how to read a manager relationship profile.
Shows how to delete the manager relationship.
Delete the Manager Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/John/manager/Alan"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete User "Alan"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/Alan/"
This section includes the following operations:
Shows how to create a reports-to relationship.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","description":"test user","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create User "Alan"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"Alan","description":"Manager User","lastname":"Doe", "commonname":"Alan Doe","firstname":"Alan"}'
Create a Reports Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/Alan/reports/ -d '{"report-uri":"\/idaas_rest\/rest\/userprofile\/people\/John", "manager-uri":"\/idaas_rest\/rest\/userprofile\/people\/Alan"}'
Shows how to read a reports-to relationship.
Shows how to delete a reports-to relationship.
Delete the Reports Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/Alan/reports/John"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete User "Alan"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/Alan/"
This section includes the following operations:
Shows how to create an ownerOf relationship.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create Group "group1"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"group1 testing","commonname":"group1"}'
Create an "ownerOf" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/John/ownerOf/ -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/group1", "owner-uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}'
Shows how to read an ownerOf relationship.
Shows how to delete an ownerOf relationship.
Delete the "ownerOf" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/people/John/ownerOf/group1"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete Group "group1"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1"
This section includes the following operations:
Shows how to create a personOwner relationship.
Create User "John"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{"uid":"John","lastname":"Anderson","commonname":"John Anderson","firstname":"John"}'
Create Group "group1"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"group1 testing","commonname":"group1"}'
Create a "personOwner" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/personOwner -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/group1", "owner-uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}'
Shows how to read a personOwner relationship.
Shows how to delete a personOwner relationship.
Delete the "personOwner" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/personOwner/John"
Delete User "John"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/people/John/
Delete Group "group1"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/group1/"
This section includes the following operations:
Shows how to create a groupOwner relationship.
Create Group "XYZ"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"XYZ Group","commonname":"XYZ"}'
Create Group "ABC"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"ABC Group","commonname":"ABC"}'
Create a "groupOwner" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/groupOwner -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/XYZ", "owner-uri":"\/idaas_rest\/rest\/userprofile\/groups\/ABC"}'
Shows how to read a groupOwner relationship.
Shows how to delete a groupOwner relationship.
Delete the "groupOwner" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/groupOwner/ABC"
Delete Group "XYZ"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/
Delete Group "ABC"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/ABC/"
This section includes the following operations:
Shows how to create a groupOwnerOf relationship.
Create Group "XYZ"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"XYZ Group","commonname":"XYZ"}'
Create Group "ABC"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"ABC Group","commonname":"ABC"}'
Create a "groupOwnerOf" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ABC/groupOwnerOf -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/XYZ", "owner-uri":"\/idaas_rest\/rest\/userprofile\/groups\/ABC"}'
Shows how to read a groupOwnerOf relationship.
Shows how to delete a groupOwnerOf relationship.
Delete the "groupOwnerOf" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/ABC/groupOwnerOf/XYZ"
Delete Group "XYZ"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/
Delete Group "ABC"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/ABC/"
This section includes the following operations:
Shows how to create a groupMemberOf relationship.
Create Group "XYZ"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"XYZ Group","commonname":"XYZ"}'
Create Group "iCloud"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"iCloud Group","commonname":"iCLOUD"}'
Create a "groupMemberOf" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/groupMemberOf -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/iCLOUD", "member-uri":"\/idaas_rest\/rest\/userprofile\/groups\/XYZ"}'
Shows how to read a groupMemberOf relationship.
Shows how to delete a groupMemberOf relationship.
Delete the "groupMemberOf" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/groupMemberOf/iCLOUD"
Delete Group "XYZ"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/
Delete Group "iCLOUD"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/iCLOUD/"
This section includes the following operations:
Shows how to create a groupMembers relationship.
Create Group "XYZ"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"XYZ Group","commonname":"XYZ"}'
Create Group "iCloud"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/ -d '{"description":"iCloud Group","commonname":"iCLOUD"}'
Create a "groupMembers" Relationship
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/groups/iCLOUD/groupMembers -d '{"group-uri":"\/idaas_rest\/rest\/userprofile\/groups\/iCLOUD", "member-uri":"\/idaas_rest\/rest\/userprofile\/groups\/XYZ"}'
Shows how to read a groupMembers relationship.
Shows how to delete a groupMembers relationship.
Delete the "groupMembers" Relationship
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/iCLOUD/groupMembers/XYZ"
Delete Group "XYZ"
curl -i --request DELETE http://localhost:14100/idaas_rest/rest/userprofile/groups/XYZ/
Delete Group "iCLOUD"
curl -i --request DELETE "http://localhost:14100/idaas_rest/rest/userprofile/groups/iCLOUD/"
This section includes the following operations:
Shows how to get a list of all users.
{"next":"\/idaas_rest\/rest\/userprofile\/people?pageSize=10&pagePos=1", "elements":[{"uid":"OracleSystemUser","guid":"E9A3B390581611E19F08FB1E3902A71C", "description":"Oracle application software system user.", "name":"OracleSystemUser","lastname":"OracleSystemUser", "commonname":"OracleSystemUser","loginid":"OracleSystemUser", "uniquename":"E9A3B390581611E19F08FB1E3902A71C", "uri":"\/idaas_rest\/rest\/userprofile\/people\/OracleSystemUser"}, {"uid":"weblogic","guid":"E9A4C500581611E19F08FB1E3902A71C", "description":"This user is the default administrator.","name":"weblogic", "lastname":"weblogic","commonname":"weblogic","loginid":"weblogic", "uniquename":"E9A4C500581611E19F08FB1E3902A71C", "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic"}, {"uid":"alice","guid":"D8D1907158F511E1BFDCF77FB8E715D5", "description":"This test user is alice.","name":"alice","lastname":"alice", "commonname":"alice","loginid":"alice", "uniquename":"D8D1907158F511E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/alice"}, {"uid":"sean","guid":"D8D5AF2058F511E1BFDCF77FB8E715D5", "description":"This test user is sean.","name":"sean","lastname":"sean", "commonname":"sean","loginid":"sean", "uniquename":"D8D5AF2058F511E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/sean"}, {"uid":"wei","guid":"D8D6245058F511E1BFDCF77FB8E715D5", "description":"This test user is wei.","name":"wei","lastname":"wei", "commonname":"wei","loginid":"wei", "uniquename":"D8D6245058F511E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/wei"}, {"uid":"malla","guid":"D8D64B6058F511E1BFDCF77FB8E715D5", "description":"This test user is malla.","name":"malla","lastname":"malla", "commonname":"malla","loginid":"malla", "uniquename":"D8D64B6058F511E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/malla"}, {"uid":"alan","guid":"D8D6998058F511E1BFDCF77FB8E715D5", "description":"This test user is alan.","name":"alan","lastname":"alan", "commonname":"alan","loginid":"alan", "uniquename":"D8D6998058F511E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/alan"}], "uri":"\/idaas_rest\/rest\/userprofile\/people?pageSize=10&pagePos=0"}
Shows how to get a list of users while specifying a page size and the page position.
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/people?pagePos=0&pageSize=1"
{"next":"\/idaas_rest\/rest\/userprofile\/people?pageSize=1&pagePos=1", "elements":[{"uid":"OracleSystemUser","guid":"E9A3B390581611E19F08FB1E3902A71C", "description":"Oracle application software system user.", "name":"OracleSystemUser","lastname":"OracleSystemUser", "commonname":"OracleSystemUser","loginid":"OracleSystemUser", "uniquename":"E9A3B390581611E19F08FB1E3902A71C", "uri":"\/idaas_rest\/rest\/userprofile\/people\/OracleSystemUser"}], "uri":"\/idaas_rest\/rest\/userprofile\/people?pageSize=1&pagePos=0"}
Shows how to get a list of users while specifying a search parameter but not a search filter.
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/people/?pagePos=0&pageSize=10&searchparam.name=John*"
{"elements":[{"uid":"John","guid":"E932E4F0590911E1BFDCF77FB8E715D5", "description":"test user","name":"John","lastname":"Anderson", "commonname":"John Anderson","loginid":"John","firstname":"John", "uniquename":"E932E4F0590911E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}], "uri":"\/idaas_rest\/rest\/userprofile\/people?pageSize=10&searchparam.name=John+Anderson&pagePos=0"}
Shows how to get a list of users while specifying the default "out-of-the-box" simple AND search filter.
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/people?searchFilter=SimpleOR&searchparam.uid=John&searchparam.lastname=TEST"
{"elements":[{ "uid":"John", "guid":"E932E4F0590911E1BFDCF77FB8E715D5", "description":"test user", "name":"John", "lastname":"Anderson", "commonname":"John Anderson", "loginid":"John", "firstname":"John", "uniquename":"E932E4F0590911E1BFDCF77FB8E715D5", "uri":"\/idaas_rest\/rest\/userprofile\/people\/John"}], "uri":"\/idaas_rest\/rest\/userprofile\/people?pageSize=10&searchFilter=SimpleOR&searchparam.lastname=TEST&searchparam.uid=John&pagePos=0"}
Shows how to get Group information.
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/groups/?pagePos=0&pageSize=2"
{"next":"\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&pagePos=1", "elements":[{ "guid":"7CF7EC60724811E1BFB5AB6A1E4E415B", "description":"AdminChannelUsers can access the admin channel.", "name":"AdminChannelUsers", "commonname":"AdminChannelUsers", "uniquename":"7CF7EC60724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/AdminChannelUsers"}, {"guid":"7CF7EC61724811E1BFB5AB6A1E4E415B", "description":"Administrators can view and modify all resource attributes and start and stop servers.", "name":"Administrators", "commonname":"Administrators", "uniquename":"7CF7EC61724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/Administrators"}], "uri":"\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&pagePos=0"}
Given the name of a person in an organization, allows you to search for the person's manager.
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/people/JohnD/manager/?pagePos=0&pageSize=2"
{"elements":[{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager\/SusanS", "manager-uri":{ "uid":"SusanS", "manager":"\/idaas_rest\/rest\/userprofile\/people\/SusanS\/manager", "state":"CA", "lastname":"Smith", "firstname":"Susan", "loginid":"SusanS", "uniquename":"5B543C30790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "country":"USA", "guid":"5B543C30790511E1AF41BD17BAB1A1C1", "title":"Sr. Director, Development ", "name":"SusanS", "commonname":"Susan Smith"} }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager?pageSize=2&pagePos=0"}
Use the attrsToFetch query parameter to retrieve a specific set of attributes instead of the full set of attributes that the system returns otherwise. To specify multiple attributes, use a comma-separated list of attribute names.
For example:
.../people/alice?attrsToFetch=uid,email
The attrsToFetch query parameter can be used with any Search, Read, User, Group, or Relationship operation.
This section includes the following examples:
This example shows how to retrieve the User's common name only. Without the attrsToFetch parameter, the system would retrieve the full set of User attributes.
curl -i --request GET "http://host:10/idaas_rest/rest/userprofile/people/Alice/?attrsToFetch=commonname"
{ "commonname":"Alice Mac", "uri":"\/idaas_rest\/rest\/userprofile\/people\/Alice"}
For comparison, the same request without the attrsToFetch parameter returns the full set of User attributes:
{ "uid":"Alice", "guid":"C04020C078FE11E1AF41BD17BAB1A1C1", "description":"Alice User", "name":"Alice", "lastname":"Mac", "commonname":"Alice Mac", "loginid":"Alice", "firstname":"Alice", "uniquename":"C04020C078FE11E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/Alice"}
This example shows how to search Groups and retrieve only the name of each Group. Without the attrsToFetch parameter, the system would retrieve every attribute of each Group.
curl -i --request GET "http://host:10/idaas_rest/rest/userprofile/groups?pagePos=0&pageSize=2&attrsToFetch=name"
{"next": "\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&attrsToFetch=name&pagePos=1", "elements":[{ "name":"AdminChannelUsers", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/AdminChannelUsers"}, { "name":"Administrators", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/Administrators" }], "uri":"\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&attrsToFetch=name&pagePos=0"}
For comparison, the same search without the attrsToFetch parameter returns every attribute of each Group:
{"next": "\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&pagePos=1", "elements":[{ "guid":"7CF7EC60724811E1BFB5AB6A1E4E415B", "description":"AdminChannelUsers can access the admin channel.", "name":"AdminChannelUsers", "commonname":"AdminChannelUsers", "uniquename":"7CF7EC60724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/AdminChannelUsers"}, { "guid":"7CF7EC61724811E1BFB5AB6A1E4E415B", "description":"Administrators can view and modify all resource attributes and start and stop servers.", "name":"Administrators", "commonname":"Administrators", "uniquename":"7CF7EC61724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/Administrators" }], "uri":"\/idaas_rest\/rest\/userprofile\/groups?pageSize=2&pagePos=0"}
This example shows how to retrieve the name of the Groups that a User is a member of. Without the attrsToFetch parameter, the system would retrieve the full set of Group attributes for each Group.
curl -i --request GET "http://host:10/idaas_rest/rest/userprofile/people/weblogic/memberOf?pagePos=0&pageSize=2&attrsToFetch=name"
{"next": "\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf?pageSize=2&attrsToFetch=name&pagePos=1", "elements":[ { "group-uri": { "name":"Administrators", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/Administrators" }, "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic", "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf\/Administrators" }, { "group-uri": { "name":"OAAMEnvAdminGroup", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/OAAMEnvAdminGroup" }, "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic", "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf\/OAAMEnvAdminGroup" }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf?pageSize=2&attrsToFetch=name&pagePos=0"}
For comparison, the same request without the attrsToFetch parameter returns the full set of attributes for each Group:
{"next": "\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf?pageSize=2&pagePos=1", "elements":[ { "group-uri": { "guid":"7CF7EC61724811E1BFB5AB6A1E4E415B", "description":"Administrators can view and modify all resource attributes and start and stop servers.", "name":"Administrators", "commonname":"Administrators", "uniquename":"7CF7EC61724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/Administrators" }, "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic", "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf\/Administrators" }, { "group-uri": { "guid":"7CF83A81724811E1BFB5AB6A1E4E415B", "description":"EnvAdminGroup", "name":"OAAMEnvAdminGroup", "commonname":"OAAMEnvAdminGroup", "uniquename":"7CF83A81724811E1BFB5AB6A1E4E415B", "uri":"\/idaas_rest\/rest\/userprofile\/groups\/OAAMEnvAdminGroup" }, "person-uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic", "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf\/OAAMEnvAdminGroup" }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/weblogic\/memberOf?pageSize=2&pagePos=0"}
Use the prefetch query parameter to expand a query to retrieve a collection of attributes linked to the User, Group, or Relationship that is the subject of the query. To specify multiple attributes, use a comma-separated list of attribute names.
For example:
.../people/alice?prefetch=attr1,attr2(b1,b2),attr3(b1,b2,b3)
If you do not specify the prefetch query parameter, the system returns the requested URI only.
You can use the prefetch query parameter with any User, Group, or Relationship profile operation, but not with a Search operation.
So, for example, you can use prefetch with instance resources such as the following:
.../people/alice
.../groups/Admin
.../people/alice/memberOf/Admin
But you cannot use prefetch with collection resources, such as the following:
.../people
.../groups
.../people/alice/memberOf
This section includes one example:
This example shows how to retrieve the collection of "manager" attributes for the specified user in addition to the full set of User attributes that is returned by default.
curl -i --request GET "http://localhost:16191/idaas_rest/rest/userprofile/people/JohnD/?prefetch=manager"
{ "uid":"JohnD", "manager": {"elements": [{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager\/SusanS", "manager-uri": { "uid":"SusanS", "manager":"\/idaas_rest\/rest\/userprofile\/people\/SusanS\/manager", "state":"CA", "lastname":"Smith", "firstname":"Susan", "loginid":"SusanS", "uniquename":"5B543C30790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "country":"USA", "guid":"5B543C30790511E1AF41BD17BAB1A1C1", "title":"Sr. Director, Development ", "name":"SusanS", "commonname":"Susan Smith" } }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager?pageSize=0&pagePos=-1" }, "state":"CA", "lastname":"Doe", "firstname":"John", "loginid":"JohnD", "uniquename":"2F23AC90790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "country":"USA", "guid":"2F23AC90790511E1AF41BD17BAB1A1C1", "title":"Director, Development ", "name":"JohnD", "commonname":"John Doe"}
For comparison, the same request without the prefetch parameter returns only the URI of the manager relationship:
{ "uid":"JohnD", "manager":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager", "state":"CA", "lastname":"Doe", "firstname":"John", "loginid":"JohnD", "uniquename":"2F23AC90790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "country":"USA", "guid":"2F23AC90790511E1AF41BD17BAB1A1C1", "title":"Director, Development ", "name":"JohnD", "commonname":"John Doe"}
Use the scope query parameter to retrieve a nested level of attributes in a relationship search.
For example:
.../people/JohnD/manager?scope=toTop
Use scope if a search is between two entities that have a direct hierarchical relationship, for example a manager relationship between one user and another user, or a memberOf relationship between a user and a group.
The scope query parameter can be used with the following User Profile Services standard entities: manager, reports, groupMemberOf, groupMembers, groupOwner, and groupOwnerOf.
Note:
Configure the toTop scope attribute value by editing the User Profile Service Provider in the Oracle Access Management system administration console. In the Relationship Configuration section of the page, edit the values in the Scope for Requesting Recursion column. See "Editing or Creating a User Profile Service Provider" in the Administrator's Guide for Oracle Access Management for more information.
This section includes one example:
This example shows how to do a Manager relationship Search with scope set to toTop.
Create User "JohnD"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{ "uid":"JohnD", "title":"Director, Development ", "state":"CA", "lastname":"Doe", "commonname":"John Doe ", "firstname":"John", "password":"secret12345", "country":"USA"}'
Create User "SusanS"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{ "uid":"SusanS", "title":"Sr. Director, Development ", "state":"CA", "lastname":"Smith", "commonname":"Susan Smith", "firstname":"Susan", "password":"12345secret", "country":"USA"}'
Create User "AlanC"
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/ -d '{ "uid":"AlanC", "title":"VP, Identity Management Development ", "state":"CA", "lastname":"Cooper", "commonname":"Alan Cooper", "firstname":"Alan", "password":"welcome321", "country":"USA"}'
Create a "manager" relationship between JohnD and SusanS
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/JohnD/manager -d '{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "manager-uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS"}'
Create a "manager" relationship between SusanS and AlanC
curl -H "Content-Type: application/json" --request POST http://localhost:14100/idaas_rest/rest/userprofile/people/SusanS/manager -d '{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "manager-uri":"\/idaas_rest\/rest\/userprofile\/people\/AlanC"}'
Perform a "manager" relationship Search with scope = toTop
curl -i --request GET "http://localhost:14100/idaas_rest/rest/userprofile/people/JohnD/manager/?scope=toTop&pagePos=0&pageSize=2"
{"next": "\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager?pageSize=2&scope=toTop&pagePos=1", "elements": [{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager\/SusanS", "manager-uri": { "uid":"SusanS", "manager":"\/idaas_rest\/rest\/userprofile\/people\/SusanS\/manager", "state":"CA", "lastname":"Smith", "firstname":"Susan", "loginid":"SusanS", "uniquename":"5B543C30790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "country":"USA", "guid":"5B543C30790511E1AF41BD17BAB1A1C1", "title":"Sr. Director, Development ", "name":"SusanS", "commonname":"Susan Smith" } }, { "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS\/manager\/AlanC", "manager-uri": { "uid":"AlanC", "guid":"31486BE0790611E1AF41BD17BAB1A1C1", "title":"VP, Identity Management Development ", "name":"AlanC", "state":"CA", "lastname":"Cooper", "commonname":"Alan Cooper", "loginid":"AlanC", "firstname":"Alan", "uniquename":"31486BE0790611E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/AlanC", "country":"USA" } }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager?pageSize=2&scope=toTop&pagePos=0"}
For comparison, the same search without scope=toTop returns only JohnD's direct manager:
{"elements": [{ "report-uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD", "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager\/SusanS", "manager-uri": { "uid":"SusanS", "manager":"\/idaas_rest\/rest\/userprofile\/people\/SusanS\/manager", "state":"CA", "lastname":"Smith", "firstname":"Susan", "loginid":"SusanS", "uniquename":"5B543C30790511E1AF41BD17BAB1A1C1", "uri":"\/idaas_rest\/rest\/userprofile\/people\/SusanS", "country":"USA", "guid":"5B543C30790511E1AF41BD17BAB1A1C1", "title":"Sr. Director, Development ", "name":"SusanS", "commonname":"Susan Smith" } }], "uri":"\/idaas_rest\/rest\/userprofile\/people\/JohnD\/manager?pageSize=2&pagePos=0"}
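As an added example (not code from the Oracle documentation), the following Python client follows the "next" links of a paged relationship search, as in the user search and scope=toTop examples above, and rebuilds the management chain from the report-uri and manager-uri pairs; it stops on an empty page, a missing "next", a repeated page, or a cycle in the directory data. The get_json callable, the page size of 1 and the in-memory FAKE_SERVER responses (modelled on the JohnD/SusanS/AlanC example) are constructions of this example, so it runs without a server.

```python
"""Follow the paged responses of a User Profile Services relationship search and
rebuild the management chain that a scope=toTop manager search returns."""
from urllib.parse import urlencode

# Paths are relative to the server root, as the "next" and "uri" values on this
# page are; a real client prefixes http://host:port and performs the GET.
PEOPLE = "/idaas_rest/rest/userprofile/people"


def page_path(path, page_size, page_pos, **extra):
    """Request path with the query-string order the server's own "next" links use."""
    params = {"pageSize": page_size, **extra, "pagePos": page_pos}
    return f"{path}?{urlencode(params)}"


def uid_from_ref(ref):
    """A relationship end is either an expanded profile (dict with "uid") or a bare
    resource URI such as /idaas_rest/rest/userprofile/people/JohnD."""
    return ref["uid"] if isinstance(ref, dict) else ref.rstrip("/").rsplit("/", 1)[-1]


def iter_elements(first_path, get_json, max_pages=100):
    """Yield every element of a search, following "next" until a page has no "next"
    or no elements. The seen set stops a server that keeps returning the same page
    and max_pages bounds the total work."""
    path, seen = first_path, set()
    for _ in range(max_pages):
        if path in seen:
            raise RuntimeError(f"pagination loop at {path}")
        seen.add(path)
        page = get_json(path)
        elements = page.get("elements", [])
        yield from elements
        path = page.get("next")
        if not path or not elements:
            return
    raise RuntimeError(f"more than {max_pages} pages")


def manager_chain(uid, get_json, page_size=1, scope="toTop"):
    """[uid, manager, manager's manager, ...] from report-uri -> manager-uri edges.
    The walk ends at the top of the hierarchy or on a cycle in the directory data."""
    first = page_path(f"{PEOPLE}/{uid}/manager", page_size, 0, scope=scope)
    edges = {uid_from_ref(el["report-uri"]): uid_from_ref(el["manager-uri"])
             for el in iter_elements(first, get_json)}
    chain = [uid]
    while chain[-1] in edges:
        nxt = edges[chain[-1]]
        if nxt in chain:
            raise RuntimeError(f"manager cycle through {nxt}")
        chain.append(nxt)
    return chain


# Constructed responses modelled on this page's scope=toTop example, split into
# pages of size 1 so that "next" handling is exercised; keyed by request path.
def _edge(report, manager, name):
    return {"report-uri": f"{PEOPLE}/{report}",
            "uri": f"{PEOPLE}/{report}/manager/{manager}",
            "manager-uri": {"uid": manager, "commonname": name, "uri": f"{PEOPLE}/{manager}"}}


SEARCH = f"{PEOPLE}/JohnD/manager"
FAKE_SERVER = {
    page_path(SEARCH, 1, 0, scope="toTop"): {"next": page_path(SEARCH, 1, 1, scope="toTop"),
                                             "elements": [_edge("JohnD", "SusanS", "Susan Smith")]},
    page_path(SEARCH, 1, 1, scope="toTop"): {"next": page_path(SEARCH, 1, 2, scope="toTop"),
                                             "elements": [_edge("SusanS", "AlanC", "Alan Cooper")]},
    page_path(SEARCH, 1, 2, scope="toTop"): {"elements": []},
}


def fake_get_json(path):
    """Stand-in for an HTTP GET that returns the parsed JSON body."""
    return FAKE_SERVER[path]


if __name__ == "__main__":
    print(manager_chain("JohnD", fake_get_json))  # ['JohnD', 'SusanS', 'AlanC']
```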
The examples in this section present a progression of REST calls. First a device registration handle is acquired and then used in subsequent calls to the Mobile and Social server in order to authenticate a user, obtain access to a protected resource, and interact with User Profile Services. The basic sequence is (1) obtain a device registration handle, (2) obtain a user token, and (3) obtain an access token.
Note:
The REST examples presented in this section include line breaks and indented code blocks to help make them easy to read.
Mobile SSO Agent Requests Client Registration Handle (Client Token)
Mobile SSO Agent Requests Client Registration Handle on Behalf of Business App
This example shows the client registration request call that the mobile SSO agent app on an iOS device sends to the Mobile and Social Server.
curl -H "Content-Type: application/json" --request POST http://hostname.example.com:18001/idaas_rest/rest/mobilejwtauthentication/register -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"jdoe", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE", "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" }, "clientId":"OICSecurityApp" }'
{"X-Idaas-Rest-Token-Value":"eyJ0b2tlblR...l9M=", "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE", "handles": {"oaam.device": { "expirationTSInSec":1334423076, "value":"20_7fe4bde3d448598c4cb8211d214b5eaded0620428c06061b1261644603717cd3" }, "oaam.session": { "expirationTSInSec":1332955447, "value":"18_2743f64c111cb6691ea18689317958192d748b191a4955851e43f40910079e9a" } } }
curl -H "Content-Type: application/json" --request POST http://hostname.example.com:18001/idaas_rest/rest/mobilejwtauthentication/register -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="T0lDU2VjdXJ...Gw5TT0="' -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"jdoe", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE", "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" }, "handles": {"oaam.session":"18_2743f64c111cb6691ea18689317958192d748b191a4955851e43f40910079e9a", "oaam.device":"20_7fe4bde3d448598c4cb8211d214b5eaded0620428c06061b1261644603717cd3" }, "clientId":"WhitePageApp" }'
{"X-Idaas-Rest-Token-Value":"eyJ0b2tlblR...Lyhko=", "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE", "handles": {"oaam.device": { "expirationTSInSec":1334423298, "value":"20_7fe4bde3d448598c4cb8211d214b5eaded0620428c06061b1261644603717cd3" }, "oaam.session": { "expirationTSInSec":1332955669, "value":"18_2743f64c111cb6691ea18689317958192d748b191a4955851e43f40910079e9a" } } }
curl -H "Content-Type: application/json" --request POST http://hostname.example.com:18001/idaas_rest/rest/mobilejwtauthentication/authenticate -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="T0lDU2VjdXJpdHlBc...Fa00vOD0="' -d '{ "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL", "X-Idaas-Rest-Subject-Username":"jdoe", "X-Idaas-Rest-Subject-Password":"password123", "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN", "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" }, "handles": {"oaam.session":"21_9e2e728b3180a7a3c9b80cef542c58339c2c7ed0e1a3ba66db4807ef1cf1523d", "oaam.device":"23_3a958d144b04f91c53b4236ed9f880357122df946f14ba21d957be5b49ef529b" } }'
{"X-Idaas-Rest-Token-Value":"eyJhbGciOiJSUzUx...1OC6qw", "X-Idaas-Rest-Token-Type":"USERTOKEN", "handles": {"oaam.device": { "expirationTSInSec":1334424634, "value":"23_3a958d144b04f91c53b4236ed9f880357122df946f14ba21d957be5b49ef529b" }, "oaam.session": { "expirationTSInSec":1332957005, "value":"21_9e2e728b3180a7a3c9b80cef542c58339c2c7ed0e1a3ba66db4807ef1cf1523d" } } }
curl -H "Content-Type: application/json" --request POST http://hostname.example.com:18001/idaas_rest/rest/mobilejwtauthentication/access -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="T0lDU2VjdXJpdHlBc...TFPQzZxdw=="' -d '{ "X-Idaas-Rest-Subject-Type":"TOKEN", "X-Idaas-Rest-Subject-Value":"eyJhbGciOiJSUzUxM...411OC6qw", "X-Idaas-Rest-Application-Context":"<webgate context>", "X-Idaas-Rest-Application-Resource":"http:\/\/am-v40z-04.us.example.com:7777\/index.html", "X-Idaas-Rest-New-Token-Type-To-Create":"ACCESSTOKEN", "deviceProfile": { "oracle:idm:claims:client:sdkversion":"11.1.2.0.0", "hardwareIds": { "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7", "oracle:idm:claims:client:phonenumber":"1-650-555-1234", "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6", "oracle:idm:claims:client:imei":"010113006310121" }, "oracle:idm:claims:client:jailbroken":false, "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636", "oracle:idm:claims:client:networktype":"PHONE_CARRIER", "oracle:idm:claims:client:vpnenabled":false, "oracle:idm:claims:client:ostype":"iPhone OS", "oracle:idm:claims:client:phonecarriername":"AT&T", "oracle:idm:claims:client:locale":"EN-US", "oracle:idm:claims:client:osversion":"4.0" } "handles": {"oaam.session":"21_9e2e728b3180a7a3c9b80cef542c58339c2c7ed0e1a3ba66db4807ef1cf1523d", "oaam.device":"23_3a958d144b04f91c53b4236ed9f880357122df946f14ba21d957be5b49ef529b" } }'
curl -H "Content-Type: application/json" --request POST \
  http://hostname.example.com:18001/idaas_rest/rest/mobilejwtauthentication/authenticate \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -H 'X-IDAAS-REST-AUTHORIZATION: UIDPASSWORD cred="T0lDU2VjdXJpdHlBc...TFPQzZxdw=="' \
  -d '{
    "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL",
    "X-Idaas-Rest-Subject-Username":"jdoe",
    "X-Idaas-Rest-Subject-Password":"password123",
    "X-Idaas-Rest-New-Token-Type-To-Create":"USERTOKEN",
    "OAM-Token-Type-To-Create":"USERTOKEN::OAMMT",
    "deviceProfile": {
      "oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
      "hardwareIds": {
        "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7",
        "oracle:idm:claims:client:phonenumber":"1-650-555-1234",
        "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6",
        "oracle:idm:claims:client:imei":"010113006310121"
      },
      "oracle:idm:claims:client:jailbroken":false,
      "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
      "oracle:idm:claims:client:networktype":"PHONE_CARRIER",
      "oracle:idm:claims:client:vpnenabled":false,
      "oracle:idm:claims:client:ostype":"iPhone OS",
      "oracle:idm:claims:client:phonecarriername":"AT&T",
      "oracle:idm:claims:client:locale":"EN-US",
      "oracle:idm:claims:client:osversion":"4.0"
    },
    "handles": {
      "oaam.session":"21_9e2e728b3180a7a3c9b80cef542c58339c2c7ed0e1a3ba66db4807ef1cf1523d",
      "oaam.device":"23_3a958d144b04f91c53b4236ed9f880357122df946f14ba21d957be5b49ef529b"
    }
  }'
Knowledge-based authentication (KBA) is an authentication scheme in which the user is asked to answer at least one question.
The Request to Register a Device
curl -H "Content-Type: application/json" --request POST \
  http://server1.example.com:14100/oic_rest/rest/mobileoamauthentication/register \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -d '{
    "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE",
    "X-Idaas-Rest-Subject-Password":"password555",
    "deviceProfile": {
      "oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
      "hardwareIds": {
        "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7",
        "oracle:idm:claims:client:phonenumber":"1-650-555-1234",
        "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6",
        "oracle:idm:claims:client:imei":"010113006310121"
      },
      "oracle:idm:claims:client:jailbroken":false,
      "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
      "oracle:idm:claims:client:networktype":"PHONE_CARRIER",
      "oracle:idm:claims:client:vpnenabled":false,
      "oracle:idm:claims:client:ostype":"iPhone OS",
      "oracle:idm:claims:client:phonecarriername":"AT&T",
      "oracle:idm:claims:client:locale":"EN-US",
      "oracle:idm:claims:client:osversion":"4.0"
    },
    "X-Idaas-Rest-Subject-Username":"JohnS",
    "clientId":"OICSSOApp",
    "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"
  }'
The Response Containing the KBA Question
{
  "handles": {
    "oaam.device": {
      "expirationTSInSec":1352076952,
      "value":"563_23552f26e974030dc160...c363d47a01918caf2f97"
    },
    "oaam.session": {
      "expirationTSInSec":1350609323,
      "value":"561_419dc5ee6b325535dd0...b73c74573a49dec233a"
    },
    "oic.multiStepAuthnSessionHandle": {
      "expirationTSInSec":1350606623,
      "value":"eyJvcmlnU2VjdXJpdHlFdlsiU..1hclb2FtYXdGljYXRpb24ifQ=="
    }
  },
  "message":"The Challenge Action is triggered",
  "multi-step-challenge-question": {
    "challengeType":"KBA",
    "locale":"en",
    "questionRefId":"112",
    "questionStr":"What was the year of your favorite sports moment?"
  },
  "oicErrorCode":"IDAAS-61010",
  "status":"REQUIRE_MULTI_STEP_AUTHN"
}
The Request to Register the Device Containing the KBA Answer
curl -H "Content-Type: application/json" --request POST \
  http://server1.example.com:14100/oic_rest/rest/mobileoamauthentication/register \
  -H 'X-IDAAS-SERVICEDOMAIN:MobileServiceDomain' \
  -d '{
    "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTREGHANDLE",
    "X-Idaas-Rest-Subject-Password":"password555",
    "deviceProfile": {
      "oracle:idm:claims:client:sdkversion":"11.1.2.0.0",
      "hardwareIds": {
        "oracle:idm:claims:client:udid":"0e83ff56a12a9cf0c7",
        "oracle:idm:claims:client:phonenumber":"1-650-555-1234",
        "oracle:idm:claims:client:macaddress":"00-16-41-34-2C-A6",
        "oracle:idm:claims:client:imei":"010113006310121"
      },
      "oracle:idm:claims:client:jailbroken":false,
      "oracle:idm:claims:client:geolocation":"+40.689060,-74.044636",
      "oracle:idm:claims:client:networktype":"PHONE_CARRIER",
      "oracle:idm:claims:client:vpnenabled":false,
      "oracle:idm:claims:client:ostype":"iPhone OS",
      "oracle:idm:claims:client:phonecarriername":"AT&T",
      "oracle:idm:claims:client:locale":"EN-US",
      "oracle:idm:claims:client:osversion":"4.0"
    },
    "X-Idaas-Rest-Subject-Username":"JohnS",
    "multi-step-challenge-answer": {
      "challengeType":"KBA",
      "locale":"EN-US",
      "answerStr":"moment",
      "questionRefId":"112"
    },
    "handles": {
      "oaam.session":"561_419dc5ee6b325535dd026c882ac67cabc271dd7e0297ab73c74573a49dec233a",
      "oaam.device":"563_23552f26e974030dc16018cc6b76237432c363d47a019cec8c73aa318caf2f97",
      "oic.multiStepAuthnSessionHandle":"eyJvcmlnU2VjdXJpdHlFdmVudHMiOlsiUkVHX1NFQ1VSSVRZX0NMSUVOVF9BUFAiXSwib3JpZ1JlcU1hcCI6eyJjbGllbnRJUEFkZHJlc3MiOiIxMC4xMzMuMTM5LjE0MyIsIlgtSWRhYXMtUmVzdC1TdWJqZWN0LVBhc3N3b3JkIjoid2VsY29tZTEiLCJYLUlkYWFzLVJlc3QtTmV3LVRva2VuLVR5cGUtVG8tQ3JlYXRlIjoiQ0xJRU5UUkVHSEFORExFIiwiWC1JZGFhcy1SZXN0LVN1YmplY3QtVXNlcm5hbWUiOiJKb2huUyIsImNsaWVudElkIjoiT0lDU1NPQXBwIiwiWC1JZGFhcy1SZXN0LVN1YmplY3QtVHlwZSI6IlVTRVJDUkVERU5USUFMIn0sImNvbnRyYWN0TmFtZSI6Ik1vYmlsZVNlcnZpY2VEb21haW4iLCJzZXJ2aWNlSWRFUCI6IlwvbW9iaWxlb2FtYXV0aGVudGljYXRpb24ifQ=="
    },
    "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL"
  }'
The Response with a Client Registration Handle
{
  "X-Idaas-Rest-Token-Value":"eyJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6c2RrdmVyc2lvbiI6IjExLjEuMi4wLjAiLCJ0b2tlblR5cGUiOiJDTElFTlRSRUdIQU5ETEUiLCJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6bWFjYWRkcmVzcyI6IjAwLTE2LTQxLTM0LTJDLUE2IiwicmVnVXNlciI6IkpvaG5TIiwiaXNzIjoiTW9iaWxlT0FNQXV0aGVudGljYXRpb24iLCJvcmFjbGU6aWRtOmNsYWltczpjbGllbnQ6b3N0eXBlIjoiaVBob25lIE9TIiwib3JhY2xlOmlkbTpjbGFpbXM6Y2xpZW50OmltZWkiOiIwMTAxMTMwMDYzMTAxMjEiLCJyZWdUUyI6MTM1MDYwNTc4MCwianRpIjoiYTNlMWM1MjYtYjBjMS00ZDg0LThjYzAtZjYyMDNmYjM4NWVlIiwib3JhY2xlOmlkbTpjbGFpbXM6Y2xpZW50Om9zdmVyc2lvbiI6IjQuMCIsImNsaWVudElkIjoiT0lDU1NPQXBwIn0=.qA6Ez+gXNdLbk/hD5LRVDaBRK3t6b6IOOk7Z8iwW03s=",
  "X-Idaas-Rest-Token-Type":"CLIENTREGHANDLE",
  "handles": {
    "oaam.device": {
      "expirationTSInSec":1352077009,
      "value":"563_23552f26e974030dc16018cc6b76237432c363d47a019cec8c73aa318caf2f97"
    },
    "oaam.session": {
      "expirationTSInSec":1350609380,
      "value":"561_419dc5ee6b325535dd026c882ac67cabc271dd7e0297ab73c74573a49dec233a"
    }
  }
}
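The two-step registration shown above (challenge response, then a second register call that replays the returned handles together with the KBA answer) as an added example client; this is not Oracle's code. The `register_device`, `live_handles` and `demo` functions, the injectable `send` transport and the stand-in server with its abbreviated handle values are all constructed here, and the same carry-forward of the oaam.session and oaam.device handles applies to the authenticate and access calls earlier in this section.

```python
import json
REGISTER_PATH = "/oic_rest/rest/mobileoamauthentication/register"

def live_handles(handles, now):
    """Flatten response handles to {name: value}, dropping any already expired."""
    return {n: h["value"] for n, h in handles.items()
            if h.get("expirationTSInSec", 0) > now}

def register_device(send, base_body, answer_for, now):
    """send(path, body) -> response dict; answer_for(question_text) -> str."""
    resp = send(REGISTER_PATH, base_body)            # step 1: plain register call
    if resp.get("status") != "REQUIRE_MULTI_STEP_AUTHN":
        return resp                                  # no challenge was raised
    q = resp["multi-step-challenge-question"]
    if q.get("challengeType") != "KBA":
        raise ValueError("unsupported challengeType: %r" % q.get("challengeType"))
    handles = live_handles(resp.get("handles", {}), now)
    if "oic.multiStepAuthnSessionHandle" not in handles:
        raise ValueError("multi-step session handle missing or expired")
    body = dict(base_body, handles=handles)          # step 2: replay handles + answer
    body["multi-step-challenge-answer"] = {
        "challengeType": "KBA", "locale": q["locale"],
        "questionRefId": q["questionRefId"], "answerStr": answer_for(q["questionStr"])}
    final = send(REGISTER_PATH, body)
    if final.get("X-Idaas-Rest-Token-Type") != "CLIENTREGHANDLE":
        raise ValueError("no CLIENTREGHANDLE issued: %r" % final.get("status"))
    return final

# Constructed stand-in for the server's challenge (handle values abbreviated, not real).
CHALLENGE = {"status": "REQUIRE_MULTI_STEP_AUTHN", "oicErrorCode": "IDAAS-61010",
    "handles": {"oaam.session": {"expirationTSInSec": 1350609323, "value": "561_x"},
                "oaam.device": {"expirationTSInSec": 1352076952, "value": "563_x"},
                "oic.multiStepAuthnSessionHandle": {"expirationTSInSec": 1350606623, "value": "msah_x"}},
    "multi-step-challenge-question": {"challengeType": "KBA", "locale": "en", "questionRefId": "112",
                                      "questionStr": "What was the year of your favorite sports moment?"}}

def demo(now=1350605000):
    """Run the flow against the stand-in; returns (final response, list of bodies sent)."""
    sent = []
    def send(path, body):
        sent.append(json.loads(json.dumps(body)))    # deep copy so the caller can inspect it
        ans = body.get("multi-step-challenge-answer")
        if ans is None:
            return CHALLENGE
        ok = (ans.get("questionRefId") == "112" and ans.get("answerStr") == "moment"
              and body.get("handles", {}).get("oic.multiStepAuthnSessionHandle") == "msah_x")
        return {"X-Idaas-Rest-Token-Type": "CLIENTREGHANDLE"} if ok else {"status": "FAILED"}
    base = {"X-Idaas-Rest-New-Token-Type-To-Create": "CLIENTREGHANDLE", "clientId": "OICSSOApp",
            "X-Idaas-Rest-Subject-Type": "USERCREDENTIAL", "X-Idaas-Rest-Subject-Username": "JohnS",
            "X-Idaas-Rest-Subject-Password": "password555", "deviceProfile": {"oracle:idm:claims:client:sdkversion": "11.1.2.0.0"}}
    return register_device(send, base, lambda question: "moment", now), sent
```

Passing a `now` later than the oic.multiStepAuthnSessionHandle expiry makes `register_device` refuse to replay the stale handle instead of sending a second request that the server would reject.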
The client can specify the tenant name as shown in the following example:
curl -H "Content-Type: application/json" -H "MY-MT-NAME: sales" --request POST \
  http://localhost:18001/oic_rest/rest/jwtauthentication/authenticate \
  -d '{
    "X-Idaas-Rest-Subject-Type":"USERCREDENTIAL",
    "X-Idaas-Rest-Subject-Username":"profileid3",
    "X-Idaas-Rest-Subject-Password":"clientpassword",
    "X-Idaas-Rest-New-Token-Type-To-Create":"CLIENTTOKEN"
  }'
Also see "Enabling the REST Client to Specify the Tenant Name" in the Administrator's Guide for Oracle Access Management.
Mobile and Social REST API error messages are documented in the Oracle Fusion Middleware Error Message Reference. The "IDAAS" prefix designates Mobile and Social messages.