API Documentation

[RemitAlert]

Hi ,

Is there any API documentation available? We are trying to use the server as AS ( Authorization Server) in OAuth2. All our use cases are for grant type client_credential. We need to add the clients dynamically and the client gets the token from token API and passes it in API call to us. I see there is some documentation here ( https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/API) but it doesn't have details on what parameters are required.

-N

[col-panic]

Same problem here!

Can you access the API using non-browser tools? I always get results like

{"error":"unauthorized","error_description":"Full authentication is required to access this resource"}

[col-panic]

Does this server support features like https://connect2id.com/products/server/docs/api/client-registration - Open Registration / Managed Registration. I am currently trying to solve a dynamic registration for a introspection client without the user needing to intervene.

At the moment I don't seem to find a way to realize such a scenario.

[col-panic]

See https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1220

[jricher]

You should be able to access the client API using an access token from the server owned by any of the admin users (or really, with "admin" rights to it). We don't have a separate scope for this API access at this time because it needs to be an admin user anyway.

Note that there's also dynamic registration for both clients and protected resources, available without an access token. This is separate from the API.

[col-panic]

Thanks! Does this work without the web-browser being involved?! I can't figure out how to this this e.g. using cUrl (where no JSESSIONID whatsoever is created!)

[jricher]

Yes, you need to get and then pass an OAuth token to the API and then you can call it using that token without a browser. That's if you're using the API. If you're using dynamic registration, you can just call it directly without a token.

[col-panic]

I am still confused on this, lets please fix an example.

GOAL I want to automagically (That is, no web-browser involved - everything just happens by the code) register a protected resource.

PRE-CONDITION

• No existing OAUTH clients.
• I have access to an administrators username and password

METHOD

• Dynamically register a client
• Use this dynamic registered client and my admin user/password to get a token.
• Use this token to https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/wiki/API#post-apiclients POST a new client with introspection right.
• Store the clientId and clientSecret from last step to use with the protected resource.

MY PROBLEM/QUESTIONS

• This approach seems to generally work, but for full automation it would require to register a dynamic client with grant_type password, which is not allowed. (see https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1364)
• Even manually adding the grant_type password to the dynamically registered client via browser interface, does not allow for the resp. usage -> openid will return Unsupported grant type: password -> could be https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1213 (proposal to present state in web ui https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/issues/1363)

To me this seems like a chicken and egg problem - is it correct, that in any case there has to be an initial configured client available (even if I have username, password of an admin) in order to perform serious administration tasks?

[jricher]

There's no standard way to do it but this project has a feature that does exactly what you want: You can use the protected resource registration endpoint for this.

https://github.com/mitreid-connect/OpenID-Connect-Java-Spring-Server/blob/master/openid-connect-server/src/main/java/org/mitre/openid/connect/web/ProtectedResourceRegistrationEndpoint.java

No tokens or logins needed, since it's not part of the site API. See the user-interactive page that calls this at https://mitreid.org/manage/dev/resource

[antonionehme]

I think I have the same question: is there any documentation/examples on how to use the authorization server endpoints. Probably similar to that can be found here: https://backstage.forgerock.com/docs/am/5.5/uma-guide/#chap-uma-implementation

[yoursuche]

You should be able to access the client API using an access token from the server owned by any of the admin users (or really, with "admin" rights to it). We don't have a separate scope for this API access at this time because it needs to be an admin user anyway.

Note that there's also dynamic registration for both clients and protected resources, available without an access token. This is separate from the API.

How do I get an access token from the server owned by an admin users?

[jricher]

The admin user can authorize a client just like any other user of the server, using the standard OAuth protocols.

[yoursuche]

The admin user can authorize a client just like any other user of the server, using the standard OAuth protocols.

Thanks a lot @jricher I was able to get it to work.