You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-authz-policy.adoc
+2-4
Original file line number
Diff line number
Diff line change
@@ -12,7 +12,7 @@
12
12
information: "Portions copyright [year] [name of copyright owner]".
13
13
14
14
Copyright 2017 ForgeRock AS.
15
-
Portions Copyright 2024 3A Systems LLC.
15
+
Portions Copyright 2024-2025 3A Systems LLC.
16
16
////
17
17
18
18
:figure-caption!:
@@ -65,7 +65,6 @@ To help with the creation of policies, OpenAM uses __resource types__ and __poli
65
65
66
66
Resource types::
67
67
Resource types define a template for the resources that policies apply to, and the actions that could be performed on those resources.
68
-
69
68
+
70
69
For example, the `URL` resource type that is included by default in OpenAM acts as a template for protecting web pages or applications. It contains resource patterns, such as `*://*:*/*?*`, which can be made more specific when used in the policy. The actions that the resource supports are also defined, as follows:
71
70
+
@@ -86,7 +85,6 @@ For example, the `URL` resource type that is included by default in OpenAM acts
86
85
87
86
+
88
87
OpenAM also includes a resource type to protect REST endpoints, with patterns including `https://*:*/*?*` and the CRUDPAQ actions:
Copy file name to clipboardExpand all lines: openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-oauth2.adoc
+22-46
Original file line number
Diff line number
Diff line change
@@ -194,34 +194,27 @@ If OpenAM is already a SAML v2.0 service provider, you can configure OpenAM as O
194
194
[#oauth2-endpoints]
195
195
===== OpenAM OAuth 2.0 Endpoints
196
196
197
-
--
198
197
In addition to the standard authorization and token endpoints described in RFC 6749, OpenAM also exposes a token information endpoint for resource servers to get information about access tokens so they can determine how to respond to requests for protected resources, and an introspection endpoint to retrieve metadata about a token, such as approved scopes and the context in which the token was issued. OpenAM as authorization server exposes the following endpoints for clients and resource servers.
199
198
200
199
`/oauth2/authorize`::
201
200
Authorization endpoint defined in RFC 6749, used to obtain an authorization grant from the resource owner.
202
-
203
201
+
202
+
--
204
203
The `/oauth2/authorize` endpoint is protected by the policy you created after OAuth 2.0 authorization server configuration, which grants all authenticated users access.
205
204
206
-
+
207
205
The following is an example URL for obtaining consent:
After logging in, the URL above presents the OAuth 2.0 consent screen, similar to the following:
214
-
+
215
210
216
211
[#figure-oauth2-consent-screen-xui]
217
212
image::images/oauth2-authz-page-xui.png[]
218
-
+
219
-
+
213
+
220
214
If creating your own consent page, you can create a POST request to the endpoint with the following additional parameters:
221
-
+
215
+
222
216
[open]
223
217
====
224
-
225
218
`decision`::
226
219
Whether the resource owner consents to the requested access, or denies consent.
227
220
@@ -231,13 +224,10 @@ Valid values are `allow` or `deny`.
231
224
`save_consent`::
232
225
Updates the resource owner's profile to avoid having to prompt the resource owner to grant authorization when the client issues subsequent authorization requests.
233
226
234
-
+
235
227
To save consent, set the `save_consent` property to `on`.
236
228
237
-
+
238
229
You must provide the __Saved Consent Attribute Name__ property with a profile attribute in which to store the resource owner's consent decision.
239
230
240
-
+
241
231
For more information on setting this property in the OAuth2 Provider service, see xref:../reference/chap-config-ref.adoc#oauth2-provider-configuration["OAuth2 Provider"] in the __Reference__.
242
232
243
233
`csrf`::
@@ -247,9 +237,8 @@ Duplicates the contents of the `iPlanetDirectoryPro` cookie, which contains the
247
237
Duplicating the cookie value helps prevent against Cross-Site Request Forgery (CSRF) attacks.
You must specify the realm if the OpenAM OAuth 2.0 provider is configured for a subrealm rather than the top-level realm. For example, if the OAuth 2.0 provider is configured for the `/customers` realm, then use `/oauth2/customers/authorize`.
272
261
273
-
+
262
+
274
263
The `/oauth2/authorize` endpoint can take additional parameters, such as:
275
-
+
276
264
277
265
* `module` and `service`. Use either as described in xref:../admin-guide/chap-auth-services.adoc#authn-from-browser["Authenticating To OpenAM"], where `module` specifies the authentication module instance to use or `service` specifies the authentication chain to use when authenticating the resource owner.
278
266
279
267
* `response_mode=form_post`. Use this parameter to return a self-submitting form that contains the code instead of redirecting to the redirect URL with the code as a string parameter. For more information, see the link:https://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html[OAuth 2.0 Form Post Response Mode, window=\_blank] spec.
280
268
281
269
* `code_challenge`. Use this parameter when __Proof Key for Code Exchange__ (PKCE) support is enabled in the OAuth2 Provider service. To configure it, navigate to Realms > __Realm Name__ > Services > OAuth2 Provider > Advanced and enable the Code Verifier Parameter Required property. For more information about the PKCE support, see link:https://tools.ietf.org/html/rfc7636[Proof Key for Code Exchange by OAuth Public Clients, window=\_top] - __RFC 7636__.
282
-
270
+
--
283
271
284
272
`/oauth2/access_token`::
285
273
Token endpoint defined in RFC 6749, used to obtain an access token from the authorization server.
The `/oauth2/access_token` endpoint can take an additional parameter, `auth_chain=authentication-chain`, which allows client to specify the authentication chain to use for Password Grant Type.
292
279
293
-
+
294
280
The following example shows how a client can specify the authentication chain, `myAuthChain`:
The `/oauth2/access_token` endpoint can take additional parameters. In particular, you must specify the realm if the OpenAM OAuth 2.0 provider is configured for a subrealm rather than the top-level realm.
307
292
308
-
+
309
293
For example, if the OAuth 2.0 provider is configured for the `/customers` realm, then use `/oauth2/customers/access_token`.
294
+
--
310
295
311
296
`/oauth2/device`::
312
297
Device flow endpoint as defined by the link:https://datatracker.ietf.org/doc/draft-denniss-oauth-device-flow/[Internet-Draft OAuth 2.0 Device Flow, window=\_top], used by a client device to obtain a device code or an access token.
For more information, see xref:../dev-guide/chap-client-dev.adoc#rest-api-oauth2-device-flow["Using Endpoints for OAuth 2.0 Device Flow"] in the __Developer's Guide__.
303
+
--
319
304
320
305
`/oauth2/token/revoke`::
321
306
When a user logs out of an application, the application revokes any OAuth 2.0 tokens (access and refresh tokens) that are associated with the user. The client can also revoke a token without the need of an `SSOToken` by sending a request to the `/oauth2/token/revoke` endpoint as follows:
If you are revoking an access token, then that token will be revoked. If you are revoking a refresh token, then both the refresh token and any other associated access tokens will also be revoked. __Associated access tokens__ means that any other tokens that have come out of the same authorization grant will also be revoked. For cases where a client has multiple access tokens for a single user that were obtained via different authorization grants, then the client will have to make multiple calls to the `/oauth2/token/revoke` endpoint to invalidate each token.
321
+
--
336
322
337
323
`/oauth2/tokeninfo`::
338
324
Endpoint __not__ defined in RFC 6749, used to validate tokens, and to retrieve information, such as scopes.
339
-
340
325
+
326
+
--
341
327
The `/oauth2/tokeninfo` endpoint takes an HTTP GET on `/oauth2/tokeninfo?access_token=token-id`, and returns information about the token.
342
328
343
-
+
344
329
Resource servers — or any party having the token ID — can get token information through this endpoint without authenticating. This means any application or user can validate the token without having to be registered with OpenAM.
345
330
346
-
+
347
331
Given an access token, a resource server can perform an HTTP GET on `/oauth2/tokeninfo?access_token=token-id` to retrieve a JSON object indicating `token_type`, `expires_in`, `scope`, and the `access_token` ID.
The resource server making decisions about whether the token is valid can thus use the `/oauth2/tokeninfo` endpoint to retrieve expiration information about the token. Depending on the scopes implementation, the JSON response about the token can also contain scope information. As described in xref:../admin-guide/chap-oauth2.adoc#oauth2-byo-client["Using Your Own Client and Resource Server"], the default scopes implementation in OpenAM considers scopes to be names of attributes in the resource owner's user profile. Notice that the JSON response contains the values for those attributes from the user's profile, as in the preceding example, with scopes set to `mail` and `cn`.
393
+
--
413
394
414
395
`/oauth2/introspect`::
415
396
Endpoint defined in link:http://tools.ietf.org/html/draft-ietf-oauth-introspection-04[draft-ietf-oauth-introspection-04, window=\_top], used to retrieve metadata about a token, such as approved scopes and the context in which the token was issued.
416
-
417
397
+
398
+
--
418
399
Given an access token, a client can perform an HTTP POST on `/oauth2/introspect?token=access_token` to retrieve a JSON object indicating the following:
419
-
+
400
+
420
401
[open]
421
402
====
422
403
@@ -445,12 +426,10 @@ Subject of the token.
445
426
Issuer of the token.
446
427
447
428
====
448
-
+
429
+
449
430
The `/oauth2/introspect` endpoint requires authentication, and supports basic authorization (a base64-encoded string of `client_id:client_secret`), `client_id` and `client_secret` passed as header values, or a JWT bearer token.
450
431
451
-
+
452
432
The following example demonstrates the `/oauth2/introspect` endpoint with basic authorization:
For examples, and information about OAuth 2.0 token administration and client administration endpoints that are specific to OpenAM, see xref:../dev-guide/chap-client-dev.adoc#rest-api-oauth2["OAuth 2.0"] in the __Developer's Guide__.
491
-
492
467
468
+
For examples, and information about OAuth 2.0 token administration and client administration endpoints that are specific to OpenAM, see xref:../dev-guide/chap-client-dev.adoc#rest-api-oauth2["OAuth 2.0"] in the __Developer's Guide__.
493
469
494
470
[#openam-oauth2-client]
495
471
==== OpenAM as OAuth 2.0 Client and Resource Server Solution
Copy file name to clipboardExpand all lines: openam-documentation/openam-doc-source/src/main/asciidoc/admin-guide/chap-radius.adoc
+6-17
Original file line number
Diff line number
Diff line change
@@ -170,7 +170,7 @@ For more information on the RADIUS Server service configuration properties, see
170
170
171
171
. Create a file named `radius.properties` in the current working directory. The file consists of the following key-value pairs:
172
172
+
173
-
173
+
--
174
174
* `secret` - Mandatory property specifying the RADIUS client's shared secret. This property's value must be identical to the value of the Client Secret property for the RADIUS client in the OpenAM RADIUS Server service configuration.
175
175
176
176
* `host` - Mandatory property specifying the host name or IP address of the OpenAM server.
@@ -179,9 +179,7 @@ For more information on the RADIUS Server service configuration properties, see
179
179
180
180
* `show-traffic` - Optional property specifying whether to show traffic packet during client operation. Valid values are `true` and `false`. Packet traffic is not shown if this property is not specified.
181
181
182
-
+
183
182
The following is an example `radius.properties` file:
184
-
+
185
183
186
184
[source, console]
187
185
----
@@ -190,10 +188,9 @@ host=openam.example.com
190
188
port=1812
191
189
show-traffic=true
192
190
----
193
-
191
+
--
194
192
. Make sure that your current working directory is the directory in which you created the `radius.properties` file, then execute the sample client. Messages from the sample client indicate success or failure authenticating. If you specify `show-traffic=true` in the `radius.properties` file, the packets to and from the OpenAM RADIUS server appear in standard output:
@@ -219,7 +216,6 @@ Packet From openam.example.com:1812
219
216
==== Solutions to Common RADIUS Server Service Issues
220
217
221
218
This section offers solutions to issues that you might encounter when configuring communication between RADIUS clients and the RADIUS Server service. The solutions assume that you have enabled message-level debugging for the RADIUS Server service in OpenAM and have access to the debug logs.
222
-
--
223
219
224
220
Client Cannot Connect::
225
221
When a RADIUS client connects to OpenAM's RADIUS server and hangs without receiving a response, the problem could be one of four possible issues:
@@ -358,14 +354,12 @@ To fix this problem, correct the client configuration in the RADIUS Server servi
358
354
Configuration Is Correct but Authentication Fails::
359
355
In this case, you might have a client-specific problem. OpenAM provides a tool that you can use to eliminate OpenAM and its configuration as the cause of the problem. You can declare an alternate handler class implementation in the RADIUS Server service configuration. Two test handlers are available for troubleshooting purposes:
360
356
+
361
-
357
+
--
362
358
* The `org.forgerock.openam.radius.server.spi.handlers.AcceptAllHandler` handler always returns an `Access-Accept` packet, indicating successful authentication for all requests.
363
359
364
360
* The `org.forgerock.openam.radius.server.spi.handlers.RejectAllHandler` handler always returns an `Access-Reject` packet, indicating failed authentication for all requests.
365
361
366
-
+
367
362
In a case where you believe that configuration is correct but authentication always fails, you could specify the `org.forgerock.openam.radius.server.spi.handlers.AcceptAllHandler` handler class in the RADIUS Server service configuration for your client. With packet logging enabled, all requests received from the client should log packet contents traffic similar to the following even if the password is incorrect:
368
-
+
369
363
370
364
[source, console]
371
365
----
@@ -377,30 +371,25 @@ Packet from TestClient:
377
371
- NAS_IP_ADDRESS : /127.0.0.1
378
372
- NAS_PORT : 0
379
373
----
380
-
+
381
-
+
374
+
382
375
This is followed by:
383
-
+
384
376
385
377
[source, console]
386
378
----
387
379
WARNING:
388
380
Packet to TestClient:
389
381
ACCESS_ACCEPT [1]
390
382
----
391
-
+
392
-
+
383
+
393
384
If the client still indicates that authentication has failed, refer to the documentation for the client to determine why the `Access-Accept` response is rejected. Most likely, the client expects specific fields in the `Access-Accept` response that are not provided by OpenAM. There is currently no facility in OpenAM to return fields in `Access-Accept` responses.
385
+
--
394
386
395
387
Authentication Always Succeeds, Even With a Bad Password::
396
388
This would be a very unusual situation, probably due to the `org.forgerock.openam.radius.server.spi.handlers.AcceptAllHandler` handler being left in place after troubleshooting an error scenario in which authentication always suceeds.
397
389
398
390
+
399
391
To resolve the problem, verify that the correct handler class is specified in the RADIUS Server service configuration for the client. If it is not specified, review the authentication modules in the chain that authenticates users and determine whether one of the modules might be accepting all authentication requests. This situation could also occur because of incorrectly-specified module criteria in the chain's definition.
0 commit comments