• 1 reply
  • Latest Post - ‏2019-05-08T13:41:35Z by Qamar Z.

Pinned topic How to obtain an access_token into JSON [SOLVED]

‏2017-06-19T13:57:22Z | /authorize; /token; access_token; isam9.0.2.1; isam9; isam; oauth; token;

Hi guys,

I was trying to protect an Angular application (single-page application) with ISAM and I've discovered an undesired issue during its implementation. In this post I want to share the problem with you and propose a possible workaround!


The AAC module of ISAM gives the possibility to register an application under a specific API definition and to obtain a client_id and a client_secret. If the user wants to access a resource that has been protected with OAuth 2.0, they need an access token.

The access token can be obtained as follows:

  1. curl -v -k -i -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -d "username=testuser&password=Passw0rd&login-form-type=pwd" "https://isam_domain/pkmslogin.form"
  2. curl -i -v -k -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -H Content-Type:application/x-www-form-urlencoded "https://isam_domain/mga/sps/oauth/oauth20/authorize?response_type=code&client_id=app&client_secret=app"
  3. curl -v -k -i -b "C:\...\cookieJar.txt" -c "C:\...\cookieJar.txt" -d "grant_type=authorization_code&code=RN5CiOkhJOKgj2TuuMD3xVpnKpkZeVrjOg86FdwdWs2j0WwZcdydWuMnhnQk&client_id=app&client_secret=app" "https://isam_domain/mga/sps/oauth/oauth20/token"

This is the message you will read if you use the same cookieJar (in order to simulate a single page application):

{"error":"invalid_client","error_description":"FBTOAU220E The authenticated client id: [testuser] does not match the client id in the request body: [app]."}

"app" is the name of the client that is associated with the API definition and "testuser" is the username of the authenticated user!


Angular applications run in the browser and, as usual for browsers, each HTTP request is equipped with all the cookies that belong to the same domain. Unfortunately the /token endpoint doesn't work if we invoke it with a WebSEAL session cookie PD-H-SESSION-ID (or PD-S-SESSION-ID) because it is expecting that the request comes from a mobile application (that natively doesn't support cookies). And at this point?! How to obtain an access_token into a JSON if I am using an application that runs in a browser??


At the moment I am using an HTTP transformation rule that removes the PD-H-SESSION-ID every time WebSEAL receives a POST request for /mga/oauth/oauth20/token:


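<?xml version="1.0" encoding="UTF-8"?>
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0">
    <xsl:strip-space elements="*" />

    <!-- Root element WebSEAL expects for request changes -->
    <xsl:template match="/">
        <HTTPRequestChange>
            <xsl:apply-templates />
        </HTTPRequestChange>
    </xsl:template>

    <!-- Leave the request line, headers and scheme unchanged -->
    <xsl:template match="//HTTPRequest/RequestLine/Method" />
    <xsl:template match="//HTTPRequest/RequestLine/URI" />
    <xsl:template match="//HTTPRequest/RequestLine/Version" />
    <xsl:template match="//HTTPRequest/Headers" />

    <!-- Remove the WebSEAL session cookie from the request -->
    <xsl:template match="//HTTPRequest/Cookies">
        <Cookie name="PD-H-SESSION-ID" action="remove" />
    </xsl:template>

    <xsl:template match="//HTTPRequest/Scheme" />
</xsl:stylesheet>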


At the moment everything is working well... but of course I think this is an ISSUE that IBM needs to face as soon as possible because Angular applications are spreading rapidly!

What do you think about it? Do you have other ideas?


Thank you
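
The effect of the transformation rule described in the post above, modelled in Python as an added example (not part of the original post and not WebSEAL code). It goes slightly beyond the posted rule by also covering PD-S-SESSION-ID and by scoping the removal to POST requests on the token path; `strip_session_cookies`, `TOKEN_PATH` (taken from the curl call) and the sample request are assumptions constructed for illustration.

```python
# Added example: a Python model of the cookie-stripping rule, not WebSEAL code.
SESSION_COOKIES = {"PD-H-SESSION-ID", "PD-S-SESSION-ID"}
TOKEN_PATH = "/mga/sps/oauth/oauth20/token"  # assumption: path from the curl call


def strip_session_cookies(raw_request: str) -> str:
    """Return the request with WebSEAL session cookies removed when it is a
    POST to the token endpoint; any other request is returned unchanged."""
    head, sep, body = raw_request.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    path = target.split("?", 1)[0]  # ignore any query string when matching
    if method != "POST" or path != TOKEN_PATH:
        return raw_request

    kept_lines = [lines[0]]
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip().lower() != "cookie":
            kept_lines.append(line)
            continue
        # Keep every cookie pair except the session cookies.
        pairs = [p.strip() for p in value.split(";") if p.strip()]
        kept = [p for p in pairs if p.split("=", 1)[0] not in SESSION_COOKIES]
        if kept:  # drop the header entirely when nothing is left
            kept_lines.append("Cookie: " + "; ".join(kept))
    return "\r\n".join(kept_lines) + sep + body


# Constructed sample: what a browser sends when the SPA calls /token.
SAMPLE = (
    "POST /mga/sps/oauth/oauth20/token HTTP/1.1\r\n"
    "Host: isam_domain\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Cookie: PD-H-SESSION-ID=constructed-value; lang=en\r\n"
    "\r\n"
    "grant_type=authorization_code&code=CONSTRUCTED&client_id=app&client_secret=app"
)

if __name__ == "__main__":
    print(strip_session_cookies(SAMPLE))
```
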



  • Qamar Z.

    Re: How to obtain an access_token into JSON [SOLVED]


    Hi Santoro,


    Thanks a lot for sharing this information; it helped me find the issue caused by the PD-S-SESSION-ID cookie. Are you aware of any fix from IBM, or is the H-transformation still the only solution for this bug?



    Qamar Zahid