How a command line application obtains an access token from UMS

Because a command line application cannot redirect a user to a browser UI for authentication, such applications can use the Resource Owner Password Credentials flow to obtain an access token from the User Management Service (UMS) that can be used to invoke an OAuth 2.0 protected REST API.

Understanding the Resource Owner Password Credentials flow

In the Resource Owner Password Credentials flow, resource owner credentials, such as username and password, are used directly to obtain an access_token. The custom application therefore initially needs to obtain credentials from the resource owner. Upon the access token request, UMS authenticates the client and validates the resource owner credentials before issuing an access token.

Design considerations for the custom app

  1. The custom application must register with UMS as an OIDC Relying Party, for example:
    curl -v -k -s -X POST -H "Content-Type:application/json" -u "umsadmin:passw0rd" -d @- "https://<ums-host>/oidc/endpoint/ums/registration" <<+++
    {
      "scope": "openid",
      "preauthorized_scope": "openid",
      "introspect_tokens": true,
      "client_id": "customApp",
      "client_secret": "passw0rd",
      "client_name": "customApp",
      "grant_types": ["password"],
      "response_types": ["token"]
    }
    +++

    Where
    • grant_types must be set to "password"
    • response_types must be set to "token"
  2. Then the app can obtain an access token. For example:
    curl -k -X POST -u "customApp:passw0rd" -d "grant_type=password&scope=openid&username=<username>&password=<password>" "https://<ums-host>/oidc/endpoint/ums/token"
    Where
    • option -u "customApp:passw0rd" is used by the client to authenticate with UMS
    • grant_type must be set to "password"
    • username is the user name of the resource owner for whom the access token is being requested
    • password is the password of that resource owner
    The response contains the access token, access_token, for example:
    {
      "access_token": "uEsdnucnBtjt8llTYQDqKHxcPF7a06YLX1IbzQH8",
      "token_type": "Bearer",
      "expires_in": 7199,
      "scope": "openid"
    }
  3. The custom application uses the access_token in the authorization header of the request to invoke the OAuth 2.0 protected REST API. For example:
    curl -k -s -H "Authorization: Bearer $access_token" https://my.server:9443/rest/bpm/wle/v1/user/current
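The three steps above, carried out from a command line application rather than from ad hoc curl invocations, as an added example that is not part of the UMS documentation and not IBM's code. It assumes only the token endpoint path and the response shape shown on this page; the host name ums.example.test, the user alice and the password values are constructed placeholders. Unlike the curl lines, it form-encodes the resource owner password (so a password containing & or @ is sent intact), keeps TLS certificate verification on instead of using -k, and records the expiry so the token can be reused until it expires instead of asking the user for their password on every call.

```python
"""Resource Owner Password Credentials client for UMS (added example, not IBM's code).

Assumed from the page: POST https://<ums-host>/oidc/endpoint/ums/token with
HTTP Basic client authentication and a form-encoded password grant.
Host names, user names and passwords used below are constructed placeholders.
"""
import base64
import json
import ssl
import time
import urllib.parse
import urllib.request
from dataclasses import dataclass


class TokenError(Exception):
    """Raised when UMS returns an OAuth 2.0 error response or a malformed body."""


@dataclass
class Token:
    access_token: str
    token_type: str
    scope: str
    expires_at: float  # epoch seconds, derived from expires_in

    def is_expired(self, now=None, skew=30):
        """Treat the token as expired `skew` seconds early to avoid racing the server."""
        now = time.time() if now is None else now
        return now + skew >= self.expires_at


def basic_auth_header(client_id, client_secret):
    """HTTP Basic credentials, the same thing curl's -u option sends (step 2)."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def build_token_request(ums_host, client_id, client_secret, username, password, scope="openid"):
    """Return (url, headers, body) for the password grant of step 2.

    urlencode percent-encodes reserved characters in the user's password,
    which the raw -d string in the curl example does not.
    """
    url = f"https://{ums_host}/oidc/endpoint/ums/token"
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urllib.parse.urlencode({
        "grant_type": "password",
        "scope": scope,
        "username": username,
        "password": password,
    })
    return url, headers, body


def parse_token_response(text, now=None):
    """Validate the JSON token response and convert expires_in to an absolute time."""
    now = time.time() if now is None else now
    try:
        data = json.loads(text)
    except ValueError as exc:
        raise TokenError(f"token endpoint returned a non-JSON body: {exc}") from exc
    if "error" in data:  # RFC 6749 section 5.2 error response, e.g. invalid_grant
        raise TokenError(f"{data['error']}: {data.get('error_description', '')}".strip())
    if data.get("token_type", "").lower() != "bearer" or not data.get("access_token"):
        raise TokenError("response is not a bearer token grant")
    return Token(
        access_token=data["access_token"],
        token_type=data["token_type"],
        scope=data.get("scope", ""),
        expires_at=now + int(data.get("expires_in", 0)),
    )


def bearer_header(token):
    """Authorization header for step 3, calling the protected REST API."""
    return {"Authorization": f"Bearer {token.access_token}"}


def request_token(ums_host, client_id, client_secret, username, password, cafile=None):
    """Send the token request over TLS; certificate verification stays on (no -k)."""
    url, headers, body = build_token_request(ums_host, client_id, client_secret, username, password)
    ctx = ssl.create_default_context(cafile=cafile)
    req = urllib.request.Request(url, data=body.encode("ascii"), headers=headers, method="POST")
    with urllib.request.urlopen(req, context=ctx) as resp:
        return parse_token_response(resp.read().decode("utf-8"))


# Constructed sample response with the shape shown on the page (values are not real).
SAMPLE_RESPONSE = (
    '{"access_token": "uEsdnucnBtjt8llTYQDqKHxcPF7a06YLX1IbzQH8",'
    ' "token_type": "Bearer", "expires_in": 7199, "scope": "openid"}'
)

if __name__ == "__main__":
    url, headers, body = build_token_request("ums.example.test", "customApp", "passw0rd", "alice", "p@ss")
    print(url, body)
    tok = parse_token_response(SAMPLE_RESPONSE)
    print(bearer_header(tok), "expired:", tok.is_expired())
```

In a real run, call request_token() once with the credentials the user typed in, discard the password immediately, and keep only the returned Token; re-prompt only when is_expired() reports that the access token has lapsed. The registered client_secret is a credential in its own right and should be read from a protected configuration store rather than hard-coded, as it is in the curl examples.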