How a command line application obtains an access token from UMS
Because a command line application cannot redirect a user to a browser UI for authentication, such applications can use the Resource Owner Password Credentials flow to obtain an access token from the User Management Service (UMS) that can be used to invoke an OAuth 2.0 protected REST API.
Understanding the Resource Owner Password Credentials flow
In the Resource Owner Password Credentials flow, the resource owner's credentials, such as username and password, are used directly to obtain an access_token. The custom application therefore first needs to obtain those credentials from the resource owner. On the access token request, UMS authenticates the client and validates the resource owner credentials before issuing an access token.
Design considerations for the custom app
- The custom application must register with UMS as an OIDC Relying Party, for example:

curl -v -k -s -X POST -H "Content-Type:application/json" -u "umsadmin:passw0rd" -d @- "https://<ums-host>/oidc/endpoint/ums/registration" <<+++
{
  "scope": "openid",
  "preauthorized_scope": "openid",
  "introspect_tokens": true,
  "client_id": "customApp",
  "client_secret": "passw0rd",
  "client_name": "customApp",
  "grant_types": ["password"],
  "response_types": ["token"]
}
+++

  Where:
  - grant_types must be set to "password"
  - response_types must be set to "token"
- Then the app can obtain an access token. For example:

curl -k -X POST -u "customApp:passw0rd" -d "grant_type=password&scope=openid&username=<username>&password=<password>" "https://<ums-host>/oidc/endpoint/ums/token"

  Where:
  - option -u "customApp:passw0rd" is used by the client to authenticate with UMS
  - grant_type must be set to "password"
  - username is the user name of the resource owner for whom the access token is being requested
  - password is the password of the resource owner for whom the access token is being requested

  The response contains the access_token, for example:

{ "access_token": "uEsdnucnBtjt8llTYQDqKHxcPF7a06YLX1IbzQH8", "token_type": "Bearer", "expires_in": 7199, "scope": "openid" }
- The custom application uses the access_token in the Authorization header of the request to invoke the OAuth 2.0 protected REST API. For example:

curl -k -s -H "Authorization: Bearer $access_token" https://my.server:9443/rest/bpm/wle/v1/user/current