Wednesday, March 12, 2014

OpenAM: Authenticate REST API

Looking into OpenAM from ForgeRock this morning. Their RESTful APIs are pretty impressive: they cover not only policy management but also authentication and policy evaluation. For example, I can authenticate with a simple HTTP POST to the authentication endpoint like so (identifying information removed, of course):

curl --request POST --header "X-OpenAM-Username: boydkr" --header "X-OpenAM-Password: <your-password>" --header "Content-Type: application/json" --data "{}" https://<your-server>/openam/json/authenticate

This call returns the JSON object shown next that includes a tokenId that can be used with subsequent calls to the service:

{ "tokenId": "AQIC5wM2LY4SfcxYDQOWOowJjHU-DWfz6JtPEfDzbfFC-A8.*AAJTSQACMDEAAlNLABMxNDcyODc5MTQ2MTE3ODk4NDUw*", "successUrl": "/openam/console" }

If I specify the wrong password, I get the following JSON response, after a delay intended to discourage brute-force use of this endpoint:

{ "errorMessage": "Invalid Password!!" }

If you use an incorrect username, you get this JSON response:

{ "errorMessage": "Authentication Failed!!" }

For the successful authentication, I can confirm that a valid session has been created by looking in OpenAM's Session console, which is available in each realm. There is also an endpoint that verifies whether a given token is still valid, meaning the user's session is still active. You can hit it with the following request, substituting in your own token:

curl --request POST --data "tokenid=AQIC5wM2LY4SfcxYDQOWOowJjHU-DWfz6JtPEfDzbfFC-A8.*AAJTSQACMDEAAlNLABMxNDcyODc5MTQ2MTE3ODk4NDUw*" https://<your-server>/openam/identity/isTokenValid

That returns a text/plain response containing the answer:

boolean=true

If I return to the OpenAM Session console, terminate the boydkr session, and then hit that endpoint again with the same token, I see that the token is no longer valid:

boolean=false

That validity check does not affect the session itself: the server does not treat the request as user activity, so it does not reset the Time Idle value shown in OpenAM's Session console. As such, I envision it being useful for a client-side JavaScript app to detect that the session has timed out and take steps to keep the user from losing work in progress, such as a blog post they are editing but have not yet posted.
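As an added example (my own code, not part of the original post or the OpenAM project), here is a small JavaScript client that drives both endpoints described above: it sends the same headers and form body as the two curl calls, parses the JSON shape returned by /json/authenticate and the text/plain "boolean=true|false" shape returned by /identity/isTokenValid, and polls the validity endpoint so a page can warn the user when the session has gone away. The network is replaced by a constructed mock fetch (the hostname, the password and the generated token values are made up) so the script runs offline; point fetchImpl at the real fetch to use it against a server.

```javascript
// Added example, not from the original post. Endpoint paths, header names and
// response bodies follow the post; everything else is a constructed stand-in.
const AUTH_PATH = '/openam/json/authenticate';
const IS_TOKEN_VALID_PATH = '/openam/identity/isTokenValid';

// Parse the JSON body of /json/authenticate. Success: { tokenId, successUrl };
// failure: { errorMessage }. Both failure messages collapse to one result so the
// caller does not have to know the server's wording.
function parseAuthResponse(body) {
  let obj;
  try { obj = JSON.parse(body); } catch (e) { return { ok: false, error: 'malformed response' }; }
  if (typeof obj.tokenId === 'string' && obj.tokenId.length > 0) {
    return { ok: true, tokenId: obj.tokenId, successUrl: obj.successUrl };
  }
  return { ok: false, error: 'authentication failed', serverMessage: obj.errorMessage };
}

// Parse the text/plain body of /identity/isTokenValid ("boolean=true" / "boolean=false").
// Anything else (for example an HTML login page) is an error, not a verdict.
function parseIsTokenValid(body) {
  const m = /^\s*boolean=(true|false)\s*$/.exec(body);
  if (!m) throw new Error('unexpected isTokenValid response: ' + body);
  return m[1] === 'true';
}

// Same shape as the first curl call: credentials travel in headers, body is "{}".
function buildAuthRequest(baseUrl, username, password) {
  return { url: baseUrl + AUTH_PATH, options: { method: 'POST', headers: {
    'X-OpenAM-Username': username, 'X-OpenAM-Password': password,
    'Content-Type': 'application/json' }, body: '{}' } };
}

// Same shape as the second curl call: the token goes in the POST form body,
// not in the URL, so it does not land in query-string logs or browser history.
function buildIsTokenValidRequest(baseUrl, token) {
  return { url: baseUrl + IS_TOKEN_VALID_PATH, options: { method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: 'tokenid=' + encodeURIComponent(token) } };
}

async function authenticate(fetchImpl, baseUrl, username, password) {
  const { url, options } = buildAuthRequest(baseUrl, username, password);
  return parseAuthResponse(await (await fetchImpl(url, options)).text());
}

async function isTokenValid(fetchImpl, baseUrl, token) {
  const { url, options } = buildIsTokenValidRequest(baseUrl, token);
  return parseIsTokenValid(await (await fetchImpl(url, options)).text());
}

// Poll isTokenValid every intervalMs and call onExpired once when the server first
// reports the token invalid. Because the check does not count as user activity,
// polling does not keep an idle session alive. Returns a stop() function.
function watchSession(fetchImpl, baseUrl, token, onExpired, intervalMs) {
  let stopped = false;
  async function tick() {
    if (stopped) return;
    let valid = true;
    try { valid = await isTokenValid(fetchImpl, baseUrl, token); }
    catch (e) { valid = true; } // transport or parse error: keep polling, no false alarm
    if (!valid) { stopped = true; onExpired(); return; }
    setTimeout(tick, intervalMs);
  }
  setTimeout(tick, intervalMs);
  return () => { stopped = true; };
}

// Constructed mock of the two OpenAM endpoints (in-memory session table).
const MOCK_PASSWORD = 'constructed-demo-password'; // made up for the mock only
function makeMockFetch() {
  const state = { sessions: new Set(), validChecks: 0 };
  const reply = (body) => ({ text: async () => body });
  const fetchImpl = async (url, options) => {
    if (url.endsWith(AUTH_PATH)) {
      if (options.headers['X-OpenAM-Username'] !== 'boydkr') return reply('{ "errorMessage": "Authentication Failed!!" }');
      if (options.headers['X-OpenAM-Password'] !== MOCK_PASSWORD) return reply('{ "errorMessage": "Invalid Password!!" }');
      const tokenId = 'MOCKTOKEN-' + Math.random().toString(36).slice(2); // constructed token
      state.sessions.add(tokenId);
      return reply(JSON.stringify({ tokenId, successUrl: '/openam/console' }));
    }
    if (url.endsWith(IS_TOKEN_VALID_PATH)) {
      state.validChecks += 1;
      const token = decodeURIComponent(options.body.replace(/^tokenid=/, ''));
      return reply('boolean=' + state.sessions.has(token));
    }
    return reply('');
  };
  return { fetchImpl, state };
}

async function demo() {
  const { fetchImpl, state } = makeMockFetch();
  const base = 'https://openam.example'; // constructed host
  console.log('wrong password ->', await authenticate(fetchImpl, base, 'boydkr', 'nope'));
  const auth = await authenticate(fetchImpl, base, 'boydkr', MOCK_PASSWORD);
  console.log('login ok:', auth.ok, '| valid now:', await isTokenValid(fetchImpl, base, auth.tokenId));
  const stop = watchSession(fetchImpl, base, auth.tokenId, () => {
    console.log('session gone after', state.validChecks, 'checks: save the draft locally now');
  }, 5);
  setTimeout(() => state.sessions.delete(auth.tokenId), 20); // admin terminates the session
  setTimeout(stop, 200); // safety net so the demo always exits
}
demo();
```

In a real page you would call watchSession once after login with the browser's fetch and a generous interval (tens of seconds), and have onExpired stash the unsaved editor contents in local storage before redirecting to the login page; since the check is not counted as activity, the interval can be shorter than the idle timeout without defeating it.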

That is all that I have time for today. Enjoy.

