How to use OAuth 2.0 with Application Server via RESTful API

Question

Hi, 
 Currently we have an application that communicates with the 1IM system via the RESTful API provided by the application server. This communication is currently done via the RoleBasedEmployee Authentication Module. 
 We are looking into changing this so the application uses the OAuth2.0Rolebased Authentication Module. 
 I have managed to enable the OAuth2.0 authentication module itself, this was easy enough. However the next step seems to be rather unclear in the current documentation. Within designer > configuration parameters > Person there is a parameter called OAuthAuthenticator, followed by many OAuth specific parameters. I know I have to enable this to allow a user to login via the RESTful API using OAuth2.0. Where I am getting stuck / failing to understand is what I need to get OAuth2.0 working with those configuration parameters. 
 Does 1IM come with an identity provider / service internally for OAuth2.0? Or do we need to implement one / use an external provider such as google etc...? 
 Any insight or help is greatly appreciated. 
 Thank you. 
 Ash

Markus Weiss-Ehlers · Accepted Answer

The OAuth / OpenID Connect authenticator acts as client so you still need an identity provider. 
 One Identity Manager comes with a leight-weight identity provider that connects to an AD domain out-of-the box. You will find that STS in the Autorun of the OneIM delivery underneath other products.

In addition, you find more information about the configuration parameters for the OAuth / OpenID Connect authenticator in the documentation. 
 https://support.quest.com/technical-documents/identity-manager/7.1.1/identity-management-base-module-administration-guide/22#TOPIC-666174

Markus Weiss-Ehlers · Answer

Hi Ash, it would be helpful if you would take a look at the log-file at the application server to get the error details. For security reason the Application Server does not present you detailed error messages. Or you can put the Application Server into debug mode, which enables the returning of the complete error message. Ensure that this is turned off at any time in a production or public environment. You will find the switch in the web.config of the Application Server in the section. And as you have already figured out, the authentifier needs some additional parameters that need to be set accordingly. Code : Set this to the Authorization Code you got from the STS. AppUrl : URL of the application found in the table QBMWebApplication to use the correct configuration settings for a specific web application or leave out if settings from global Config Parms should be used ClientId : ClientId as defined in the STS Nonce : If you have used a Nonce to get the auth. code use the same here RedirectUri : the same as you have used in your test to connect to STS directly. I think in your case urn:InstalledApplication But i would check the error message first. Maybe your client is unable to check the signature of the token due to certificate issues. HtH

Endpoint Privilege Management

How to use OAuth 2.0 with Application Server via RESTful API