Not able to authenticate using access token (in authentication header) for authentication to API server

With the implementation of the API server, we want to expose our One Identity Manager capabilities via APIs within our organization. In our test setup we successfully managed to authenticate to the authentication API using the oauthrolebased API, and with the session token retrieved from this call we were able to do additional API calls. However, this is not the required setup, because the systems we integrate with don't have an authorization code, but already have an OAuth access token. We read in the documentation that this should also be possible by providing the access token as a bearer token in the authentication header of every API call (which makes the authentication API unnecessary). However, every time we send an API call with this bearer token, we get an error 401 "token has expired" (which is clearly not the case, because we just retrieved it with an API call to the authorization server). We wonder what is causing the issue, or whether this is not possible within OI.

Addition: 

We also tried what is described here, but this also gave a 500 internal server error:

Identity Manager 9.0 LTS - Authorization and Authentication Guide (oneidentity.com)

  • Having talked with this specific customer (recognizing the name) this has been resolved (I'll give some more details for anyone else running into this problem).

    The bearer token in this case is being supplied by the UserInfo Endpoint of Microsoft (detailed here: Microsoft identity platform UserInfo endpoint - Microsoft identity platform | Microsoft Learn), which shows what fields / claims are present in the token.
    The One Identity system uses the configured OAuth 2.0/OpenID Connect configuration to try and match this bearer token to a user in One Identity.

    In the OAuth 2.0 configuration (on the One Identity side) you define:

    - A search value

    - The column to search

    - The user name value

    The search value is the field from the token that is retrieved and that it tries to match to a column. It was set to 'upn' (as this is most commonly used for the authentication on the web-frontend) but that doesn't work in this case. As can be seen in the Microsoft endpoint documentation UPN is not part of the UserInfo token (which is the normal bearer token if someone already has one).

    By changing the search value and user name values to Email and updating the Column to search from AADUser - UserPrincipalName to AADUser - Email this was resolved.

    So, yes you can authenticate against the APIServer by providing a bearer token as part of your request. But be sure that the search values and columns to search are part of the bearer token supplied, and be aware that the standard user info from Microsoft does not include the UPN. 

    Hopefully this'll help someone in the future :).

  • Awesome post. Thanks Jos, really appreciate your work here.

  • Great explanation indeed. One addition for others who face the same issue: make sure to validate whether the right user info endpoint is configured in One Identity. Our issue was partly caused by the search value & user name value, but also by the fact that the wizard for creating an OAuth/OIDC configuration within One Identity filled in the User info endpoint of version 1.0 (which is the older version of the endpoint within Azure). After changing this as well it worked like a charm.
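The claim-to-column matching Jos describes, as an added example that is not One Identity code: the claim set, the user table and the config field names are constructed stand-ins that reproduce the failure (search value set to a claim the UserInfo response does not carry) and the fix (matching on the email claim).

```python
"""Model of how a bearer token's claims are matched to a user row.

Added illustration, not One Identity Manager code. The config fields,
the claim set and the AADUser rows below are constructed for the example.
"""
from dataclasses import dataclass

# Constructed: claims as returned by the Microsoft UserInfo endpoint for a
# v2 token. Note there is no 'upn' claim, which is the root cause in the thread.
USERINFO_CLAIMS = {
    "sub": "constructed-subject-id",
    "name": "Alice Example",
    "given_name": "Alice",
    "family_name": "Example",
    "email": "alice@example.com",
}

# Constructed stand-in for AADUser rows; column names mirror the thread.
AADUSER_TABLE = [
    {"UserPrincipalName": "alice@example.com", "Email": "alice@example.com", "UID": "u-001"},
    {"UserPrincipalName": "bob@example.com", "Email": "bob.e@example.com", "UID": "u-002"},
]

@dataclass(frozen=True)
class OAuthConfig:
    search_value: str      # claim name read from the token
    search_column: str     # AADUser column compared against that claim
    user_name_value: str   # claim used as the resolved user name

class AuthError(Exception):
    """Raised when the token cannot be mapped to exactly one user."""

def missing_claims(claims, cfg):
    """Preflight check: configured claim names the token does not carry."""
    return sorted({cfg.search_value, cfg.user_name_value} - set(claims))

def resolve_user(claims, cfg, table=AADUSER_TABLE):
    """Return the matched user, or raise AuthError saying why the match failed."""
    if cfg.search_value not in claims:
        raise AuthError(f"claim '{cfg.search_value}' not in token; "
                        f"available claims: {sorted(claims)}")
    needle = claims[cfg.search_value]
    matches = [row for row in table if row.get(cfg.search_column) == needle]
    if len(matches) != 1:
        raise AuthError(f"{len(matches)} rows matched {cfg.search_column}={needle!r}")
    return {"uid": matches[0]["UID"], "user_name": claims[cfg.user_name_value]}

BROKEN = OAuthConfig("upn", "UserPrincipalName", "upn")   # fails: no 'upn' claim
FIXED = OAuthConfig("email", "Email", "email")            # the thread's fix
```

Running `missing_claims` against the actual UserInfo response before saving the configuration tells you which search value would cause the 401 in the first place.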