This guide explains how to configure the Introspect APIs client and users in the IAM. Once these are configured, the user will be able to invoke the Authenticate Introspect APIs.
Prerequisites
Content
- Create a user in Haventec IAM
- Create an IAM client
- The user sends an HTTP request to the IAM to log in and get a JWT
- Send a call to the IAM introspect URI using the JWT
1. Create a user in Haventec IAM
Log in to Haventec IAM and select the Realm (e.g. CRM).
Click on 'Add User', type the username and click on 'Save'.
Click the 'Credentials' tab, type a password, set 'Temporary' to 'OFF' and click on 'Set Password' to set the credentials for 'crm-user'.
2. Create an IAM client
Select 'Clients' in the left menu and click on the 'Create' button on the right side to create a client.
Enter the 'Client ID' as the name of the client, e.g. crm-client, and click on the 'Save' button to save the client.
Set 'Access Type' to Confidential.
Fill in the 'Valid Redirect URIs'.
Click on the 'Save' button at the bottom of the page to save the changes.
A new tab called 'Credentials' now appears. Click on it and copy the secret; you will need it as client_secret in the curl command below.
3. The user sends an HTTP request to the IAM to log in and get a JWT
From your external system, the user logs into the IAM by sending an HTTP request.
To test this, send the following curl command, filling in the values for client_id, client_secret, username and password:
curl \
-d 'client_id=crm-client' \
-d 'client_secret=*************************************' \
-d 'username=crm-user' \
-d 'password=***********' \
-d 'grant_type=password' \
'https://iam.demo.haventec.com/auth/realms/crm/protocol/openid-connect/token' \
| python -m json.tool
Note: The client_id, client_secret, username, password and token URL above will need to be changed according to your IAM configuration.
This is an example of the response:
{
"access_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJQakx1SUFMWVhSWVJCMDFRMm5xX2JnSzNLa29nN2d2UlNuZEZzVjlTRFdJIn0....WJA5AgcQV0VEzAehCH7jt2ekRvWgKDymP9UZDGwvtE6d08TElfih8wdPv63cVSsxB_SwGR76-tTNV19hGqpx0OUfPIFG35sMgQOaUK0RbIKhcE7b-Ejdj493uuCpp_G3YSiVUqHd9ngXYG1LBF7fQsK_NAOkxWQoPBDA-hfU9oS88dyjeisX-7ng4Cd-R24t7Ik-xCxgH4u-I3ZsaeT-3DusZSRSOCb5I0dUirq_IMjLjaOiUFdOFak9k9cKF_6eBOUYCyWgklW8CxH_SdlGyk9O_iXTGejr_hfbppb40Sv3Z1vTaiF8YPe1KNCVM6b-sAllehGPGrKsniJf6DWBxw",
"expires_in": 300,
"not-before-policy": 0,
"refresh_expires_in": 1800,
"refresh_token": "eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJQakx1SUFMWVhSWVJCMDFRMm5xX2JnSzNLa29nN2d2UlNuZEZzVjlTRFdJIn0....TOyS1Q6HSdvdpi2sCqrhf5rWmgPwTqVZJefbpwikEsYiocje-EHtyowF_TEfmePQuDEVHtupYDwRAm53qfuHHLWG2WSpf20IrQdWGdSgG6J0ZWtMmVBldP_RtvF4HGM_bzIBNLIThWXZlulojSCmjs7xlOhlKFe4El3NPu7AJ9VBh7OLxu3qLKiq37TYTiGhX-k1AE6UfeTzsnFq6Z79Zo2kmwtSFg1viQa8Xzs4Vx1IduBv0R-axLTU_dOf0HkZu3IdOlj0eN2H6z8GOPRoQuOH3xLTGW7a0NIb6D6qT_YM0VQV5brvk40xqZ8kM4tWx7n1qjqiVhEcUXAZOjxf8w",
"session_state": "d336cacd-2ba6-49e4-bd89-836de43b2275",
"token_type": "bearer"
}
4. Send a call to the IAM introspect URI using the JWT
To test whether the user is active and has the role required to use the Authenticate Introspect APIs, send the following curl command, using the JWT received in the previous step.
Request:
curl -v \
https://iam.demo.haventec.com/auth/realms/crm/protocol/openid-connect/token/introspect \
-H 'cache-control: no-cache' \
-H 'content-type: application/x-www-form-urlencoded' \
-d 'client_id=crm-client&client_secret=******************&token=eyJhbGciOiJSUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICJQakx1SUFMWVhSWVJCMDFRMm5xX2JnSzNLa29nN2d2UlNuZEZzVjlTRFdJIn0.eyJqdGkiOiJjOThkNTliOS1jNmM1LTQ1NWItYTBkNi1iN2JjY2E1MGI1OWMiLCJleHAiOjE1NDU4ODY5MjksIm5iZiI6MCwiaWF0IjoxNTQ1ODg2NjI5LCJpc3MiOiJodHRwOi8vbG9jYWxob3N0OjgxODAvYXV0aC9yZWFsbXMvZGVtbyIsImF1ZCI6ImNybi11c2VyLWxkYXAiLCJzdWIiOiI5YTRjZTU2Yi0wMjhhLTRmYjgtOGY0Yy1kYjFlZjVjODAwYjkiLCJ0eXAiOiJCZWFyZXIiLCJhenAiOiJjcm4tdXNlci1sZGFwIiwiYXV0aF90aW1lIjowLCJzZXNzaW9uX3N0YXRlIjoiZDMzNmNhY2QtMmJhNi00OWU0LWJkODktODM2ZGU0M2IyMjc1IiwiYWNyIjoiMSIsImFsbG93ZWQtb3JpZ2lucyI6W10sInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJ1bWFfYXV0aG9yaXphdGlvbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfX0sIm5hbWUiOiJkZW1vIHVzZXIiLCJwcmVmZXJyZWRfdXNlcm5hbWUiOiJkZW1vdXNlcjEiLCJnaXZlbl9uYW1lIjoiZGVtbyIsImZhbWlseV9uYW1lIjoidXNlciIsImVtYWlsIjoiZGVtb3VzZXJAaGF2ZW50ZWMuY29tIn0.WJA5AgcQV0VEzAehCH7jt2ekRvWgKDymP9UZDGwvtE6d08TElfih8wdPv63cVSsxB_SwGR76-tTNV19hGqpx0OUfPIFG35sMgQOaUK0RbIKhcE7b-Ejdj493uuCpp_G3YSiVUqHd9ngXYG1LBF7fQsK_NAOkxWQoPBDA-hfU9oS88dyjeisX-7ng4Cd-R24t7Ik-xCxgH4u-I3ZsaeT-3DusZSRSOCb5I0dUirq_IMjLjaOiUFdOFak9k9cKF_6eBOUYCyWgklW8CxH_SdlGyk9O_iXTGejr_hfbppb40Sv3Z1vTaiF8YPe1KNCVM6b-sAllehGPGrKsniJf6DWBxw'
Note: The client_id, client_secret, token and introspect URL above will need to be changed according to your IAM configuration.
The 'token' value here must be the 'access_token' received in the response of the previous step.
Response:
{
"jti": "c98d59b9-c6c5-455b-a0d6-b7bcca50b59c",
"exp": 1545886929,
"nbf": 0,
"iat": 1545886629,
"iss": "https://iam.demo.haventec.com/auth/realms/crm",
"aud": "crm-client",
"sub": "9a4ce56b-028a-4fb8-8f4c-db1ef5c800b9",
"typ": "Bearer",
"azp": "crm-client",
"auth_time": 0,
"session_state": "d336cacd-2ba6-49e4-bd89-836de43b2275",
"name": "crm-user",
"given_name": "crm",
"family_name": "user",
"preferred_username": "crm-user",
"email": "crmuser@haventec.com",
"acr": "1",
"allowed-origins": [],
"realm_access": {"roles": ["uma_authorization"]},
"resource_access": {"account": {"roles": ["manage-account", "manage-account-links", "view-profile"]}},
"client_id": "crm-client",
"username": "crmuser",
"active": true
}
The response shows the roles of the user and the status active: true, which confirms that the IAM considers the token valid and the user active. An inactive, expired or revoked token is reported as active: false.
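Steps 3 and 4 together, as an added example that is not part of this guide or of Haventec's own code: the two form-encoded requests are built the same way the curl commands above do, and the introspection response is then checked before the user is let through. The endpoint URLs, realm and client names are the ones used in this guide; the sample introspection response embedded below is the one shown in step 4, and the required role name 'uma_authorization' is taken from it. The check goes beyond reading active: true by also rejecting a token that was issued to a different client, because the IAM will happily report active: true for any valid token in the realm, not just ones minted for your client. The secret and password are read from the environment or a prompt rather than typed on the command line, which keeps them out of the shell history.

```python
"""Obtain a token from the IAM and validate it with the introspect endpoint.

Added example, not Haventec's own code. URLs and names are from the guide;
SAMPLE_INTROSPECTION is the response shown in step 4. Only main() touches
the network; the helpers below are pure and can be exercised offline.
"""
import getpass
import json
import os
import time
import urllib.parse
import urllib.request

IAM_BASE = "https://iam.demo.haventec.com/auth/realms/crm/protocol/openid-connect"
TOKEN_URL = f"{IAM_BASE}/token"
INTROSPECT_URL = f"{IAM_BASE}/token/introspect"

# Introspection response copied from step 4 of this guide.
SAMPLE_INTROSPECTION = {
    "jti": "c98d59b9-c6c5-455b-a0d6-b7bcca50b59c",
    "exp": 1545886929, "nbf": 0, "iat": 1545886629,
    "iss": "https://iam.demo.haventec.com/auth/realms/crm",
    "aud": "crm-client", "sub": "9a4ce56b-028a-4fb8-8f4c-db1ef5c800b9",
    "typ": "Bearer", "azp": "crm-client", "auth_time": 0,
    "session_state": "d336cacd-2ba6-49e4-bd89-836de43b2275",
    "name": "crm-user", "given_name": "crm", "family_name": "user",
    "preferred_username": "crm-user", "email": "crmuser@haventec.com",
    "acr": "1", "allowed-origins": [],
    "realm_access": {"roles": ["uma_authorization"]},
    "resource_access": {"account": {"roles": [
        "manage-account", "manage-account-links", "view-profile"]}},
    "client_id": "crm-client", "username": "crmuser", "active": True,
}


def token_request_body(client_id, client_secret, username, password):
    """Form body for step 3 (password grant). urlencode escapes '&', '+'
    and spaces so a secret or password containing them arrives intact."""
    return urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password,
        "grant_type": "password",
    }).encode()


def introspect_request_body(client_id, client_secret, access_token):
    """Form body for step 4; 'token' must be the access_token from step 3."""
    return urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "token": access_token,
    }).encode()


def post_form(url, body):
    """POST an application/x-www-form-urlencoded body and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=body, method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def authorize(introspection, expected_client, required_role, now=None):
    """Decide from the introspect response whether the caller may proceed.

    Returns (allowed, reason). Order of checks: the IAM reports the token
    active; 'exp' has not passed (guards a response cached too long); the
    token was issued to the client we expect (RFC 7662 'client_id', falling
    back to Keycloak's 'azp'); and the user holds the required realm role.
    """
    now = time.time() if now is None else now
    if not introspection.get("active"):
        return False, "token inactive"
    exp = introspection.get("exp")
    if exp is not None and now >= exp:
        return False, "token expired"
    issued_to = introspection.get("client_id") or introspection.get("azp")
    if issued_to != expected_client:
        return False, "token issued for another client"
    roles = introspection.get("realm_access", {}).get("roles", [])
    if required_role not in roles:
        return False, f"missing role {required_role}"
    return True, f"user {introspection.get('username')} active with role {required_role}"


def main():
    # Secrets come from the environment or a prompt, never from argv.
    secret = os.environ.get("CLIENT_SECRET") or getpass.getpass("client_secret: ")
    password = getpass.getpass("password for crm-user: ")
    tok = post_form(TOKEN_URL, token_request_body("crm-client", secret, "crm-user", password))
    info = post_form(INTROSPECT_URL,
                     introspect_request_body("crm-client", secret, tok["access_token"]))
    print(authorize(info, "crm-client", "uma_authorization"))


if __name__ == "__main__":
    main()
```

Run it with CLIENT_SECRET exported (or answer the prompt) to repeat steps 3 and 4 against the demo IAM; authorize() can be called on its own with any saved introspection response. Note that the check is evaluated by the resource server that receives the token, not by the client that obtained it: a client can always claim its token is active, so only the introspect call, made with the resource server's own client credentials, settles the question.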