OpenAM REST API notes (authentication, access token, refresh token)

Posted at 2016-11-18

Really just a memo. Nothing but a memo.

There is a proper reference, but for authentication and tokens alone this is quicker to recall from.
The target versions are 12.0/13.0; it should also work on other reasonably recent versions.
Some line breaks have been inserted deliberately for readability.

Everything below uses plain http and `-k` (no certificate verification), which is only acceptable on a throwaway test host: the tokenId, the code, the access_token and the refresh_token are all bearer credentials, and anyone who can read the traffic can use them. Against a real deployment use https, drop `-k`, and remember that a password passed with `-H` ends up in shell history and in the process list.

Prerequisites

Item            Sample value
site            www.openamtest.com
port            18080
client_id       testApp1
client_secret   secret_pass
user            foo@test.co.jp
password        password

1. Authenticate with a user ID and password

POST
curl -X POST \
  -H "X-OpenAM-Username: foo@test.co.jp" \
  -H "X-OpenAM-Password: password" \
  -H "Content-Type: application/json" \
  -d '' \
  -k -v "http://www.openamtest.com:18080/openam/json/authenticate?realm=/"
RESPONSE
{"tokenId":"AQIC5wM2LY4Sfczs5OLZQZ2lRqhvuAR7KXGFDaSNOJKZNLI.*AAJTSQACMDIAAlNLABQtNjU2NDkxMjEyOTI1OTU4ODY3NAACUzEAAA..*"
,"successUrl":"/openam/console"} 

2. Get a code with the tokenId

POST
curl -X POST \
  -H "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfczs5OLZQZ2lRqhvuAR7KXGFDaSNOJKZNLI.*AAJTSQACMDIAAlNLABQtNjU2NDkxMjEyOTI1OTU4ODY3NAACUzEAAA..*" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -H "Cache-Control: no-cache" \
  -d 'response_type=code&scope=openid%20profile%20qualified%20email&client_id=testApp1&redirect_uri=http://www.openamtest.com:18080&save_consent=1&decision=Allow' \
  -k -v "http://www.openamtest.com:18080/openam/oauth2/authorize?realm=/"
RESPONSE (a 302; the code is in the Location header that -v prints. Read the code out of that header instead of letting the client follow the redirect.)
Location: http://www.openamtest.com:18080
?scope=email%20openid%20qualified%20profile&code=5f4574a6-f004-41d7-bd1a-ac7f271d06eb

3. Get an access_token with the code

curl -X POST \
  -H "Cache-Control: no-cache" \
  -d 'client_id=testApp1&client_secret=secret_pass&grant_type=authorization_code&realm=/&code=5f4574a6-f004-41d7-bd1a-ac7f271d06eb&redirect_uri=http://www.openamtest.com:18080' \
  -k -v http://www.openamtest.com:18080/openam/oauth2/access_token
RESPONSE
{
"scope":"email openid profile qualified",
"expires_in":3599,"token_type":"Bearer",
"refresh_token":"771a40c4-ba85-4257-902c-2155e18390b2",
"id_token":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogIlN5bExDNk5qdDFLR1FrdEQ5TXQrMHpjZVF
TVT0iIH0.eyAiZXhwIjogMTQ2NDY4NDcxOCwgInN1YiI6ICJ0ZXN0QGluZm9tYXJ0LmNvLmpwIiwgImF6cCI6ICJ0ZXN0QXBwMSI
sICJpc3MiOiAiaHR0cDovL3d3dzEuc2dpbmZvbWFydC5jby5qcDoxODA4MC9vcGVuYW0vb2F1dGgyIiwgImlhdCI6IDE0NjQ2ODE
xMTgsICJjX2hhc2giOiAiaEFRb1h2U3FlVG5nc08wVVYyNFEwdyIgfQ.K5t9lz_GgE5wP7TRQVVPJyJqz5x2z161CjuItUkLRPBt
YX8wl8z-R2J3iQUEyajgxCrJWFe2pThLeoULumzhj4oM9v1CHJb0bLTs7pWKeUZ5mFIHvkrDPDIU7kUXAXLt-dtDzmKADGVt3JoM
b8B9B9hp5c5csjkmkCcbSMPRzFc",
"access_token":"07c20200-0ac4-483a-bc16-4ba8cf1ebf11" 
}
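As an added example (not part of the original memo), here is what a client should do with the id_token from the step 3 response before trusting it: decode the header and claims, then check iss, azp/aud, exp and c_hash. It embeds the id_token and code printed above. The decoded token was minted by a different host than the sanitized sample values on this page, so the issuer check is shown firing against http://www.openamtest.com:18080/openam/oauth2, the form the page's own token uses (deployment URL plus /oauth2). Whether the code and c_hash printed above belong to the same exchange is not something the page confirms, so that comparison is printed rather than asserted. Signature verification is left out: it needs the RSA public key published at /openam/oauth2/connect/jwk_uri and an RSA implementation outside the Python standard library.

```python
"""Decode the id_token from step 3 and check the claims an OpenID Connect client
must check before trusting it. The signature is split off but not verified here."""
import base64
import hashlib
import json

# The id_token exactly as printed in the step 3 response above, line breaks removed.
ID_TOKEN = (
    "eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogIlN5bExDNk5qdDFLR1FrdEQ5TXQrMHpjZVFTVT0iIH0"
    ".eyAiZXhwIjogMTQ2NDY4NDcxOCwgInN1YiI6ICJ0ZXN0QGluZm9tYXJ0LmNvLmpwIiwgImF6cCI6ICJ0ZXN0QXBwMSIsICJpc3MiOiAiaHR0cDovL3d3dzEuc2dpbmZvbWFydC5jby5qcDoxODA4MC9vcGVuYW0vb2F1dGgyIiwgImlhdCI6IDE0NjQ2ODExMTgsICJjX2hhc2giOiAiaEFRb1h2U3FlVG5nc08wVVYyNFEwdyIgfQ"
    ".K5t9lz_GgE5wP7TRQVVPJyJqz5x2z161CjuItUkLRPBtYX8wl8z-R2J3iQUEyajgxCrJWFe2pThLeoULumzhj4oM9v1CHJb0bLTs7pWKeUZ5mFIHvkrDPDIU7kUXAXLt-dtDzmKADGVt3JoMb8B9B9hp5c5csjkmkCcbSMPRzFc"
)
CODE = "5f4574a6-f004-41d7-bd1a-ac7f271d06eb"     # the code exchanged at step 3 above


def b64url_decode(segment):
    """JWT segments are base64url without padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token):
    """Return (header dict, claims dict, raw signature bytes); verifies nothing."""
    header, payload, signature = token.split(".")
    return (json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)),
            b64url_decode(signature))


def c_hash_for(code):
    """OIDC Core 3.3.2.11: for RS256, base64url of the left 128 bits of SHA-256(code)."""
    digest = hashlib.sha256(code.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def validate_claims(claims, issuer, client_id, now, code=None):
    """Return a list of problems; empty means the claims are acceptable. `now` is a
    parameter so the 2016 token printed on this page can still be checked."""
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss %r is not the OpenAM we talked to" % claims.get("iss"))
    # OpenAM names the client in azp; if aud is present it must name us as well.
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if claims.get("azp") != client_id and client_id not in aud:
        problems.append("token was issued to another client")
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        problems.append("token expired")
    if code is not None and claims.get("c_hash") != c_hash_for(code):
        problems.append("c_hash does not match the code we exchanged")
    return problems


if __name__ == "__main__":
    header, claims, sig = split_jwt(ID_TOKEN)
    print("alg=%s kid=%s signature=%d bytes" % (header["alg"], header["kid"], len(sig)))
    print(json.dumps(claims, indent=1))
    # Issuer the sample site would produce; the embedded token names another host.
    print(validate_claims(claims, "http://www.openamtest.com:18080/openam/oauth2",
                          "testApp1", now=claims["iat"], code=CODE))
```

The signature segment decodes to 128 bytes, so the key that signed this token is 1024-bit RSA; check the size of the signing key in your own deployment's keystore, and verify the signature against the JWKS before acting on any claim. Note also that this token carries no aud claim, only azp, and that exp minus iat is exactly the 3600 seconds of the access token lifetime.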

4. Get userinfo with the access_token

curl -X POST \
  -H "Authorization: Bearer 07c20200-0ac4-483a-bc16-4ba8cf1ebf11" \
  -d '' \
  -k -v http://www.openamtest.com:18080/openam/oauth2/userinfo
RESPONSE (sub depends on the authentication system behind OpenAM; here the email address is used as-is)
{
 "sub":"foo@test.co.jp",
 "phone_number":"090-0000-0000",
 "address":{"formatted":"東京都足立区・・・"},
 "email":"foo@test.co.jp",
 "name":"テスト タロウ",
 "family_name":"テスト",
 "given_name":"タロウ",
 "qualified":"anyQualifiedNamedValue" 
}

5. Get a new access_token with the refresh_token

curl -X POST \
  -H "Cache-Control: no-cache" \
  -d 'client_id=testApp1&client_secret=secret_pass&grant_type=refresh_token&refresh_token=771a40c4-ba85-4257-902c-2155e18390b2' \
  -k -v http://www.openamtest.com:18080/openam/oauth2/access_token
RESPONSE (a new refresh_token comes back along with the new access_token; store it in place of the old one)
{
"scope":"email openid profile qualified",
"expires_in":3599,
"token_type":"Bearer",
"refresh_token":"1fbcc0b3-f524-4cfa-9dd5-39e5226b9843",
"id_token":"eyAidHlwIjogIkpXVCIsICJhbGciOiAiUlMyNTYiLCAia2lkIjogIlN5bE
xDNk5qdDFLR1FrdEQ5TXQrMHpjZVFTVT0iIH0.eyAiZXhwIjogMTQ2NDY4NjQ4NCwgInN1
YiI6ICJ0ZXN0QGluZm9tYXJ0LmNvLmpwIiwgImF6cCI6ICJ0ZXN0QXBwMSIsICJpc3MiOi
AiaHR0cDovL3d3dzEuc2dpbmZvbWFydC5jby5qcDoxODA4MC9vcGVuYW0vb2F1dGgyIiwg
ImlhdCI6IDE0NjQ2ODI4ODQgfQ.UuAETq1iC3EarHH0YOXbrJxxSgnshwMeu52-mHYVqRG
1lGFpnXWzAzhl5OLfXg1f_10IO06O3nl7rRU1ZKCBjhK97LYEipF3C_cieuUDw7zx31ABv
6bYeN_A6Mi3x1ogqaIxOIiLSlQ0Knk9X4XNseZ6PzDMdVHehC7Wk5BHHiU",
"access_token":"bceb5fa5-a7a2-45e8-86b5-9bb34f92c2bc" 
}
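Putting the five steps together, as an added example that is not part of the original memo: a small Python client for the calls above, written against a transport function so it runs offline against a constructed replay of this page's responses. The replay, its error bodies and the login redirect it sends for a missing session are made up for the example; the token values are the ones printed above, with the id_token left out. To run it against a real OpenAM, supply a transport built on urllib.request or requests that returns (status, headers, body) without following redirects, and use https.

```python
"""The five calls on this page as one client (authenticate, authorize, code exchange,
userinfo, refresh). Every call goes through http(method, url, headers, body) ->
(status, headers, body), so the code runs offline against the replay at the bottom."""
import json
import urllib.parse

BASE = "http://www.openamtest.com:18080/openam"   # sample values from the page
CLIENT_ID, CLIENT_SECRET = "testApp1", "secret_pass"
REDIRECT_URI = "http://www.openamtest.com:18080"
SCOPE = "openid profile qualified email"
FORM = {"Content-Type": "application/x-www-form-urlencoded"}

def authenticate(http, user, password):
    """Step 1: credentials travel in X-OpenAM-* headers, never in the URL."""
    status, _, body = http("POST", BASE + "/json/authenticate?realm=/",
                           {"X-OpenAM-Username": user, "X-OpenAM-Password": password,
                            "Content-Type": "application/json"}, "")
    if status != 200:
        raise RuntimeError("authentication failed: " + body)
    return json.loads(body)["tokenId"]

def authorize(http, token_id):
    """Step 2: present the session as the iPlanetDirectoryPro cookie and take the code
    from the 302 Location header; the client must not follow that redirect itself."""
    form = urllib.parse.urlencode({"response_type": "code", "scope": SCOPE,
                                   "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
                                   "save_consent": "1", "decision": "Allow"})
    status, headers, _ = http("POST", BASE + "/oauth2/authorize?realm=/",
                              dict(FORM, Cookie="iPlanetDirectoryPro=" + token_id), form)
    # Accept the code only if we were sent back to our own redirect_uri (scheme, host, path).
    got, want = urllib.parse.urlparse(headers.get("Location", "")), urllib.parse.urlparse(REDIRECT_URI)
    if status != 302 or (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise RuntimeError("no code: status %d, Location %r" % (status, got.geturl()))
    return urllib.parse.parse_qs(got.query)["code"][0]

def _token_request(http, form):
    status, _, body = http("POST", BASE + "/oauth2/access_token", FORM,
                           urllib.parse.urlencode(form))
    if status != 200:
        raise RuntimeError("token endpoint refused: " + body)
    return json.loads(body)

def exchange_code(http, code):
    """Step 3: the client_secret is sent only here, server to server."""
    return _token_request(http, {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                 "grant_type": "authorization_code", "realm": "/",
                                 "code": code, "redirect_uri": REDIRECT_URI})

def userinfo(http, access_token):
    """Step 4: the access token is a bearer credential in the Authorization header."""
    status, _, body = http("POST", BASE + "/oauth2/userinfo",
                           {"Authorization": "Bearer " + access_token}, "")
    if status != 200:
        raise RuntimeError("userinfo refused the token: " + body)
    return json.loads(body)

def refresh(http, refresh_token):
    """Step 5: the reply carries a new refresh_token; store it in place of the old one."""
    return _token_request(http, {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                                 "grant_type": "refresh_token", "refresh_token": refresh_token})

def run_flow(http, user, password):
    token_id = authenticate(http, user, password)
    code = authorize(http, token_id)
    tokens = exchange_code(http, code)
    return {"token_id": token_id, "code": code, "tokens": tokens,
            "userinfo": userinfo(http, tokens["access_token"]),
            "renewed": refresh(http, tokens["refresh_token"])}

# Constructed replay of the responses printed on this page (not a live OpenAM); the error
# bodies and the login redirect for a missing session are made up for this example.
TOKEN_ID = "AQIC5wM2LY4Sfczs5OLZQZ2lRqhvuAR7KXGFDaSNOJKZNLI.*AAJTSQACMDIAAlNLABQtNjU2NDkxMjEyOTI1OTU4ODY3NAACUzEAAA..*"
CODE = "5f4574a6-f004-41d7-bd1a-ac7f271d06eb"
FIRST = {"scope": "email openid profile qualified", "expires_in": 3599, "token_type": "Bearer",
         "refresh_token": "771a40c4-ba85-4257-902c-2155e18390b2",
         "access_token": "07c20200-0ac4-483a-bc16-4ba8cf1ebf11"}     # id_token left out
RENEWED = dict(FIRST, refresh_token="1fbcc0b3-f524-4cfa-9dd5-39e5226b9843",
               access_token="bceb5fa5-a7a2-45e8-86b5-9bb34f92c2bc")
USERINFO = {"sub": "foo@test.co.jp", "email": "foo@test.co.jp", "qualified": "anyQualifiedNamedValue"}

def replay_transport(method, url, headers, body):
    path, form = urllib.parse.urlparse(url).path, urllib.parse.parse_qs(body)
    if path.endswith("/json/authenticate"):
        if headers.get("X-OpenAM-Password") != "password":
            return 401, {}, '{"code":401,"reason":"Unauthorized","message":"Authentication Failed"}'
        return 200, {}, json.dumps({"tokenId": TOKEN_ID, "successUrl": "/openam/console"})
    if path.endswith("/oauth2/authorize"):
        if headers.get("Cookie") != "iPlanetDirectoryPro=" + TOKEN_ID:
            return 302, {"Location": BASE + "/UI/Login"}, ""        # no session: sent to log in
        return 302, {"Location": REDIRECT_URI + "?scope=email%20openid%20qualified%20profile&code=" + CODE}, ""
    if path.endswith("/oauth2/access_token"):
        if form.get("client_secret") != [CLIENT_SECRET]:
            return 401, {}, '{"error":"invalid_client"}'
        if form.get("grant_type") == ["authorization_code"] and form.get("code") == [CODE]:
            return 200, {}, json.dumps(FIRST)
        if form.get("grant_type") == ["refresh_token"] and form.get("refresh_token") == [FIRST["refresh_token"]]:
            return 200, {}, json.dumps(RENEWED)
        return 400, {}, '{"error":"invalid_grant"}'
    if path.endswith("/oauth2/userinfo") and headers.get("Authorization") == "Bearer " + FIRST["access_token"]:
        return 200, {}, json.dumps(USERINFO)
    return 401, {}, ""

if __name__ == "__main__":
    print(json.dumps(run_flow(replay_transport, "foo@test.co.jp", "password"), indent=1))
```

The redirect check compares scheme, host and path of the Location header with the registered redirect_uri rather than doing a prefix match, so a redirect to the login page (no session) or to a look-alike host is rejected instead of being mined for a code. The refresh step returns the whole token response, and the caller is expected to overwrite the stored refresh_token with the new value, which is what the step 5 response above shows OpenAM handing out.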