Admin Privileges to create clients using ReST API


This topic has 4 replies, 2 voices, and was last updated 6 years, 7 months ago by pablodcar.


    Hi, we need to create OAuth 2.0 clients using the ReST API that OpenAM exposes as described in
    /OAuth 2.0 administration endpoint and it is working perfectly when using a token for the default administrator, amadmin.

    As this user has a lot of privileges, e.g. to manage users, we want to use other user with only client administration capabilities, following the principle of least privilege.

    I have two questions:

    1) Is it possible to assign this granularity of permissions in OpenAM? What are good practices for this use case?
    2) If it is not possible, can a user other than amadmin be promoted to administrator? I.e., if I have this code:

    # Step 1, get a token
    curl -X POST -H "X-OpenAM-Username: user1" -H "X-OpenAM-Password: <password>" "https://OPENAM_HOST/openam/json/authenticate"
    > 200 OK
      "successUrl": "/openam/console"
    # Step 2, Create a Client:
    curl -X POST -H "iplanetDirectoryPro: AQIC5wM2LY4SfczXBcv2lcJPbvsDyPGWOp-eqUJLCToAFGU.*AAJTSQACMDEAAlNLABIzMDcyMTg2MTQ0MzMxNTM5OTM.*" -H "Content-Type: application/json" -d '{"client_id":["testClient"],
       "":["My Test Client"],
       "com.forgerock.openam.oauth2provider.description":["OAuth 2.0 Client"]
    }' "https://OPENAM_HOST/openam/frrest/oauth2/client/?_action=create"
    > 403 Forbidden
      "code": 403,
      "reason": "Forbidden",
      "message": "User is not an administrator."

    How do I avoid the 403 Forbidden for user1?
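    The two-step exchange above (authenticate, then call the client-create action with the session in the iplanetDirectoryPro header) written as a small script, as an added example that is not code from the thread or from ForgeRock. It assumes the OPENAM_HOST placeholder from the post, and that json/authenticate returns the session token as tokenId. The blank attribute key in the original payload is left out rather than guessed. A canned fake transport, built from the responses quoted in the post, lets the script run offline and shows how the "User is not an administrator." refusal can be distinguished from a bad session or a transport error; pass opener=None to run it against a real server.

```python
import io
import json
import urllib.request
from urllib.error import HTTPError

# Placeholder host as used in the post; replace with the real OpenAM base URL.
BASE_URL = "https://OPENAM_HOST/openam"
AUTH_URL = f"{BASE_URL}/json/authenticate"
CLIENT_URL = f"{BASE_URL}/frrest/oauth2/client/?_action=create"
SESSION_HEADER = "iplanetDirectoryPro"   # header name shown in the post


def build_client_payload(client_id, description):
    """Body for the create action. OpenAM takes list-valued attributes here;
    only the two keys visible in the post are used (the blank key is omitted)."""
    return {
        "client_id": [client_id],
        "com.forgerock.openam.oauth2provider.description": [description],
    }


def post_json(url, headers, body, opener=None):
    """POST and return (status, parsed JSON). 4xx/5xx are returned, not raised,
    so the caller can branch on the status. `opener` is injectable for tests."""
    data = json.dumps(body).encode() if body is not None else b""
    req = urllib.request.Request(
        url, data=data, method="POST",
        headers={"Content-Type": "application/json", **headers})
    opener = opener or urllib.request.build_opener()
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, json.loads(resp.read() or b"{}")
    except HTTPError as e:
        return e.code, json.loads(e.read() or b"{}")


def authenticate(username, password, opener=None):
    """Step 1: header-based login. The session token comes back as tokenId."""
    status, body = post_json(
        AUTH_URL,
        {"X-OpenAM-Username": username, "X-OpenAM-Password": password},
        None, opener)
    if status != 200 or "tokenId" not in body:
        raise PermissionError(f"authentication failed: {status} {body}")
    return body["tokenId"]


def classify(status, body):
    """Map the create response to a short verdict the caller can act on."""
    if status in (200, 201):
        return "created"
    if status == 403 and "not an administrator" in body.get("message", ""):
        return "not-admin"            # the exact refusal quoted in the post
    if status == 401:
        return "bad-session"
    return f"error-{status}"


def register_client(username, password, client_id, description, opener=None):
    """Steps 1 and 2 together: log in as `username`, then register the client."""
    token = authenticate(username, password, opener)
    status, body = post_json(CLIENT_URL, {SESSION_HEADER: token},
                             build_client_payload(client_id, description), opener)
    return classify(status, body)


# --- constructed fake transport reproducing the thread's responses ---------
class _FakeResponse:
    def __init__(self, status, body):
        self.status, self._body = status, json.dumps(body).encode()
    def read(self):
        return self._body
    def __enter__(self):
        return self
    def __exit__(self, *exc):
        return False


class FakeOpener:
    """Canned OpenAM: any login succeeds; create is refused unless admin=True."""
    TOKEN = "FAKE-SESSION-TOKEN"      # constructed value, not a real session

    def __init__(self, admin=False):
        self.admin = admin

    def open(self, req, timeout=None):
        url = req.full_url
        hdrs = {k.lower(): v for k, v in req.header_items()}
        if url == AUTH_URL:
            return _FakeResponse(200, {"tokenId": self.TOKEN,
                                       "successUrl": "/openam/console"})
        if url == CLIENT_URL:
            if hdrs.get(SESSION_HEADER.lower()) != self.TOKEN:
                raise HTTPError(url, 401, "Unauthorized", {}, io.BytesIO(b"{}"))
            if not self.admin:
                refusal = {"code": 403, "reason": "Forbidden",
                           "message": "User is not an administrator."}
                raise HTTPError(url, 403, "Forbidden", {},
                                io.BytesIO(json.dumps(refusal).encode()))
            return _FakeResponse(201, {"client_id": [json.loads(req.data)["client_id"][0]]})
        raise HTTPError(url, 404, "Not Found", {}, io.BytesIO(b"{}"))


if __name__ == "__main__":
    print("user1:  ", register_client("user1", "pw", "testClient", "OAuth 2.0 Client", FakeOpener()))
    print("amadmin:", register_client("amadmin", "pw", "testClient", "OAuth 2.0 Client", FakeOpener(admin=True)))
```

    Returning the status instead of raising on 4xx keeps the "not-admin" case a normal, loggable outcome of a least-privilege check rather than a crash, which is what you want when verifying that a delegated account has exactly the rights intended and no more.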

     Scott Heger

    The dev guide states:

    The OAuth 2.0 administration endpoint lets OpenAM administrators and agent administrators create (that is, register) and delete OAuth 2.0 clients.

    There is a specific privilege you can add. It is:

    Read and write access to all configured Agents

    Go into your root realm, create a group (i.e. Agent Admins), and put user1 in that group. Then go to the Privileges tab in the root realm, click on your group name, and check the checkboxes next to the privileges you want to assign to that group including “Read and write access to all configured Agents”. Then try as you did above.

    See if that works for you.


    Hi Scott, thanks for replying.

    I have done that, but that only enables the user to do it from the UI, the REST API still returns 403 Forbidden – “User is not an administrator.” with the steps I provided.

    In fact, I gave the group where the user belongs all “REST calls for …” privileges, but none of those allow the user to do client management using the REST API.

    Then, should I create a ticket?

     Scott Heger

    Yea, if you have a support agreement I would create a ticket. Reference this thread in the ticket if you wish.


    Thanks, created OPENAM-8718
