Protect personal data with UMA

This topic has 2 replies, 1 voice, and was last updated 5 years, 1 month ago by abarry.

  • #18631
     abarry
    Participant

    Hello,
    I’m a little bit lost and don’t know where to check…
    I would like to protect user personal data such as: name, birthday, credit card, …
    I’m using openAM to register a resource (picture) for a user, and the user can share this picture with other users. Now I would like to register in the openAM default data store a user’s credit card and phone number and allow the user to share those data. Is it possible to do it with openAM?
    Thank you in advance for your help.

    #18632
     abarry
    Participant

    I found the “Discovery Service” here: https://docs.oracle.com/cd/E19681-01/820-3885/gavxl/index.html and I think it’s what I need. But I can’t find this service under Realms > realm name > services > add a service > Choose a service type. Is it deprecated in openam 14.1.0?

    #18653
     abarry
    Participant

    I just had to use the /oauth2/userinfo endpoint.
    First of all, you need to create an OAuth2 agent in openAM (in my case agent1) and add email to the scopes.
    I followed these steps:
    1) Get the authorization from the authorization server
    Enter this link in a web browser:
    http://openam.test.com:8080/openam/oauth2/authorize?realm=/openLDAP&client_id=agent1&redirect_uri=http://openam.test.com:8080/openam&response_type=code&scope=email
    Authenticate user paul and allow access. After that I’m redirected here:
    http://openam.test.com:8080/openam/XUI/?code=19691934-1bfc-4aaf-8416-2465e385b1c7&scope=email&iss=http%3A%2F%2Fopenam.test.com%3A8080%2Fopenam%2Foauth2%2Fopenldap&client_id=agent1#switchRealm/

    I used the parameter “code” retrieved from the above URL in this request to get the access token:

    $ curl \
     --request POST \
     --data 'client_id=agent1' \
     --data 'client_secret=agent1' \
     --data 'grant_type=authorization_code' \
     --data 'code=19691934-1bfc-4aaf-8416-2465e385b1c7' \
     --data 'redirect_uri=http://openam.test.com:8080/openam' \
     'http://openam.test.com:8080/openam/oauth2/access_token?realm=/openLDAP'
    output:
    {"access_token":"2de8e20f-cb5d-46ec-84e8-ec6621e9b2d6","scope":"email","token_type":"Bearer","expires_in":604799}

    2) Request access to paul’s email
    Use the above access_token:

    $ curl \
     --request GET \
     --header "Authorization: Bearer 2de8e20f-cb5d-46ec-84e8-ec6621e9b2d6" \
     'http://openam.test.com:8080/openam/oauth2/userinfo?realm=openLDAP'

    output:
    {"email":"[email protected]","sub":"paul"}

    Then I got paul’s email.
    Hope it will help someone :)

    • This reply was modified 5 years, 1 month ago by abarry.
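The two steps above (authorize, exchange the code, then call /oauth2/userinfo) as a small Python client, added here as an example and not code from the thread. It reuses the thread's base URL, realm and agent1 client (all assumed values), injects the HTTP calls as plain functions so it can be exercised offline, and adds a `state` check and an issuer (`iss`) check on the callback, which the thread's manual flow skips.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values mirroring the thread (OpenAM base URL, realm, the agent1 client).
BASE = "http://openam.test.com:8080/openam"
REALM = "/openLDAP"
CLIENT_ID = "agent1"
CLIENT_SECRET = "agent1"
REDIRECT_URI = BASE
# Issuer OpenAM reports in the callback (decoded from the thread's redirect URL).
EXPECTED_ISS = BASE + "/oauth2/openldap"


def authorize_url(state, scope="email"):
    """Step 1: build the /oauth2/authorize URL. `state` is a random per-login value
    (e.g. secrets.token_urlsafe(16)) the client stores and re-checks on the callback;
    the thread omits it, which leaves the flow open to CSRF / code injection."""
    q = {"realm": REALM, "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
         "response_type": "code", "scope": scope, "state": state}
    return f"{BASE}/oauth2/authorize?{urlencode(q)}"


def parse_callback(url, expected_state):
    """Validate the redirect back from OpenAM and return the authorization code."""
    q = parse_qs(urlparse(url).query)   # query only; the #switchRealm/ fragment is ignored
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback not initiated by this client")
    if q.get("iss", [None])[0] != EXPECTED_ISS:
        raise ValueError("unexpected issuer in callback")
    return q["code"][0]


def exchange_code(code, post):
    """Swap the code for an access token. `post(url, form)` is injected so the
    exchange can be exercised offline; it must return the JSON response body as text."""
    form = {"client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
            "grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI}
    body = json.loads(post(f"{BASE}/oauth2/access_token?realm={REALM}", form))
    if "access_token" not in body or body.get("token_type", "").lower() != "bearer":
        raise ValueError(f"unexpected token response: {body}")
    return body["access_token"]


def fetch_userinfo(token, get):
    """Step 2: read the consented claims from /oauth2/userinfo. `get(url, headers)` is injected."""
    headers = {"Authorization": f"Bearer {token}"}
    return json.loads(get(f"{BASE}/oauth2/userinfo?realm={REALM}", headers))
```

For a live run, pass wrappers around `urllib.request` (or `requests`) as `post` and `get`; the injected functions only need to return the response body as a string.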