I’ve created an external login page which sends a POST to openidm/authentication?_action=login. The server returns property mappings as well as an httpOnly cookie. This allows me to make subsequent requests to /openidm/config/ or to openidm/config/provisioner.openicf/QADevAccount466673. I’m able to hit these two endpoints without having to specify the X-OpenIDM-Username and X-OpenIDM-Password headers. However, when I try to POST, PUT or DELETE on these endpoints, the server returns 401/403. To make things interesting, when I set X-OpenIDM-Username and X-OpenIDM-Password on a POST, PUT or DELETE, the request completes successfully.
Now, I don’t want to believe that the API is forcing me to send these headers all the time, as this would mean that the application needs to maintain the username and password in order for the user to perform anything but GET.
Could someone shed some light on this for me please?