Product Selector

Fusion 5.12
    Fusion 5.12

    AEM connector OAuth authorization

    The AEM V2 Connector supports OAuth 2.0 authorization with JWT token.

    Supported authorization options

    Requests are authorized by including an Access Token in the Authorization header.

    Example:

    curl -H 'Authorization: Bearer {placeholderAccessToken}' http://HOST:PORT/content/COMPANY/us/en/community/messaging.html

    There are three ways the connector can get Access Token:

    • From the datasource configuration

    • From AEM server using Refresh Token

    • From AEM server using JWT token

    Request Access Token, Refresh Token, and JWT token manually and set them in the datasource configuration:

    AEM token request

    Other settings: Client Id, Client Secret, and Redirect Uri can be found in the AEM admin page under Security→Oauth Clients:

    AEM client settings

    Getting Access Token

    1. Open this URL in a browser:

      http://HOST:PORT/oauth/authorize?response_type=code&client_id=placeholderClientId&client_secret=placeholderClientSecret&username=admin&password=PASSWORD&scope=offline_access&redirect_uri=REDIRECT_URI
    2. You are redirected to login page (if you are not logged in):

      AEM login screen

    3. Logging in redirects you to confirm the authorization. Click Yes, I authorize this request.

      AME login confirmation

    4. You are redirected to the URL provided in redirect_uri with parameter code: <REDIRECT_URI>?code=<AUTHORIZATION_CODE>.

    5. Copy the value of the code parameter. This is your Authorization Code.

    6. Execute the request to get Access Token:

      curl --location --request POST 'http://HOST:PORT/oauth/token?code={placeholderAuthorizationCode}&client_id={placeholderClientId}&client_secret={placeholderClientSecret}&grant_type=authorization_code&redirect_uri=<REDIRECT_URI>' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json'

      Example:

      curl --location --request POST 'http://34.71.168.50:4502/oauth/token?code={placeholderAuthorizationCode}&client_id={placeholderClientId}&client_secret={placeholderClientSecret}&grant_type=authorization_code&redirect_uri=http://localhost:8080/test' --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json'
      "access_token":"{placeholderAccessToken}","refresh_token":"{placeholderRefreshToken}","expires_in":3600

    Getting Refresh Token

    To get Refresh Token, follow the same proccess for Access Token, but:

    1. You must include offline_access in the scope list.

    2. You must revoke all the previously obtained token. It can be done by clicking Revoke All Tokens.

    Getting JWT Bearer Token

    1. Download Private Key from the AEM Oauth client section.

      You should have downloaded file store.p12.

    2. Run:

      openssl pkcs12 -in store.p12 -out store.crt.pem -clcerts -nokeys

      When asked about password type notasecret.

      You should have generated file named store.crt.pem.

    3. Run

      openssl pkcs12 -in store.p12 -passin pass:notasecret -nocerts -nodes -out store.private.key.txt

      You should have generated file named store.private.key.txt.

    4. Create JWT token with the below payload and encrypt it with the private key using RS256:

      {
        "aud": "http://<HOST>:<PORT>/oauth/token",
        "iss": "<client id>",
        "sub": "<user name>",
        "exp": <Current time in milliseconds+expiry>,
        "iat": <Current time in milliseconds>,
        "scope": "<scope>",
        "cty": "code"
      }

      For example, install pyjwt to use this python script:

      pip install pyjwt
      import jwt
      
      payload_data = {
        "aud": "http://34.71.168.50:4502/oauth/token",
        "iss": "dp0dtqd9lqpcntvb6t12hrscpa-z1hqkpdg",
        "sub": "admin",
        "exp": 1697840880541,
        "iat": 1697740880541,
        "scope": "offline_access",
        "cty": "code"
      }
      
      private_key = open('store.private.key.txt', 'r').read()
      
      token = jwt.encode(
          payload=payload_data,
          key=private_key,
          algorithm='RS256'
      )
      
      print(token)