Programmatic access to a Resource protected by IBM APP ID


I am trying to access a REST API secured by an App ID service instance. I have tried two approaches to access the REST resource, but I always get the <title>Redirect To OP</title> redirect HTML as the response instead of the actual resource.

Approach 1
Using a Cloud Directory user and grant_type=password at the token endpoint

1.1 I have added a user and password in Cloud Directory.

1.2 HTTP POST to the <oauthServer>/token endpoint with client ID and secret as Basic authentication and grant_type=password, username=<cloud_directory_user>, password=<password>

1.3 I get an access token and an identity token.

1.4 Invoked the protected resource with an authorization header carrying both the access token and the identity token: authorization: Bearer <accesstoken> <identity token>

1.5 The response contains the redirect HTML instead of the actual resource JSON/XML.

Approach 2

2.1 Fetch an access token from the <oauthserverUrl>/token endpoint with grant_type=client_credentials, using Basic authentication with the client ID and secret as username and password.

2.2 I got an access token of type Bearer.

2.3 Invoke the protected resource with the authorization header

authorization: Bearer <access_token>

2.4 I get the same redirect response <title>Redirect To OP</title> instead of the actual resource JSON/XML.

New Update

Here is the Liberty openidConnectClient configuration of the resource provider.

<openidConnectClient id="<identifier>"
                     clientId="${APPID_CLIENT_ID}"
                     clientSecret="${APPID_CLIENT_SECRET}"
                     authorizationEndpointUrl="${APPID_AUTH_SERVER}/authorization"
                     tokenEndpointUrl="${APPID_AUTH_SERVER}/token"
                     jwkEndpointUrl="${APPID_AUTH_SERVER}/publickeys"
                     issuerIdentifier="${APPID_AUTH_SERVER_ISSUER}"
                     tokenEndpointAuthMethod="basic"
                     signatureAlgorithm="RS256"
                     authFilterid="myAuthFilter"
                     trustAliasName="ng.bluemix.net"
                     trustStoreRef="appidtruststore"
                     redirectToRPHostAndPort="https://${env.APPID_SAMPLE_HOST}:${env.APPID_SAMPLE_SSL_PORT}"
                     userIdentityToCreateSubject="email"
                     inboundPropagation="supported"
                     validationEndpointUrl="${APPID_AUTH_SERVER}/introspect"
                     validationMethod="introspect"
/>


There are 2 answers

2
Nitzan Nissim On

I am assuming you are using WebSphere Liberty and have configured an OIDC client. It seems that you should configure your OIDC client in your server.xml to support protected REST endpoints, as stated in the documentation:

  1. Optional: You can configure an OpenID Connect Client to optionally accept a valid OAuth 2.0 bearer access token as an authentication token without redirecting the request to an OpenID Connect provider. If a request contains a valid OAuth 2.0 bearer access token, then the Liberty OpenID Connect Client will automatically validate the access token, and create an authenticated subject based on the token validation result. If the request does not contain an access token or the access token is invalid, then the Liberty OpenID Connect Client continues to redirect the user to an OpenID Connect provider. This function enables the Liberty server to serve both the browser client and non-browser client like a RESTful client. You can add inboundPropagation="supported" to the configuration to enable this function.

See: Configuring an OpenID Connect Client in Liberty

0
Chunlong On
  1. In your approach 1, the header "authorization: Bearer <accesstoken> <identity token>" is not supported; it is supposed to be "authorization: Bearer <accesstoken>".
  2. Is the access token an opaque token or a JWT? Can you post a sample JWT or the result from opaque introspection?
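The two answers above come down to three checks a non-browser client should make: authenticate to the token endpoint with HTTP Basic, send only the access token after "Bearer", and confirm that what came back is the resource rather than Liberty's "Redirect To OP" page. The following is an added example, not code from the question, the answers or IBM App ID; the OAuth server URL, client ID and secret are placeholders, and the sample JWT is constructed to illustrate the opaque-vs-JWT question (it is unsigned and not a real token).

```python
import base64
import json
import urllib.parse
import urllib.request

# Hypothetical values; substitute the App ID service credentials for your tenant.
OAUTH_SERVER_URL = "https://appid.example.invalid/oauth/v4/<tenant-id>"
CLIENT_ID = "<client-id>"
CLIENT_SECRET = "<client-secret>"


def basic_auth_header(client_id, client_secret):
    """HTTP Basic header that authenticates the client at the token endpoint."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


def token_request(oauth_server_url, client_id, client_secret, grant_type, **params):
    """Build (but do not send) the form POST to <oauthServer>/token for a grant type."""
    body = urllib.parse.urlencode({"grant_type": grant_type, **params}).encode()
    req = urllib.request.Request(oauth_server_url.rstrip("/") + "/token", data=body, method="POST")
    req.add_header("Authorization", basic_auth_header(client_id, client_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req  # send with urllib.request.urlopen(req) and json.loads(resp.read())


def bearer_header(access_token):
    """Resource call: only the access token follows 'Bearer'; no identity token appended."""
    return {"Authorization": f"Bearer {access_token}"}


def token_kind(token):
    """'jwt' for a three-segment token whose first segment is a JSON header, else 'opaque'."""
    parts = token.split(".")
    if len(parts) != 3:
        return "opaque"
    try:
        padded = parts[0] + "=" * (-len(parts[0]) % 4)
        header = json.loads(base64.urlsafe_b64decode(padded))
    except (ValueError, UnicodeDecodeError):
        return "opaque"
    return "jwt" if isinstance(header, dict) and "alg" in header else "opaque"


def got_resource(status, content_type, body):
    """True only when the resource itself came back, not the OIDC redirect page."""
    if status in (301, 302, 303, 307) or "<title>Redirect To OP</title>" in body:
        return False
    return content_type.startswith(("application/json", "application/xml", "text/xml"))


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample shaped like an RS256 JWT header.payload.signature (unsigned, not real).
SAMPLE_JWT = ".".join([_b64url(b'{"alg":"RS256","typ":"JWT"}'), _b64url(b'{"sub":"user"}'), "sig"])
```

With inboundPropagation="supported" and validationMethod="introspect" in the openidConnectClient, a request carrying a valid Bearer access token is validated against the introspect endpoint instead of being redirected; got_resource() is the client-side check that this actually happened.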