Hello,
I am currently evaluating the OpenIAM REST API and OAuth2 integration on OpenIAM 4.2.1.13
I created an OAuth Client according to the official documentation:
-
Create Auth Provider
-
Granting Authorization
-
API Call Examples
OAuth Client configuration:
-
Grant Type: Client Credentials (also tested with Authorization Code)
-
Auth Type: Basic HTTP
-
Scopes:
-
MTK-/webconsole/*
-
MTK-/selfservice/*
-
OAUTH_user_name
-
The OAuth flow itself appears to work correctly.
Client Credentials Flow
Request:
POST /idp/oauth2/token
grant_type=client_credentials
Response:
{
"access_token": "...",
"token_type": "Bearer"
}
Token validation:
GET /idp/oauth2/userinfo
Authorization: Bearer <token>
Response:
{
"sub": "0001",
"user_name": "system"
}
Authorization Code Flow
Request:
GET /idp/oauth2/userinfo
Authorization: Bearer <token>
Response:
{
"sub": "3000",
"user_name": "sysadmin"
}
The token is also correctly stored in the OAUTH_TOKEN table and associated with the expected user.
Problem
Any call to the WebConsole REST API fails.
Example:
POST /webconsole/rest/api/users/search?deepCopy=true
Authorization: Bearer <token>
Content-Type: application/json
Body:
{
"from": 0,
"size": 20,
"principal": "sysadmin"
}
Response:
{
"timestamp": ...,
"status": 404,
"error": "Not Found",
"path": "/openiam-ui-static/401"
}
This appears to be an internal 401 Unauthorized that is redirected to /openiam-ui-static/401, which does not exist and therefore results in a 404.
Question
Since /idp/oauth2/userinfo successfully validates the token and resolves the correct user, OAuth itself seems to be working.
Are additional configuration steps required to authorize OAuth clients against:
/webconsole/rest/api/*
or
/selfservice/rest/api/*
endpoints?
Is there a specific API role, resource mapping, scope configuration, or OAuth provider setting required beyond what is described in the API documentation?
Any guidance would be appreciated.