OAuth2 Token works with /idp/oauth2/userinfo but WebConsole REST API returns /openiam-ui-static/401

Hello,

I am currently evaluating the OpenIAM REST API and OAuth2 integration on OpenIAM 4.2.1.13.

I created an OAuth Client according to the official documentation:

  • Create Auth Provider

  • Granting Authorization

  • API Call Examples

OAuth Client configuration:

  • Grant Type: Client Credentials (also tested with Authorization Code)

  • Auth Type: Basic HTTP

  • Scopes:

    • MTK-/webconsole/*

    • MTK-/selfservice/*

    • OAUTH_user_name

The OAuth flow itself appears to work correctly.

Client Credentials Flow

Request:

POST /idp/oauth2/token
grant_type=client_credentials

Response:

{
  "access_token": "...",
  "token_type": "Bearer"
}

Token validation:

GET /idp/oauth2/userinfo
Authorization: Bearer <token>

Response:

{
  "sub": "0001",
  "user_name": "system"
}

Authorization Code Flow

Request:

GET /idp/oauth2/userinfo
Authorization: Bearer <token>

Response:

{
  "sub": "3000",
  "user_name": "sysadmin"
}

The token is also correctly stored in the OAUTH_TOKEN table and associated with the expected user.

Problem

Any call to the WebConsole REST API fails.

Example:

POST /webconsole/rest/api/users/search?deepCopy=true
Authorization: Bearer <token>
Content-Type: application/json

Body:

{
  "from": 0,
  "size": 20,
  "principal": "sysadmin"
}

Response:

{
  "timestamp": ...,
  "status": 404,
  "error": "Not Found",
  "path": "/openiam-ui-static/401"
}

This appears to be an internal 401 Unauthorized that is redirected to /openiam-ui-static/401, which does not exist and therefore results in a 404.

Question

Since /idp/oauth2/userinfo successfully validates the token and resolves the correct user, OAuth itself seems to be working.

Are additional configuration steps required to authorize OAuth clients against:

/webconsole/rest/api/*

or

/selfservice/rest/api/*

endpoints?

Is there a specific API role, resource mapping, scope configuration, or OAuth provider setting required beyond what is described in the API documentation?

Any guidance would be appreciated.
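As an added reproduction aid, not code from the original post or from OpenIAM, the script below runs the same sequence the post describes against one bearer token: it calls /idp/oauth2/userinfo, checks that the "sub" and "user_name" claims are present, then calls the WebConsole and Selfservice REST endpoints listed in the thread and classifies each answer. The one non-obvious case it handles is the masked failure from the post: a 404 whose JSON body carries "path": "/openiam-ui-static/401" is reported as an unauthorized response rather than a routing 404, so it is not mistaken for a wrong URL. The base URL and token are taken from the command line and are assumptions; the endpoint paths and the search body are the ones from the post.

```python
import json
import urllib.error
import urllib.request

# Path the UI layer returned in the thread: a 404 that carries this path is
# an upstream 401 redirected to a page that does not exist.
MASKED_401_PATH = "/openiam-ui-static/401"

# Claims the reverse proxy is expected to find in the userinfo response
# (the thread shows "sub" and "user_name").
REQUIRED_CLAIMS = ("sub", "user_name")


def classify_response(status, body):
    """Map an HTTP status plus body text to a short verdict string."""
    try:
        data = json.loads(body) if body else {}
    except json.JSONDecodeError:
        data = {}
    if not isinstance(data, dict):
        data = {}
    if status == 404 and data.get("path") == MASKED_401_PATH:
        return "unauthorized-masked-as-404"
    if status in (401, 403):
        return "unauthorized"
    if status == 404:
        return "not-found"
    if 200 <= status < 300:
        return "ok"
    return "http-%d" % status


def missing_claims(userinfo_body):
    """Return the required claims absent from a /idp/oauth2/userinfo body."""
    try:
        data = json.loads(userinfo_body)
    except (json.JSONDecodeError, TypeError):
        return list(REQUIRED_CLAIMS)
    if not isinstance(data, dict):
        return list(REQUIRED_CLAIMS)
    return [claim for claim in REQUIRED_CLAIMS if claim not in data]


def fetch(base_url, path, token, method="GET", payload=None):
    """Send one bearer-authenticated request and return (status, body_text)."""
    data = None
    headers = {"Authorization": "Bearer " + token, "Accept": "application/json"}
    if payload is not None:
        data = json.dumps(payload).encode("utf-8")
        headers["Content-Type"] = "application/json"
    req = urllib.request.Request(base_url + path, data=data,
                                 headers=headers, method=method)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        # Non-2xx answers arrive as exceptions; keep status and body.
        return err.code, err.read().decode("utf-8", "replace")


def run_checks(base_url, token):
    """Exercise the endpoints from the thread with one token; return a summary."""
    report = {}
    status, body = fetch(base_url, "/idp/oauth2/userinfo", token)
    report["/idp/oauth2/userinfo"] = classify_response(status, body)
    report["missing_claims"] = (missing_claims(body) if status == 200
                                else list(REQUIRED_CLAIMS))
    for method, path, payload in (
        ("GET", "/webconsole/rest/api/profile", None),
        ("GET", "/selfservice/rest/api/profile", None),
        ("POST", "/webconsole/rest/api/users/search?deepCopy=true",
         {"from": 0, "size": 20, "principal": "sysadmin"}),
    ):
        status, body = fetch(base_url, path, token, method, payload)
        report[path] = classify_response(status, body)
    return report


if __name__ == "__main__":
    import sys
    # Assumed invocation: python check_token.py https://iam.example.test <access_token>
    base, tok = sys.argv[1], sys.argv[2]
    for key, value in run_checks(base, tok).items():
        print("%-52s %s" % (key, value))
```

A result where "/idp/oauth2/userinfo" is "ok" with no missing claims while every REST path reads "unauthorized-masked-as-404" is exactly the state the thread describes, and separates the token-validity question from the API-authorization question in one run.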

Hello @Luca,

Thanks for your questions. I’ve reached out internally and will have answers for you shortly.

Thanks,

Ameet

Hello @Luca,

Please add the OAUTH scope-user_name to your OAuth Provider configuration. This should help ensure that the user_name claim is included in the token introspection response, allowing the reverse proxy to correctly identify the user and complete the authentication flow.

Thanks.


Hello Ameet,

Thank you for your response.

I would like to clarify that the OAUTH_user_name scope was already present in the OAuth Provider configuration before I opened this thread.

Current scopes are:

  • MTK-/webconsole/*

  • Main-Taunus-Kreis-/webconsole/*

  • OAUTH_user_name

To verify this, I generated completely new access tokens and repeated all tests.

Token validation

GET /idp/oauth2/userinfo
Authorization: Bearer CTQRoDfeGBOM01R.7UBCV3HTZlZE4rnWHMQ4_y.HwFu3nyYSdagy7oLtwhKnC2RtdOXLWXmX0A8qNO

Response:

{
  "sub":"3000",
  "user_name":"sysadmin",
  "auth_time":1780992128
}

This confirms that:

  • OAuth authentication works

  • the token is valid

  • the token resolves to the correct user

  • the user_name claim is already present

API tests

Using the exact same access token:

GET /webconsole/rest/api/profile

GET /selfservice/rest/api/profile

POST /webconsole/rest/api/users/search

All requests return:

{
  "status":404,
  "error":"Not Found",
  "path":"/openiam-ui-static/401"
}

The same behavior occurs with:

  • Authorization Code Flow (sysadmin)

  • Client Credentials Flow (system)

In both cases /idp/oauth2/userinfo succeeds, while all /webconsole/rest/api/* and /selfservice/rest/api/* requests fail.

Is there any additional configuration required to allow OAuth Bearer Tokens to access the WebConsole or Selfservice REST APIs?

Thank you.