To support troubleshooting in OAuth 2.0/OpenID Connect authentication you can log personal login data, such as information about tokens or issuers. The log is written to the object log file (<appName>_object.log) of the respective One Identity Manager component.
To log authentication data
In the Designer, set the QBM | DebugMode | OAuth2 | LogPersonalInfoOnException configuration parameter.
The One Identity Manager REST API is an integral part of the application server. To use OAuth 2.0/OpenID Connect authentication for accessing the application server's REST API, there is support for the OAuth2.0/OpenID Connect and OAuth2.0/OpenID Connect (role-based) authentication modules.
Authentication is done using the access token provided. The first time a request is made with a new access token, a session is established with that token and the authentication module. Further accesses with the same token use the same session. The validity period of the token is checked in the process.
For more information about the One Identity Manager REST API, see One Identity Manager REST API Reference Guide.
NOTE: To access the REST API in the application server, users need the AppServer_API program function.
To set up authentication for the REST API using OAuth 2.0/OpenID Connect
In the , set the QBM | AppServer | AccessTokenAuth configuration parameter.
In the , set the respective authentication module either OAuth 2.0/OpenID Connect or OAuth 2.0/OpenID Connect (role-based).
If the OAuth 2.0/OpenID Connect (role-based) authentication module is used, set the QBM | AppServer | AccessTokenAuth | RoleBased confguration parameter as well.
In the , create the OAuth 2.0/OpenID Connect configuration and assign the configuration to the web application for the application server.
The URL for the application server must be declared.
When the application server is installed, an entry for the web application is created with the URL in the QBMWebApplication table. Check whether the URL (BaseURL column) is entered.
To display a web application's settings
In the , select the Base data > Security settings > Web server configurations category.
In List Editor, select the web application.
An authentication module is provided within the application server to authenticate using access tokens. The application server client uses the information from the authentication module to determine the access token for logging in on the server side.
For example, the authentication module can be used for Job servers that do not have a direct connection to the database but work against an application server.
To use the authentication module, ensure that authentication for accessing the REST API is set up using OAuth 2.0/OpenID Connect.
NOTE: If authentication is by access token, other authentication modules are excluded from use and the application server returns an error.
Module=Token;Url=<URL of the application server>;ClientId=<client-ID>;ClientSecret=<secret>;TokenEndpoint=<token endpoint>.
With the following parameters:
URL: URL of the application server
ClientId: Client ID for authentication at the token endpoint.
ClientSecret: Secret value for authentication at the token endpoint.
TokenEndpoint: URL of the token endpoint.
For more information about providing connection and authentication data to the application server for Job servers, see the One Identity Manager Configuration Guide.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center
Display settings for web applications