curl Commands for OpenAM OpenID Connect

 

Authorization Flow

* First, we authenticate the user, e.g. user.0.
– once authenticated, we can use the iPlanetDirectoryPro cookie value instead of username and password

curl -X POST -H "X-OpenAM-Username: user.0" -H "X-OpenAM-Password: Password1" -H "Content-Type: application/json" -d "" -k -v https://openam.my.com:10443/openam/json/authenticate?realm=/

The tokenId value, which is the same as the iPlanetDirectoryPro cookie value, is returned in JSON format:

{"tokenId":"AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*","successUrl":"/openam/console"}

* Next, we use the iPlanetDirectoryPro cookie value to request an authorization code:

curl -X POST -H "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*" -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d "response_type=code&scope=openid%20profile&client_id=MyClientID&redirect_uri=https://ssoapp.my.com/testopenid2.asp&save_consent=0&decision=Allow" -k -v https://openam.my.com:10443/openam/oauth2/authorize

The authorization code is returned as the value of the code query parameter in the redirect URL:

< Location: https://ssoapp.my.com/testopenid2.asp?code=aa287f7c-af45-4aee-a5fe-ed3c8441c268&scope=openid%20profile

* With the authorization code, we can get an access token:

curl -X POST --user MyClientID:Password1  -H "Cache-Control: no-cache" -d "grant_type=authorization_code&realm=/&code=aa287f7c-af45-4aee-a5fe-ed3c8441c268&redirect_uri=https://ssoapp.my.com/testopenid2.asp" -k -v https://openam.my.com:10443/openam/oauth2/access_token

– the access token is returned in a JSON response, together with an id_token in JWT format:

{"access_token":"75f03596-8ba5-47ca-937c-1317ee84abc3","scope":"openid profile","id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNV
PSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJBRjR0cjNubjA2OTlwWTlyWGJZU2RRIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0v
b2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJjX2hhc2giOiAiMUR5TnB3amZGamh5eVNwOXNwNHFVUSIsICJv
cmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogImE4ZDQ4NjQ4LTZkNzktNDk5Ni1hMzQxLWYxNTg4MzczYjJkOCIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJt
QXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg0OTI4MjEsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NDk2NTE4LCAidG9rZW5UeXBlIjog
IkpXVFRva2VuIiwgImlhdCI6IDE0ODg0OTI5MTgsICJmYW1pbHlfbmFtZSI6ICJBbWFyIiB9.pwFfotwVklPDc6vulV5yiaF7SHjJtofqSPqu9DD1w8hMIawkhxzJq8YzUkCuDO8k6DAuc3_lqaqbPWfj1OpGlvg
B4xqmQMvvXxrdoxD7vPxB0vTjz-TT1nrahsKbxrqhPrMnd55SmyGMwhrYNfPRPZqKX9hJVIuJTUo_iNJVrxM","token_type":"Bearer","expires_in":3599}
 
– We can decode the id_token using Linux commands:

# ID_TOKEN holds the id_token value from the response above
echo -n "$ID_TOKEN" | cut -d "." -f 1 | tr '_-' '/+' | base64 -d
 
# first part of JWT:
cut -d "." -f 1:
{ "typ": "JWT", "kid": "SylLC6Njt1KGQktD9Mt+0zceQSU=", "alg": "RS256" }
 
# second part of JWT:
cut -d "." -f 2:
{ "at_hash": "AF4tr3nn0699pY9rXbYSdQ", "sub": "user.0", "iss": "https://openam.my.com:10443/openam/oauth2", "tokenName": "id_token", "given_name": "Aaccf", "aud": [ "MyClientID" ], "c_hash": "1DyNpwjfFjhyySp9sp4qUQ", "org.forgerock.openidconnect.ops": "a8d48648-6d79-4996-a341-f1588373b2d8", "mApplPwd": "Lucky123", "azp": "MyClientID", "mApplLoginName": "JM1111A", "auth_time": 1488492821, "name": "Aaccf Amar", "realm": "/", "exp": 1488496518, "tokenType": "JWTToken", "iat": 1488492918, "family_name": "Amar" }

* Finally, we use access token for all future requests, e.g. user info:

curl -X POST -H "Authorization: Bearer 75f03596-8ba5-47ca-937c-1317ee84abc3" -d "" -k -v https://openam.my.com:10443/openam/oauth2/userinfo

– user info is returned:

{"sub":"user.0","given_name":"Aaccf","mApplPwd":"Lucky123","mApplLoginName":"JM1111A","name":"Aaccf Amar","family_name":"Amar"}

Implicit Flow

* In implicit flow, instead of getting authorization code first, we obtain access token directly by posting iPlanetDirectoryPro cookie value.
* First, we authenticate the user, e.g. user.0:

curl -X POST -H "X-OpenAM-Username: user.0" -H "X-OpenAM-Password: Password1" -H "Content-Type: application/json" -d "" -k -v https://openam.my.com:10443/openam/json/authenticate?realm=/

* Now we get the access token directly using the iPlanetDirectoryPro cookie value, without needing to get an authorization code first:

curl -X POST -H "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*" -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d "response_type=token%20id_token&scope=openid%20profile&client_id=MyClientID&redirect_uri=https://ssoapp.my.com/testopenid2.asp&save_consent=0&decision=Allow&nonce=1234" -k -v https://openam.my.com:10443/openam/oauth2/authorize

The access_token is returned in the fragment (after the #) of the redirect URL:

< Location: https://ssoapp.my.com/testopenid2.asp#access_token=1f7fa255-791e-490f-a35b-458bc0da5046&scope=openid%20profile&id_token=eyAidHlwIjogIkpXVCIsICJraWQi
OiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJ0SkJZYll3YTFmZUxBcF9jUHg2M1VBIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBz
Oi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0vb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGll
bnRJRCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNGJmYTVlMWItMDc0My00ZmQ5LWExMWMtODE2MjMxODIyN2UwIiwgIm1BcHBsUHdkIjogIkx1Y2t5MTIzIiwgImF6cCI6ICJNeUNs
aWVudElEIiwgIm1BcHBsTG9naW5OYW1lIjogIkpNMTExMUEiLCAiYXV0aF90aW1lIjogMTQ4ODQ5MjgyMSwgIm5hbWUiOiAiQWFjY2YgQW1hciIsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0ODg0OTY4NDUsICJ0
b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ4ODQ5MzI0NSwgImZhbWlseV9uYW1lIjogIkFtYXIiIH0.Qadoixhd3znvnoWbwWWfDt4B3iA6ydyg4Syt8TL1pa8U8Px8hgh4UFxGsd-k1Bu14Ti3uNzX
4WV1cZ9yyZgyQln7c2jI8CHbQen_Y_Z_diJcECDKonpCT-znx0kR4xXuDv-MTr4EyW-r3CMfnKYvIkYDVp76gJEB-dPSR3gs7AE&token_type=Bearer&expires_in=3599

The id_token can be decoded using Linux commands:

# ID_TOKEN holds the id_token value from the Location header above
echo -n "$ID_TOKEN" | cut -d "." -f 1 | tr '_-' '/+' | base64 -d
 
cut -d "." -f 1:
{ "typ": "JWT", "kid": "SylLC6Njt1KGQktD9Mt+0zceQSU=", "alg": "RS256" }
 
cut -d "." -f 2:
{ "at_hash": "tJBYbYwa1feLAp_cPx63UA", "sub": "user.0", "iss": "https://openam.my.com:10443/openam/oauth2", "tokenName": "id_token", "given_name": "Aaccf", "nonce": "1234", "aud": [ "MyClientID" ], "org.forgerock.openidconnect.ops": "4bfa5e1b-0743-4fd9-a11c-8162318227e0", "mApplPwd": "Lucky123", "azp": "MyClientID", "mApplLoginName": "JM1111A", "auth_time": 1488492821, "name": "Aaccf Amar", "realm": "/", "exp": 1488496845, "tokenType": "JWTToken", "iat": 1488493245, "family_name": "Amar" }

* access_token can be used for future requests such as OpenID Connect UserInfo:

curl -X POST -H "Authorization: Bearer 1f7fa255-791e-490f-a35b-458bc0da5046" -d "" -k -v https://openam.my.com:10443/openam/oauth2/userinfo
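
The decode steps above only display the id_token; a client receiving it from either flow also has to check what it says. An added example (Python, not from the original post or from OpenAM) that checks the iss, aud, exp, nonce and at_hash claims seen in the decoded tokens, using a constructed sample token; `check_id_token` and `make_sample` are hypothetical names, and verifying the RS256 signature against the provider's published key is a separate step not shown here.

```python
import base64
import hashlib
import json
import time


def b64url_decode(segment):
    """Decode a JWT segment: base64url alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def at_hash(access_token):
    """Left half of SHA-256(access_token), base64url-encoded (the RS256 case)."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return b64url_encode(digest[: len(digest) // 2])


def check_id_token(id_token, access_token, issuer, client_id, nonce=None, now=None):
    """Return the list of failed claim checks. The signature is NOT verified here."""
    header_b64, payload_b64, _signature = id_token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    now = time.time() if now is None else now
    checks = [
        ("unexpected alg", header.get("alg") != "RS256"),
        ("iss mismatch", claims.get("iss") != issuer),
        ("aud mismatch", client_id not in audiences),
        ("expired", claims.get("exp", 0) <= now),
        ("nonce mismatch", nonce is not None and claims.get("nonce") != nonce),
        ("at_hash mismatch", claims.get("at_hash") != at_hash(access_token)),
    ]
    return [name for name, failed in checks if failed]


def make_sample(access_token, nonce, exp):
    """Constructed token shaped like the ones above; the signature is a placeholder."""
    header = {"typ": "JWT", "alg": "RS256"}
    claims = {"iss": "https://openam.my.com:10443/openam/oauth2", "sub": "user.0",
              "aud": ["MyClientID"], "nonce": nonce, "exp": exp,
              "at_hash": at_hash(access_token)}
    parts = [b64url_encode(json.dumps(part).encode()) for part in (header, claims)]
    return ".".join(parts + ["c2lnbmF0dXJl"])
```

Pass the nonce that was sent in the authorize request (nonce=1234 in the implicit flow above); an empty list means every claim check passed.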

OpenID Token VIA OAuth2.0 Access Token endpoint

* You can use the client id/password AND the resource owner id/password to obtain the access_token AND OpenID's id_token in a single request:

curl --request POST --user "MyClientID:Password1" --data "grant_type=password&username=user.0&password=Password1&scope=openid%20profile" -k -v "https://openam.my.com:10443/openam/oauth2/access_token"

– the response is JSON, and the id_token in it is in JWT format:

{"access_token":"d5f79649-bbf8-46d9-ab23-4721e0e43c38","scope":"openid profile","id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNV
PSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJicW5teHVrdG0tbjlrY0UwQW1KaURnIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0v
b2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogIjQ0
ODgyOGZiLTUzNDQtNGE4MS1iZWM2LTk4NzMxOGY0NDk0YyIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGlt
ZSI6IDE0ODg1MDIwMDIsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NTA1NjAyLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgImlhdCI6IDE0ODg1MDIwMDIsICJmYW1p
bHlfbmFtZSI6ICJBbWFyIiB9.GPuBCFbMYQ-Ue2DOnk3zAitOtFAOkitS8aDcaSIwYDawYS8ruZhnKxTHnCTXmenOBiURf2mxwmGs0sGRwOhjAYnFydq0LrMZeI_7tcqSMXK5h_ip9Jf95gBVOj8pg3s3xs-q4E4
wnEkdNamQcNVa3tXQtn7ny-fQO2fZiUyYVFo","token_type":"Bearer","expires_in":3599}

– base64 decode:

# ID_TOKEN holds the id_token value from the response above
echo -n "$ID_TOKEN" | cut -d "." -f 1 | tr '_-' '/+' | base64 -d
 
{ "typ": "JWT", "kid": "SylLC6Njt1KGQktD9Mt+0zceQSU=", "alg": "RS256" }
{ "at_hash": "bqnmxuktm-n9kcE0AmJiDg", "sub": "user.0", "iss": "https://openam.my.com:10443/openam/oauth2", "tokenName": "id_token", "given_name": "Aaccf", "aud": [ "MyClientID" ], "org.forgerock.openidconnect.ops": "448828fb-5344-4a81-bec6-987318f4494c", "mApplPwd": "Lucky123", "azp": "MyClientID", "mApplLoginName": "JM1111A", "auth_time": 1488502002, "name": "Aaccf Amar", "realm": "/", "exp": 1488505602, "tokenType": "JWTToken", "iat": 1488502002, "family_name": "Amar" }

Get iPlanetDirectoryPro from Existing Cookie

* Here we copy the iPlanetDirectoryPro cookie value from a browser where the user is already logged in to OpenAM, and use it to request the access_token and id_token in implicit flow:

curl -X POST -H "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczAAivq80vg9bBWZfV5wzInKuyNq2sxhz0.*AAJTSQACMDEAAlNLABM3Nzc4MzU2MDIxMTUwMzE3NTE3AAJTMQAA*" -H "Content-Type: application/x-www-form-urlencoded" -H "Cache-Control: no-cache" -d "response_type=token%20id_token&scope=openid%20profile&client_id=MyClientID&redirect_uri=https://ssoapp.my.com/testopenid2.asp&save_consent=0&decision=Allow&nonce=1234" -k -v https://openam.my.com:10443/openam/oauth2/authorize

– returned JWT token:

< Location: https://ssoapp.my.com/testopenid2.asp#access_token=77cd2357-c737-43d0-880a-3bb8e70a060b&scope=openid%20profile&id_token=eyAidHlwIjogIkpXVCIsICJraWQi
OiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICIyeHpMeGVoQlN1UlVIZXBGUVNLcEVRIiwgInN1YiI6ICJqaWFsaSIsICJpc3MiOiAiaHR0cHM6
Ly9vcGVuYW0ubXkuY29tOjEwNDQzL29wZW5hbS9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGllbnRJRCIgXSwgIm9yZy5mb3JnZXJvY2su
b3BlbmlkY29ubmVjdC5vcHMiOiAiZjBkMjI4ZjAtOTM3Yi00MTUyLTg0MTMtMzM0ZDk4MzNmODg2IiwgIm1BcHBsUHdkIjogIlBhc3N3b3JkMSIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFt
ZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg1MTI2NDksICJuYW1lIjogIkppbW15IExpIiwgInJlYWxtIjogIi8iLCAiZXhwIjogMTQ4ODUxNjM0OCwgInRva2VuVHlwZSI6ICJKV1RUb2tlbiIsICJp
YXQiOiAxNDg4NTEyNzQ4LCAiZmFtaWx5X25hbWUiOiAiSmltbXkiIH0.p4YvcDm-nkzVJj0hCpu6HW1o-X0PYhWqU_d5iLJYTwaWGXnI7IwDxiREvD4dkyu_-9noq79qIGjS-8dJgQmftwI5_bMs5nLNPl_U38IY
doWjYKlDuRBK2nIqlKoViLzGdxgZnVdcIplUFMTvoV4dHq5HLKGWFv6iWvg0tvAPG4A&token_type=Bearer&expires_in=3599

– base64 decode:

# ID_TOKEN holds the id_token value from the Location header above
echo -n "$ID_TOKEN" | cut -d "." -f 1 | tr '_-' '/+' | base64 -d
 
{ "typ": "JWT", "kid": "SylLC6Njt1KGQktD9Mt+0zceQSU=", "alg": "RS256" }
{ "at_hash": "2xzLxehBSuRUHepFQSKpEQ", "sub": "jiali", "iss": "https://openam.my.com:10443/openam/oauth2", "tokenName": "id_token", "nonce": "1234", "aud": [ "MyClientID" ], "org.forgerock.openidconnect.ops": "f0d228f0-937b-4152-8413-334d9833f886", "mApplPwd": "Password1", "azp": "MyClientID", "mApplLoginName": "JM1111A", "auth_time": 1488512649, "name": "Jimmy Li", "realm": "/", "exp": 1488516348, "tokenType": "JWTToken", "iat": 1488512748, "family_name": "Jimmy" }
