{"id":11985,"date":"2017-03-03T10:53:39","date_gmt":"2017-03-03T15:53:39","guid":{"rendered":"http:\/\/jianmingli.com\/wp\/?p=11985"},"modified":"2019-10-10T14:09:01","modified_gmt":"2019-10-10T19:09:01","slug":"curl-commands-for-openam-openid-connect","status":"publish","type":"post","link":"https:\/\/jianmingli.com\/wp\/?p=11985","title":{"rendered":"curl Commands for OpenAM OpenID Connect"},"content":{"rendered":"
\n

Contents<\/h2>\n
    \n\t
  1. \n\t\tAuthorization Flow<\/a>\n\t<\/li>\n\t
  2. \n\t\tImplicit Flow<\/a>\n\t<\/li>\n\t
  3. \n\t\tOpenID Token VIA OAuth2.0 Access Token endpoint<\/a>\n\t<\/li>\n\t
  4. \n\t\tGet iPlanetDirectoryPro <\/em>from Existing Cookie<\/a>\n\t<\/li>\n\t
  5. \n\t\tReferences<\/a>\n\t<\/li>\n<\/ol>\n<\/ol>\n<\/div>\n
     <\/div>\n

    Authorization Flow<\/h2><\/span>\n

    * First, we authenticate the user, e.g. user.0<\/em>.
    \n– once authenticated, we can use the iPlanetDirectoryPro<\/em> cookie value instead of username and password<\/p>\n

    curl -X POST -H \"X-OpenAM-Username: user.0\" -H \"X-OpenAM-Password: Password1\" -H \"Content-Type: application\/json\" -d \"\" -k -v https:\/\/openam.my.com:10443\/openam\/json\/authenticate?realm=\/\n<\/pre>\n
    tokenId<\/em> value, which is the same as iPlanetDirectoryPro<\/em> cookie value, is returned in JSON format:<\/p>\n
    {\"tokenId\":\"AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*\",\"successUrl\":\"\/openam\/console\"}\n<\/pre>\n
    * Next, we use iPlanetDirectoryPro<\/em> cookie value to request for authorization token:<\/p>\n
    curl -X POST -H \"Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*\" -H \"Content-Type: application\/x-www-form-urlencoded\" -H \"Cache-Control: no-cache\" -d \"response_type=code&scope=openid%20profile&client_id=MyClientID&redirect_uri=https:\/\/ssoapp.my.com\/testopenid2.asp&save_consent=0&decision=Allow\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/authorize\n<\/pre>\n
    authorization code<\/em> is returned as the value of code<\/em> query parameter in the redirect URL:<\/p>\n
    < Location: https:\/\/ssoapp.my.com\/testopenid2.asp?code=aa287f7c-af45-4aee-a5fe-ed3c8441c268&scope=openid%20profile\n<\/pre>\n
    * With authorization token, we can get access token:<\/p>\n
    curl -X POST --user MyClientID:Password1  -H \"Cache-Control: no-cache\" -d \"grant_type=authorization_code&realm=\/&code=aa287f7c-af45-4aee-a5fe-ed3c8441c268&redirect_uri=https:\/\/ssoapp.my.com\/testopenid2.asp\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/access_token\n<\/pre>\n
    – access token is returned as JWT:<\/p>\n
    {\"access_token\":\"75f03596-8ba5-47ca-937c-1317ee84abc3\",\"scope\":\"openid profile\",\"id_token\":\"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNV\nPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJBRjR0cjNubjA2OTlwWTlyWGJZU2RRIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0v\nb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJjX2hhc2giOiAiMUR5TnB3amZGamh5eVNwOXNwNHFVUSIsICJv\ncmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogImE4ZDQ4NjQ4LTZkNzktNDk5Ni1hMzQxLWYxNTg4MzczYjJkOCIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJt\nQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg0OTI4MjEsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NDk2NTE4LCAidG9rZW5UeXBlIjog\nIkpXVFRva2VuIiwgImlhdCI6IDE0ODg0OTI5MTgsICJmYW1pbHlfbmFtZSI6ICJBbWFyIiB9.pwFfotwVklPDc6vulV5yiaF7SHjJtofqSPqu9DD1w8hMIawkhxzJq8YzUkCuDO8k6DAuc3_lqaqbPWfj1OpGlvg\nB4xqmQMvvXxrdoxD7vPxB0vTjz-TT1nrahsKbxrqhPrMnd55SmyGMwhrYNfPRPZqKX9hJVIuJTUo_iNJVrxM\",\"token_type\":\"Bearer\",\"expires_in\":3599}\n\n- We can decode id_token using Linux command:\n\n
    echo -n \"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJBRjR0cjNubjA2OTlwWTlyWGJZU2RRIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0vb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJjX2hhc2giOiAiMUR5TnB3amZGamh5eVNwOXNwNHFVUSIsICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogImE4ZDQ4NjQ4LTZkNzktNDk5Ni1hMzQxLWYxNTg4MzczYjJkOCIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg0OTI4MjEsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NDk2NTE4LCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgImlhdCI6IDE0ODg0OTI5MTgsICJmYW1pbHlfbmFtZSI6ICJBbWFyIiB9.pwFfotwVklPDc6vulV5yiaF7SHjJtofqSPqu9DD1w8hMIawkhxzJq8YzUkCuDO8k6DAuc3_lqaqbPWfj1OpGlvgB4xqmQMvvXxrdoxD7vPxB0vTjz-TT1nrahsKbxrqhPrMnd55SmyGMwhrYNfPRPZqKX9hJVIuJTUo_iNJVrxM\" | cut -d \".\" -f 1 | base64 -d\n\n# first part of JWT:\ncut -d \".\" -f 1:\n{ \"typ\": \"JWT\", \"kid\": \"SylLC6Njt1KGQktD9Mt+0zceQSU=\", \"alg\": \"RS256\" }\n\n# second part of JWT:\ncut -d \".\" -f 2:\n{ \"at_hash\": \"AF4tr3nn0699pY9rXbYSdQ\", \"sub\": \"user.0\", \"iss\": \"https:\/\/openam.my.com:10443\/openam\/oauth2\", \"tokenName\": \"id_token\", \"given_name\": \"Aaccf\", \"aud\": [ \"MyClientID\" ], \"c_hash\": \"1DyNpwjfFjhyySp9sp4qUQ\", \"org.forgerock.openidconnect.ops\": \"a8d48648-6d79-4996-a341-f1588373b2d8\", \"mApplPwd\": \"Lucky123\", \"azp\": \"MyClientID\", \"mApplLoginName\": \"JM1111A\", \"auth_time\": 1488492821, \"name\": \"Aaccf Amar\", \"realm\": \"\/\", \"exp\": 1488496518, \"tokenType\": \"JWTToken\", \"iat\": 1488492918, \"family_name\": \"Amar\" }\n<\/pre>\n
    * Finally, we use access token for all future requests, e.g. user info:<\/p>\n
    curl -X POST -H \"Authorization: Bearer 75f03596-8ba5-47ca-937c-1317ee84abc3\" -d \"\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/userinfo\n<\/pre>\n
    - user info is returned:<\/p>\n
    {\"sub\":\"user.0\",\"given_name\":\"Aaccf\",\"mApplPwd\":\"Lucky123\",\"mApplLoginName\":\"JM1111A\",\"name\":\"Aaccf Amar\",\"family_name\":\"Amar\"}\n<\/pre>\n
    Implicit Flow<\/h2><\/span>\n
    * In implicit flow, instead of getting authorization code first, we obtain access token directly by posting iPlanetDirectoryPro<\/em> cookie value.
    \n* First, we authenticate the user, e.g. user.0<\/em>:<\/p>\n
    curl -X POST -H \"X-OpenAM-Username: user.0\" -H \"X-OpenAM-Password: Password1\" -H \"Content-Type: application\/json\" -d \"\" -k -v https:\/\/openam.my.com:10443\/openam\/json\/authenticate?realm=\/\n<\/pre>\n
    * Now we get access token directly using iPlanetDirectoryPro<\/em> cookie value without needing to get authorization token frist:<\/p>\n
    curl -X POST -H \"Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcyahxlTLD4Ye4wZ7-k8sH3508KQU9LUbas.*AAJTSQACMDEAAlNLABQtNDMyMDIwODg5OTQwMDI5Mzc4MQACUzEAAA..*\" -H \"Content-Type: application\/x-www-form-urlencoded\" -H \"Cache-Control: no-cache\" -d \"response_type=token%20id_token&scope=openid%20profile&client_id=MyClientID&redirect_uri=https:\/\/ssoapp.my.com\/testopenid2.asp&save_consent=0&decision=Allow&nonce=1234\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/authorize\n<\/pre>\n
    - access_token<\/em> is returned as query parameter in the redirect URL:<\/p>\n
    < Location: https:\/\/ssoapp.my.com\/testopenid2.asp#access_token=1f7fa255-791e-490f-a35b-458bc0da5046&scope=openid%20profile&id_token=eyAidHlwIjogIkpXVCIsICJraWQi\nOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJ0SkJZYll3YTFmZUxBcF9jUHg2M1VBIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBz\nOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0vb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGll\nbnRJRCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNGJmYTVlMWItMDc0My00ZmQ5LWExMWMtODE2MjMxODIyN2UwIiwgIm1BcHBsUHdkIjogIkx1Y2t5MTIzIiwgImF6cCI6ICJNeUNs\naWVudElEIiwgIm1BcHBsTG9naW5OYW1lIjogIkpNMTExMUEiLCAiYXV0aF90aW1lIjogMTQ4ODQ5MjgyMSwgIm5hbWUiOiAiQWFjY2YgQW1hciIsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0ODg0OTY4NDUsICJ0\nb2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ4ODQ5MzI0NSwgImZhbWlseV9uYW1lIjogIkFtYXIiIH0.Qadoixhd3znvnoWbwWWfDt4B3iA6ydyg4Syt8TL1pa8U8Px8hgh4UFxGsd-k1Bu14Ti3uNzX\n4WV1cZ9yyZgyQln7c2jI8CHbQen_Y_Z_diJcECDKonpCT-znx0kR4xXuDv-MTr4EyW-r3CMfnKYvIkYDVp76gJEB-dPSR3gs7AE&token_type=Bearer&expires_in=3599\n<\/pre>\n
    - id_token<\/em> can be decoded using Linux command:<\/p>\n
    echo -n \"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJ0SkJZYll3YTFmZUxBcF9jUHg2M1VBIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0vb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGllbnRJRCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiNGJmYTVlMWItMDc0My00ZmQ5LWExMWMtODE2MjMxODIyN2UwIiwgIm1BcHBsUHdkIjogIkx1Y2t5MTIzIiwgImF6cCI6ICJNeUNsaWVudElEIiwgIm1BcHBsTG9naW5OYW1lIjogIkpNMTExMUEiLCAiYXV0aF90aW1lIjogMTQ4ODQ5MjgyMSwgIm5hbWUiOiAiQWFjY2YgQW1hciIsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0ODg0OTY4NDUsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ4ODQ5MzI0NSwgImZhbWlseV9uYW1lIjogIkFtYXIiIH0.Qadoixhd3znvnoWbwWWfDt4B3iA6ydyg4Syt8TL1pa8U8Px8hgh4UFxGsd-k1Bu14Ti3uNzX4WV1cZ9yyZgyQln7c2jI8CHbQen_Y_Z_diJcECDKonpCT-znx0kR4xXuDv-MTr4EyW-r3CMfnKYvIkYDVp76gJEB-dPSR3gs7AE\"  | cut -d \".\" -f 1 | base64 -d\n\ncut -d \".\" -f 1:\n{ \"typ\": \"JWT\", \"kid\": \"SylLC6Njt1KGQktD9Mt+0zceQSU=\", \"alg\": \"RS256\" }\n\ncut -d \".\" -f 2:\n{ \"at_hash\": \"tJBYbYwa1feLAp_cPx63UA\", \"sub\": \"user.0\", \"iss\": \"https:\/\/openam.my.com:10443\/openam\/oauth2\", \"tokenName\": \"id_token\", \"given_name\": \"Aaccf\", \"nonce\": \"1234\", \"aud\": [ \"MyClientID\" ], \"org.forgerock.openidconnect.ops\": \"4bfa5e1b-0743-4fd9-a11c-8162318227e0\", \"mApplPwd\": \"Lucky123\", \"azp\": \"MyClientID\", \"mApplLoginName\": \"JM1111A\", \"auth_time\": 1488492821, \"name\": \"Aaccf Amar\", \"realm\": \"\/\", \"exp\": 1488496845, \"tokenType\": \"JWTToken\", \"iat\": 1488493245, \"family_name\": \"Amar\" }\n<\/pre>\n
    * access_token <\/em>can be used for future requests such as OpenID Connect UserInfo<\/em>:<\/p>\n
    curl -X POST -H \"Authorization: Bearer 1f7fa255-791e-490f-a35b-458bc0da5046\" -d \"\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/userinfo\n<\/pre>\n
    OpenID Token VIA OAuth2.0 Access Token endpoint<\/h2><\/span>\n
    * You can use client id\/pass AND resource owner id\/pass to obtain access_token AND OpendID's id_token all in one scoop:<\/p>\n
    curl --request POST --user \"MyClientID:Password1\" --data \"grant_type=password&username=user.0&password=Password1&scope=openid%20profile\" -k -v \"https:\/\/openam.my.com:10443\/openam\/oauth2\/access_token\"\n<\/pre>\n
    - return is in JWT format:<\/p>\n
    {\"access_token\":\"d5f79649-bbf8-46d9-ab23-4721e0e43c38\",\"scope\":\"openid profile\",\"id_token\":\"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNV\nPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJicW5teHVrdG0tbjlrY0UwQW1KaURnIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0v\nb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogIjQ0\nODgyOGZiLTUzNDQtNGE4MS1iZWM2LTk4NzMxOGY0NDk0YyIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGlt\nZSI6IDE0ODg1MDIwMDIsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NTA1NjAyLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgImlhdCI6IDE0ODg1MDIwMDIsICJmYW1p\nbHlfbmFtZSI6ICJBbWFyIiB9.GPuBCFbMYQ-Ue2DOnk3zAitOtFAOkitS8aDcaSIwYDawYS8ruZhnKxTHnCTXmenOBiURf2mxwmGs0sGRwOhjAYnFydq0LrMZeI_7tcqSMXK5h_ip9Jf95gBVOj8pg3s3xs-q4E4\nwnEkdNamQcNVa3tXQtn7ny-fQO2fZiUyYVFo\",\"token_type\":\"Bearer\",\"expires_in\":3599}\n<\/pre>\n
    - base 64 decode:<\/p>\n
    echo -n \"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICJicW5teHVrdG0tbjlrY0UwQW1KaURnIiwgInN1YiI6ICJ1c2VyLjAiLCAiaXNzIjogImh0dHBzOi8vb3BlbmFtLm15LmNvbToxMDQ0My9vcGVuYW0vb2F1dGgyIiwgInRva2VuTmFtZSI6ICJpZF90b2tlbiIsICJnaXZlbl9uYW1lIjogIkFhY2NmIiwgImF1ZCI6IFsgIk15Q2xpZW50SUQiIF0sICJvcmcuZm9yZ2Vyb2NrLm9wZW5pZGNvbm5lY3Qub3BzIjogIjQ0ODgyOGZiLTUzNDQtNGE4MS1iZWM2LTk4NzMxOGY0NDk0YyIsICJtQXBwbFB3ZCI6ICJMdWNreTEyMyIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg1MDIwMDIsICJuYW1lIjogIkFhY2NmIEFtYXIiLCAicmVhbG0iOiAiLyIsICJleHAiOiAxNDg4NTA1NjAyLCAidG9rZW5UeXBlIjogIkpXVFRva2VuIiwgImlhdCI6IDE0ODg1MDIwMDIsICJmYW1pbHlfbmFtZSI6ICJBbWFyIiB9.GPuBCFbMYQ-Ue2DOnk3zAitOtFAOkitS8aDcaSIwYDawYS8ruZhnKxTHnCTXmenOBiURf2mxwmGs0sGRwOhjAYnFydq0LrMZeI_7tcqSMXK5h_ip9Jf95gBVOj8pg3s3xs-q4E4wnEkdNamQcNVa3tXQtn7ny-fQO2fZiUyYVFo\" | cut -d \".\" -f 1 | base64 -d\n\n{ \"typ\": \"JWT\", \"kid\": \"SylLC6Njt1KGQktD9Mt+0zceQSU=\", \"alg\": \"RS256\" }\n{ \"at_hash\": \"bqnmxuktm-n9kcE0AmJiDg\", \"sub\": \"user.0\", \"iss\": \"https:\/\/openam.my.com:10443\/openam\/oauth2\", \"tokenName\": \"id_token\", \"given_name\": \"Aaccf\", \"aud\": [ \"MyClientID\" ], \"org.forgerock.openidconnect.ops\": \"448828fb-5344-4a81-bec6-987318f4494c\", \"mApplPwd\": \"Lucky123\", \"azp\": \"MyClientID\", \"mApplLoginName\": \"JM1111A\", \"auth_time\": 1488502002, \"name\": \"Aaccf Amar\", \"realm\": \"\/\", \"exp\": 1488505602, \"tokenType\": \"JWTToken\", \"iat\": 1488502002, \"family_name\": \"Amar\" }\n<\/pre>\n
    Get iPlanetDirectoryPro <\/em>from Existing Cookie<\/h2><\/span>\n
    * Here we copy iPlanetDirectoryPro <\/em>coolie value from browser where user already logged in OpenAM and use it to request access_token <\/em>and id_token <\/em>in implicit flow:<\/p>\n
    curl -X POST -H \"Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczAAivq80vg9bBWZfV5wzInKuyNq2sxhz0.*AAJTSQACMDEAAlNLABM3Nzc4MzU2MDIxMTUwMzE3NTE3AAJTMQAA*\" -H \"Content-Type: application\/x-www-form-urlencoded\" -H \"Cache-Control: no-cache\" -d \"response_type=token%20id_token&scope=openid%20profile&client_id=MyClientID&redirect_uri=https:\/\/ssoapp.my.com\/testopenid2.asp&save_consent=0&decision=Allow&nonce=1234\" -k -v https:\/\/openam.my.com:10443\/openam\/oauth2\/authorize\n<\/pre>\n
    - returned JWT token:<\/p>\n
    < Location: https:\/\/ssoapp.my.com\/testopenid2.asp#access_token=77cd2357-c737-43d0-880a-3bb8e70a060b&scope=openid%20profile&id_token=eyAidHlwIjogIkpXVCIsICJraWQi\nOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICIyeHpMeGVoQlN1UlVIZXBGUVNLcEVRIiwgInN1YiI6ICJqaWFsaSIsICJpc3MiOiAiaHR0cHM6\nLy9vcGVuYW0ubXkuY29tOjEwNDQzL29wZW5hbS9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGllbnRJRCIgXSwgIm9yZy5mb3JnZXJvY2su\nb3BlbmlkY29ubmVjdC5vcHMiOiAiZjBkMjI4ZjAtOTM3Yi00MTUyLTg0MTMtMzM0ZDk4MzNmODg2IiwgIm1BcHBsUHdkIjogIlBhc3N3b3JkMSIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFt\nZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg1MTI2NDksICJuYW1lIjogIkppbW15IExpIiwgInJlYWxtIjogIi8iLCAiZXhwIjogMTQ4ODUxNjM0OCwgInRva2VuVHlwZSI6ICJKV1RUb2tlbiIsICJp\nYXQiOiAxNDg4NTEyNzQ4LCAiZmFtaWx5X25hbWUiOiAiSmltbXkiIH0.p4YvcDm-nkzVJj0hCpu6HW1o-X0PYhWqU_d5iLJYTwaWGXnI7IwDxiREvD4dkyu_-9noq79qIGjS-8dJgQmftwI5_bMs5nLNPl_U38IY\ndoWjYKlDuRBK2nIqlKoViLzGdxgZnVdcIplUFMTvoV4dHq5HLKGWFv6iWvg0tvAPG4A&token_type=Bearer&expires_in=3599\n<\/pre>\n
    - base 64 decode:<\/p>\n
    echo -n \"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJhbGciOiAiUlMyNTYiIH0.eyAiYXRfaGFzaCI6ICIyeHpMeGVoQlN1UlVIZXBGUVNLcEVRIiwgInN1YiI6ICJqaWFsaSIsICJpc3MiOiAiaHR0cHM6Ly9vcGVuYW0ubXkuY29tOjEwNDQzL29wZW5hbS9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgIm5vbmNlIjogIjEyMzQiLCAiYXVkIjogWyAiTXlDbGllbnRJRCIgXSwgIm9yZy5mb3JnZXJvY2sub3BlbmlkY29ubmVjdC5vcHMiOiAiZjBkMjI4ZjAtOTM3Yi00MTUyLTg0MTMtMzM0ZDk4MzNmODg2IiwgIm1BcHBsUHdkIjogIlBhc3N3b3JkMSIsICJhenAiOiAiTXlDbGllbnRJRCIsICJtQXBwbExvZ2luTmFtZSI6ICJKTTExMTFBIiwgImF1dGhfdGltZSI6IDE0ODg1MTI2NDksICJuYW1lIjogIkppbW15IExpIiwgInJlYWxtIjogIi8iLCAiZXhwIjogMTQ4ODUxNjM0OCwgInRva2VuVHlwZSI6ICJKV1RUb2tlbiIsICJpYXQiOiAxNDg4NTEyNzQ4LCAiZmFtaWx5X25hbWUiOiAiSmltbXkiIH0.p4YvcDm-nkzVJj0hCpu6HW1o-X0PYhWqU_d5iLJYTwaWGXnI7IwDxiREvD4dkyu_-9noq79qIGjS-8dJgQmftwI5_bMs5nLNPl_U38IYdoWjYKlDuRBK2nIqlKoViLzGdxgZnVdcIplUFMTvoV4dHq5HLKGWFv6iWvg0tvAPG4A\" | cut -d \".\" -f 1 | base64 -d\n\n{ \"typ\": \"JWT\", \"kid\": \"SylLC6Njt1KGQktD9Mt+0zceQSU=\", \"alg\": \"RS256\" }\n{ \"at_hash\": \"2xzLxehBSuRUHepFQSKpEQ\", \"sub\": \"jiali\", \"iss\": \"https:\/\/openam.my.com:10443\/openam\/oauth2\", \"tokenName\": \"id_token\", \"nonce\": \"1234\", \"aud\": [ \"MyClientID\" ], \"org.forgerock.openidconnect.ops\": \"f0d228f0-937b-4152-8413-334d9833f886\", \"mApplPwd\": \"Password1\", \"azp\": \"MyClientID\", \"mApplLoginName\": \"JM1111A\", \"auth_time\": 1488512649, \"name\": \"Jimmy Li\", \"realm\": \"\/\", \"exp\": 1488516348, \"tokenType\": \"JWTToken\", \"iat\": 1488512748, \"family_name\": \"Jimmy\" }\n<\/pre>\n
    References<\/h2><\/span>\n
    * OpenID Connect - Curl Commands<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
    Authorization Flow * First, we authenticate the user, e.g. user.0. – once authenticated, we can use the iPlanetDirectoryPro cookie value instead of username and password curl -X POST -H “X-OpenAM-Username: user.0” -H “X-OpenAM-Password: Password1” -H “Content-Type: application\/json” -d “” -k … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_exactmetrics_skip_tracking":false,"_exactmetrics_sitenote_active":false,"_exactmetrics_sitenote_note":"","_exactmetrics_sitenote_category":0,"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":false,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[203],"tags":[756,721,726],"class_list":["post-11985","post","type-post","status-publish","format-standard","hentry","category-openidm","tag-curl","tag-openam","tag-openid"],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p8cRUO-37j","_links":{"self":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11985","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=11985"}],"version-history":[{"count":4,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11985\/revisions"}],"predecessor-version":[{"id":12363,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=\/wp\/v2\/posts\/11985\/revisions\/12363"}],"wp:attachment":[{"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=11985"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=11985"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/jianmingli.com\/wp\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=11985"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}