By: Julien Chezeaux user 30 Jun 2020 at 2:55 p.m. CDT

5 Responses
Hello, I'm trying to use the oxTrust REST API described [here](https://gluu.org/docs/gluu-server/api-guide/oxtrust-api). I had success adding an OpenID Scope and changing some attributes. However, I'm currently stuck with 3 API requests:

- Changing the SMTP configuration with /api/v1/configuration/smtp. All the configuration is correct, except the password, which is not defined (it is displayed as "blank field" when I access the SMTP configuration through the web interface).
- Creating an OpenID client with /api/v1/clients. The client can be created, but without a secret (also displayed as a blank field in the web interface). It seems that it expects an "encodedClientSecret", but how is it encoded?
- Creating a user with /api/v1/users. The user can be created, but how can I add other "gluuPerson" attributes?

In these 3 API requests, I get a 200 or 201 response, and the object is created or modified, but not fully. This leads me to some more general questions:

- Do I use the right APIs? I chose the oxTrust API because it seemed to be the most complete in the doc (it can alter system configuration, OpenID configuration, and manage internal LDAP users). The point is not to have either a too complex API (I'm currently scripting with bash, meaning I don't have access to a complete client library to use a complex API), or to have to manage different API systems for different tasks.
- Did I miss some documentation? I checked the official doc mentioned, this support portal, and dove into the source code of oxTrust, oxTrust-API and oxCore, but I still can't make this work. I also went playing with /opt/opendj/bin/encode-password but realized that the SMTP config stored in LDAP was not using any of the supported schemes...
- Do you offer other ways to automate the setup of a Gluu system? The goal is to integrate Gluu into our Dockerized application. I've already replaced the reverse proxy with ours, and managed to distribute the HTTPS certificates to oxTrust/oxAuth...

Getting a functional Gluu system is OK for our basic authentication needs (for now), but automating the installation to be able to deploy an instance of our application in seconds is another thing! So I'd be glad to get your view on this topic (both on the details and the general approach). Thanks.

By Michael Schwartz Account Admin 05 Jul 2020 at 4:01 p.m. CDT

Maybe you should set up a call to discuss your requirements. This sounds like a project for a commercial customer. Gluu is a business, not a charity for large organizations who want free software and free technical support. We'd be happy to chat, and if there is a potential business opportunity, we can assign your questions to an engineer. If there is no business opportunity, and you just want "free", then I suggest you read the docs and code on GitHub, and post your answers here so others in the community can benefit in the future.

By Julien Chezeaux user 06 Jul 2020 at 5:06 a.m. CDT

OK, I've scheduled a meeting to discuss the business opportunity.

By Michael Schwartz Account Admin 06 Jul 2020 at 10:36 a.m. CDT

I see it. Thanks for scheduling.

By Michael Schwartz Account Admin 08 Jul 2020 at 9:27 a.m. CDT

1. For user management you need [SCIM](https://tools.ietf.org/html/rfc7644#section-3.2). For example: https://your-server/identity/restv1/scim/v2/Users. You can see the SCIM endpoints on the config URL: https://your-server/.well-known/scim-configuration. There is a [node client](https://github.com/GluuFederation/SCIM-Node). Also, please read the docs: [https://gluu.org/docs/gluu-server/4.1/user-management/scim2/](https://gluu.org/docs/gluu-server/4.1/user-management/scim2/)
2. My recommendation is not to use the built-in password reset. The risk of privilege escalation is too high. For example, if there is an attack against `/identity` and the hacker can escalate privilege, then the hacker could configure the OpenID or SAML components. First, you could build your own reset mechanism and use SCIM to set the data. Second, there is a [registration](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/registration) and a [forgot password](https://github.com/GluuFederation/oxAuth/tree/master/Server/integrations/forgot_password) custom authn script you can look at. For example, when you send an [OpenID Authn Request](https://openid.net/specs/openid-connect-core-1_0.html#AuthRequest), use the `acr_values` param, which corresponds to the name of the script.
3. I think oxAuth has an SMTP server also. It might not have an API for config in oxTrust, in which case you could also write the config using LDIF and an ldapmodify command.
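
Editor's note: the post above points at SCIM for user management and mentions that custom "gluuPerson" attributes are the sticking point. The block below is an added example (not code from the thread, from the SCIM-Node client, or from Gluu) showing how a SCIM 2.0 create-user request is put together per RFC 7643/7644: the core User resource, a schema extension for the custom attributes (an extension only counts when its URN is also listed in `schemas`), the bearer-token POST, and the 201 / 409 `uniqueness` / 401 outcomes. Python is used because Gluu's own setup tooling is Python. Assumptions: the Users endpoint path is the one quoted in the post; the extension URN `urn:ietf:params:scim:schemas:extension:gluu:2.0:User` and the attribute name `scimCustomFirst` are what Gluu 4.x documents but should be checked against your server's `/Schemas` resource; obtaining the access token is out of scope; `FakeScimServer` is an in-memory stand-in constructed here so the example runs offline.

```python
import json
import urllib.error
import urllib.request

CORE_USER = "urn:ietf:params:scim:schemas:core:2.0:User"
SCIM_ERROR = "urn:ietf:params:scim:api:messages:2.0:Error"
# ASSUMPTION: Gluu's custom attributes live under this extension URN (Gluu 4.x docs).
# Confirm by fetching the /Schemas resource under your SCIM root before relying on it.
GLUU_EXT = "urn:ietf:params:scim:schemas:extension:gluu:2.0:User"


def build_user(user_name, given, family, email, password=None, custom=None):
    """Build an RFC 7643 User resource; extra (Gluu) attributes go in the extension."""
    user = {
        "schemas": [CORE_USER],
        "userName": user_name,
        "name": {"givenName": given, "familyName": family},
        "displayName": f"{given} {family}",
        "emails": [{"value": email, "primary": True, "type": "work"}],
        "active": True,
    }
    if password is not None:
        user["password"] = password  # write-only: a conforming server never echoes it
    if custom:
        # An extension is only honoured when its URN is also listed in "schemas".
        user["schemas"].append(GLUU_EXT)
        user[GLUU_EXT] = dict(custom)
    return user


def _urllib_send(method, url, headers, body):
    """Real transport: returns (status, raw_body) and does not raise on 4xx/5xx."""
    req = urllib.request.Request(url, data=body, method=method, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=15) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


def create_user(users_endpoint, access_token, user, send=_urllib_send):
    """POST a User and return (status, parsed_json). `send` is injectable for tests."""
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/scim+json",
        "Accept": "application/scim+json",
    }
    status, raw = send("POST", users_endpoint, headers, json.dumps(user).encode())
    return status, (json.loads(raw) if raw else {})


def classify(status, parsed):
    """201 -> 'created'; SCIM error document -> 'error:<scimType>'; else 'unexpected:<status>'."""
    if status == 201:
        return "created"
    if SCIM_ERROR in parsed.get("schemas", []):
        return f"error:{parsed.get('scimType', status)}"
    return f"unexpected:{status}"


class FakeScimServer:
    """Constructed in-memory stand-in so the example runs offline.

    It checks the bearer token, enforces userName uniqueness with the 409
    'uniqueness' error that RFC 7644 section 3.12 prescribes, and strips the
    password from the stored/returned resource, as a real server must.
    """

    def __init__(self, token):
        self.token = token
        self.users = {}

    def send(self, method, url, headers, body):
        if headers.get("Authorization") != f"Bearer {self.token}":
            return 401, b""
        user = json.loads(body)
        if user["userName"] in self.users:
            err = {"schemas": [SCIM_ERROR], "status": "409",
                   "scimType": "uniqueness", "detail": "userName already taken"}
            return 409, json.dumps(err).encode()
        stored = {k: v for k, v in user.items() if k != "password"}
        stored["id"] = f"user-{len(self.users) + 1}"
        self.users[user["userName"]] = stored
        return 201, json.dumps(stored).encode()


if __name__ == "__main__":
    server = FakeScimServer("demo-token")
    endpoint = "https://idp.example.org/identity/restv1/scim/v2/Users"
    jane = build_user("jdoe", "Jane", "Doe", "jdoe@example.org",
                      password="correct horse", custom={"scimCustomFirst": "ops"})
    print(classify(*create_user(endpoint, "demo-token", jane, send=server.send)))
    print(classify(*create_user(endpoint, "demo-token", jane, send=server.send)))
```

Against a real Gluu server, drop the `send=` argument so `_urllib_send` is used, and treat anything other than `created` as a failure in your provisioning script; in particular a `409 uniqueness` means the userName already exists and the right follow-up is a PATCH/PUT, not a retry of the POST.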

By Julien Chezeaux user 16 Apr 2021 at 6:40 a.m. CDT

Thanks Michael for your time last year. Just as a follow-up:

- I was able to use the [pyDes.py](https://github.com/GluuFederation/community-edition-setup/blob/master/pylib/pyDes.py) script for encrypting the needed items in the Gluu configuration (OIDC client secrets, Gluu SMTP password, ...).
- The Gluu server API is too limited for user management; we are using SCIM as you suggested, with a node client.
- For backup and restore we are using LDIF files and the ldapmodify command, which works great (combined with pyDes.py for properties that need encrypted content).

So thanks for your help!
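
Editor's note: the follow-up above settles on LDIF files fed to ldapmodify for restoring configuration. The block below is an added example (not code from the thread or from Gluu) of generating an RFC 2849 `changetype: modify` record correctly, which is where hand-written LDIF usually goes wrong: values that start with a space, colon or `<`, contain newlines or non-ASCII bytes, or end with a space must be written as `attr:: <base64>`, and lines longer than 76 characters must be folded with a leading space on each continuation line. Assumptions: the DN and the attribute name `oxAuthClientSecret` follow Gluu 4's LDAP layout and should be checked against your directory; Gluu's own obscuring of secrets (the pyDes-based step mentioned above) is not reproduced here, so the value you pass for such attributes is the already-obscured string it produced.

```python
import base64

# RFC 2849: the first byte of a clear-text value (SAFE-INIT-CHAR) may not be
# NUL, LF, CR, SPACE, ':' or '<'; later bytes (SAFE-CHAR) may not be NUL, LF or CR.
# Anything outside US-ASCII (byte >= 0x80) forces base64 as well.
_SAFE_INIT = set(range(0x01, 0x80)) - {0x0A, 0x0D, 0x20, 0x3A, 0x3C}
_SAFE_CHAR = set(range(0x01, 0x80)) - {0x0A, 0x0D}


def needs_base64(value: bytes) -> bool:
    """True when LDIF cannot carry the value in clear text and 'attr:: <base64>' is required."""
    if not value:
        return False
    if value[0] not in _SAFE_INIT or any(b not in _SAFE_CHAR for b in value[1:]):
        return True
    return value.endswith(b" ")  # a trailing space SHOULD be base64-encoded (RFC 2849)


def fold(line: str, width: int = 76) -> str:
    """Fold one logical LDIF line; every continuation line begins with a single space."""
    pieces = [line[:width]]
    rest = line[width:]
    while rest:
        pieces.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(pieces)


def attr_line(name: str, value) -> str:
    """Render 'name: value' or 'name:: base64(value)', folded, as LDIF requires."""
    raw = value if isinstance(value, bytes) else str(value).encode("utf-8")
    if needs_base64(raw):
        return fold(f"{name}:: {base64.b64encode(raw).decode('ascii')}")
    return fold(f"{name}: {raw.decode('ascii')}")


def modify_replace(dn: str, changes: dict) -> str:
    """Build one 'changetype: modify' record that replaces each attribute in `changes`.

    `changes` maps attribute name -> list of values; an empty list removes the attribute.
    Each replace block is terminated by the mandatory '-' line.
    """
    lines = [attr_line("dn", dn), "changetype: modify"]
    for attr, values in changes.items():
        lines.append(f"replace: {attr}")
        lines.extend(attr_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # ASSUMPTION: DN and attribute name follow Gluu 4's LDAP layout; verify in your directory.
    # The secret value is whatever Gluu's pyDes-based obscure step produced, passed in as-is.
    print(modify_replace(
        "inum=EXAMPLE-CLIENT,ou=clients,o=gluu",
        {"oxAuthClientSecret": ["OBSCURED-VALUE-FROM-PYDES"],
         "description": [" restored from backup "]},
    ))
```

Write the returned string to a file and apply it with the OpenDJ tools shipped under /opt/opendj/bin, for example `ldapmodify -h localhost -p 1636 -Z -X -D "cn=Directory Manager" -j /path/to/bind-password-file -f change.ldif` (read the bind password from a file rather than passing it on the command line, where it would be visible in the process list). Keep the generated LDIF files out of source control: once a secret has been written into one they are as sensitive as the directory itself.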