IBM Security Verify

IBM Cloud Identity User Profile and Password Management Using ROPC and IBM Cloud API

By Tushar Prasad posted Tue October 15, 2019 11:24 AM


Use Case:

The customer has a requirement to let users sign in, change their password and retrieve their profile information, with the customer's own application handling the user's password directly.

What is ROPC?

The Resource Owner Password Credentials (ROPC) grant allows the customer's application to sign the user in or change the user's password by collecting the user's password directly.

Configuration

Step 1  Creating an IBM Cloud Identity custom application

1.1  Log in to the IBM Cloud Identity Admin console

1.2  Add a custom application

1.3  Fill in the General tab

1.6

1.7

The SSO tab is complete

1.8  Go to the API Access tab. I enabled all APIs; you can restrict access by selecting specific ones

Save

1.9  Make a note of the Client ID and Client secret; they will be used in the API calls that follow



2  Using APIs

2.1 Get the access token

2.2 Note the parameters being passed: the body is form-encoded and grant_type=password

curl -X POST --header 'Content-Type: application/x-www-form-urlencoded' --header 'Accept: application/json' -d 'username=xx&password=xxx&client_id=xxx7-146b-4fa7-affd-1c0d1398c86a&client_secret=xxxx&grant_type=password&scope=openid' 'https://xxx.ice.ibmcloud.com:443/v1.0/endpoint/default/token'

Response

 

{"access_token":"MJKcEKhkrv67U0TrrO6OkLpFvPn6PvK2S0p4J2fE","refresh_token":"v5T4WCe0GZsmFvqh7WdqGPZJCDWYwhqZsIIVoeqz45dc5lILEX","scope":"openid","grant_id":"8c5922ef-7b4d-4755-b4d0-ea5782e003e8","id_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6InNlcnZlciJ9.eyJydF9oYXNoIjoiel8zaVV5SnhzM0RScUZkNndoMTBDUSIsInVzZXJUeXBlIjoicmVndWxhciI

2.3 Use the access token from the previous response as the Bearer token in the next call to get the user's information

API: /v2.0/Me

curl -X GET --header 'Content-Type: application/json' --header 'Accept: application/scim+json' -H 'Authorization: Bearer MJKcEKhkrv67U0TrrO6OkLpFvPn6PvK2S0p4J2fE' https://tphost.ice.ibmcloud.com:443/v2.0/Me

Response

 

{"emails":[{"type":"work","value":"tushar.xxxx"}],"meta":{"created":"2019-04-15T07:44:21Z","location":"https://xxxt.ice.ibmcloud.com/v2.0/Users/6400000PU9","lastModified":"2019-09-04T03:40:52Z","resourceType":"User"},"schemas":["urn:ietf:params:scim:schemas:core:2.0:User","urn:ietf:params:scim:schemas:extension:ibm:2.0:User"],"name":{"formatted":"testtp1 testtp1","familyName":"testtp1","givenName":"testtp1"},"urn:ietf:params:scim:schemas:extension:ibm:2.0:User":{"userCategory":"regular","twoFactorAuthentication":false,"realm":"cloudIdentityRealm","pwdChangedTime":"2019-05-20T13:41:54Z"},"groups":[{"displayName":"application owners","id":"6400000PU3","$ref":"https://tphost.ice.ibmcloud.com/v2.0/Groups/6400000PU3"}],"active":true,"id":"6400000PU9","userName":"testtp1","phoneNumbers":[{"type":"mobile","value":"xxxx"}]}

2.4 Change the user's password

A few notes:

The request body must be in the following JSON format. The schemas list names both the IBM ChangePassword schema and the Notification extension, and the Notification object controls who is emailed about the change:

{
   "newPassword": "usernewpassword",
   "currentPassword": "current password",
   "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
     "notifyType": "EMAIL",
     "notifyPassword": true,
     "notifyManager": true
   },
   "schemas": [
     "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification",
     "urn:ietf:params:scim:schemas:ibm:core:2.0:ChangePassword"
   ]
}

Actual command

curl -X POST --header 'Content-Type: application/scim+json' --header 'Accept: application/scim+json' -H 'Authorization: Bearer xxxEKhkrv67U0TrrO6OkLpFvPn6PvK2S0p4xxx' \
-d '{
   "newPassword": "xxxx",
   "currentPassword": "xxxx",
   "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
     "notifyType": "EMAIL",
     "notifyPassword": true,
     "notifyManager": true
   },
   "schemas": [
     "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification",
     "urn:ietf:params:scim:schemas:ibm:core:2.0:ChangePassword"
   ]
 }' https://tphost.ice.ibmcloud.com:443/v2.0/Me/password

An email notification will be sent to the user (and, with notifyManager set, to the manager).
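The three calls above (ROPC token request, GET /v2.0/Me, POST /v2.0/Me/password) as an added example written for this post in Python's standard library; it is not code from the original post or from IBM. The tenant host, client ID and client secret are constructed placeholders, and the `opener` parameter is an assumption that lets the requests be checked without a live tenant.

```python
import json
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed placeholders (assumptions): use your tenant host and the step 1.9 values.
TENANT = "https://tenant.ice.ibmcloud.com"
CLIENT_ID = "client-id-from-api-access-tab"
CLIENT_SECRET = "client-secret-from-api-access-tab"
SCIM = "application/scim+json"

def send(req, opener=urlopen):
    """Send req, return (status, JSON body); 4xx/5xx are returned so the error document can be read."""
    try:
        with opener(req) as resp:
            raw = resp.read().decode()
            return resp.status, json.loads(raw) if raw else {}
    except HTTPError as err:
        raw = err.read().decode()
        return err.code, json.loads(raw) if raw else {}

def get_token(username, password, opener=urlopen):
    """Step 2.1: ROPC grant. Body is form-encoded (not JSON) with grant_type=password."""
    form = urlencode({"username": username, "password": password,
                      "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET,
                      "grant_type": "password", "scope": "openid"}).encode()
    req = Request(f"{TENANT}/v1.0/endpoint/default/token", data=form, method="POST",
                  headers={"Content-Type": "application/x-www-form-urlencoded",
                           "Accept": "application/json"})
    status, doc = send(req, opener)
    if status != 200 or "access_token" not in doc:
        # a wrong password comes back as an OAuth error document (e.g. invalid_grant): surface it
        raise PermissionError(f"token request failed: HTTP {status} {doc.get('error')}")
    return doc["access_token"]

def scim(path, token, opener=urlopen, body=None):
    """Steps 2.3/2.4: /v2.0/... call with the ROPC token as Bearer; GET, or POST if body given."""
    data = json.dumps(body).encode() if body is not None else None
    req = Request(f"{TENANT}{path}", data=data, method="POST" if data else "GET",
                  headers={"Authorization": f"Bearer {token}",
                           "Accept": SCIM, "Content-Type": SCIM})
    return send(req, opener)

def change_password_body(current, new):
    """Body for POST /v2.0/Me/password, with the IBM Notification extension as in the post."""
    return {"schemas": ["urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification",
                        "urn:ietf:params:scim:schemas:ibm:core:2.0:ChangePassword"],
            "currentPassword": current, "newPassword": new,
            "urn:ietf:params:scim:schemas:extension:ibm:2.0:Notification": {
                "notifyType": "EMAIL", "notifyPassword": True, "notifyManager": True}}
```

Because the client secret and the user's password travel in the same request, keep CLIENT_SECRET out of source control and treat a failed token call as a reason to stop, not to retry in a loop.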


This completes the use case: using ROPC to authenticate the user, get the user's information and change the password.

In summary, three use cases through ROPC:

  1. Authenticate the user, using ROPC and the IBM Cloud Identity API
  2. Get user information
  3. Change the user's password

 

 

 

Tushar Prasad is an Identity and Access Management Specialist and part of the WW L2 Team. He has over 10 years' experience in Identity and Access Management, covering consulting, support, deployment and implementation of IBM Identity and Access solutions.

Email: tushar.prasad@ibm.com





