Dear community members,
I have successfully configured the com.ibm.ws.security.oidc.client.RelyingParty interceptor for my Spring Boot web application, and the authentication works seamlessly.
When I try to access a protected resource that is not included in the excludedPath filter, I am redirected to the Microsoft login page. After entering the credentials and upon successful authentication, I am redirected back to the requested resource as an authenticated user.
Now, I want to configure almost the same with another Spring boot application but it does nor have frontend part it is just a REST API and no user interaction, meaning that redirection to the Microsoft login page is not an acceptable option. It should be done programmatically and I imagine the following steps:
- User calls unprotected https://hostname/v1/api/token , providing username and password (azure app registration is created with ROPC) and WebSphere returns LtpaToken2 cookie
- Users calls a protected url https://hostname/v1/api/getCaseList providing the Ltpa2Token cookie got from the previous call
How should be configured the OIDC to handle above requests ? I would like to avoid user interaction of passing usr/pass in webform, The credentials will be provided in the body and authentication against Azure will be done by the username and password provided by the user and clientId and secret configured in the TAI.
Currently I have the following configuration in my interceptor:
Thank you very much for your support!
------------------------------
Petre Petreski
------------------------------