It’s not that well known, but OpenAM has a REST interface for login/logging/authorization and also for basic identity management. This post describes the IDM functionality of the REST API: creating, updating and deleting users in the DataStores.
When you google the term ‘OpenAM REST’, you won’t find much, because it’s not a really well documented part of OpenAM, but if you google hard enough you will find this link to Docteger’s blog. That post is just GREAT, everything in one place, but it’s missing the answer to the ‘how-can-I-handle-realms-with-this’ type of question. So here is the result of a few hours of reading IdentityServicesImpl:
https://<FQDNSSO>/openam/identity/create?identity_name=username&identity_realm=/&identity_type=user&identity_attribute_names=cn&identity_attribute_values_cn=MyNewCn&identity_attribute_names=userPassword&identity_attribute_values_userPassword=password
The password needs to be at least 8 characters long by default; if you want to change this, read this mail.
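An added example (not from the original post and not OpenAM's own code): a Python helper that builds the parameter string for the create call above, percent-encoding every value so that a name or attribute containing '&' or '=' cannot add parameters of its own. The function names and the sample host are assumptions; the parameter names are the ones in the URL above.

```python
from urllib.parse import urlencode

MIN_PASSWORD_LEN = 8  # default minimum mentioned in the post


def build_create_params(name, attributes, realm="/", identity_type="user"):
    """Return the percent-encoded parameters for /identity/create.

    Every attribute is sent as a pair of parameters:
    identity_attribute_names=<attr> and identity_attribute_values_<attr>=<value>.
    """
    password = attributes.get("userPassword")
    if password is not None and len(password) < MIN_PASSWORD_LEN:
        raise ValueError("userPassword is shorter than %d characters" % MIN_PASSWORD_LEN)
    params = [
        ("identity_name", name),
        ("identity_realm", realm),
        ("identity_type", identity_type),
    ]
    for attr, value in attributes.items():
        params.append(("identity_attribute_names", attr))
        params.append(("identity_attribute_values_" + attr, value))
    # urlencode escapes '&', '=', '/', spaces and non-ASCII characters, so a
    # value is always read back as one value and never as extra parameters.
    return urlencode(params)


def build_create_url(base, name, attributes, realm="/"):
    """Join the OpenAM base URL (hypothetical here) with the encoded query."""
    return base.rstrip("/") + "/identity/create?" + build_create_params(
        name, attributes, realm)


if __name__ == "__main__":
    # Constructed sample input; sso.example.com is a placeholder host.
    print(build_create_url("https://sso.example.com/openam", "username",
                           {"cn": "MyNewCn", "userPassword": "password"}))
```

The same string can be used as the query part of the URL or, assuming the endpoint accepts form-encoded POST requests, as the request body, which keeps the password out of the URLs written to access logs.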
You can use the attributes_names parameter to ask for specific attributes of the given identity.
Here you only have to add the parameters that are actually changed to the query.
If you want to change the password like this, then you need an authenticated admin token, since the user can’t (always?) update its own password.
There’s no real gotcha here; you just have to specify that the item to delete is actually a user.
This is great and everything, but you can’t do any of this without logging in and searching for the user, so here are those calls too:
Note the %3D (‘=’) and %26 (‘&’) characters; they are URL-encoded because together they form a single value for the ‘uri’ param.
With a dirty hack you can also pass OR filters in the filter, as the previous URL shows.
The REST interface is great and FAST, so use it whenever you have the chance. The only problem with it is the weird parameter handling: one time it’s ‘identity_name’, another time it’s ‘username’, so you’re probably going to need a few parsers to use it, but I think it’s worth it. If I heard right, it’s going to use JSON-format parameters in the future, so it’s going to be much better. 🙂