0

I am playing around with the App ID implementation using the Node.js SDK and I am currently trying to fetch an ApplicationIdentityToken via the TokenManager. Below is my code snippet.

The tokenManager.getApplicationIdentityToken() gives you a valid token, but the problem I am facing is that whenever I pass this token to userProfileManager.getUserInfo(token), it gives me an UnauthorizedException.

I have stripped down the entire code and created a small function just to test the fetching of token and verifying it with the userProfileManager.getUserInfo function.

Note: Please ignore the antipattern; it is just for providing the code snippet.

const userProfileManager = require('ibmcloud-appid').UserProfileManager;

userProfileManager.init({
  oauthServerUrl: process.env.APPID_URL,
  profilesUrl: process.env.APPID_PROFILES_URL,
});

const config = {
  tenantId: process.env.TENANT_ID,
  clientId: process.env.CLIENT_ID,
  secret: process.env.CLIENT_SECRET,
  oauthServerUrl: process.env.APPID_URL,
  profilesUrl: process.env.APPID_PROFILES_URL,
};

let token = '';

const { TokenManager } = require('ibmcloud-appid');

const tokenManager = new TokenManager(config);

const getAppIdentityToken = async () => {
  try {
    // Fetch a token through the application identity flow.
    const appIdAuthContext = await tokenManager.getApplicationIdentityToken();
    console.log(` Access tokens from SDK : ${JSON.stringify(appIdAuthContext)}`);
    token = appIdAuthContext.accessToken;

    // Pass that token to the user profile API; this is the call that fails.
    const data = await userProfileManager.getUserInfo(token);
    console.log(data);
  } catch (err) {
    console.error(err);
  }
};

exports.getAppIdentityToken = getAppIdentityToken;

2 Answers

0

I believe there is some confusion.

  1. AppID is an IBM Cloud service and you can manage the service as a user of IBM Cloud. This requires that you are logged in or have an API key or access token.

  2. Then, AppID is able to manage users and access. For that, there are self-service actions as well as access tokens for working with an app or other resources.

It seems to me that you generated a token for 2), but are performing the user profile access, which requires an IAM token.

data_henrik
0

TokenManager is used for Custom Identity or Application Identity flows. Application Identity flows are for app-to-app communication (i.e. client_credentials grant type). Getting the user info is user-to-app communication (e.g. authorization_code grant type) so you need a user's access token. You can get that token from the session, provided that the user is logged in:

accessToken = req.session[WebAppStrategy.AUTH_CONTEXT].accessToken;

See the SDK's README for more details: https://github.com/ibm-cloud-security/appid-serversdk-nodejs#manage-user-profile

What is your use case? You may not need to make this additional request using UserProfileManager. You can find the user info in the identity token, and can add additional information to the token using custom claims mapping: https://cloud.ibm.com/docs/appid?topic=appid-customizing-tokens
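The app-token versus user-token distinction from the answer above, as an added example that is not part of the original posts or of the SDK: a local guard that classifies an access token before it is handed to getUserInfo. The function names, the sample tokens, and the rule that a client_credentials token carries the client ID in its `sub` claim are assumptions made for this sketch.

```javascript
// Added example: diagnostic only. The payload is decoded WITHOUT signature
// verification, so the result must not drive an authorization decision.
function decodeJwtPayload(token) {
  const parts = typeof token === 'string' ? token.split('.') : [];
  if (parts.length !== 3) return null;
  try {
    // JWT segments are base64url; map to standard base64 before decoding.
    const b64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    const claims = JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
    return claims && typeof claims === 'object' ? claims : null;
  } catch (err) {
    return null;
  }
}

// Assumption: a client_credentials (app-to-app) token carries the client ID
// as `sub`, while a user token carries a user identifier there.
function classifyAccessToken(token, clientId) {
  const claims = decodeJwtPayload(token);
  if (!claims || typeof claims.sub !== 'string') return 'malformed';
  return claims.sub === clientId ? 'application' : 'user';
}

// Fail fast with a clear message instead of a bare UnauthorizedException.
function requireUserToken(token, clientId) {
  const kind = classifyAccessToken(token, clientId);
  if (kind !== 'user') {
    throw new Error(`getUserInfo needs a user access token, got: ${kind}`);
  }
  return token;
}

// Constructed, unsigned sample tokens (every value is a placeholder).
const seg = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const makeSample = (claims) => `${seg({ alg: 'none' })}.${seg(claims)}.sig`;

const CLIENT_ID = 'example-client-id';
const appToken = makeSample({ sub: CLIENT_ID });
const userToken = makeSample({ sub: 'example-user-id' });

console.log(classifyAccessToken(appToken, CLIENT_ID));  // application
console.log(classifyAccessToken(userToken, CLIENT_ID)); // user
```

Calling requireUserToken on the token before getUserInfo turns the opaque 401 into an error that names the wrong token type.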