AEM as OAuth Server – Part 2 – Testing OAuth

In the previous blog we looked at how to set up scopes and what other configuration is needed once an OAuth client has been set up in AEM.

In this blog, we will look at how to test that OAuth client setup using Postman.

Configurations needed in the AEM server to accept POST requests from outside.

This is done for testing purposes only. This configuration must not be applied to any production environment, since it opens the AEM server to POST requests from any origin and removes its CSRF protection. In normal environments this is controlled through the safe user agents and allowed hosts lists of the two filters below. Here we are simply opening up the server to accept POSTs so we can check whether our OAuth client setup is working.

To do that, open these two OSGi configurations in the Web Console (/system/console/configMgr): the Apache Sling Referrer Filter and the Adobe Granite CSRF Filter. In each of them remove "POST" from the list of filtered methods and save.



This step is needed because the OAuth token request is a POST request, and for Postman to make that call successfully the AEM server has to accept it. Postman sends neither a Referer header nor a CSRF token, which is exactly what these two filters check on POST requests, so with the default settings the call would be rejected before it ever reached the OAuth servlet.
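The same test-only relaxation as OSGi configuration files instead of Web Console edits, added here as an example and not part of the original post. Keeping the files under a run mode folder that is only active on a developer instance makes it much harder to promote this change to production by accident; the folder name config.local and the project name are assumptions, and the lists keep only PUT and DELETE as an illustration (drop POST from whatever list your instance currently has). The comment line above each fragment gives the file name, which is the configuration PID, and is not part of the file itself.

```text
# /apps/<your-project>/config.local/org.apache.sling.security.impl.ReferrerFilter.config
filter.methods=["PUT","DELETE"]

# /apps/<your-project>/config.local/com.adobe.granite.csrf.impl.CSRFFilter.config
filter.methods=["PUT","DELETE"]
```

Once testing is finished, delete the files (or switch run modes) so the filters go back to protecting POST.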

Using the out-of-the-box OAuth 2.0 setup in Postman

Create a new request in Postman for one of the protected endpoints, for example /bin/oauth/sample/one. The servlet for this endpoint is available in the previous blog.

Try this request without any login or authorization. It should return the login page, as shown below.

Now, under Authorization, choose OAuth 2.0 and fill in the following:

Callback URL :

Token Name : new-token

Auth URL : http://localhost:4504/oauth/authorize

Access Token URL : http://localhost:4504/oauth/token

Client Id : taken from the OAuth client that was set up in AEM

Client Secret : taken from the same OAuth client

Scope : whatever scopes were set up, for example sampleScopeOne%20sampleScopeTwo. Note that multiple scopes are separated by a space, which is URL-encoded as %20.

Grant Type : Authorization Code

On clicking the Get New Access Token button, Postman first opens the AEM authorization screen, which prompts the user to accept the access. If the user is not logged in to AEM it asks for a login first and then shows the authorization screen. After the user clicks Accept, a new token entry appears in Postman.

Postman offers to add the token either to the URL or to a header. AEM's OAuth implementation accepts the token only in the Authorization header, not as a URL parameter (which is also the safer place for it, since query strings end up in access logs and browser history).

On clicking "Use Token", the returned token is added to the request headers as Authorization: Bearer followed by the token. Sometimes the token is not added properly and the header reads "Bearer undefined", as shown below; in that case we have to test it manually, as described in the step-by-step section further down.

Once the bearer token is in the Authorization header, call the sample-one scope endpoint again. It should now let the user through.

Testing Step by Step.

In case Postman does not add the generated access token to the header properly, we can make the authorization call and the token call manually.

Call the authorization URL

First we call the authorization URL, passing the standard authorization-code parameters (response_type=code, client_id, redirect_uri and the requested scope). This is a GET call.


This opens the authorization page (if the user is not logged in, it first prompts for a login and then shows the authorization page). After clicking Accept, AEM redirects to the redirect URL with the authorization code appended. The response would look like this:

The value of the code= parameter is our authorization code.

This authorization code is itself a JSON Web Token, so it can be decoded with any JWT decoder to inspect its claims:

This is a sample where we have pasted the JWT from the previous URL:


Note the cty (category) claim: its value code marks this as an authorization code and not an access token (an access token carries at there instead).

Call the access token URL

The request to the access token URL is a POST request and can be made through Postman. The parameters are sent as request parameters (form fields in the POST body).

This is a sample:

URL : http://localhost:4504/oauth/token

grant_type : authorization_code

code : the authorization code returned by the previous call. In this case :


redirect_uri : (the same redirect URI that was used in the authorization call; it must match the one registered on the OAuth client)

client_id : client id of the OAuth client.

client_secret : client secret of the OAuth client.

If successful, this call returns a response in the following format:



This access token can also be decoded to check its details.

Here is a sample :

Place the access token in the request header – Authorization

Place the access token received in the request header under "Authorization", prefixed with Bearer, as shown below:

Now send the request. It returns the expected response, since we are presenting a valid access token obtained through the OAuth flow.
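The whole manual sequence above, from building the authorize URL to calling the protected servlet with the bearer header, as a stand-alone Python script. This is an added example and not code from the post or from AEM: the parameter names for /oauth/authorize and the access_token field of the token response are the standard RFC 6749 ones (the post's screenshots are not reproduced here), the state parameter is the usual client-side check and the post does not say whether AEM echoes it back, and the sample authorization code it decodes is constructed and unsigned so that the decode step runs offline. The pure functions run without a server; the block at the bottom drives a real instance once CLIENT_ID, CLIENT_SECRET and the redirect URI are filled in.

```python
"""Manual authorization-code flow against AEM, step by step.

Added example, not code from the original post or from AEM. Assumptions are
marked in comments: RFC 6749 parameter names for /oauth/authorize and for the
token response, and a constructed, unsigned sample authorization code used only
so that the decode step can run offline.
"""
import base64
import json
import urllib.parse
import urllib.request

AEM = "http://localhost:4504"              # host and port used in the post
AUTHORIZE_URL = AEM + "/oauth/authorize"
TOKEN_URL = AEM + "/oauth/token"
SAMPLE_ENDPOINT = AEM + "/bin/oauth/sample/one"


def build_authorize_url(client_id, redirect_uri, scopes, state=None):
    """Step 1: the GET that opens AEM's consent screen (RFC 6749 names assumed).

    Multiple scopes are space separated and must travel as %20, so urlencode is
    told to use quote() instead of its default quote_plus(). `state` is the
    client's anti-CSRF value; whether AEM echoes it back is not covered by the post.
    """
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": redirect_uri, "scope": " ".join(scopes)}
    if state is not None:
        params["state"] = state
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params, quote_via=urllib.parse.quote)


def extract_code(redirect_url, expected_state=None):
    """Step 2: pull code= out of the URL AEM redirected to after Accept."""
    query = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if expected_state is not None and query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: this redirect did not come from our authorize request")
    return query["code"][0]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token):
    """Inspect a JWT's header and claims WITHOUT verifying the signature.

    Enough to read the cty claim the post points at; never use this to decide
    whether a token can be trusted.
    """
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))


def build_token_request(code, redirect_uri, client_id, client_secret):
    """Step 3: the POST to /oauth/token with the parameters form-encoded in the body."""
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri,
        "client_id": client_id, "client_secret": client_secret}).encode()
    return urllib.request.Request(TOKEN_URL, data=body, method="POST",
                                  headers={"Content-Type": "application/x-www-form-urlencoded"})


def bearer_header(access_token):
    """Step 4: AEM accepts the token only in the Authorization header, never in the URL.

    Refuses Postman's "Bearer undefined" failure mode and anything that does not
    have the three dot-separated parts of a JWT.
    """
    if not access_token or access_token == "undefined" or access_token.count(".") != 2:
        raise ValueError("refusing to send a malformed bearer token: %r" % (access_token,))
    return {"Authorization": "Bearer " + access_token}


def _make_unsigned_jwt(claims):
    """Constructed sample only: alg=none and an empty signature; AEM signs its tokens."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj, separators=(",", ":")).encode()).rstrip(b"=").decode()
    return enc({"alg": "none", "typ": "JWT"}) + "." + enc(claims) + "."


SAMPLE_CODE = _make_unsigned_jwt({"sub": "admin", "cty": "code", "scope": "sampleScopeOne,sampleScopeTwo"})


if __name__ == "__main__":
    client_id, client_secret = "CLIENT_ID", "CLIENT_SECRET"   # from the OAuth client configured in AEM
    redirect_uri = "http://localhost/callback"                # must match the client's registered redirect URI
    scopes = ["sampleScopeOne", "sampleScopeTwo"]
    print("Open this in a browser that is logged in to AEM and click Accept:")
    print(build_authorize_url(client_id, redirect_uri, scopes, state="xyz"))
    code = extract_code(input("Paste the full redirect URL here: ").strip(), expected_state="xyz")
    print("authorization code claims:", decode_jwt_claims(code)[1])
    with urllib.request.urlopen(build_token_request(code, redirect_uri, client_id, client_secret)) as resp:
        access_token = json.loads(resp.read())["access_token"]   # standard field name assumed
    req = urllib.request.Request(SAMPLE_ENDPOINT, headers=bearer_header(access_token))
    with urllib.request.urlopen(req) as resp:
        print(resp.status, resp.read().decode(errors="replace")[:200])
```

The two checks that Postman's one-click flow hides are worth keeping in any client: the redirect is only accepted if it carries the state we sent, and nothing is put on the wire as a bearer token unless it at least looks like a JWT, which is what turns "Bearer undefined" from a confusing 401 into an immediate error.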

Note the user id in this case. It is the OAuth user id that AEM creates for an OAuth login: oauth-cA1CRJluFLNQGFwIQD8etJWB-7Ivsh5-gV9cS91j7bl.QfiQXYiojI5R3YiwiIl52TlB3bjNVZsBXbhNHLvdHVlB3bjNVZsBXbhNnI6ISZw92YzJCLxUzM4UjNxATNxojI0FWaiwSM1kTM2YTMwUTM6ICc4VmIsIibp1GZhJiOiIWdzJCLiUGdp5WYydEIlJ2bkFkI6IyczlmIsISM4YGcsVWcp1iMnpmcyx2NoJGcwJzYs9WOx0mcutWd1hWMwJiOiQWdhJye.9JCVXpkI6ICc5RnIsIiN1IzUIJiOicGbhJye

How to get the logged-in user from the OAuth user id

This is just an extra snippet, not related to testing, which may be useful. After a successful OAuth login, the user AEM resolves the request to (an oauth- user like the one above) is different from the user who logged in and authorized the request.

Using the OAuth user id it is possible to retrieve the actual user who logged in and authorized the request, because the id is nothing more than the access token JWT with its characters reversed, and the token's sub claim names that user. The flip side is worth remembering: anyone who can read such a user id (in a request log, an audit trail or the user list) can recover a usable bearer token for as long as it is valid, so treat these ids as secrets. Also note that the snippet parses the JWT without verifying its signature; that is acceptable for ids that AEM itself minted, but it is not a way to validate a token.

This sample is taken from the decompiled jar that contains AEM's OAuth server implementation. The imports and the enclosing class were added here so that it compiles; the imports assume the Apache Oltu JWT classes that the bundle uses.

import org.apache.oltu.oauth2.jwt.JWT;          // assumption: Oltu JWT classes, as used by the AEM bundle
import org.apache.oltu.oauth2.jwt.io.JWTReader;

public final class OAuthUserIdUtil {           // class name chosen here; the original fragment had none
    // The OAuth user id is "oauth-" followed by the access token with its characters reversed.
    public static String getJwtFromUserId(String userId) {
        return new StringBuilder(userId.substring("oauth-".length())).reverse().toString();
    }
    // Reads the "sub" claim. This only parses the token; the signature is not verified here.
    public static String getSubject(String accessToken) {
        JWT jwt = (JWT) new JWTReader().read(accessToken);
        return jwt.getClaimsSet().getSubject();
    }
    public static String getSubjectUsingOAuthUserId(String oAuthUserId) {
        String accessToken = getJwtFromUserId(oAuthUserId);
        return getSubject(accessToken);
    }
}
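As an added example (not from the post and not AEM's code), here are the same three steps in Python, run against the OAuth user id shown earlier in this post. Like the Java above it parses the JWT without verifying the signature, which is fine for reading the subject of an id that AEM itself minted but is not a way to validate a token.

```python
import base64
import json

# The OAuth user id printed earlier in this post, reproduced verbatim.
OAUTH_USER_ID = ("oauth-cA1CRJluFLNQGFwIQD8etJWB-7Ivsh5-gV9cS91j7bl."
                 "QfiQXYiojI5R3YiwiIl52TlB3bjNVZsBXbhNHLvdHVlB3bjNVZsBXbhNnI6ISZw92YzJCLxUzM4UjNxATNxojI0FWaiwSM1kTM2YTMwUTM6ICc4VmIsIibp1GZhJiOiIWdzJCLiUGdp5WYydEIlJ2bkFkI6IyczlmIsISM4YGcsVWcp1iMnpmcyx2NoJGcwJzYs9WOx0mcutWd1hWMwJiOiQWdhJye."
                 "9JCVXpkI6ICc5RnIsIiN1IzUIJiOicGbhJye")

PREFIX = "oauth-"


def jwt_from_oauth_user_id(user_id):
    """The id is PREFIX plus the access token with its characters reversed (getJwtFromUserId above)."""
    if not user_id.startswith(PREFIX):
        raise ValueError("not an OAuth user id: %r" % (user_id,))
    return user_id[len(PREFIX):][::-1]


def _b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_parts(token):
    """Header, claims and raw signature bytes of a JWT. NO signature check is done."""
    header, payload, signature = token.split(".")
    return (json.loads(_b64url_decode(header)),
            json.loads(_b64url_decode(payload)),
            _b64url_decode(signature))


def subject_from_oauth_user_id(user_id):
    """Equivalent of getSubjectUsingOAuthUserId: the user who authorized the client."""
    _header, claims, _signature = jwt_parts(jwt_from_oauth_user_id(user_id))
    return claims["sub"]


if __name__ == "__main__":
    header, claims, sig = jwt_parts(jwt_from_oauth_user_id(OAUTH_USER_ID))
    print("alg:", header["alg"], "| iss:", claims["iss"], "| sub:", claims["sub"],
          "| cty:", claims["cty"], "| scope:", claims["scope"])
    print("valid for", claims["exp"] - claims["iat"], "seconds; signature is", len(sig), "bytes")
```

Running it on the id from this post shows what such an id actually carries: an HS256 token issued by "Adobe Granite" for sub admin with cty at (an access token, whereas the authorization code decoded earlier had cty code), the two sample scopes, and a one-hour lifetime. That is the whole bearer token, recoverable by a single string reversal, which is why these ids should never be logged or displayed.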

Sample project for the AEM as OAuth server implementation

This is a sample Maven AEM project that contains the OAuth scopes and the necessary configurations.


About The Author

Priya Noohu

AEM Developer

One comment

  1. Hatim

    September 13, 2018 at 11:20 am

    I followed all the testing steps to use AEM as OAuth server. I got the code successfully by using the /oauth/authorize URL, but when I call the /oauth/token URL passing all the information, I get an error in Postman like
    Could not get any response
    There was an error connecting to /oauth/token.

    The same thing I tried using HttpUrlConnection in Java, I got 400 Bad Request.
    Please suggest and help in this regard.
