Thursday, November 28, 2013

OpenAM RESTful Services

Prior to OpenAM 11.0, there is a set of RESTful APIs for developers to use to perform various operations like Authentication, Logout, Token Validation, Token Attributes Retrieval (See Use OpenAM RESTful Services).

In OpenAM 11.0, there is an enhanced set of RESTful APIs. These are JSON-based APIs. (See Using RESTful Web Services)

The proper use of RESTful Web Services can be briefly illustrated like the following flowchart:

This makes the applications making RESTful calls independent of any domain cookies, which is nice to have. This is really useful in a Cross Domain Single Sign-On (CDSSO) scenario. (Of course, the other alternative is to use Policy Agent which will transparently make the CDSSO work like a charm.)

2 days ago when I visited one of my customers, I came to know that their developers have somehow mis-interpreted the original intention of RESTful Web Services. They have a hybrid way of using RESTful Web Services.

Of course, it works previously as the application resides in the same domain as the OpenAM servers. But it would not work when we start to change the domain name of the application, which the higher management has the intention to do so for branding purpose. 

Please … if one is to use RESTful Web Services, please do not work with cookie. Make it a pure RESTful experience!



  1. Great post. Apparently, this was the same thing I was attempting to do! I basically have 2 questions:

    1. Since I do not want to put in my credentials every time I try logging in from a new domain, how do I find out if the current user is already authenticated to OpenAM (i.e., the web agent is) ?

    2. I could find any REST API to determine of the current user is logged in or not. Is there?


    Token Validation e.g. .../identity/isTokenValid

  3. Yeah, I know about TokenValidation, I am talking about the method the agent uses to communicate with the CDCServlet and determine if the session is valid. The way I am doing this now is, have an app reside on the LB URL (hence the cookie is visible) and use an iframe to retrieve the cookie.

    So back to the question, is there any way to determine if the user is logged in?

  4. Hi Rahul/ Chee,

    I also have the same question. Here is my scenario & i stuck how to achieve it.

    3 php applicaitons are on domain --->,,

    And forgerock is on domain -->

    Now is it possible to authenticate with REST API from php application to forgerock and do opensso for all three applications.

    I think I need to do CDSSO, but how it is possible for REST API ?

    Any hint will be useful. I really stuck on this and need to get out of this.

    Thanks & Regards,
    Amit Doshi

    1. Amit Doshi. Did u get a reply to this? I am also stuck in implementing CDSSO without using policy agents