The Resource Owner Flow is one of the modes in the OAuth protocol. In this flow, a user can authenticate using the IDP contract that uses form-based authentication. Sometime during client application development, the application expects more than user credentials and wants to use additional information such as user DOB, PAN Card, etc. In such cases, it is not possible to use default contracts. To achieve such use cases, NAM provides a functionality to create and use a custom contract class.

From Access Manager 4.3 onwards, it’s possible to define which contract must be executed based on the parameter value sent during OAuth request or it can be configured through the admin console oauth configuration section.

How it works:

Create a custom authentication class with the desired additional parameter (sample attached – MultiParameterAuthClass). To learn more about how to use sample class, check the access manager developer documentation. How to deploy authentication class.

Define this either in the Oauth Resource Owner Configuration UI in the global setting or pass this parameter as acr value of the Oauth Resource owner request.

Note: This will work with NAM 4.4. For an alternate option, “Send additional param as part of password by some delimiter not contained in usual password like ppp$param2$param3. Let the custom auth class split the password into constituent part and validate.”


Let us consider a scenario where a client application requires the user’s PAN number along with the user’s credentials for authentication. For this requirement, the administrator can configure Access Manager using the following steps:

  1. Create custom claas based on the provided sample file.
  2. Add custom class created in step 1 to Oauth global configuration.
  3. Update IDP server.

Testing the Authentication:

Create a resource owner flow request such as the following:

Case 1: When Parameters are correct:

curl -v -k -X POST -d 'grant_type=password&client_id=9fb726a1-1dd0-4717-874-bfc34b90d423&client_secret=j-L5uKeRnarmPNuoXos-h1EqeUjR3AWSZvwwDNtxbONEvmCI3vu0kPAMKQBGxkHvdfqkNXiXC-SmodPRoqFFBQ&username=vneeraj&password=novell&pan=pan123&acr=/custom/contract'

For information on the parameter click here.

If all of the parameters in the request are correct, the server will return the token and refresh token (optionally).

Case 2: In case parameter PAN value is incorrect:

{        "error":"invalid_grant",

"error_description":"invalid_grant: Invalid pan"



0 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 50 votes, average: 0.00 out of 5 (0 votes, average: 0.00 out of 5)
You need to be a registered member to rate this post.

Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment.  It just worked for at least one person, and perhaps it will be useful for you too.  Be sure to test in a non-production environment.

Leave a Reply

No Comments
By: VNeeraj
Dec 4, 2017
9:16 am
Active Directory Authentication Automation Cloud Computing Cloud Security Configuration Customizing Data Breach DirXML Drivers End User Management Identity Manager Importing-Exporting / ICE/ LDIF Intelligent Workload Management IT Security Knowledge Depot LDAP Monitoring Open Enterprise Server Passwords Reporting Secure Access Supported Troubleshooting Workflow