Recommended way to authenticate service accounts with elevated privileges

[pdaterao]

Hi,
I am trying to build a webapp to manage identities in OpenAM using REST APIs. The idea is to obtain a token for a service account which has elevated privileges. What is the best way to go about this?
I was initially trying to make service-account a member of some group and give elevated privileges to this group but there seem to be several issues in privilege assignment to group (either the privileges are never assigned or they never get removed)
What's the best way to forward given this issue? Any workarounds?

[vharseko]

A Bearer token is a type of authorization token that is provided to a user after successful authentication to access protected resources. This token is usually a string that the user must pass in the HTTP request header for each request to a secure service or application.

[pdaterao]

Hi @vharseko. That's the approach I am taking but I am not able to get elevated privileges for that Bearer Token.
Here is what I did:

1. Create a group called "service-group"
2. Create a user called "service-account" and make it a member of "service-group"

Authenticate "service-user" and use its token as a bearer token to make REST calls to read identities from OpenAM. As expected, I am getting an error message that says "The user do not have privileges to perform the operation"

I went to the Privileges tab in OpenAM UI and tried assigning the "RealmAdmin" privilege to service-group but I get an error (see screenshot below). This also happens for any new group I create.

I wanted to know if there is a special "internal token" with elevated privileges I can use to read/modifty identities in OpenAM.

[pdaterao]

For context, this was tracked in issue #758