AEM exposes a variety of HTTP endpoints that can be interacted with in a headless manner, from GraphQL and AEM Content Services to the Assets HTTP API. Often, these headless consumers need to authenticate to AEM in order to access protected content or actions. To facilitate this, AEM supports token-based authentication of HTTP requests from external applications, services or systems.
In this tutorial we'll explore how an external application can programmatically authenticate to and interact with AEM as a Cloud Service over HTTP using access tokens.
Ensure the following are in place before following along with this tutorial:
The execution flow of the Node.js application is as follows:
The Node.js application is invoked from the command line
Command line parameters define:
The access token used to authenticate to AEM is derived from the JSON file provided via command line parameter
a. If Service Credentials used for non-local development are provided in the JSON file (
file), the access token is retrieved from Adobe IMS APIs
The application uses the access token to access AEM and list all assets in the folder specified in the command line parameter
For each asset in the folder, the application updates its metadata based on the property name and value specified in the command line parameters
While this example application is Node.js, these interactions can be developed using different programming languages and executed from other external systems.
Local Development Access Tokens are generated for a specific AEM as a Cloud Service environment and provide access to Author and Publish services. These access tokens are temporary, and are only to be used during the development of external applications or systems that interact with AEM over HTTP. Instead of a developer having to obtain and manage bona fide Service Credentials, they can quickly and easily self-generate a temporary access token allowing them to develop their integration.
Service Credentials are the bona fide credentials used in any non-development scenarios - most obviously production - that facilitate an external application or system’s ability to authenticate to, and interact with, AEM as a Cloud Service over HTTP. Service Credentials themselves are not sent to AEM for authentication; instead, the external application uses them to generate a JWT, which is exchanged with Adobe IMS’s APIs for an access token, which can then be used to authenticate HTTP requests to AEM as a Cloud Service.
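The Service Credentials flow described above, sketched in Node.js as an added example (not code from this tutorial or from Adobe): it signs the JWT locally, builds the IMS exchange request without sending it, and shows that AEM only receives the resulting bearer token. The JSON field names under `integration`, the claim layout, and the `/ims/exchange/jwt` path are assumptions about the Service Credentials format and the IMS JWT exchange; all sample values and the key pair are constructed.

```javascript
const crypto = require('node:crypto');

const b64url = (s) => Buffer.from(s).toString('base64url');

// Build the RS256-signed JWT that is exchanged with Adobe IMS for an access token.
// Field names under `integration` are an assumed Service Credentials layout.
function buildImsJwt(creds, nowSec = Math.floor(Date.now() / 1000), ttlSec = 300) {
  const i = creds.integration;
  const claims = {
    exp: nowSec + ttlSec, // short lifetime: a leaked JWT is only briefly usable
    iss: i.org,
    sub: i.id,
    aud: `https://${i.imsEndpoint}/c/${i.technicalAccount.clientId}`,
  };
  for (const scope of i.metascopes.split(',')) {
    claims[`https://${i.imsEndpoint}/s/${scope.trim()}`] = true;
  }
  const header = b64url(JSON.stringify({ alg: 'RS256', typ: 'JWT' }));
  const signingInput = `${header}.${b64url(JSON.stringify(claims))}`;
  const signature = crypto.sign('sha256', Buffer.from(signingInput), i.privateKey);
  return `${signingInput}.${signature.toString('base64url')}`;
}

// Describe the IMS exchange request; the private key itself is never transmitted.
function buildExchangeRequest(creds, jwt) {
  const { imsEndpoint, technicalAccount: ta } = creds.integration;
  const form = new URLSearchParams({
    client_id: ta.clientId, client_secret: ta.clientSecret, jwt_token: jwt });
  return { method: 'POST', url: `https://${imsEndpoint}/ims/exchange/jwt`, body: form.toString() };
}

// AEM only ever sees the resulting access token, sent as a bearer header.
const aemAuthHeader = (accessToken) => ({ Authorization: `Bearer ${accessToken}` });

// Constructed sample credentials with a throwaway key pair (not real values).
const sampleKeys = crypto.generateKeyPairSync('rsa', {
  modulusLength: 2048,
  privateKeyEncoding: { type: 'pkcs8', format: 'pem' },
  publicKeyEncoding: { type: 'spki', format: 'pem' },
});
const sampleCreds = { integration: {
  imsEndpoint: 'ims-na1.adobe.com', metascopes: 'ent_aem_cloud_api',
  org: 'EXAMPLE@AdobeOrg', id: 'EXAMPLE@techacct.adobe.com',
  technicalAccount: { clientId: 'example-client-id', clientSecret: 'example-secret' },
  privateKey: sampleKeys.privateKey,
} };

const sampleJwt = buildImsJwt(sampleCreds);
console.log(buildExchangeRequest(sampleCreds, sampleJwt).url, sampleJwt.split('.').length);
```

In a real integration the credentials JSON is loaded from a secret store rather than embedded, and the access token returned by IMS is cached until shortly before it expires.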