In a previous post, OAM: Configuring Mobile & Social To Authenticate With Google, we configured OAM Mobile and Social to allow authentication to protected resources via Google OpenID. During this process, after a user logs in with his/her Google account, they are redirected to a registration page, which is partially filled in with attributes retrived from Google.

In this post, I’m going to show you how you can create your own custom registration page that will automatically submit the registration and redirect the user to the target url. The custom registration page will decode the saeToken which contains the attributes that Google sends and will use the OAM User Profile REST APIs to create the account in our OUD directory.


If you want a custom registration page, you must make sure that User Registration is enabled. After you are authenticated by Google (or another InternetIdnetityProvider) OAM will redirect you to the Registration URL defined for the Application via a POST. This POST will include two parameters:

  • saeToken – This contains the attributes received from the source (Google) and is encrypted using the Shared Secret defined in the Application.
  • Application – The application name
Outline for our custom registration page:
  • Decrypt the saeToken
  • Read and parse the value of the reg_attrs attribute from the saeToken. The reg_attrs value inside the token will look something like this:,mail:Email Address::,
    timezone:Time Zone::,postaladdress:Country:US:,preferredlanguage:Language:en-US:,
    lastname:Last Name:doe:,commonname:First Name:john:,password:Password::,,
  • Create a JSON string and post it to the OAM’s User Profile service REST API end point to create the user
  • Redirect the user to the return_url value in the saeToken with “oicUserRegister=done” appended to the querystring

JSP Code

In order to decrypt and use the saeToken, we must make use of the Internet Identity Services Client SDK, which is in the <pre></pre> package.  You need to download this SDK from Oracle; it can be found on the Identity Management download section under “Oracle Access Management Mobile and Social SDKs” (at the time of this writing). The file is named “”. From this file you will need all the jars found in the oic_clientsdk folder (jackson-core-asl-1.8.0.jar, jackson-jaxrs-1.8.0.jar, jackson-mapper-asl-1.8.0.jar, jackson-xc-1.8.0.jar, jersey-client-1.8.jar, jersey-core-1.8.jar, jersey-json-1.8.jar, jettison-1.3.jar, oic_clientsdk.jar, oic_common.jar, oic_sae.jar, ojdl.jar).

Decrypt And Read saeToken

The following code will decrypt the saeToken and store the relevant attributes into a Map

//Read encrypted saeToken from POST data
String saeToken = request.getParameter("saeToken");

//configurations for RPClient
Properties conf = new java.util.Properties();

//Create RPClient
RPClient client = new RPClient("TestApp", conf );

HashMap<String, String> fields = new HashMap();

//Decrypt saeToken
Map<String, String> saeAttrs = client.getAttrFromSaeToken(saeToken, "Password","Password");

//Get the reg_attrs and return_url attributes
String regAttrs = saeAttrs.get ("reg_attrs");
String redirectURL = saeAttrs.get ("return_url") + "oicUserRegister=done";

//Put User Profile attributes into a Map
String[] attributeArray = regAttrs.split(",");
for (String a : attributeArray){

Verify REST End Point

We want to verify that OAM’s REST API end point is listening. To find out what its URL is, we can trace it back from the Application configuration.

  • Open the Social Application configuration page
  • Note the value of User Profile Service Endpoint, in my case “/userprofile”.
  • Edit the Service Profile for that endpoint from Mobile Serices > Service Profiles
  • The URL will be show under URI Category Information
  • In my case, the full REST URL end point for user management would be
  • If you open the URL in a browser you should see a simple JSON string

Calling REST API

This part is fairly straight forward, we simply do a POST on the REST endpoint and pass a JSON formatted string which contains the attributes we want to set. Here we have flexibility to manipulate the attributes, generate uids or passwords, or perform any other provisioning task. My code is very simple and simply creates the user with the CN and UID attribute set to the user’s mail attribute received from the saeToken

//Create User
try {
 URL url = new URL("");
 HttpURLConnection conn = (HttpURLConnection) url.openConnection();
 conn.setRequestProperty("Content-Type", "application/json");
 String input = "{\"uid\":\""+ fields.get("mail") + "\",\"mail\":\""+ fields.get("mail") + "\",\"lastname\":\""+ fields.get("lastname") + "\",\"commonname\":\""+ fields.get("mail") + "\",\"firstname\":\""+ fields.get("firstname") + "\"}";
 OutputStream os = conn.getOutputStream();
 if (conn.getResponseCode() != HttpURLConnection.HTTP_OK) {
 throw new RuntimeException("Failed : HTTP error code : " + conn.getResponseCode());
 BufferedReader br = new BufferedReader(new InputStreamReader((conn.getInputStream())));
 String output;
 out.print("Output from Server .... \n");
 while ((output = br.readLine()) != null) {
 //for debugging or catching creation errors
} catch (MalformedURLException e) {
} catch (IOException e) {

<span style="line-height: 1.5em;">

Don’t forget to redirect the user after everything is done to the redirectURL.

Finishing up

You’ll also need to change the registration URL in the Application configuration. I deployed my JSP to the oam_server1 managed server under “/service” context root, so my page URL is

You also want to make sure this page is not protected by OAM, wherever you decide to deploy it.