Use CURL to access /demo/mobile-demo/rba with the access token

Use CURL to run the following command in a shell terminal.

The command includes the previously obtained access token with the Authorization header. Use this command to access the protected application resource /demo/mobile-demo/rba.


curl -k -v -H "Authorization: Bearer C57M09" -H "Content-Type: application/json" \
-H "Accept: application/json" "https://<reverse proxy address>/demo/mobile-demo/rba"

The response is the result of enforcement of the previously attached CBA policy. The policy requires completion of a TOTP authentication.


< HTTP/1.1 200 OK
<
{
"mechanism": "urn:ibm:security:authentication:asf:mechanism:totp",
"message": "",
"state": "9efd546c5a574d218a027a79110c2f19",
"location": "/mga/sps/apiauthsvc?StateId=9efd546c5a574d218a027a79110c2f19",
"execptionMsg": "NA"
}

The next request validates the TOTP for testuser1. testuser1 supplies the otp value by reading it from the Google Authenticator app.


curl -k -v -X PUT -H "Content-Type: application/json" -H "Accept: application/json" \
-H "Authorization: Bearer C57M09" --data '{"otp": "842998"}' \
"https://<reverse proxy address>/mgaapi/sps/apiauthsvc?StateId=9efd546c-5a57-4d21-8a02-7a79110c2f19"

The resulting response is the actual protected resource from /demo/mobile-demo/rba. Its data format is HTML. Even so, the response shows that the basic configuration and REST client experience are successfully deployed.


< HTTP/1.1 200 OK
< content-language: en-US
< content-type: text/html;charset=ISO-8859-1
< date: Mon, 08 Feb 2016 04:06:34 GMT
< p3p: CP="NON CUR OTPi OUR NOR UNI"
< x-old-content-length: 1554
< transfer-encoding: chunked
< cache-control: no-cache="set-cookie, set-cookie2"
< expires: Thu, 01 Dec 1994 16:00:00 GMT

<HTML>
<BODY>
<div class="content">
<div class="contentHeader">
<h1 class="pageTitle">Risk-based access protected resource</h1>
<div class="instructions"></div>
</div>
<div class="pageContent" style="width: 600">

If you get the following page, then either you have a match for the device fingerprint or you were already authenticated at a high level (for example, one-time password).


</div>
</div>
</BODY>
</HTML>
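
The two-step exchange above, from the client's side, as an added example that is not part of the original page or of the product: it validates the JSON challenge and builds the follow-up PUT from the returned location value. The function name build_totp_request, the host proxy.example.test and the six-digit OTP check are assumptions; the challenge body, token and OTP are the sample values shown on this page.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urljoin, urlsplit

TOTP_MECHANISM = "urn:ibm:security:authentication:asf:mechanism:totp"

# Challenge body as shown in the first response on this page.
SAMPLE_CHALLENGE = """{
 "mechanism": "urn:ibm:security:authentication:asf:mechanism:totp",
 "message": "",
 "state": "9efd546c5a574d218a027a79110c2f19",
 "location": "/mga/sps/apiauthsvc?StateId=9efd546c5a574d218a027a79110c2f19",
 "execptionMsg": "NA"
}"""


def build_totp_request(base_url, challenge_body, otp, access_token):
    """Validate the JSON challenge and return the follow-up PUT (not sent)."""
    challenge = json.loads(challenge_body)
    if challenge.get("mechanism") != TOTP_MECHANISM:
        raise ValueError("unexpected authentication mechanism")
    location = challenge.get("location") or ""
    parts = urlsplit(location)
    # The bearer token must only go back to the reverse proxy, so accept a
    # server-relative path and reject absolute or scheme-relative URLs.
    if parts.scheme or parts.netloc or not parts.path.startswith("/"):
        raise ValueError("location is not a server-relative path")
    if parse_qs(parts.query).get("StateId") != [challenge.get("state")]:
        raise ValueError("StateId in location does not match state")
    # Assumption: six-digit codes, as in the page's example OTP.
    if not (otp.isascii() and otp.isdigit() and len(otp) == 6):
        raise ValueError("otp must be six ASCII digits")
    return urllib.request.Request(
        urljoin(base_url, location),
        data=json.dumps({"otp": otp}).encode("utf-8"),  # strict JSON body
        method="PUT",
        headers={
            "Authorization": "Bearer " + access_token,
            "Content-Type": "application/json",
            "Accept": "application/json",
        },
    )


if __name__ == "__main__":
    req = build_totp_request("https://proxy.example.test", SAMPLE_CHALLENGE,
                             "842998", "C57M09")
    print(req.get_method(), req.full_url)
```

Passing the returned request to urllib.request.urlopen sends it with certificate verification enabled, unlike the curl -k commands above, so the reverse proxy needs a certificate the client trusts.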