Test using cURL

Test using cURL

tutorials

There are several ways to test an OAuth flow and different tools that can be used in the process. In this article we will take a look at how to use cURL and a browser to run through the Code Flow.

Retrieve a code

Start in the browser, the following example URL will result in the Authenticator configured for the www client to be triggered. The response_type indicates that we want a code and we have to provide a redirect_uri that matches what has been configured in the client in Curity.

https://localhost:8443/oauth/v2/oauth-authorize?client_id=www&response_type=code&redirect_uri=https://localhost/callback&scope=openid

Change hostname

Replace localhost:8443 to match the hostname and port of your installation of the Curity Identity Server. This should match the configured Base URL in System -> General in the Curity admin UI.

The username-password authenticator created previously is configured to be used with the client we created. If an account is available, use it to log in. If this is the first time running though this test chances are that no account exists.

The username/password authenticator can handle registration.

Authentication - Create Account

Click Create Account, on the next screen, fill out the information for the new account. Username, email and password are mandatory fields. Click the Create account button.

When the account creation is complete there is an option to Return to login.

After a successful authentication the browser redirects to a URL that looks like this:

https://localhost/callback?code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb&session_state=DvrfPGQ5NmQiQHRUKRsSA5bKq7ccEtdWQPFP1rvu89Y%3D.cH1KuVFQm8Sv

The part we need for the next step is the code k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb.

Redirect URI

Note here that we got redirected to the redirect_uri that we passed in our original request to the server.

Redeem Authorization Code

The next step in the code flow is a POST to the token endpoint of the Curity Identity Server. Here we need to also authenticate the client. The client we use is configured to use secret as the authentication mechanism, so we can simply add -u www:Password1 to our request.

We also send the grant_type, redirect_uri, code and as url encoded parameters.

curl -Ssk \
https://localhost:8443/oauth/v2/oauth-token \
-u www:Password1 \
-d grant_type=authorization_code \
-d redirect_uri=https%3A%2F%2Flocalhost%2Fcallback \
-d code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb

Untrusted Certificate

The -k flag of curl is there because the default certificate generated by install is self signed and not trusted by curl. If the default certificate is replaced by a trusted one, the -k is no longer needed.

The response looks something like this:

{
  "id_token": "eyJraWQiOiI4NzQ1ODQ3NTQiLCJ4NXQiOiJFbTlmdFpuVnFxQzdVVkxhTGJ2Y2M1ZkhPT2ciLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2MDUzMTAyMzYsIm5iZiI6MTYwNTMwNjYzNiwianRpIjoiODY4NDM0Y2YtMGY4Zi00OTNhLTliNGEtNDgzNDhmNGJjZmY1IiwiaXNzIjoiaHR0cHM6Ly9pZ2dib20tY3VyaXR5Lm5ncm9rLmlvL29hdXRoL3YyL29hdXRoLWFub255bW91cyIsImF1ZCI6Ind3dyIsInN1YiI6ImE5NmQ2MjEwOGYwYzllNThkMGYzZTI2ZWM0MmQ1ODMzMDUxZDI2MjMwYTlhOTQ2MDFjOTg5NzZhMDNjMjA3NDQiLCJhdXRoX3RpbWUiOjE2MDUzMDU2OTAsImlhdCI6MTYwNTMwNjYzNiwicHVycG9zZSI6ImlkIiwiYXRfaGFzaCI6IjNPZWtnMk9MVUdaOWp0NXYxUTVCY1EiLCJkZWxlZ2F0aW9uX2lkIjoiZDJjZGUyNWYtN2M3Ny00ZDk2LTkwNmQtMjhmMTVlMTRhZjQxIiwiYWNyIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjpodG1sLWZvcm06dXNlcm5hbWUtcGFzc3dvcmQiLCJhenAiOiJ3d3ciLCJhbXIiOiJ1cm46c2U6Y3VyaXR5OmF1dGhlbnRpY2F0aW9uOmh0bWwtZm9ybTp1c2VybmFtZS1wYXNzd29yZCIsInNpZCI6IlJCV29vaFpJZ1Y2UFIzcVEifQ.PhWxwlWeJbgNQCk4Vz7OiijOE0njN6IMdPCeGWKtT_kFs9HBw10QVmmgiG74tu-WHG2TOedsl6o_k3xaOgwptvSXlwlM7P5EK_AJAegYqzQtA32m7RcuPT3vn7_1aPcy2K-cbiWDaF7DI-g5SfPIKIbFFFVF0eVMR53VW2uDk55VhIVdkhSKIL8_jNZu__sl_PGLyNtFxBYeVmgad18FClWGStsRy0pqhlvtwVKZglyipBFpce0JdPIs2TenjtkzoBEilerAj1TkA8Sth3G_3NHHtteI8HDXtKTJGg3DhjTozoeerWAQDI-yt1LPhNdZtpn_GuxOP4SN_HGlczOf5Q",
  "token_type": "bearer",
  "access_token": "664c267a-5a84-4cb4-a1e9-7301759cee01",
  "refresh_token": "000789a1-31d4-4db5-895e-8f4ff2544314",
  "scope": "openid",
  "expires_in": 300
}

We have now received an Access Token, a Refresh Token and an ID Token. The ID token is issued thanks to the fact that we requested the openid scope.

Next Steps

This concludes the basic “Getting started” track. Head over to the summary article that also covers further suggested reading on additional advanced configuration and integration options.

Keep up with our latest articles and how-tos RSS feeds.