Test using cURL
There are several ways to test an OAuth flow and different tools that can be used in the process. In this article you will learn how to use cURL and a browser to run through the Code Flow.
This tutorial assumes that you have completed the steps to configure the username-password authenticator and the first client.
Retrieve a Code
Start in the browser. Enter the following example URL to start the flow. This triggers the Authenticator configured for the www client. The response_type tells the Curity Identity Server to return a code. Provide a redirect_uri that matches one of the redirect URIs configured for the client in the Curity Identity Server.
Change localhost:8443 to match the hostname and port of your installation of the Curity Identity Server. This should match the configured Base URL in the System view, in the Deployment section.
If an account is available, use it to log in. If this is the first time running through this test, chances are that no account exists. In this case, create an account.
The username/password authenticator can handle registration.
Click the Create account link. Fill out the information for the new account. Username, email and password are mandatory fields. Submit the form and finish account creation by clicking the Create account button under the form.
After successful account creation you have the option to Return to login.
Log in with the account. After a successful authentication the browser redirects to a URL that looks like this:
For the next step extract the code from the URL. In the above example, the code is
Note that the browser was redirected to the redirect_uri that was passed in the original request to the server.
Redeem Authorization Code
The next step in the code flow is an HTTP POST request to the token endpoint of the Curity Identity Server. As part of this request, the server requires the client to authenticate. In this case, the client is configured to use secret as the authentication mechanism, i.e. it has a username and password (client id and secret). Simply specify the credentials as part of the command, e.g.,
Add also the code as url-encoded parameters.
```shell
curl -Ssk \
  https://localhost:8443/oauth/v2/oauth-token \
  -u www:Password1 \
  -d grant_type=authorization_code \
  -d redirect_uri=https%3A%2F%2Flocalhost%2Fcallback \
  -d code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb
```
The command above specifies the -k flag of curl because the default certificate of the Curity Identity Server is self-signed and not trusted by curl. If the default certificate is replaced by a trusted one, the -k is no longer needed.
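The two manual steps above (copying the code out of the redirect URL and redeeming it) as one script. This is an added example, not code from the original page or from Curity; it additionally rejects redirects that carry an error parameter (RFC 6749, section 4.1.2.1) and feeds the client credentials to curl on stdin rather than on the command line. The endpoint, client id and redirect URI default to the values in the command above; the function names and the CLIENT_SECRET variable are assumptions.

```shell
#!/bin/sh
# Added example, not Curity's code. Defaults mirror the curl command above;
# the client secret is read from the CLIENT_SECRET environment variable.
TOKEN_ENDPOINT=${TOKEN_ENDPOINT:-https://localhost:8443/oauth/v2/oauth-token}
CLIENT_ID=${CLIENT_ID:-www}
REDIRECT_URI=${REDIRECT_URI:-https://localhost/callback}

# Print the raw (still percent-encoded) value of one query parameter.
query_param() (
  url=${1%%#*}; name=$2                      # ignore any fragment
  case $url in *\?*) query=${url#*\?} ;; *) exit 1 ;; esac
  while [ -n "$query" ]; do
    pair=${query%%&*}
    case $query in *\&*) query=${query#*&} ;; *) query= ;; esac
    case $pair in "$name"=*) printf '%s\n' "${pair#*=}"; exit 0 ;; esac
  done
  exit 1
)

# Print the code from a redirect URL. Exit 2 on an error redirect,
# exit 3 when no usable code parameter is present.
authorization_code() (
  if err=$(query_param "$1" error); then
    echo "authorization request failed: $err" >&2; exit 2
  fi
  code=$(query_param "$1" code) && [ -n "$code" ] ||
    { echo "no code parameter in redirect" >&2; exit 3; }
  printf '%s\n' "$code"
)

# POST the code to the token endpoint. The code is still percent-encoded, so
# -d sends it unchanged; --data-urlencode encodes the plain redirect URI.
# Credentials go to curl as config on stdin, which keeps them off the command
# line (assumes the secret contains no '"' or '\'). Drop -k once the default
# self-signed certificate has been replaced by a trusted one.
redeem_code() {
  : "${CLIENT_SECRET:?set CLIENT_SECRET first}"
  code=$(authorization_code "$1") || return
  printf 'user = "%s:%s"\n' "$CLIENT_ID" "$CLIENT_SECRET" |
    curl -Ssk --config - \
      -d grant_type=authorization_code \
      --data-urlencode "redirect_uri=$REDIRECT_URI" \
      -d "code=$code" \
      "$TOKEN_ENDPOINT"
}

# Usage, with a constructed redirect URL:
#   redeem_code 'https://localhost/callback?code=CONSTRUCTED123'
```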
The response looks something like this:
There are three tokens now: an Access Token, a Refresh Token and an ID Token. The ID Token was issued because the request included the
This concludes the basic "Getting started" track. Head over to the summary article that also covers further suggested reading on additional advanced configuration and integration options.