Test using OAuth Tools


OAuth.tools is a great tool for testing OAuth flows. It’s a public web application that acts as an OAuth client application and communicates with the Curity Identity Server endpoints. OAuth.tools already comes with a configured playground out of the box. This could suffice for some very simple tests, but it doesn’t allow us to tweak the configuration in place in the Curity Identity Server. In this article we’ll take a look at how to configure OAuth.tools to use an instance of the Curity Identity Server that we control and can configure to our own needs.

Configuring an environment

When visiting OAuth.tools for the first time you will see a set of pre-defined flows on the left side. These flows are all using the pre-configured Curity Playground environment. We want to set up an environment in OAuth.tools that instead uses our own instance of the Curity Identity Server (wherever that is installed).

The first step is to go to the Environments menu and from there click New Environment. If Webfinger is enabled (recommended) in the Curity Identity Server, click the Use webfinger button and enter the URL of the Curity Identity Server, for example https://idsvr.example.com. This would correspond to the configured Base URL in Curity.

Use Webfinger

Webfinger can be enabled in the Curity Identity Server by going to System -> Deployment -> Click the service role, scrolling down to Advanced and then enabling Enable WebFinger for Issuer Discovery.

If Webfinger is not enabled, it’s also possible to enter the Issuer or Metadata URL. The Issuer URL would look something like this: https://idsvr.example.com/oauth/v2/oauth-anonymous, and the Metadata URL like this: https://idsvr.example.com/oauth/v2/oauth-anonymous/.well-known/openid-configuration.

Finding the Issuer value

The issuer value can be found by going to Token Service -> General and clicking the Info button in the top right corner.

Either of these options should discover the endpoints needed to test a configured client.
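The discovery chain described above (WebFinger lookup, then the Issuer, then the Metadata URL), as an added example that is not part of the original article or of OAuth.tools. It also checks the metadata document before trusting its endpoints. The sample responses are constructed, the endpoint paths in them are illustrative, and using the base URL as the WebFinger resource is an assumption.

```python
import json
from urllib.parse import urlencode, urlsplit

# Link relation defined by OpenID Connect Discovery 1.0 for issuer lookup.
ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"
REQUIRED = ("authorization_endpoint", "token_endpoint", "jwks_uri")

def webfinger_url(base_url):
    """WebFinger (RFC 7033) query; using the base URL as resource is an assumption."""
    query = urlencode({"resource": base_url, "rel": ISSUER_REL})
    return f"https://{urlsplit(base_url).netloc}/.well-known/webfinger?{query}"

def issuer_from_jrd(jrd_text):
    """Return the issuer href from a WebFinger JRD response."""
    for link in json.loads(jrd_text).get("links", []):
        if link.get("rel") == ISSUER_REL and link.get("href"):
            return link["href"]
    raise ValueError("WebFinger response has no issuer link")

def metadata_url(issuer):
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def check_metadata(issuer, metadata_text):
    """Return a list of problems; an empty list means the document is usable."""
    meta = json.loads(metadata_text)
    problems = []
    # The spec requires the advertised issuer to equal the one we asked for.
    if meta.get("issuer") != issuer:
        problems.append(f"issuer mismatch: {meta.get('issuer')!r}")
    for name in REQUIRED:
        value = meta.get(name)
        if not value:
            problems.append(f"missing {name}")
        elif urlsplit(value).scheme != "https":
            problems.append(f"{name} is not https")
    return problems

# Constructed sample responses (endpoint paths are illustrative).
BASE = "https://idsvr.example.com"
SAMPLE_JRD = json.dumps({"subject": BASE, "links": [
    {"rel": ISSUER_REL, "href": BASE + "/oauth/v2/oauth-anonymous"}]})
SAMPLE_METADATA = json.dumps({
    "issuer": BASE + "/oauth/v2/oauth-anonymous",
    "authorization_endpoint": BASE + "/oauth/v2/oauth-authorize",
    "token_endpoint": BASE + "/oauth/v2/oauth-token",
    "jwks_uri": BASE + "/oauth/v2/oauth-anonymous/jwks"})

if __name__ == "__main__":
    issuer = issuer_from_jrd(SAMPLE_JRD)
    print(webfinger_url(BASE))
    print(metadata_url(issuer))
    print(check_metadata(issuer, SAMPLE_METADATA) or "metadata OK")
```

An issuer mismatch or a non-HTTPS endpoint in the metadata usually means the Base URL or a reverse proxy in front of the server is misconfigured, and it is worth fixing before adding the environment.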

Local Curity installation

If the Curity Identity Server is installed locally it might not be possible for OAuth.tools to reach the Curity instance. This can be resolved by leveraging a reverse proxy like ngrok for example. The Exposing Curity Using ngrok article outlines details on how to configure ngrok.

Configuring a client

With an environment configured in OAuth.tools we can configure a client to use for testing. In the Client tab of the newly configured environment, click New Client.

Enter the Client ID/Name and Secret and enable the flow(s) that correspond to the client configured in the Curity Identity Server from the previous step, Configure client.

In this tutorial we will use a client with the ID www and use the Code Flow.

Automatically import client

It is also possible to automatically import the client information from the Curity Identity Server. In the admin UI, go to the Client you want to import into OAuth.tools and click the button Open in OAuth.tools.

Test a configured flow

With an environment set up and a client configured we can now start testing.

  1. Click Start Flow and choose the flow to test, Code Flow in our case.
  2. From the drop-down, choose the www client and also choose the openid scope.
  3. Scroll down and click the Run button.

With the configuration in place this should bring you to an authentication screen. If an account is available, use it to log in. If this is the first time running through this test, chances are that no account exists.

The username/password authenticator can handle registration.

Authentication - Create Account

Click Create Account. On the next screen, fill out the information for the new account. Username, email and password are mandatory fields. Click the Create account button.

When the account creation is complete there is an option to Return to login.

  1. Use the newly created account to authenticate.
  2. In OAuth.tools this should now result in an Authorization code retrieved.
  3. In order to streamline this for future tests you can enable Auto-redeem code. This will automatically redeem the code for tokens on subsequent runs. Since that wasn’t enabled for the first run we now have to click Redeem Code.

We should now have 3 tokens: an Access Token, a Refresh Token and an ID Token. The ID Token is issued because the openid scope was requested.

Next Steps

This concludes the basic “Getting started” track. Head over to the summary article that also covers further suggested reading on additional advanced configuration and integration options.
