There are several ways to test an OAuth flow and different tools that can be used in the process. In this article we will take a look at how to use cURL and a browser to run through the Code Flow.
Retrieve a code
Start in the browser. The following example URL will trigger the authenticator configured for the `www` client. The `response_type` indicates that we want a code, and we have to provide a `redirect_uri` that matches what has been configured for the client in Curity.

```
https://localhost:8443/oauth/v2/oauth-authorize?client_id=www&response_type=code&redirect_uri=https://localhost/callback&scope=openid
```
Change hostname
Replace `localhost:8443` with the hostname and port of your installation of the Curity Identity Server. This should match the Base URL configured under System -> General in the Curity admin UI.
The username-password authenticator created previously is configured to be used with the client we created. If an account is available, use it to log in. If this is the first time running through this test, chances are that no account exists.
The username/password authenticator can handle registration. Click Create Account and, on the next screen, fill out the information for the new account. Username, email and password are mandatory fields. Click the Create account button.

When the account creation is complete there is an option to Return to login.
After a successful authentication the browser redirects to a URL that looks like this:

```
https://localhost/callback?code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb&session_state=DvrfPGQ5NmQiQHRUKRsSA5bKq7ccEtdWQPFP1rvu89Y%3D.cH1KuVFQm8Sv
```

The part we need for the next step is the code `k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb`.
Redirect URI
Note here that we got redirected to the `redirect_uri` that we passed in our original request to the server.

Redeem Authorization Code
The next step in the code flow is a POST to the token endpoint of the Curity Identity Server. Here we also need to authenticate the client. The client we use is configured to use `secret` as the authentication mechanism, so we can simply add `-u www:Password1` to our request.

We also send the `grant_type`, `redirect_uri` and `code` as URL-encoded form parameters.

```sh
curl -Ssk \
  https://localhost:8443/oauth/v2/oauth-token \
  -u www:Password1 \
  -d grant_type=authorization_code \
  -d redirect_uri=https%3A%2F%2Flocalhost%2Fcallback \
  -d code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb
```
Untrusted Certificate
The `-k` flag of `curl` is there because the default certificate generated by the install is self-signed and not trusted by `curl`. If the default certificate is replaced by a trusted one, the `-k` is no longer needed.

The response looks something like this:

```json
{
  "id_token": "eyJraWQiOiI4NzQ1ODQ3NTQiLCJ4NXQiOiJFbTlmdFpuVnFxQzdVVkxhTGJ2Y2M1ZkhPT2ciLCJhbGciOiJSUzI1NiJ9....PhWxwlWeJbgNQCk4Vz7OiijOE0njN6IMdPCeGWKtT_kFs9HBw10QVmmgiG74tu-WHG2TOedsl6o_k3xaOgwptvSXlwlM7P5EK_AJAegYqzQtA32m7RcuPT3vn7_1aPcy2K-cbiWDaF7DI-g5SfPIKIbFFFVF0eVMR53VW2uDk55VhIVdkhSKIL8_jNZu__sl_PGLyNtFxBYeVmgad18FClWGStsRy0pqhlvtwVKZglyipBFpce0JdPIs2TenjtkzoBEilerAj1TkA8Sth3G_3NHHtteI8HDXtKTJGg3DhjTozoeerWAQDI-yt1LPhNdZtpn_GuxOP4SN_HGlczOf5Q",
  "token_type": "bearer",
  "access_token": "664c267a-5a84-4cb4-a1e9-7301759cee01",
  "refresh_token": "000789a1-31d4-4db5-895e-8f4ff2544314",
  "scope": "openid",
  "expires_in": 300
}
```
We have now received an Access Token, a Refresh Token and an ID Token. The ID Token is issued because we requested the `openid` scope.
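The three steps above as one added Python example, written for this article rather than taken from Curity: build the authorize URL, extract the code from the callback after checking it landed on the registered redirect_uri, assemble the token request exactly as the curl command sends it, and read the header of the returned ID token. The client id, secret, endpoints and code are the article's example values; nothing is sent over the network.

```python
"""Client side of the Code Flow walked through above, without any network I/O.
Hypothetical helper code written for this article, not Curity's own; the client
id, secret, endpoints and authorization code are the article's example values."""
import base64
import json
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_URL = "https://localhost:8443/oauth/v2/oauth-authorize"
TOKEN_URL = "https://localhost:8443/oauth/v2/oauth-token"
CLIENT_ID, CLIENT_SECRET = "www", "Password1"
REDIRECT_URI = "https://localhost/callback"   # must equal the URI registered for the client


def authorize_url(scope="openid"):
    """Step 1: the URL the browser is sent to; response_type=code asks for a code."""
    query = {"client_id": CLIENT_ID, "response_type": "code",
             "redirect_uri": REDIRECT_URI, "scope": scope}
    return AUTHORIZE_URL + "?" + urlencode(query)


def code_from_callback(callback_url):
    """Step 2: take the code out of the URL the browser was redirected to.
    The server must have sent us back to our own redirect_uri; anything else is rejected."""
    parts = urlsplit(callback_url)
    landed_on = parts._replace(query="", fragment="").geturl()
    if landed_on != REDIRECT_URI:
        raise ValueError("callback arrived on an unexpected URL: " + landed_on)
    return parse_qs(parts.query)["code"][0]


def token_request(code):
    """Step 3: the HTTP request behind `curl -u www:Password1 -d ...`:
    client id and secret as an HTTP Basic header, parameters as a URL-encoded form body."""
    basic = base64.b64encode(f"{CLIENT_ID}:{CLIENT_SECRET}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code",
                      "redirect_uri": REDIRECT_URI, "code": code})
    return TOKEN_URL, headers, body


def id_token_header(id_token):
    """Decode the JOSE header of the returned ID token (no signature check here) to see
    which key id (kid) and algorithm (alg) a verifier must use before trusting its claims."""
    segment = id_token.split(".")[0]
    padded = segment + "=" * (-len(segment) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))
```

The body produced by `token_request` is byte-for-byte what the three `-d` options above send, including the `%3A%2F%2F` encoding of the redirect URI.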
Next Steps
This concludes the basic “Getting started” track. Head over to the summary article that also covers further suggested reading on additional advanced configuration and integration options.