Test using cURL

There are several ways to test an OAuth flow and different tools that can be used in the process. In this article we will take a look at how to use cURL and a browser to run through the Code Flow.

Retrieve a code

Start in the browser, the following example URL will result in the Authenticator configured for the www client to be triggered. The response_type indicates that we want a code and we have to provide a redirect_uri that matches what has been configured in the client in Curity.

https://localhost:8443/oauth/v2/oauth-authorize?client_id=www&response_type=code&redirect_uri=https://localhost/callback&scope=openid

The username-password authenticator created previously is configured to be used with the client we created. If an account is available, use it to log in. If this is the first time running though this test chances are that no account exists.

The username/password authenticator can handle registration.

Click Create Account, on the next screen, fill out the information for the new account. Username, email and password are mandatory fields. Click the Create account button.

When the account creation is complete there is an option to Return to login.

After a successful authentication the browser redirects to a URL that looks like this:

https://localhost/callback?code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb&session_state=DvrfPGQ5NmQiQHRUKRsSA5bKq7ccEtdWQPFP1rvu89Y%3D.cH1KuVFQm8Sv

The part we need for the next step is the code k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb.

Redeem Authorization Code

The next step in the code flow is a POST to the token endpoint of the Curity Identity Server. Here we need to also authenticate the client. The client we use is configured to use secret as the authentication mechanism, so we can simply add -u www:Password1 to our request.

We also send the grant_type, redirect_uri, code and as url encoded parameters.

curl -Ssk \
https://localhost:8443/oauth/v2/oauth-token \
-u www:Password1 \
-d grant_type=authorization_code \
-d redirect_uri=https%3A%2F%2Flocalhost%2Fcallback \
-d code=k6sdxUQjtZiaDjAJsH2bDWBwknZ6XXjb

The response looks something like this:

{
  "id_token": "eyJraWQiOiI4NzQ1ODQ3NTQiLCJ4NXQiOiJFbTlmdFpuVnFxQzdVVkxhTGJ2Y2M1ZkhPT2ciLCJhbGciOiJSUzI1NiJ9.eyJleHAiOjE2MDUzMTAyMzYsIm5iZiI6MTYwNTMwNjYzNiwianRpIjoiODY4NDM0Y2YtMGY4Zi00OTNhLTliNGEtNDgzNDhmNGJjZmY1IiwiaXNzIjoiaHR0cHM6Ly9pZ2dib20tY3VyaXR5Lm5ncm9rLmlvL29hdXRoL3YyL29hdXRoLWFub255bW91cyIsImF1ZCI6Ind3dyIsInN1YiI6ImE5NmQ2MjEwOGYwYzllNThkMGYzZTI2ZWM0MmQ1ODMzMDUxZDI2MjMwYTlhOTQ2MDFjOTg5NzZhMDNjMjA3NDQiLCJhdXRoX3RpbWUiOjE2MDUzMDU2OTAsImlhdCI6MTYwNTMwNjYzNiwicHVycG9zZSI6ImlkIiwiYXRfaGFzaCI6IjNPZWtnMk9MVUdaOWp0NXYxUTVCY1EiLCJkZWxlZ2F0aW9uX2lkIjoiZDJjZGUyNWYtN2M3Ny00ZDk2LTkwNmQtMjhmMTVlMTRhZjQxIiwiYWNyIjoidXJuOnNlOmN1cml0eTphdXRoZW50aWNhdGlvbjpodG1sLWZvcm06dXNlcm5hbWUtcGFzc3dvcmQiLCJhenAiOiJ3d3ciLCJhbXIiOiJ1cm46c2U6Y3VyaXR5OmF1dGhlbnRpY2F0aW9uOmh0bWwtZm9ybTp1c2VybmFtZS1wYXNzd29yZCIsInNpZCI6IlJCV29vaFpJZ1Y2UFIzcVEifQ.PhWxwlWeJbgNQCk4Vz7OiijOE0njN6IMdPCeGWKtT_kFs9HBw10QVmmgiG74tu-WHG2TOedsl6o_k3xaOgwptvSXlwlM7P5EK_AJAegYqzQtA32m7RcuPT3vn7_1aPcy2K-cbiWDaF7DI-g5SfPIKIbFFFVF0eVMR53VW2uDk55VhIVdkhSKIL8_jNZu__sl_PGLyNtFxBYeVmgad18FClWGStsRy0pqhlvtwVKZglyipBFpce0JdPIs2TenjtkzoBEilerAj1TkA8Sth3G_3NHHtteI8HDXtKTJGg3DhjTozoeerWAQDI-yt1LPhNdZtpn_GuxOP4SN_HGlczOf5Q",
  "token_type": "bearer",
  "access_token": "664c267a-5a84-4cb4-a1e9-7301759cee01",
  "refresh_token": "000789a1-31d4-4db5-895e-8f4ff2544314",
  "scope": "openid",
  "expires_in": 300
}

We have now received an Access Token, a Refresh Token and an ID Token. The ID token is issued thanks to the fact that we requested the openid scope.

Next Steps

This concludes the basic “Getting started” track. Head over to the summary article that also covers further suggested reading on additional advanced configuration and integration options.