Practice Authorization Grant Flows
Last updated
This is the getting-started lab for testing the basic OAuth 2.0 authorization grants:
Client Credentials
Authorization Code
Authorization Code with PKCE
As part of this we can also achieve the following targets:
Make sure the custom Spring Authorization Server project is cloned and working as expected (see Setup)
Get to know the tools to execute Http requests
Curl
Httpie
Postman
Make sure you have set up all projects as described in the Setup section.
The first grant type we will evaluate here is the OAuth 2.0 Client Credentials Grant.
The required parameters for the client credentials grant are shown here:

Parameter        Value
token url        http://localhost:9000/oauth2/token
grant_type       client_credentials
client_id        demo-client
client_secret    secret
scope            openid
To retrieve an access token using curl use the following command in a terminal:
This should return a response similar to this one:
To retrieve an access token using httpie use the following command in a terminal:
This should return a response similar to the one for curl.
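The same token request, built and checked by hand in Python as an added example (this is not code from the lab or from the Spring Authorization Server project; the lab itself uses curl, httpie and Postman). It assumes only the values from the table above: the token endpoint, the registered client demo-client with secret secret, and scope openid. Client authentication uses HTTP Basic (client_secret_basic), which is what curl's -u option sends; the JWT decoder below reads claims without verifying the signature and is meant for inspecting a token during the lab, not for trusting it.

```python
"""Client credentials grant against the lab's Spring Authorization Server.

Added example, not part of the original lab. Assumes the token endpoint and
the demo-client / secret registration from the lab's parameter table.
"""
import base64
import json
import urllib.parse
import urllib.request

TOKEN_URL = "http://localhost:9000/oauth2/token"
CLIENT_ID = "demo-client"
CLIENT_SECRET = "secret"
SCOPE = "openid"


def client_credentials_request(token_url=TOKEN_URL, client_id=CLIENT_ID,
                               client_secret=CLIENT_SECRET, scope=SCOPE):
    """Build the token request: HTTP Basic client authentication plus a
    form-encoded body (the equivalent of curl -u demo-client:secret
    --data 'grant_type=client_credentials&scope=openid')."""
    credentials = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {credentials}",
        "Content-Type": "application/x-www-form-urlencoded",
        "Accept": "application/json",
    }
    body = urllib.parse.urlencode({"grant_type": "client_credentials", "scope": scope})
    return token_url, headers, body


def parse_token_response(raw):
    """Check the fields RFC 6749 requires in a successful token response."""
    data = json.loads(raw)
    if "error" in data:
        raise RuntimeError(f"token endpoint error: {data['error']}: "
                           f"{data.get('error_description', '')}")
    for field in ("access_token", "token_type"):
        if field not in data:
            raise ValueError(f"token response is missing '{field}'")
    if data["token_type"].lower() != "bearer":
        raise ValueError(f"unexpected token_type {data['token_type']!r}")
    return data


def jwt_claims(access_token):
    """Decode the payload of a JWT-formatted access token WITHOUT verifying
    its signature: fine for looking at scope/exp in the lab, never a basis
    for an authorization decision. Returns None for an opaque token."""
    parts = access_token.split(".")
    if len(parts) != 3:
        return None
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def fetch_token(**kwargs):
    """Send the request to the running authorization server (lab only)."""
    url, headers, body = client_credentials_request(**kwargs)
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=5) as resp:
        return parse_token_response(resp.read().decode())


# Constructed sample response: shape of a real answer, values invented here.
_SAMPLE_CLAIMS = {"sub": "demo-client", "scope": ["openid"], "exp": 1700000300}
_SAMPLE_PAYLOAD = base64.urlsafe_b64encode(
    json.dumps(_SAMPLE_CLAIMS).encode()).rstrip(b"=").decode()
SAMPLE_RESPONSE = json.dumps({
    "access_token": "eyJhbGciOiJSUzI1NiJ9." + _SAMPLE_PAYLOAD + ".signature",
    "token_type": "Bearer",
    "expires_in": 299,
    "scope": "openid",
})

if __name__ == "__main__":
    url, headers, body = client_credentials_request()
    print("POST", url, body)
    token = parse_token_response(SAMPLE_RESPONSE)
    print(jwt_claims(token["access_token"]))
```

Run it as-is to see the request that curl and httpie send and how a response is checked; call fetch_token() while the lab server is up to get a real token.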
To get an access token via the client credentials grant using Postman, just create a new request (the request URL is not important). Then switch to the Authorization tab, select OAuth 2.0 in the Type drop-down box and fill in the request details.
Now click the Get New Access Token button; this opens the following dialog.
The authorization code grant is the flow most commonly used by today's applications adopting OAuth 2.0.
The flow starts with the authorization request, which redirects the browser to the authorization server. There the user logs in with their credentials and approves the consent page.
After a successful login, the authorization server sends a 302 HTTP redirect carrying the authorization code back through the browser to the callback endpoint provided by the client application.
The client application then sends a token request to the authorization server to exchange the authorization code for an access token.
This grant cannot be performed in curl or httpie because of the interactive process of this grant flow requiring the user to manually log in using a web form.
The required parameters for the authorization code grant are shown here:

Parameter          Value
authorization url  http://localhost:9000/oauth2/authorize
token url          http://localhost:9000/oauth2/token
grant_type         code
client_id          demo-client
client_secret      secret
scope              openid
redirect_uri       http://127.0.0.1:9095/client/callback
To get an access token via the authorization code grant using Postman, just create a new request (the request URL is not important). Then switch to the Authorization tab and select OAuth 2.0 in the Type drop-down box.
Here, select Authorization Code in the Grant Type drop-down box, then fill in the details of the Postman view shown using the required data from the table above and click Request Token. You may also switch on the Authorize using browser check box; Postman then uses your web browser for the redirects instead of its own window.
Then you should see the response in Postman:
According to the OAuth2 specification:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
Spring Authorization Server uses an even shorter authorization code lifetime of 5 minutes by default. So you only have 5 minutes to grab the authorization code from the web browser and exchange it for a token!
The required parameters for the authorization code grant + PKCE are shown here:

Parameter          Value
authorization url  http://localhost:9000/oauth2/authorize
token url          http://localhost:9000/oauth2/token
grant_type         code
client_id          demo-client-pkce
scope              openid
redirect_uri       http://127.0.0.1:9095/client/callback
You might notice that the client_secret is no longer required. With PKCE the static client_secret is replaced by credentials generated fresh for every authorization request: the code verifier and the code challenge derived from it, which bind the token request to the authorization request that started the flow.
To use this slightly changed and (security-wise) improved grant flow in Postman, just select Authorization Code (with PKCE) in the Grant Type drop-down box, replace the client_id with the one above and remove the client_secret value.
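The three steps of the authorization code grant described above, and the PKCE variant from this section, built by hand in Python as an added example (not code from the lab or from the Spring Authorization Server project; Postman does all of this for you). It assumes the endpoints, clients and redirect URI from the two tables: demo-client / secret for the plain grant and demo-client-pkce for PKCE. The verifier and S256 challenge follow RFC 7636, and the known test vector from Appendix B of that RFC is used as a check. Note that on the wire the token request's grant_type parameter is the literal authorization_code (RFC 6749 section 4.1.3); "code" is the response_type of the authorization request, which is what the tables' Postman setting refers to. The state parameter and its check on the callback are not in the tables but are the client's usual protection against a code injected into its callback.

```python
"""Authorization code grant, with and without PKCE, assembled step by step.

Added example, not part of the original lab. Assumes the endpoints, the
demo-client / demo-client-pkce registrations and the redirect URI from the
lab's parameter tables.
"""
import base64
import hashlib
import secrets
import urllib.parse

AUTHORIZE_URL = "http://localhost:9000/oauth2/authorize"
TOKEN_URL = "http://localhost:9000/oauth2/token"
REDIRECT_URI = "http://127.0.0.1:9095/client/callback"


def _b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_code_verifier(length_bytes: int = 32) -> str:
    """High-entropy verifier: 32 random bytes give 43 unreserved characters,
    the minimum of the 43..128 range RFC 7636 allows."""
    return _b64url(secrets.token_bytes(length_bytes))


def code_challenge(code_verifier: str) -> str:
    """S256 challenge: BASE64URL(SHA256(ASCII(code_verifier)))."""
    if not 43 <= len(code_verifier) <= 128:
        raise ValueError("code_verifier must be 43..128 characters")
    return _b64url(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_url(client_id, state, code_verifier=None, scope="openid"):
    """Step 1: the URL the client redirects the browser to. `state` is a
    random value the client keeps and compares on the callback. With PKCE
    only the challenge goes here; the verifier stays with the client."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    if code_verifier is not None:
        params["code_challenge"] = code_challenge(code_verifier)
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_URL + "?" + urllib.parse.urlencode(params)


def parse_callback(callback_url, expected_state):
    """Step 2: the browser arrives at redirect_uri?code=...&state=...;
    the code is only accepted if the state matches what was sent."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(callback_url).query)
    if query.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: authorization code dropped")
    if "error" in query:
        raise RuntimeError(query["error"][0])
    return query["code"][0]


def token_request_body(code, client_id, client_secret=None, code_verifier=None):
    """Step 3: exchange the code at TOKEN_URL. The confidential client
    proves itself with client_secret; the PKCE client sends the verifier,
    which the server hashes and compares with the challenge from step 1."""
    params = {"grant_type": "authorization_code", "code": code,
              "redirect_uri": REDIRECT_URI, "client_id": client_id}
    if client_secret is not None:
        params["client_secret"] = client_secret
    if code_verifier is not None:
        params["code_verifier"] = code_verifier
    return urllib.parse.urlencode(params)


if __name__ == "__main__":
    verifier = new_code_verifier()
    state = secrets.token_urlsafe(16)
    print("open in browser:", authorization_url("demo-client-pkce", state, verifier))
    # Constructed callback, standing in for the 302 the server sends the browser.
    code = parse_callback(REDIRECT_URI + "?code=SAMPLE-CODE&state=" + state, state)
    print("POST", TOKEN_URL, token_request_body(code, "demo-client-pkce",
                                                 code_verifier=verifier))
```

Running it prints the authorization URL to open and the token request to send within the 5-minute code lifetime; swapping demo-client-pkce for demo-client and passing client_secret="secret" instead of the verifier gives the plain authorization code exchange.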
In the next labs we won't have to create all the requests on our own, instead we will let Spring Security do the work for us.