Authorization Grant Flows in Action
Last updated
This is the getting-started lab for trying out the two simple OAuth 2.0 grants:
Client Credentials
Resource Owner Password
Along the way we also cover the following:
Make sure Keycloak is installed and working as expected
Get to know the tools for sending HTTP requests:
Curl
Httpie
Postman
Make sure you have set up Keycloak as described in the Setup section. Then, depending on which approach you chose, start Keycloak locally or via the Docker image.
The first grant type we will evaluate here is the OAuth 2.0 Client Credentials Grant.
The required parameters for the client credentials grant are shown here:

Parameter     | Value
------------- | --------------------------------------
token url     |
grant_type    | client_credentials
client_id     | library-client
client_secret | 9584640c-3804-4dcd-997b-93593cfb9ea7
scope         | library_user email profile
To retrieve an access token using curl use the following command in a terminal:
This should return a response similar to this one:
To retrieve an access token using httpie use the following command in a terminal:
This should return a response similar to the one for curl.
To get an access token via the client credentials grant using postman just create a new request (the request url is not important). Then switch to the Authorization tab and select OAuth 2.0 in the Type drop down box.
Now click on the button Get New Access Token, this will open the following dialog.
Here, select Client Credentials in the Grant Type drop down box, then fill in the details of the Postman view shown using the required data above and click Request Token.
Then you should see the response in Postman:
The next grant type we will evaluate here is the OAuth 2.0 Resource Owner Password Credentials Grant.
The required parameters for the resource owner password credentials grant are shown here:

Parameter     | Value
------------- | --------------------------------------
token url     |
grant_type    | password
client_id     | library-client
client_secret | 9584640c-3804-4dcd-997b-93593cfb9ea7
scope         | library_user email profile
username      | bwayne
password      | wayne
To retrieve an access token using curl use the following command in a terminal:
This should return a response similar to this one:
To retrieve an access token using httpie use the following command in a terminal:
This should return a response similar to the one for curl.
To get an access token via the resource owner password credentials grant using Postman just create a new request (the request URL is not important). Then switch to the Authorization tab and select OAuth 2.0 in the Type drop down box.
Now click on the button Get New Access Token, this will open the following dialog.
Here, select Password Credentials in the Grant Type drop down box, then fill in the details of the Postman view shown using the required data above and click Request Token.
Then you should see the response in Postman:
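The client credentials and password token requests from the curl and httpie steps above, as an added example written with Python's standard library (this is not the lab's own code). The token endpoint URL and realm name are assumptions, since the page does not show them; the block also decodes the payload of the returned JWT so you can see how scope and username end up as claims.

```python
# Added example (not the lab's own command): obtain a token for the client
# credentials or password grant with Python's standard library, then look at
# the claims inside the returned access token.
import base64
import json
import urllib.parse
import urllib.request

# Assumed token endpoint (realm name is a placeholder; the page does not show it).
TOKEN_URL = "http://localhost:8080/auth/realms/workshop/protocol/openid-connect/token"
CLIENT_ID = "library-client"
CLIENT_SECRET = "9584640c-3804-4dcd-997b-93593cfb9ea7"   # lab secret from the page
SCOPE = "library_user email profile"


def token_request_form(grant_type, username=None, password=None):
    """Form fields for the token endpoint; the password grant additionally
    carries the resource owner's username and password."""
    form = {"grant_type": grant_type, "client_id": CLIENT_ID,
            "client_secret": CLIENT_SECRET, "scope": SCOPE}
    if grant_type == "password":
        if not (username and password):
            raise ValueError("password grant needs username and password")
        form.update(username=username, password=password)
    elif grant_type != "client_credentials":
        raise ValueError("unsupported grant_type: " + grant_type)
    return form


def request_token(form, token_url=TOKEN_URL):
    """POST the form as application/x-www-form-urlencoded, return the JSON reply."""
    req = urllib.request.Request(token_url, data=urllib.parse.urlencode(form).encode(),
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


def decode_jwt_payload(token):
    """Decode a JWT's payload WITHOUT checking the signature: fine for
    inspecting exp/scope in the lab, never for trusting claims on a
    resource server (that needs signature verification against Keycloak's keys)."""
    payload_b64 = token.split(".")[1]
    payload_b64 += "=" * (-len(payload_b64) % 4)     # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload_b64))


if __name__ == "__main__":
    reply = request_token(token_request_form("password", "bwayne", "wayne"))
    print(json.dumps(decode_jwt_payload(reply["access_token"]), indent=2))
```

Swap the `"password", "bwayne", "wayne"` arguments for `"client_credentials"` to run the first grant instead.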
The authorization code grant is the flow used by most of today's applications adopting OAuth 2.0. It runs in these steps:
1. The flow starts with the authorization request, which redirects the browser to the authorization server.
2. There the user logs in with their credentials and approves the consent page.
3. After a successful login the authorization server answers with an HTTP 302 redirect carrying the authorization code; the browser follows it to the callback endpoint (the redirect URI) provided by the client application.
4. The client application now sends a token request to the authorization server to exchange the authorization code for an access token.
This grant cannot be carried out completely in curl or httpie, because the flow is interactive: the user has to log in manually through a web form.
So for this grant flow you have two possibilities:
1. Use Postman (Postman is able to manage this grant completely).
2. Use the web browser and then curl or httpie:
   a) First create the authorization request and paste it as the URL into the web browser.
   b) Grab the authorization code from the redirect URL shown in the web browser.
   c) Then create the token request using curl or httpie.
To get an access token via the authorization code grant using postman just create a new request (the request url is not important). Then switch to the Authorization tab and select OAuth 2.0 in the Type drop down box.
Now click on the button Get New Access Token, this will open the following dialog.
Here, select Authorization Code in the Grant Type drop down box, then fill in the details of the Postman view shown using the required data above and click Request Token. You may also switch on Authorize using browser check box, then Postman uses your web browser for the redirects instead of its own window.
Then you should see the response in Postman:
To achieve the same with curl, first copy this authorization request into the address bar of your web browser:
Now log in as bwayne/wayne. You should then get an error message in the browser (because the callback address of the redirect cannot be reached). The important part is the URL now shown in the browser's address bar:
Just copy the code parameter:
code=b646d53e-8f12-42ee-bff4-e8db1fb5874f.8d475e5d-d096-42f9-9f0b-8ae9de7406e0.58f0efec-2e91-4c63-823f-85280996f8a5
and use it in the curl request to get an access token:
As the response you should get an access token.
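The browser-plus-curl variant just described, as an added Python example (not the lab's own code): it builds the authorization request to paste into the browser, pulls the code out of the redirect URL and only accepts it when the state parameter matches the one the client sent (the page's request does not mention state; it is the standard way to tie the redirect back to your own request), and produces the form fields that the curl token request POSTs. The authorization endpoint, realm name and redirect URI are placeholders, since the page does not show them.

```python
# Added example (not the lab's own code): the browser + curl variant of the
# authorization code flow as Python functions. The form fields produced at the
# end are what the curl token request POSTs.
import secrets
import urllib.parse

# Assumed Keycloak authorization endpoint and client redirect URI (placeholders).
AUTH_URL = "http://localhost:8080/auth/realms/workshop/protocol/openid-connect/auth"
REDIRECT_URI = "http://localhost:9090/library-client/callback"
CLIENT_ID = "library-client"
CLIENT_SECRET = "9584640c-3804-4dcd-997b-93593cfb9ea7"   # lab secret from the page


def build_authorization_request(state, scope="library_user email profile"):
    """URL to paste into the browser. 'state' is a random per-request value the
    client remembers, so a redirect carrying someone else's code is rejected."""
    query = {"response_type": "code", "client_id": CLIENT_ID,
             "redirect_uri": REDIRECT_URI, "scope": scope, "state": state}
    return AUTH_URL + "?" + urllib.parse.urlencode(query)


def extract_authorization_code(redirect_url, expected_state):
    """Pull the code out of the URL the browser shows after login; refuse the
    redirect if it reports an error, the state does not match, or code is missing."""
    params = urllib.parse.parse_qs(urllib.parse.urlparse(redirect_url).query)
    if "error" in params:
        raise RuntimeError("authorization failed: " + params["error"][0])
    if params.get("state", [None])[0] != expected_state:
        raise RuntimeError("state mismatch: redirect does not belong to this request")
    if "code" not in params:
        raise RuntimeError("no authorization code in redirect URL")
    return params["code"][0]


def build_token_request(code):
    """Form fields for the token request. redirect_uri must repeat the value from
    the authorization request; the code is single-use and expires quickly."""
    return {"grant_type": "authorization_code", "code": code,
            "redirect_uri": REDIRECT_URI,
            "client_id": CLIENT_ID, "client_secret": CLIENT_SECRET}


if __name__ == "__main__":
    state = secrets.token_urlsafe(16)
    print("Open this in the browser and log in:", build_authorization_request(state))
    landed = input("Paste the redirect URL from the address bar: ")
    print(urllib.parse.urlencode(build_token_request(extract_authorization_code(landed, state))))
```

The printed form body can be sent with `curl -d` to the token endpoint exactly like the curl request above; remember the 2-minute code lifetime.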
According to the OAuth2 specification:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
Keycloak uses a really short authorization code lifetime of 2 minutes by default. So you only have 2 minutes to grab the authorization code from the web browser and copy it to the curl request!
In the next labs we won't have to create all the requests on our own, instead we will let Spring Security do the work for us.