This is the getting started lab for testing the simpler OAuth 2.0 authorization grants:
- Client Credentials
- Authorization Code
- Authorization Code with PKCE

As part of this we also achieve the following targets:
- Make sure the custom Spring Authorization Server project is cloned and working as expected (see Setup)
- Get to know the tools to execute HTTP requests:
  - Curl
  - Httpie
  - Postman

Make sure you have set up all projects as described in the Setup section.
The first grant type we will evaluate here is the OAuth 2.0 Client Credentials Grant.
The required parameters for the client credentials grant are shown here:
Parameter | Value |
---|---|
token url | http://localhost:9000/oauth2/token |
grant_type | client_credentials |
client_id | demo-client |
client_secret | secret |
scope | openid |
To retrieve an access token using curl, run the following command in a terminal:

```shell
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=client_credentials&client_id=demo-client&client_secret=secret" \
  http://localhost:9000/oauth2/token
```
This should return a response similar to this one:

```json
{
  "access_token": "eyJhbGciOiJSUzI1NiIsI...",
  "expires_in": 300,
  "refresh_expires_in": 1800,
  "refresh_token": "eyJhbGciOiJIUzI1N...",
  "token_type": "bearer",
  "scope": "openid ..."
}
```
To retrieve an access token using httpie, run the following command in a terminal:

```shell
http --form POST http://localhost:9000/oauth2/token \
  grant_type='client_credentials' client_id='demo-client' client_secret='secret'
```

This should return a response similar to the one for curl.
To get an access token via the client credentials grant using Postman, just create a new request (the request URL is not important). Then switch to the Authorization tab, select OAuth 2.0 in the Type drop-down box and fill in the request details.
Now click on the button Get New Access Token; this opens the following dialog.
The authorization code grant is the flow most commonly used in today's applications adopting OAuth 2.0.
- The flow starts with the authorization request, which redirects the browser to the authorization server. Here the user logs in with their credentials and approves the consent page.
- After a successful login, a 302 HTTP redirect carrying the authorization code is sent back to the browser, which then redirects to the callback endpoint provided by the client application.
- Now the client application sends a token request to the authorization server to exchange the authorization code for an access token.

This grant cannot be performed with curl or httpie alone because the flow is interactive: the user has to log in manually using a web form.
The required parameters for the authorization code grant are shown here:
Parameter | Value |
---|---|
authorization url | http://localhost:9000/oauth2/authorize |
token url | http://localhost:9000/oauth2/token |
grant_type | code |
client_id | demo-client |
client_secret | secret |
scope | openid |
redirect_uri | http://127.0.0.1:9095/client/callback |
To get an access token via the authorization code grant using Postman, just create a new request (the request URL is not important). Then switch to the Authorization tab and select OAuth 2.0 in the Type drop-down box.
Here, select Authorization Code in the Grant Type drop-down box, fill in the details of the Postman view shown using the required data from the table above and click Request Token. You may also switch on the Authorize using browser check box; Postman then uses your web browser for the redirects instead of its own window.
Then you should see the response in Postman:
According to the OAuth2 specification:
The authorization code MUST expire shortly after it is issued to mitigate the risk of leaks. A maximum authorization code lifetime of 10 minutes is RECOMMENDED. The client MUST NOT use the authorization code more than once.
Spring Authorization Server uses a really short authorization code lifetime of 5 minutes by default. So you only have 5 minutes to grab the authorization code from the web browser and exchange it for a token!
The required parameters for the authorization code grant + PKCE are shown here:
Parameter | Value |
---|---|
authorization url | http://localhost:9000/oauth2/authorize |
token url | http://localhost:9000/oauth2/token |
grant_type | code |
client_id | demo-client-pkce |
scope | openid |
redirect_uri | http://127.0.0.1:9095/client/callback |
You might notice that the client_secret is no longer required. This is because with PKCE the static client_secret credential is replaced by dynamically generated and calculated credentials (the code verifier and the code challenge derived from it).
To use this slightly changed and (security-wise) improved grant flow in Postman, just select Authorization Code (with PKCE) in the Grant Type drop-down box, replace the client_id with the one above and remove the client_secret value.
In the next labs we won't have to create all the requests ourselves; instead we will let Spring Security do the work for us.