This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

OAuth Request Path Authenticator

The OAuth Request Path Authenticator is engaged when an access token is sent along with a request for authentication. If the access token is valid, the user is authenticated by the authentication framework and the corresponding response builder takes over. The access token can be sent to the OAuth request path authenticator in two ways.

  • As a header in the authentication request:"Authorization: Bearer <access_token>"
  • As a query parameter in the request URL: "&token=<access_token>" 

For more information on Request Path Authentication in general, see Request Path Authentication.

Using the authorization header

  1. Start the IS server and login to the management console.
  2. Navigate to Service Providers>Add, enter a name for the new service provider and click Add. 
  3. Expand the Inbound Authentication Configuration section, then the OAuth2/OpenID Connect Configuration and click Configure. For more information, see Configuring OAuth/OpenID Connect

    Use the following Callback URL when configuring OAuth: https://curl-app/callback.

  4. Click Add and take note of the Client Key that is generated as you will need this later on. 
  5. Expand the Local & Outbound Authentication Configuration section and then the Request Path Authentication Configuration section. 
  6. Select oauth-bearer from the dropdown and click Add.
  7. Click Update to save changes to the service provider. 

  8. Use the following cURL command to get a valid token using password grant type. Replace the <CLIENT_ID>:<CLIENT_SECRET> tags with the client key and client secret of your service provider. 

    Request
    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=USERNAME&password=PASSWORD" https://localhost:9443/oauth2/token
    Response
    {"token_type":"Bearer","expires_in":2655,"refresh_token":"2f03de95b8e196f78c94d07c23c9ef0a","access_token":"7ee57bc28a3336ccb7818b499941e4e4"}
  9.   Send a cURL request using the access token you received as a response for step1 in the authorization header, to the token endpoint. Replace the <CLIENT_ID> and <REDIRECT_URI> tags with the relevant values. 

    Request
    curl -v -X POST -H "Authorization: Bearer 7ee57bc28a3336ccb7818b499941e4e4" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=openid"  https://localhost:9443/oauth2/authorize
    Response
    Location: https://curl-app/callback?code=37c79c505960e90d5b25f62ce760c98c&session_state=6d1a72e0f3f6392d6648ec5e6ed0
  10. Use the following cURL command to get an access token using the authorization code received in step2. Replace the <CLIENT_ID>:<CLIENT_SECRET>,<CLIENT_ID> and <REDIRECT_URI> tags with the relevant values.


    Request
    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET>  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&code=37c79c505960e90d5b25f62ce760c98c&scope=openid" https://localhost:9443/oauth2/token
    Response
    { "scope":"openid", "token_type":"Bearer", "expires_in":3600, "refresh_token":"70f202ca2e4ecf571d0b6d2e49af8f3a", "id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjA0NTkzMTYsImV4cCI6MTQ2MDQ2MjkxNiwic3ViIjoiYWRtaW4iLCJhenAiOiJlN2VrQldVTVBITnFTNU5WQmhxNGhmNWZqMkVhIiwiYXRfaGFzaCI6IkhCWFVKQW50LWFMV3JxQlZJcTFoV2ciLCJhdWQiOlsiZTdla0JXVU1QSE5xUzVOVkJocTRoZjVmajJFYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjA0NTkzMTZ9.PiqVn7B2vuICHmodnn9udjQrvGqRR-PZr-M8x8Xijg0bnAvzXY4hxqZ5luaLitBH2IgQ5p0Rh_gjPI7TWcQA7AK3iBCp7c29QY78hSSqt38_iG5bC0MYWoluH-jg5f3iyJ3aQ-DPAZexCXxEv65RPF5EDNfhA0fUFcsu79cb89k", "access_token":"7d6c01fb6bfaca22f01d9a24219cce45" }

Using the request URL

  •  To try out request path authentication by sending the access token as a query parameter in the request URL with the WSO2 Playground sample, see Try Request Path Authentication.