Basic Auth Request Path Authentication

The Basic Authentication Request Path Authenticator is engaged when user credentials (username and password) are sent along with a request for authentication. If the user credentials are valid, the user is authenticated by the authentication framework and the corresponding response builder takes over. The user credentials can be sent to the Basic Auth request path authenticator in two ways.

As a header in the authentication request:"Authorization: Basic <base64 encoded username:password>"
As a query parameter in the request URL:"&sectoken=<base64 encoded username:password>"
As a POST parameter in the form body: "sectoken=<base64 encoded username:password>"

For more information on Request Path Authentication in general, see Request Path Authentication.

Prerequisite

In order to get the authorization code using request path authentication, you have to either provide "approve always" consent before sending the request or configure the <SkipUserConsent> value in the <IS_HOME>/repository/conf/identity/identity.xml file to true. If you change the identity.xml file, you must send a prompt attribute with value none in the authorization request.

Using the authorization header

Start the IS server and login to the management console.
Navigate to Service Providers>Add, enter a name for the new service provider and click Add.
Expand the Inbound Authentication Configuration section, then the OAuth2/OpenID Connect Configuration and click Configure. For more information, see Configuring OAuth/OpenID Connect.

Use the following Callback URL when configuring OAuth: https://curl-app/callback.
Click Add and take note of the Client Key that is generated as you will need this later on.
Expand the Local & Outbound Authentication Configuration section and then the Request Path Authentication Configuration section.
Select basic-auth from the dropdown and click Add.
Click Update to save changes to the service provider.

Send a cURL request with the <SEC_TOKEN> in the authorization header, to the token endpoint. Replace the <SEC_TOKEN>,CLIENT_ID> and <REDIRECT_URI> tags with the relevant values.

The <SEC_TOKEN> in the Authorize Endpoint will be the username:password in Base64 encoded format. You can use a Base64 encoder to encode this. For instance, the username and password admin:admin, is "YWRtaW46YWRtaW4=".

Request

curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "response_type=code&client_id=OGeIUgBy60JLvXM7TX4f3ypMwl4a&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid&prompt=none"  http://localhost:9763/oauth2/authorize?sectoken=YWRtaW46YWRtaW4=

Response

Location: http://localhost:8080/playground2/oauth2client?code=8a498de9-1f5d-3bd0-a3c9c06be6e08151&session_state=61cd6d0ac6f73bf2bab6f5d710d446c6592b6bedb01c240c1377312118f3e186.N92JLOL5gufcXSwxh2V4xg

Using the request URL

To try out request path authentication by sending the user credentials as a query parameter in the request URL with the WSO2 Playground sample, see Try Request Path Authentication.

If you apply the 3685 WUM update for WSO2 IS 5.7.0, SSO can be applied even when both the basic authenticator and the request path authenticator are used.

You can deploy a WUM update into production only if you have a paid subscription. If you do not have a paid subscription, you can use this feature when the next version of WSO2 Identity Server is released.

To configure this, add AuthMechanism as a parameter within both BasicAuthenticator and BasicAuthRequestPathAuthenticator in the application-authentication.xml file in <CARBON_HOME>/repository/conf/identity and define both the values as basic as shown below. This configuration is enabled by default.

<AuthenticatorConfig name="BasicAuthenticator" enabled="true">   
   <Parameter name="AuthMechanism">basic</Parameter> 
</AuthenticatorConfig>
<AuthenticatorConfig name="BasicAuthRequestPathAuthenticator" enabled="true" >
   <Parameter name="AuthMechanism">basic</Parameter>
</AuthenticatorConfig>