OAuth Request Path Authenticator

The OAuth Request Path Authenticator is engaged when an access token is sent along with a request for authentication. If the access token is valid, the user is authenticated by the authentication framework and the corresponding response builder takes over. The access token can be sent to the OAuth request path authenticator in two ways.

• As a header in the authentication request:"Authorization: Bearer <access_token>"
• As a query parameter in the request URL: "&token=<access_token>" 

Using the authorization header

1. Start the IS server and login to the management console.
2. Navigate to Service Providers>Add, enter a name for the new service provider and click Add. 

3. Expand the Inbound Authentication Configuration section, then the OAuth2/OpenID Connect Configuration and click Configure. For more information, see Configuring OAuth/OpenID Connect. 

   Use the following Callback URL when configuring OAuth: https://curl-app/callback.

4. Click Add and take note of the Client Key that is generated as you will need this later on. 
   
5. Expand the Local & Outbound Authentication Configuration section and then the Request Path Authentication Configuration section. 
6. Select oauth-bearer from the dropdown and click Add.
   

7. Click Update to save changes to the service provider. 

8. Use the following cURL command to get a valid token using password grant type. Replace the <CLIENT_ID>:<CLIENT_SECRET> tags with the client key and client secret of your service provider. 

   Request

   curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=USERNAME&password=PASSWORD" https://localhost:9443/oauth2/token

   Response

   {"token_type":"Bearer","expires_in":2655,"refresh_token":"2f03de95b8e196f78c94d07c23c9ef0a","access_token":"7ee57bc28a3336ccb7818b499941e4e4"}

9.   Send a cURL request using the access token you received as a response for step1 in the authorization header, to the token endpoint. Replace the <CLIENT_ID> and <REDIRECT_URI> tags with the relevant values. 

   Request

   curl -v -X POST -H "Authorization: Bearer 7ee57bc28a3336ccb7818b499941e4e4" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=openid"  https://localhost:9443/oauth2/authorize

   Response

   Location: https://curl-app/callback?code=37c79c505960e90d5b25f62ce760c98c&session_state=6d1a72e0f3f6392d6648ec5e6ed0

10. Use the following cURL command to get an access token using the authorization code received in step2. Replace the <CLIENT_ID>:<CLIENT_SECRET>,<CLIENT_ID> and <REDIRECT_URI> tags with the relevant values.

    
    

    Request

    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET>  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&code=37c79c505960e90d5b25f62ce760c98c&scope=openid" https://localhost:9443/oauth2/token

    Response

    { "scope":"openid", "token_type":"Bearer", "expires_in":3600, "refresh_token":"70f202ca2e4ecf571d0b6d2e49af8f3a", "id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjA0NTkzMTYsImV4cCI6MTQ2MDQ2MjkxNiwic3ViIjoiYWRtaW4iLCJhenAiOiJlN2VrQldVTVBITnFTNU5WQmhxNGhmNWZqMkVhIiwiYXRfaGFzaCI6IkhCWFVKQW50LWFMV3JxQlZJcTFoV2ciLCJhdWQiOlsiZTdla0JXVU1QSE5xUzVOVkJocTRoZjVmajJFYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjA0NTkzMTZ9.PiqVn7B2vuICHmodnn9udjQrvGqRR-PZr-M8x8Xijg0bnAvzXY4hxqZ5luaLitBH2IgQ5p0Rh_gjPI7TWcQA7AK3iBCp7c29QY78hSSqt38_iG5bC0MYWoluH-jg5f3iyJ3aQ-DPAZexCXxEv65RPF5EDNfhA0fUFcsu79cb89k", "access_token":"7d6c01fb6bfaca22f01d9a24219cce45" }

Using the request URL

•  To try out request path authentication by sending the access token as a query parameter in the request URL with the WSO2 Playground sample, see Try Request Path Authentication.