OpenID Connect support with the resource owner password grant type

According to the OpenID Connect specification, the authorization code and implicit grant types are the recommended ways to make OpenID Connect requests. The specification does not, however, say that other grant types cannot be used, so you can use any other grant type for an OpenID Connect authentication request. Some OAuth2 authorization servers support the password grant type for obtaining an id_token, and there can also be custom grant types, as mentioned here.

WSO2IS also supports issuing an id_token with the password grant type. Let's see how it works.

Step 1. Register an OAuth application using the WSO2IS management console.

Important: If you are using WSO2 APIM, you do not need this step. Once you subscribe to an application, the API Store registers an OAuth subscription automatically.

Go to the service provider configuration page and register an SP application, then configure the OAuth inbound authentication details.

The callback URL can be any URL; since we are only using the password grant type, it is never used.
The OAuth consumer key and secret are generated for you.

Step 2. Send an OpenID Connect request using the password grant type. Your request would be as follows:

POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=asela&password=asela&scope=openid

The Authorization header carries the Base64-encoded client id and secret (client_id:client_secret, as in HTTP Basic authentication).

You can use a simple curl command to send the request. A sample curl command would be as follows.

curl --user ZTh12LlAv8gU0I32KgCbwM5ouJ4a:XQ789Q0mfPr7VSNpp_MHhz4Pkeka \
  -k -d "grant_type=password&username=asela&password=asela&scope=openid" \
  -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

The -k flag disables TLS certificate verification and is only acceptable here because the local test instance uses a self-signed certificate. You will receive the id_token in the response:

{"scope":"openid","token_type":"bearer","expires_in":1807,"refresh_token":"bb42f2626a3aede2f13dbc95b9b448c5",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MjU4OTM5NTMyMTUsImV4cCI6MTQyNTg5OTA0NTQyMywic3ViIjoiYXNlbGFAY2FyYm9uLnN1cGVyIiwiYXpwIjoiWlRoMTJMbEF2OGdVMEkzMktnQ2J3TTVvdUo0YSIsImF0X2hhc2giOiJNVFZrT1Rkak9UWmhabUV5TlRoa1kyTTFNVGMyTkdRMU9UVmxabU00WmpRPSIsImF1ZCI6WyJaVGgxMkxsQXY4Z1UwSTMyS2dDYndNNW91SjRhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQyNTg5NTQ0NTQyM30.EGecxRcOrtR4NAuWel-6Rx6jrI759Y9Jztv9TrPfLcLlBFBQWIJRVfGLMUbUURs3Y0vmIH-2KCbWhFdSz_6f3Pchk3pKwrGGFiTpyVEmjE217fFT3c3Dz__tHlpJJE30DUeHKObfkZpPdv5SoRTlp3IKaM2PBwWqoLeylgaUPBs",
"access_token":"15d97c96afa258dcc51764d595efc8f4"}

You can Base64 decode the id_token and see its content. Note that the id_token is a JWT, which consists of a header, a body and a signature separated by dots (.). Therefore you need to split it into its three components and decode each one separately.

The decoded sample token body would be as follows:

{"auth_time":1425893953215,"exp":1425899045423,"sub":"asela@carbon.super",
"azp":"ZTh12LlAv8gU0I32KgCbwM5ouJ4a","at_hash":"MTVkOTdjOTZhZmEyNThkY2M1MTc2NGQ1OTVlZmM4ZjQ=",
"aud":["ZTh12LlAv8gU0I32KgCbwM5ouJ4a"],"iss":"https://localhost:9443/oauth2endpoints/token",
"iat":1425895445423}
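The splitting and decoding just described, carried a step further into the checks a relying party should run on the decoded body, as an added Python example (not code from the original post or from WSO2): it separates header.body.signature on the dots, restores the Base64url padding, and then validates iss, aud/azp, exp and the at_hash binding to the access_token. It assumes the server computes at_hash as OIDC Core specifies for RS256 (left half of SHA-256), builds a constructed token with a placeholder signature, and leaves RS256 signature verification against the server's public key to the caller.

```python
import base64
import hashlib
import json
import time

def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def split_id_token(id_token: str):
    """Separate header.body.signature on the dots; header and body are JSON, the signature is raw bytes."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token must have exactly three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), b64url_decode(parts[2])

def expected_at_hash(access_token: str) -> str:
    """OIDC Core 3.1.3.6 for RS256: base64url of the left-most 128 bits of SHA-256(access_token)."""
    return b64url_encode(hashlib.sha256(access_token.encode("ascii")).digest()[:16])

def validate_claims(payload: dict, issuer: str, client_id: str, access_token=None, now=None) -> list:
    """Return the failed checks (empty list = claims acceptable). Run this only after the RS256
    signature has been verified against the server's public key; unverified claims prove nothing."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append("client_id not in aud")
    if len(aud) > 1 and payload.get("azp") != client_id:
        problems.append("azp missing for multi-audience token")
    exp = payload.get("exp", 0)
    if exp > 10**11:  # 13-digit timestamps like this page's sample are milliseconds; the spec uses seconds
        exp /= 1000
    if exp <= now:
        problems.append("token expired")
    if access_token is not None and payload.get("at_hash") != expected_at_hash(access_token):
        problems.append("at_hash does not match access_token")
    return problems

def build_sample_token(payload: dict) -> str:
    """Constructed JWT with a placeholder signature, only to exercise the parser above (not a real token)."""
    header = b64url_encode(json.dumps({"alg": "RS256"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.{b64url_encode(b'fake-sig')}"
```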

Step 3. Retrieve user attributes. You can also retrieve the user's attributes by calling the /userinfo endpoint. Your request would be as follows:

GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4

A sample curl command for it:

curl -k -H "Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4" "https://localhost:9443/oauth2/userinfo?schema=openid"

The user's attributes are returned as a JSON response:

{"phone_number":"+94777625933","email":"[email protected]",
"name":"asela","family_name":"Pathberiya","preferred_username":"asela",
"given_name":"asela","country":"United States"}

Thanks for reading…