According to the OpenID Connect specification, the authorization code and implicit grant types are the recommended ways to make OpenID Connect requests, but the specification does not say that other grant types cannot be used. Therefore you can use other grant types for an OpenID Connect authentication request. Some OAuth2 authorization servers support the password grant type for obtaining an id_token, and there can also be custom grant types, as mentioned here.
WSO2IS also supports issuing an id_token with the password grant type. Let's see how it works.
Step 1. Register an OAuth application using the WSO2IS management console.
Important: if you are using WSO2 APIM, you do not need this step. Once you subscribe an application to an API, the API Store registers the OAuth application for you automatically.
Go to the service provider configuration page and register a service provider (SP) application. Then configure the OAuth inbound authentication details.
The callback URL can be any URL; as we are only using the password grant type, it is not used here.
An OAuth consumer key and secret are generated for you.
Step 2. Send the OpenID Connect request using the password grant type. Your request would be as follows:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic czZCaGRSa3F0MzpnWDFmQmF0M2JW
Content-Type: application/x-www-form-urlencoded

grant_type=password&username=asela&password=asela&scope=openid
The Authorization header is HTTP Basic authentication: the client ID and secret, joined with a colon and Base64-encoded.
You can use a simple curl command to send the request. A sample curl command is as follows:
curl --user ZTh12LlAv8gU0I32KgCbwM5ouJ4a:XQ789Q0mfPr7VSNpp_MHhz4Pkeka -k -d "grant_type=password&username=asela&password=asela&scope=openid" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
You will receive the id_token in the response:
{
  "scope": "openid",
  "token_type": "bearer",
  "expires_in": 1807,
  "refresh_token": "bb42f2626a3aede2f13dbc95b9b448c5",
  "id_token": "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MjU4OTM5NTMyMTUsImV4cCI6MTQyNTg5OTA0NTQyMywic3ViIjoiYXNlbGFAY2FyYm9uLnN1cGVyIiwiYXpwIjoiWlRoMTJMbEF2OGdVMEkzMktnQ2J3TTVvdUo0YSIsImF0X2hhc2giOiJNVFZrT1Rkak9UWmhabUV5TlRoa1kyTTFNVGMyTkdRMU9UVmxabU00WmpRPSIsImF1ZCI6WyJaVGgxMkxsQXY4Z1UwSTMyS2dDYndNNW91SjRhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQyNTg5NTQ0NTQyM30.EGecxRcOrtR4NAuWel-6Rx6jrI759Y9Jztv9TrPfLcLlBFBQWIJRVfGLMUbUURs3Y0vmIH-2KCbWhFdSz_6f3Pchk3pKwrGGFiTpyVEmjE217fFT3c3Dz__tHlpJJE30DUeHKObfkZpPdv5SoRTlp3IKaM2PBwWqoLeylgaUPBs",
  "access_token": "15d97c96afa258dcc51764d595efc8f4"
}
You can Base64url-decode the id_token and inspect its content. Note that the id_token is a JWT: it consists of a header, a body (the claims) and a signature, separated by dots (.). Therefore you need to split it into its three components and decode each one separately.
The decoded sample token body is as follows:
{
  "auth_time": 1425893953215,
  "exp": 1425899045423,
  "sub": "asela@carbon.super",
  "azp": "ZTh12LlAv8gU0I32KgCbwM5ouJ4a",
  "at_hash": "MTVkOTdjOTZhZmEyNThkY2M1MTc2NGQ1OTVlZmM4ZjQ=",
  "aud": ["ZTh12LlAv8gU0I32KgCbwM5ouJ4a"],
  "iss": "https://localhost:9443/oauth2endpoints/token",
  "iat": 1425895445423
}
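As an added example (it is not code from the original post or from WSO2), the following Python builds the two pieces of the Step 2 request, the Basic Authorization header and the form body, and then splits and decodes the sample id_token from the response as described above, checking the iss, aud and exp claims a relying party must verify before trusting the token. It uses only the Python standard library; the client credentials and the token are the sample values from this post, embedded as constructed test data. Signature verification is deliberately left out because it needs the issuer's public key, which the post does not provide, so the decoded claims must be treated as unverified until the RS256 signature has been checked.

```python
import base64
import json
from urllib.parse import urlencode

# Sample values copied from the post (test data, not live credentials).
CLIENT_ID = "ZTh12LlAv8gU0I32KgCbwM5ouJ4a"
CLIENT_SECRET = "XQ789Q0mfPr7VSNpp_MHhz4Pkeka"
ISSUER = "https://localhost:9443/oauth2endpoints/token"
SAMPLE_ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJhdXRoX3RpbWUiOjE0MjU4OTM5NTMyMTUsImV4cCI6MTQyNTg5OTA0NTQyMywic3ViIjoiYXNlbGFAY2FyYm9uLnN1cGVyIiwiYXpwIjoiWlRoMTJMbEF2OGdVMEkzMktnQ2J3TTVvdUo0YSIsImF0X2hhc2giOiJNVFZrT1Rkak9UWmhabUV5TlRoa1kyTTFNVGMyTkdRMU9UVmxabU00WmpRPSIsImF1ZCI6WyJaVGgxMkxsQXY4Z1UwSTMyS2dDYndNNW91SjRhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQyNTg5NTQ0NTQyM30."
    "EGecxRcOrtR4NAuWel-6Rx6jrI759Y9Jztv9TrPfLcLlBFBQWIJRVfGLMUbUURs3Y0vmIH-2KCbWhFdSz_6f3Pchk3pKwrGGFiTpyVEmjE217fFT3c3Dz__tHlpJJE30DUeHKObfkZpPdv5SoRTlp3IKaM2PBwWqoLeylgaUPBs"
)


def basic_auth_header(client_id, client_secret):
    """HTTP Basic value for the token endpoint: base64("client_id:client_secret")."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def password_grant_body(username, password, scope="openid"):
    """Form-encoded password-grant body. The 'openid' scope is what makes the
    server add an id_token to the token response."""
    return urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})


def b64url_decode(segment):
    """JWT segments are unpadded base64url; restore the padding before decoding."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_id_token(token):
    """Split the JWT on '.' and decode the header and claims. The signature is
    returned as-is (still base64url); nothing here verifies it, so the claims
    are unverified until the RS256 signature is checked with the issuer's key."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    claims = json.loads(b64url_decode(payload_b64))
    return header, claims, signature_b64


def _to_seconds(ts):
    # Assumption for this sample: its exp/iat are 13-digit values, i.e.
    # milliseconds, while JWT timestamps are normally seconds. Values above
    # 10**11 are therefore treated as milliseconds so both units compare alike.
    return ts / 1000 if ts > 10**11 else ts


def check_claims(claims, expected_iss, expected_aud, now):
    """Return the reasons a relying party should reject this token; an empty
    list means the issuer, audience and expiry checks all passed."""
    problems = []
    if claims.get("iss") != expected_iss:
        problems.append("iss mismatch")
    aud = claims.get("aud", [])
    if isinstance(aud, str):
        aud = [aud]
    if expected_aud not in aud:
        problems.append("aud does not contain this client")
    if "exp" not in claims or _to_seconds(claims["exp"]) <= now:
        problems.append("token expired or exp missing")
    return problems


if __name__ == "__main__":
    print(basic_auth_header(CLIENT_ID, CLIENT_SECRET))
    print(password_grant_body("asela", "asela"))
    header, claims, _ = decode_id_token(SAMPLE_ID_TOKEN)
    print(json.dumps(header), json.dumps(claims, indent=2))
    # A time shortly after the token's iat; the sample token is long expired today.
    print(check_claims(claims, ISSUER, CLIENT_ID, now=1425895500))
```

The check uses a caller-supplied `now` rather than the wall clock so the sample token, issued in 2015, can still be exercised; in production pass the current time, verify the signature first, and reject the token on any non-empty problem list.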
Step 3. Retrieving user attributes. You can also retrieve the user's attributes by calling the /userinfo endpoint. Your request would be as follows:
GET /userinfo HTTP/1.1
Host: server.example.com
Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4
A sample curl command for it:
curl -k -H "Authorization: Bearer 15d97c96afa258dcc51764d595efc8f4" https://localhost:9443/oauth2/userinfo?schema=openid
The user's attributes are returned as a JSON response:
{
  "phone_number": "+94777625933",
  "email": "[email protected]",
  "name": "asela",
  "family_name": "Pathberiya",
  "preferred_username": "asela",
  "given_name": "asela",
  "country": "United States"
}
Thanks for reading…