Client Credentials Grant with OAuth 2.0 Playground¶
This page guides you through using a sample Playground application to try out authentication to an OAuth 2.0/OpenID Connect web application using the Client Credentials grant type.
Set up the sample application¶
Prerequisites¶
- Download Apache Tomcat 8.x and install it. The Tomcat installation directory is referred to as <TOMCAT_HOME> later in this guide.
- It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify your machine's /etc/hosts entry to reflect this.
Info
Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.
Download the sample¶
To deploy a MWARE IAM sample application, download the playground2.war file from the latest release assets.
Deploy the sample web app¶
To deploy the sample web app on a web container:
- Copy the downloaded playground2.war file into the <TOMCAT_HOME>/apache-tomcat-<version>/webapps folder.
- Start the Tomcat server.
- Access the application through this URL: http://wso2is.local:8080/playground2/oauth2.jsp
Info
By default, Tomcat runs on port 8080. If you have configured it to run on a different port, update the URL and access the playground application.
You will now be redirected to the landing page of the sample application.
Troubleshooting tip
If you see the following error, the cause is that the sample application does not ship with a keystore: after you change the Tomcat hostname, the MWARE IAM server's certificate is not present in the Java certificate store that Tomcat's JVM trusts, so the TLS handshake to MWARE IAM fails. Importing the MWARE IAM server certificate into that trust store resolves it.
javax.net.ssl.SSLHandshakeException: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target
Register a service provider¶
- On the MWARE IAM Management Console, go to Main > Identity > Service Providers and click Add.
- Enter playground2 in the Service Provider Name text box, and click Register.
- Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.
- Fill in the form that appears. By default, all Allowed Grant Types are selected; disable the grant types that are not required, so that the client can only obtain tokens through the flows you intend it to use.
Note
The custom grant type will only appear on the UI if you have configured the JWT grant type. The value specified as the name of the oauth.custom_grant_type in the deployment.toml file when creating the custom grant type is the value that will appear on the UI. For more information on writing a custom grant type, see Write a Custom OAuth 2.0 Grant Type.
- Enter the Callback Url as http://wso2is.local:8080/playground2/oauth2client.
Tip
For more information on other advanced configurations, refer to Advanced OpenID Connect.
- Click Add. Note that a client key and client secret are generated.
- Click Update.
Try Client Credentials grant¶
The following cURL command can be used to try this grant type. The -k flag disables TLS certificate verification and is only acceptable against a development server with a self-signed certificate; a production client must trust the server certificate instead. The client secret is the only thing authenticating the client in this grant, so treat it like a password and do not leave it in shell history.
Request Format
curl -v -X POST --basic -u <oauth_client_key>:<oauth_client_secret> -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=client_credentials" <token_endpoint>
Sample Request
curl -v -X POST --basic -u 7wYeybBGCVfLxPmS0z66WNMffyMa:WYfwHUsbsEvwtqmDLuaxF_VCQJwa -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=client_credentials" https://localhost:9443/oauth2/token
You will receive the following response with the access token.
{
"access_token":"16ab408c-0f31-3321-8bed-313e836df373",
"token_type":"Bearer",
"expires_in":2986
}
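A Python client for the exchange shown above, added here as an example; it is not code from the original page or from the MWARE IAM project. It builds the same request as the cURL command (HTTP Basic client authentication, form-encoded grant_type), accepts only a 200 reply carrying a Bearer access_token, and caches the token until shortly before expires_in elapses so that a service does not hit the token endpoint on every call. The endpoint URL, the placeholder credentials and the stub server reply are assumptions; the real transport keeps TLS verification on, unlike the -k flag in the cURL command.

```python
"""Client Credentials token request and caching.

Added example, not code from the original page or the MWARE IAM project.
The endpoint URL, the credentials and the stub reply below are placeholders
or constructed values.
"""
import base64
import json
import time
import urllib.error
import urllib.parse
import urllib.request


def basic_auth_header(client_key, client_secret):
    """Authorization header for client_secret_basic authentication.

    RFC 6749 section 2.3.1 form-urlencodes client_id and client_secret before
    the base64 step; curl -u does not, which only matters if a credential
    contains ':' or '%'.
    """
    pair = "{}:{}".format(urllib.parse.quote(client_key, safe=""),
                          urllib.parse.quote(client_secret, safe=""))
    return "Basic " + base64.b64encode(pair.encode("ascii")).decode("ascii")


def basic_auth_credentials(header_value):
    """Inverse of basic_auth_header: recover (client_key, client_secret)."""
    scheme, _, encoded = header_value.partition(" ")
    if scheme != "Basic":
        raise ValueError("not a Basic authorization header")
    key, _, secret = base64.b64decode(encoded).decode("ascii").partition(":")
    return urllib.parse.unquote(key), urllib.parse.unquote(secret)


def build_token_request(token_endpoint, client_key, client_secret, scope=None):
    """The cURL command above as a urllib Request: POST, form body, Basic auth."""
    form = {"grant_type": "client_credentials"}
    if scope:
        form["scope"] = scope
    body = urllib.parse.urlencode(form).encode("ascii")
    headers = {
        "Authorization": basic_auth_header(client_key, client_secret),
        "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8",
        "Accept": "application/json",
    }
    return urllib.request.Request(token_endpoint, data=body, headers=headers, method="POST")


def parse_token_response(status, body):
    """Accept only a 200 reply carrying a Bearer access_token; raise otherwise."""
    if status != 200:
        raise RuntimeError("token endpoint returned HTTP {}: {!r}".format(status, body[:200]))
    data = json.loads(body.decode("utf-8"))
    if "error" in data:
        raise RuntimeError("OAuth error: {}".format(data["error"]))
    if str(data.get("token_type", "")).lower() != "bearer":
        raise RuntimeError("unexpected token_type: {!r}".format(data.get("token_type")))
    if not data.get("access_token"):
        raise RuntimeError("response carries no access_token")
    return data


class TokenCache:
    """Fetch a token lazily and reuse it until expires_in (minus a safety skew) runs out."""

    def __init__(self, request, transport, skew_seconds=30):
        # transport(request) -> (status, body_bytes): urllib_transport against a
        # real server, stub_transport in the demo below.
        self._request = request
        self._transport = transport
        self._skew = skew_seconds
        self._token = None
        self._expires_at = 0.0

    def get_token(self, now=None):
        now = time.time() if now is None else now
        if self._token is None or now >= self._expires_at:
            status, body = self._transport(self._request)
            data = parse_token_response(status, body)
            self._token = data["access_token"]
            self._expires_at = now + int(data.get("expires_in", 0)) - self._skew
        return self._token


def urllib_transport(request):
    """Real HTTPS transport. Certificate verification stays on: trust the IAM
    server's certificate explicitly instead of disabling checks as curl -k does."""
    try:
        with urllib.request.urlopen(request, timeout=10) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# Constructed stand-in for the IAM server, echoing the response shape shown above.
SAMPLE_RESPONSE = json.dumps({
    "access_token": "16ab408c-0f31-3321-8bed-313e836df373",
    "token_type": "Bearer",
    "expires_in": 2986,
}).encode("utf-8")


def stub_transport(_request):
    return 200, SAMPLE_RESPONSE


if __name__ == "__main__":
    req = build_token_request("https://wso2is.local:9443/oauth2/token",
                              "<oauth_client_key>", "<oauth_client_secret>")
    cache = TokenCache(req, stub_transport)  # use urllib_transport for a real server
    print(cache.get_token())
```

Swap stub_transport for urllib_transport to talk to a real server. Because this grant identifies only the client, keep the secret out of the source (environment variable or secret store) and request only the scopes the client needs; the cache's skew keeps the client from presenting a token that expires mid-request.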
Note
MWARE IAM provides more control over issuing ID tokens and user claims for the client_credentials grant type. To facilitate this, add the following configuration to the deployment.toml file found in the <IS_HOME>/repository/conf folder in order to register new ScopeHandlers and ScopeValidators.
[oauth.custom_scope_validator]
class = "org.fully.qualified.class.name.CustomScopeValidator"
Further, by configuring the <IdTokenAllowed> property to true or false along with the above configuration, you can turn on or turn off issuing ID tokens for the grant types that have the openid scope. By default, IdTokenAllowed is set to true, which allows ID tokens to be issued for all grant types that have the openid scope. Setting it to false stops ID tokens from being issued.
Note: You cannot turn off issuing ID tokens for the authorization_code grant type.
By configuring the <IsRefreshTokenAllowed> property to true or false along with the above configuration, you can turn on or turn off issuing refresh tokens. By default, IsRefreshTokenAllowed is set to true, which allows refresh tokens to be issued for all grant types. Setting it to false stops refresh tokens from being issued.
Note: By default, issuing an ID token for the client_credentials grant type is disabled, because an ID token asserts an authenticated end user and this grant involves none; the token represents only the client itself.