Skip to content

Authenticate with OAuth Request Path Authenticator

This page guides you through using the request path authenticator for token-based authentication. The OAuth Request Path Authenticator is engaged when an access token is sent along with a request for authentication.

Register a service provider

To register your application as a service provider in the WSO2 Identity Server:

  1. Log in to the WSO2 Identity Server Management Console using administrator credentials.

  2. Go to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.

Configure the service provider

Now, let's configure the service provider you registered.

Basic OAuth/OIDC

Make the following changes to the created service provider.

  1. Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.

  2. Enter the Callback Url.


    The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.

  3. Click Add. Note the OAuth Client Key and OAuth Client Secret that appear.

Local & Outbound

  1. Expand the Local & Outbound Authentication Configuration section and then the Request Path Authentication Configuration section.

  2. Select OAuth Bearer from the dropdown list and click Add.


  3. Click Update to save changes to the service provider.

Configure the client application

Send the following requests via your application to connect your application to WSO2 IS.

  1. Use the following cURL command to get a valid token using password grant type. Replace the <CLIENT_ID>, <CLIENT_SECRET>, <USERNAME>, <PASSWORD>, <IS_HOST>, and <IS_PORT> tags with the relevant values.

    Request Format

    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>" https://<IS_HOST>:<IS_PORT>/oauth2/token

    Response Format


  2. Send a cURL request using the access token you received as a response for step 1 in the authorization header, to the token endpoint. Replace the <CLIENT_ID>, <REDIRECT_URI>, <IS_HOST> and <IS_PORT> tags with the relevant values.

    Request Format

    curl -v -X POST -H "Authorization: Bearer 7ee57bc28a3336ccb7818b499941e4e4" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=openid"  https://<IS_HOST>:<IS_PORT>/oauth2/authorize

    Response Format

    Location: <REDIRECT_URI>?code=37c79c505960e90d5b25f62ce760c98c&session_state=6d1a72e0f3f6392d6648ec5e6ed0

  3. Use the following cURL command to get an access token using the authorization code received in step2. Replace the <CLIENT_ID>, <CLIENT_SECRET>, <REDIRECT_URI>, <IS_HOST> and <IS_PORT> tags with the relevant values.

    Request Format

    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET>  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&code=37c79c505960e90d5b25f62ce760c98c&scope=openid" https://<IS_HOST>:<IS_PORT>/oauth2/token

    Response Format



    If you have not disabled consent, the response will be as follows.

    Location: https://localhost:9443/authenticationendpoint/

    The consent page URL given in the response is the consent page that requires user interaction to either approve or deny the authorization request. You can access the consent page URL via a web browser and either approve or deny consent. The URL will then be redirected to the following page.


Try it

Let's set up the sample app and log in.

Set up the sample

  • Download Apache Tomcat 8.x from here and install. Tomcat server installation location will be referred as <TOMCAT_HOME> later in this guide.

  • It is recommended that you use a hostname that is not localhost to avoid browser errors. Modify the /etc/hosts entry in your machine to reflect this. Note that wso2is.local is used in this documentation as an example, but you must modify this when configuring the authenticators or connectors with this sample application.

  • Download the playground2.war file from the latest release assets.

Deploy the sample

Deploy this sample web app on a web container.

  1. Copy the playground2.war file from the latest release assets folder into the <TOMCAT_HOME>/apache-tomcat-<version>/webapps folder.

  2. Start the Tomcat server.


    To check the sample application, navigate to http://<TOMCAT_HOST>:<TOMCAT_PORT>/playground2/oauth2.jsp on your browser.

    For example, http://wso2is.local:8080/playground2/oauth2.jsp

  3. Update the param-value parameter in the WEB-INF/web.xml file with the server URL of WSO2 Identity Server if required.

    Make sure to enter the port the application is running on, in the URL. If you have started the Identity Server with a port offset, then the respective port needs to be configured here.



    Note that localhost is the server that hosts WSO2 Identity Server and 9443 is the default SSL port of it. Since playground application is accessing the admin service OAuth2TokenValidationService, you should have the correct serverUrl, username, and password.

  4. Update param-value parameter with credentials of an admin user if required.

  5. Restart Apache Tomcat.

Log in

Now, let's log in to the application.

  1. Access http://wso2is.local:8080/playground2/ to open the application.


    By default Tomcat runs on port 8080. If you have configured it to run on a different port make sure to update the URL and then access the playground application.

  2. Fill in the details on the screen that appears according to the local authenticator you selected for request path authentication. Identity Server will not prompt the login page since it can authenticate the user from the information available in the request.

    OAuth authenticator

    • Authorization Grant Type: Resource Owner (password grant)
    • Client ID: The client id received at the application registration
    • Client Secret: The client secret received at the application registration
    • Resource Owner User Name: User Name
    • Resource Owner Password: Password of the user
    • Scope: openid
    • Access Token Endpoint: https://localhost:9443/oauth2/token


Once you receive the access token, you can use the following for authorizing. https://localhost:9443/oauth2/authorize?access_token=<access_token>

Following is a sample cURL command you can use.

curl --location --request POST 'https://localhost:9443/oauth2/authorize?access_token=<access_token>' \
--data-urlencode 'response_type=code' \
--data-urlencode 'client_id=<CLIENT_ID>' \
--data-urlencode 'redirect_uri=<REDIRECT_URI>'\
--data-urlencode 'scope=openid'

Troubleshooting tip

If you are getting the following error, the sample applications do not have a keystore in them. Therefore, you may get this error after changing the tomcat hostname because the public key of the WSO2 Identity Server does not exist in the Java certificate store. PKIX path building failed: unable to find valid certification path to requested target