Try Authorization Code Grant

The Authorization Code Grant is one of the grant types in the OAuth 2.0 specification. For more information about this grant type, see Authorization Code Grant.

Before you begin

You must first set up the playground sample webapp in order to try the following scenario.

This section demonstrates the Authorization Code Grant with PKCE and without PKCE.

Info

The Proof Key for Code Exchange (PKCE) is a specification supported by WSO2 Identity Server to mitigate code interception attacks. See Mitigating Authorization Code Interception Attacks to configure PKCE for an OAuth application.

Running the application (without PKCE)

  1. Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the application.

  2. Enter the following details and click Authorize. For information on how to obtain these authorization details, see Configuring OAuth2-OpenID Connect.

    Authorization Grant Type: Implicit
    Client ID: (the client id received at the application registration)
    Callback URL: http://wso2is.local:8080/playground2/oauth2client
    Authorize Endpoint: https://localhost:9443/oauth2/authorize

    [Screenshot: running-app-without-pkce]

    Tip

    The playground application will invoke the authorize endpoint of the WSO2 Identity Server using the following format.

    https://<host>:<port>/oauth2/authorize?response_type=code&client_id=<client-ID>&redirect_uri=<callback-url>&scope=<scope>
  3. Log in with the user credentials.
    [Screenshot: log-into-app]

  4. Select Approve Once or Approve Always in Access to profile information section. Also, select the attributes you agree to share. Click Continue.
    [Screenshot: select-attributes-and-consent]

  5. Provide the following details and click on Get Access Token.

    Callback URL: http://wso2is.local:8080/playground2/oauth2client
    Access Token Endpoint: https://localhost:9443/oauth2/token
    Client Secret: (client secret received at the application registration)

    [Screenshot: access-token-endpoint]

    At this point, the application receives the Access Token. Enter the introspection endpoint (i.e., https://localhost:9443/oauth2/introspect) and click Get TokenInfo to get the token information.

    More information on OAuth 2.0 Token Introspection:

    OAuth 2.0 Token Introspection defines a protocol that allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth Client. This metadata includes whether or not the token is currently active (or if it has expired or otherwise been revoked), what rights of access the token carries (usually conveyed through OAuth 2.0 scopes), and the authorization context in which the token was granted (including who authorized the token and which client it was issued to). Token introspection allows a protected resource to query this information regardless of whether or not it is carried in the token itself, allowing this method to be used along with or independently of structured token values.

    [Screenshot: get-access-token]

  6. Now you should be able to see the access token information as seen below, as long as the provided access token is valid.
    [Screenshot: access-token-info]

Running the application (with PKCE)

  1. Visit the URL http://wso2is.local:8080/playground2/oauth2.jsp to start the application.

  2. Enter the following details and click Authorize.

    Authorization Grant Type: Authorization Code
    Client ID: (the client id received at the application registration)
    Callback URL: http://wso2is.local:8080/playground2/oauth2client
    Authorize Endpoint: https://localhost:9443/oauth2/authorize
    Use PKCE: Yes
    PKCE Challenge Method:

    [Screenshot: enter-details-to-authorize]

  3. Log in with the user credentials.
    [Screenshot: sign-in-with-pkce]

  4. Click Approve to consent to this action.

    [Screenshot: approve-consent-with-pkce]

  5. Provide the following details and click on Get Access Token.

    Callback URL: http://wso2is.local:8080/playground2/oauth2client
    Access Token Endpoint: https://localhost:9443/oauth2/token
    Client Secret: (client secret received at the application registration)
    PKCE Verifier: (this will be populated using the value generated in step 1)

    [Screenshot: access-token-end-point]

  6. At this point, the application receives the Access Token. Enter the introspection endpoint (i.e., https://localhost:9443/oauth2/introspect) and click Get TokenInfo to get the token information.

    [Screenshot: introspection-endpoint]

  7. Now you should be able to see the access token information as seen below, as long as the provided access token is valid.
    [Screenshot: token-info-with-pkce]
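The following added example (not part of the WSO2 documentation or the playground app) shows what the two walkthroughs above do behind the buttons: it builds the authorize request from the Tip in the first walkthrough, optionally adds the PKCE challenge the second walkthrough uses, assembles the token request for step 5, and shows the check the authorization server makes before it exchanges a code bound to a challenge. The endpoints and callback URL are the ones from this page; the client id, secret and authorization code values are constructed placeholders.

```python
import base64
import hashlib
import secrets
from typing import Optional, Tuple
from urllib.parse import urlencode

# Endpoints and callback from the playground walkthrough above.
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"
CALLBACK_URL = "http://wso2is.local:8080/playground2/oauth2client"


def challenge_for(verifier: str) -> str:
    """S256 code_challenge (RFC 7636): BASE64URL(SHA256(verifier)), no '=' padding."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def make_pkce_pair() -> Tuple[str, str]:
    """Fresh (code_verifier, code_challenge); the verifier never leaves the client."""
    verifier = secrets.token_urlsafe(64)  # URL-safe, within the 43-128 character limit
    return verifier, challenge_for(verifier)


def build_authorize_url(client_id: str, scope: str, code_challenge: Optional[str] = None) -> str:
    """Authorize request from step 2: plain (as in the Tip) or with the PKCE parameters."""
    params = {"response_type": "code", "client_id": client_id,
              "redirect_uri": CALLBACK_URL, "scope": scope}
    if code_challenge is not None:
        params["code_challenge"] = code_challenge
        params["code_challenge_method"] = "S256"
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def build_token_request(code: str, client_id: str, client_secret: str,
                        code_verifier: Optional[str] = None) -> dict:
    """Form body POSTed to TOKEN_ENDPOINT in step 5 (the playground's Get Access Token)."""
    body = {"grant_type": "authorization_code", "code": code,
            "redirect_uri": CALLBACK_URL, "client_id": client_id,
            "client_secret": client_secret}
    if code_verifier is not None:
        body["code_verifier"] = code_verifier  # proves we are the client that started the flow
    return body


def server_accepts(stored_challenge: str, presented_verifier: str) -> bool:
    """Authorization server side of step 5: a code bound to a challenge is exchanged
    only if the presented verifier hashes back to the challenge stored with the code."""
    return secrets.compare_digest(challenge_for(presented_verifier), stored_challenge)
```

An intercepted authorization code is useless without the verifier, which is why `server_accepts` rejects a code presented with any other verifier.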
