Generating Access Tokens Using WSO2 Identity Server

Janak Amarasena
Identity Beyond Borders
5 min read, Feb 18, 2019

A simple guide on how you can generate OAuth 2.0 access tokens for different grant types using WSO2 Identity Server.

I will be covering the following grant types.

  • Authorization Code Grant
  • Implicit Grant
  • Resource Owner Password Credentials Grant
  • Client Credentials Grant
  • Refresh Token Grant

What you will need

  1. WSO2 Identity Server 5.7.0 (Download Link)

Here we will use WSO2 IS 5.7.0 (you can download the “Binary without updates” from the download page) as it is the latest release of the Identity Server, but what we do here is usable in other versions as well.

Getting started

We will need to create a Service Provider and add an OAuth/OpenID Connect Configuration in the IS. To make things easier I will do this using Dynamic Client Registration. Simply execute the cURL below.

curl -k -X POST -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "Content-Type: application/json" -d '{  "client_name": "application_test", "grant_types": ["authorization_code","implicit","password","client_credentials","refresh_token"], "redirect_uris":["http://localhost:8080/playground2"] }' "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"

To give some quick info on what happens when this cURL is executed: the IS will create a Service Provider named application_test, add an OAuth/OpenID Connect Configuration that enables the grant types we sent in grant_types, and set the Callback Url to the URI sent in redirect_uris.

You should get a response similar to this.

{"client_name":"application_test","client_id":"vyMSzVoLS0ZUnY3F2gHkhytEdnka","client_secret":"Z4MYJLQyhCfrVE9mZBCRfO0C6Msa","redirect_uris":["http://localhost:8080/playground2"]}

Make note of the client_id, client_secret and redirect_uris as we are going to need them. Also, let's go ahead and get the base64 encoded client_id:client_secret now, as we are going to need this a lot. You can easily get the base64 encoded value from https://base64encode.org

Here I sent “http://localhost:8080/playground2” as the only redirect URI. Ideally, this will be some callback URL you have configured in your application. For this guide, the actual value won’t matter, but we have to use the same URL we registered when generating tokens, as the IS validates it.

<< Just a quick note: If you sent multiple redirect URIs in redirect_uris in the DCR request the Callback Url will register as a regex pattern.>>
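As an added example (mine, not part of the original post), here is a small Python script that builds the same DCR request as the cURL above, reads the client credentials out of the response, computes the base64 encoded client_id:client_secret locally (so the secret never has to be pasted into a third-party website), and pre-checks a redirect_uri against the registered callback. The exact-match and alternation-pattern behaviour in redirect_uri_allowed is my assumption about the validation the post mentions, not something taken from the IS source; the sample response is the one printed in the post.

```python
import base64
import json
import re

# DCR endpoint used in the post (WSO2 IS 5.7.0 running locally)
DCR_ENDPOINT = "https://localhost:9443/api/identity/oauth2/dcr/v1.1/register"

# Sample DCR response copied from the post
SAMPLE_DCR_RESPONSE = (
    '{"client_name":"application_test","client_id":"vyMSzVoLS0ZUnY3F2gHkhytEdnka",'
    '"client_secret":"Z4MYJLQyhCfrVE9mZBCRfO0C6Msa",'
    '"redirect_uris":["http://localhost:8080/playground2"]}'
)


def basic_auth_header(username: str, password: str) -> str:
    """Return the HTTP Basic 'Authorization' header value for username:password."""
    raw = f"{username}:{password}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def dcr_request(client_name, grant_types, redirect_uris,
                admin_user="admin", admin_pass="admin"):
    """Return (url, headers, body) equivalent to the cURL DCR call in the post.

    Nothing is sent here; hand the tuple to the HTTP client of your choice.
    """
    body = json.dumps({
        "client_name": client_name,
        "grant_types": list(grant_types),
        "redirect_uris": list(redirect_uris),
    })
    headers = {
        "Authorization": basic_auth_header(admin_user, admin_pass),
        "Content-Type": "application/json",
    }
    return DCR_ENDPOINT, headers, body


def parse_dcr_response(text: str):
    """Extract client_id, client_secret and redirect_uris from the DCR response."""
    data = json.loads(text)
    return data["client_id"], data["client_secret"], list(data["redirect_uris"])


def redirect_uri_allowed(registered_uris, requested_uri: str) -> bool:
    """Client-side pre-check of a redirect_uri against what was registered.

    Assumption (not from the post): a single registered URI must match
    exactly, and several registered URIs are matched as an alternation
    pattern, the way the post says the IS registers them as a regex. Either
    way it is a full match: a URI that merely starts with a registered one
    is rejected.
    """
    if len(registered_uris) == 1:
        return requested_uri == registered_uris[0]
    pattern = "(" + "|".join(re.escape(u) for u in registered_uris) + ")"
    return re.fullmatch(pattern, requested_uri) is not None


if __name__ == "__main__":
    client_id, client_secret, uris = parse_dcr_response(SAMPLE_DCR_RESPONSE)
    print("token endpoint header:", basic_auth_header(client_id, client_secret))
    print("callback allowed:", redirect_uri_allowed(uris, uris[0]))
```

Running it does not contact the server; the tuple returned by dcr_request is what you hand to whatever HTTP client you use, and the header printed at the end is the value used in the token requests further down.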

We are all set to start generating access tokens now.

Authorization Code Grant

Let's generate the authorization code we need to get our access token. Since this uses browser redirection, this will be a simple browser call.

Request details:

https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=<callback_url>&client_id=<client_id>&scope=<scopes>

A short introduction to the parameters:

  • response_type=code -> Here I am telling the server that at the end of this process I am expecting an authorization code in return.
  • redirect_uri -> This is where you will be redirected to at the end of the process. It should match the registered callback URL. For now, it is “http://localhost:8080/playground2”.
  • client_id -> The client id for our OAuth app, which we got in the response to the DCR call.
  • scope -> Optional parameter to define the scope of the access token we will be generating. You can define multiple scopes by separating them with spaces.

**Note: From here onwards I will only explain new parameters, as within this guide the same parameters have the same meaning.

Sample request:

https://localhost:9443/oauth2/authorize?response_type=code&redirect_uri=http://localhost:8080/playground2&client_id=vyMSzVoLS0ZUnY3F2gHkhytEdnka&scope=somescope_code

When you enter this request in a browser (replacing my client_id with yours) you will first be asked to enter your credentials. For this guide, you can use the default admin username (admin) and password (admin). Then your consent will be requested to give the application your profile information. Ultimately you will be redirected to your callback URL, which will look like the following:

Notice the code query param in the URL? Make note of it.

Now we can get our access token.

Request details:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(client_id:client_secret)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=<authorization_code>&redirect_uri=<callback_url>'

A short introduction to the parameters:

  • base64encoded(client_id:client_secret) -> Here we use the base64 encoded clientId and clientSecret which I mentioned earlier.
  • authorization_code -> This is the code we received from our previous step.

<< Just a quick note: You can also use the -u parameter to pass the client credentials instead of the Authorization header. Ex: -u <client_id>:<client_secret> >>

Sample request:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic dnlNU3pWb0xTMFpVblkzRjJnSGtoeXRFZG5rYTpaNE1ZSkxReWhDZnJWRTltWkJDUmZPMEM2TXNh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=authorization_code&code=55fe926f-3b43-3681-aecc-dc3ed7938325&redirect_uri=http://localhost:8080/playground2'

Sample response:

{"access_token":"5b6ae5e6-08c2-36d4-9dfe-baff099ddb29","refresh_token":"e4c868e6-c7b8-3c3b-809e-dcfd8bb2efad","scope":"somescope_code","token_type":"Bearer","expires_in":3600}

Implicit Grant

This will also be a simple browser call.

Request details:

https://localhost:9443/oauth2/authorize?response_type=token&redirect_uri=<callback_url>&client_id=<client_id>&scope=<scopes>

Sample request:

https://localhost:9443/oauth2/authorize?response_type=token&redirect_uri=http://localhost:8080/playground2&client_id=vyMSzVoLS0ZUnY3F2gHkhytEdnka&scope=somescope_implicit

When you enter this request in a browser (replacing my client_id with yours) you will be asked to sign in and give consent, just like when we generated the authorization code for the Authorization Code grant type. Ultimately you will be redirected to your callback URL, which will look like the following:

Notice the parameters? The token details are sent back like this.
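To tie the two browser flows together (the Authorization Code grant above and this Implicit grant), here is an added Python example (mine, not from the post) that builds the authorize URL for either response_type and then parses what comes back to the callback URL: the code in the query string for the Authorization Code grant, the token in the URL fragment for the Implicit grant. The state parameter and its check are an addition beyond what the post sends; the two callback URLs in the block are constructed stand-ins for the post's screenshots (the code value is the one from the post's sample token request, the implicit token is made up).

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlencode, urlsplit

AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"

# Constructed callback URLs standing in for the post's screenshots. The code
# value is the one from the post's sample token request; the implicit token
# is made up.
CODE_CALLBACK = ("http://localhost:8080/playground2"
                 "?code=55fe926f-3b43-3681-aecc-dc3ed7938325&state=abc123")
IMPLICIT_CALLBACK = ("http://localhost:8080/playground2"
                     "#access_token=CONSTRUCTED-IMPLICIT-TOKEN&token_type=Bearer"
                     "&expires_in=3600&scope=somescope_implicit&state=abc123")


def new_state() -> str:
    """Random per-request value to remember in the browser session (not in the post)."""
    return secrets.token_urlsafe(16)


def build_authorize_url(client_id, redirect_uri, response_type, scopes=(), state=None):
    """Build the browser URL for the authorization endpoint.

    response_type="code" gives the Authorization Code flow, "token" the
    Implicit flow, as in the post. urlencode percent-encodes the redirect_uri
    that the post pastes in unencoded; the server decodes it either way.
    """
    if response_type not in ("code", "token"):
        raise ValueError("response_type must be 'code' or 'token'")
    params = {
        "response_type": response_type,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
    }
    if scopes:
        params["scope"] = " ".join(scopes)   # multiple scopes are space separated
    if state:
        params["state"] = state
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def _single_values(encoded: str) -> dict:
    """parse_qs gives lists; each parameter appears once here, so take the first."""
    return {k: v[0] for k, v in parse_qs(encoded).items()}


def parse_callback(callback_url: str, expected_state=None) -> dict:
    """Read what the IS sent back to the callback URL.

    Authorization Code flow: the code arrives in the query string.
    Implicit flow: the token arrives in the URL fragment (after '#'), which
    browsers never send to the server; only script on the page can read it.
    """
    parts = urlsplit(callback_url)
    query = _single_values(parts.query)
    fragment = _single_values(parts.fragment)
    if "error" in query or "error" in fragment:
        raise RuntimeError("authorization failed: " + (query.get("error") or fragment["error"]))
    if "code" in query:
        result = {"flow": "code", "code": query["code"]}
        state = query.get("state")
    elif "access_token" in fragment:
        result = {
            "flow": "implicit",
            "access_token": fragment["access_token"],
            "token_type": fragment.get("token_type"),
            "expires_in": int(fragment["expires_in"]) if "expires_in" in fragment else None,
            "scope": fragment.get("scope"),
        }
        state = fragment.get("state")
    else:
        raise ValueError("callback carries neither a code nor an access_token")
    # Bind the response to the request that started it (an addition to the post).
    if expected_state is not None:
        if state is None or not hmac.compare_digest(state, expected_state):
            raise ValueError("state mismatch: response does not belong to this request")
    return result


if __name__ == "__main__":
    print(build_authorize_url("vyMSzVoLS0ZUnY3F2gHkhytEdnka",
                              "http://localhost:8080/playground2", "code",
                              ["somescope_code"], state=new_state()))
    print(parse_callback(CODE_CALLBACK, "abc123"))
    print(parse_callback(IMPLICIT_CALLBACK, "abc123"))
```

The fragment handling is the practical difference between the two flows: a server-side callback handler sees the query string and therefore the code, but it will never see the implicit token, which is why that token has to be picked up by page script.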

Resource Owner Password Credentials Grant

Request details:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(client_id:client_secret)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=<username>&password=<password>&scope=<scopes>'

Sample request:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic dnlNU3pWb0xTMFpVblkzRjJnSGtoeXRFZG5rYTpaNE1ZSkxReWhDZnJWRTltWkJDUmZPMEM2TXNh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=password&username=admin&password=admin&scope=somescope_password'

In this sample request I have again used the default admin username (admin) and password (admin).

Sample response:

{"access_token":"ea6fdb4e-8b6f-3d8b-804a-79c3fadc9124","refresh_token":"4703ae44-63d4-39e1-ae75-6c6d9e3ea257","scope":"somescope_password","token_type":"Bearer","expires_in":3600}

Client Credentials Grant

Request details:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(client_id:client_secret)>' -H 'Content-Type: application/x-www-form-urlencoded' -d grant_type=client_credentials

Sample request:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic dnlNU3pWb0xTMFpVblkzRjJnSGtoeXRFZG5rYTpaNE1ZSkxReWhDZnJWRTltWkJDUmZPMEM2TXNh' -H 'Content-Type: application/x-www-form-urlencoded' -d grant_type=client_credentials

Sample response:

{"access_token":"c5e15909-3331-3b29-8a21-fceb657e23fa","token_type":"Bearer","expires_in":3600}

Refresh Token Grant

Request details:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic <base64encoded(client_id:client_secret)>' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=refresh_token&refresh_token=<refresh_token>'

A short introduction to the parameters:

  • refresh_token -> This is the refresh token we received from one of the previously used grant types that issue a refresh token.

Sample request:

curl -k -X POST https://localhost:9443/oauth2/token -H 'Authorization: Basic dnlNU3pWb0xTMFpVblkzRjJnSGtoeXRFZG5rYTpaNE1ZSkxReWhDZnJWRTltWkJDUmZPMEM2TXNh' -H 'Content-Type: application/x-www-form-urlencoded' -d 'grant_type=refresh_token&refresh_token=4703ae44-63d4-39e1-ae75-6c6d9e3ea257'

Sample response:

{"access_token":"6f0dcea9-8e87-3ffa-9dba-24a0c0a4aa19","refresh_token":"53b5bb7c-2079-3e19-9a68-b3d8fd2c2bea","scope":"somescope_password","token_type":"Bearer","expires_in":3600}

In case you are wondering how there are scopes here: I used the refresh token received when generating tokens with the Resource Owner Password Credentials grant previously, therefore I received the same scopes for the new token.
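Here is an added Python example (mine, not from the post) covering the token endpoint for all four cURL-based grants above: the second step of the Authorization Code grant, Resource Owner Password Credentials, Client Credentials and Refresh Token. token_request produces the same URL, headers and form body the cURL commands send, TokenSet parses the JSON responses shown in the post into an absolute expiry time, and refresh shows the two things the post's refresh sample demonstrates: the new refresh token replaces the old one, and the scope is inherited from the original grant without a scope parameter being sent. offline_send is a stand-in transport that replays the post's sample response instead of calling the server; the 60 second leeway in needs_refresh is my design choice.

```python
import base64
import json
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import urlencode

TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"
GRANTS = {"authorization_code", "password", "client_credentials", "refresh_token"}

# Sample responses copied from the post (password grant, then refresh grant).
PASSWORD_RESPONSE = ('{"access_token":"ea6fdb4e-8b6f-3d8b-804a-79c3fadc9124",'
                     '"refresh_token":"4703ae44-63d4-39e1-ae75-6c6d9e3ea257",'
                     '"scope":"somescope_password","token_type":"Bearer","expires_in":3600}')
REFRESH_RESPONSE = ('{"access_token":"6f0dcea9-8e87-3ffa-9dba-24a0c0a4aa19",'
                    '"refresh_token":"53b5bb7c-2079-3e19-9a68-b3d8fd2c2bea",'
                    '"scope":"somescope_password","token_type":"Bearer","expires_in":3600}')


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """The base64 encoded client_id:client_secret the post uses on every token call."""
    raw = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")


def token_request(client_id, client_secret, grant_type, **params):
    """Return (url, headers, body) equivalent to the post's cURL token calls.

    Extra keyword arguments become form fields: code and redirect_uri for
    authorization_code, username/password/scope for password, nothing for
    client_credentials, refresh_token for refresh_token.
    """
    if grant_type not in GRANTS:
        raise ValueError(f"unsupported grant_type: {grant_type}")
    headers = {
        "Authorization": basic_auth_header(client_id, client_secret),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": grant_type, **params})
    return TOKEN_ENDPOINT, headers, body


@dataclass
class TokenSet:
    access_token: str
    token_type: str
    expires_at: float            # absolute time, derived from expires_in
    refresh_token: Optional[str] # absent for client_credentials
    scope: Optional[str]

    @classmethod
    def from_response(cls, text: str, now: float) -> "TokenSet":
        data = json.loads(text)
        if "error" in data:
            raise RuntimeError(f"token endpoint error: {data['error']}")
        return cls(
            access_token=data["access_token"],
            token_type=data["token_type"],
            expires_at=now + int(data["expires_in"]),
            refresh_token=data.get("refresh_token"),
            scope=data.get("scope"),
        )

    def needs_refresh(self, now: float, leeway: float = 60.0) -> bool:
        """True when the token is expired or within `leeway` seconds of expiring."""
        return now >= self.expires_at - leeway


def refresh(tokens: TokenSet, client_id, client_secret,
            send: Callable[[str, dict, str], str], now: float) -> TokenSet:
    """Exchange the refresh token for a new token set through `send`.

    As the post's sample shows, the response carries a new refresh token, so
    the returned TokenSet replaces the old one entirely (old refresh token
    included) and keeps the scope of the grant that issued it.
    """
    if tokens.refresh_token is None:
        raise ValueError("no refresh token: this grant (e.g. client_credentials) did not issue one")
    url, headers, body = token_request(client_id, client_secret, "refresh_token",
                                       refresh_token=tokens.refresh_token)
    return TokenSet.from_response(send(url, headers, body), now)


def offline_send(url, headers, body):
    """Stand-in transport that replays the post's refresh response (no network)."""
    assert url == TOKEN_ENDPOINT
    assert headers["Content-Type"] == "application/x-www-form-urlencoded"
    assert "grant_type=refresh_token" in body
    return REFRESH_RESPONSE


def demo(now: float = 1000.0) -> TokenSet:
    """Parse the password-grant response, then refresh it shortly before expiry."""
    cid, sec = "vyMSzVoLS0ZUnY3F2gHkhytEdnka", "Z4MYJLQyhCfrVE9mZBCRfO0C6Msa"
    tokens = TokenSet.from_response(PASSWORD_RESPONSE, now)
    later = now + 3570                       # 30 s before expiry, inside the leeway
    if tokens.needs_refresh(later):
        tokens = refresh(tokens, cid, sec, offline_send, later)
    return tokens


if __name__ == "__main__":
    print(demo())
```

To run it against a real IS, replace offline_send with a function that POSTs the body with the given headers to the URL and returns the response text; everything else stays the same.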

Well, that’s it :)
