OAuth 2 Password Credentials&Client Credentials

by leelight · Published July 16, 2020 · Updated September 21, 2022

In microservices, the front service should use the Authorization Code(Grant Type) to let users log in with the web browser, and other services in the background should use Client Credentials(Grant Type).

1. Simulate Password Credentials in Postman

Spring yml example, here combine with Authorization Code

security:
    oauth2:
        client:
            access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token
            user-authorization-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/auth
            client-id: web_app
            client-secret: web_app
            scope: openid profile email
        resource:
            user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo

security:

oauth2:

client:

access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token

user-authorization-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/auth

client-id: web_app

client-secret: web_app

scope: openid profile email

resource:

user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo

user-authorization-uri is used to compile the login url:

https://localhost:9080/auth/realms/master/protocol/openid-connect/auth?client_id=security-admin-console&redirect_uri=https%3A%2F%2Fkeycloak_url%2Fauth%2Fadmin%2Fmaster%2Fconsole%2F%23%2Frealms%2FREALM_NAME%2Fclient-scopes%2F2cba1ee2-8c73-49b1-9fc2-1d3fcb5a48fd%2Fmappers&state=17e396b4-bc5d-4514-bfe6-62576e75c617&response_mode=fragment&response_type=code&scope=openid&nonce=0d962261-63cb-49af-85a3-7f809adbcb46

1-1. Retrieve token for collection

Edit one collection

Then all the APIs in this collection will be injected with the token in header. For example: Bearer xxxxxxxxxxx

1-2. Retrieve token manually

Create one Request:

The Username-Password in Authorization here is client_id and client_secret actually.

Request body:

curl --location --request POST 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/token' \
--header 'Authorization: Basic d2ViX2FwcDp3ZWJfYXBw' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=password' \
--data-urlencode 'username=admin' \
--data-urlencode 'password=xxxxxxxxxx' \
--data-urlencode 'scope=jhipster profile email'

curl --location --request POST 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/token' \

--header 'Authorization: Basic d2ViX2FwcDp3ZWJfYXBw' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--data-urlencode 'grant_type=password' \

--data-urlencode 'username=admin' \

--data-urlencode 'password=xxxxxxxxxx' \

--data-urlencode 'scope=jhipster profile email'

Then use the token to query resource:

curl --location --request GET 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/userinfo' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer safsadfs'

curl --location --request GET 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/userinfo' \

--header 'Content-Type: application/json' \

--header 'Authorization: Bearer safsadfs'

1-3. Revoke token manually

POST http://keycloak_url/auth/realms/<my_realm>/protocol/openid-connect/logout
Authorization: Bearer <access_token>
Content-Type: application/x-www-form-urlencoded

client_id=<my_client_id>&refresh_token=<refresh_token>

POST http://keycloak_url/auth/realms/<my_realm>/protocol/openid-connect/logout

Authorization: Bearer <access_token>

Content-Type: application/x-www-form-urlencoded

client_id=<my_client_id>&refresh_token=<refresh_token>

2. Simulate Client Credentials in Postman

Spring yml example:

security:
    oauth2:
        client:
            grant-type: client_credentials
            client-id: internal
            client-secret: internal
            access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token
        resource:
            user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo

security:

oauth2:

client:

grant-type: client_credentials

client-id: internal

client-secret: internal

access-token-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/token

resource:

user-info-uri: http://localhost:9080/auth/realms/jhipster/protocol/openid-connect/userinfo

2-1. Retrieve token

Add a new request client_credentials-1-token

The Username-Password in Authorization here is client_id and client_secret actually.

curl --location --request POST 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/token' \
--header 'Authorization: Basic aW50ZXJuYWw6aW50ZXJuYWw=' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--data-urlencode 'grant_type=client_credentials'

curl --location --request POST 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/token' \

--header 'Authorization: Basic aW50ZXJuYWw6aW50ZXJuYWw=' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--data-urlencode 'grant_type=client_credentials'

If get tokenABC succesfully, copy it for further steps.

2-2. token resource

Add a new request client_credentials-2-tokeninfo

Copy tokenABC here from the first step 2.1.

curl --location --request POST 'http://eycloak_url/auth/realms/jhipster/protocol/openid-connect/token/introspect' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic aW50ZXJuYWw6aW50ZXJuYWw=' \
--data-urlencode 'token=eyJhbGciOiJSUzI1N'

curl --location --request POST 'http://eycloak_url/auth/realms/jhipster/protocol/openid-connect/token/introspect' \

--header 'Content-Type: application/x-www-form-urlencoded' \

--header 'Authorization: Basic aW50ZXJuYWw6aW50ZXJuYWw=' \

--data-urlencode 'token=eyJhbGciOiJSUzI1N'

2-3. User resource

Add a new request client_credentials-2-tokeninfo.

Copy tokenABC here from the first step 2.1.

curl --location --request GET 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/userinfo' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer eyJhbGc'

curl --location --request GET 'http://keycloak_url/auth/realms/jhipster/protocol/openid-connect/userinfo' \

--header 'Content-Type: application/json' \

--header 'Authorization: Bearer eyJhbGc'

Ref:

https://www.javainuse.com/spring/springboot-oauth2-client-grant

https://docs.spring.io/autorepo/docs/spring-security-oauth2-boot/2.0.0.RC2/reference/html/boot-features-security-oauth2-resource-server.html

Tags: Oauth2 Security

Cookie	Duration	Description
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

OAuth 2 Password Credentials&Client Credentials

You may also like...

Leave a Reply Cancel reply

Meta

Categories

OAuth 2 Password Credentials&Client Credentials

1. Simulate Password Credentials in Postman

1-1. Retrieve token for collection

1-2. Retrieve token manually

1-3. Revoke token manually

2. Simulate Client Credentials in Postman

2-1. Retrieve token

2-2. token resource

2-3. User resource

Related posts:

You may also like...

Securing REST API using Keycloak and Spring Oauth2

[总结]微服务认证鉴权与API权限控制

[汇总]关于JWT扩展思考

Leave a Reply Cancel reply

Meta

Categories