Frank Hassanabad edited this page Nov 14, 2013 · 15 revisions

Here I'll show how to test the Authorization Server with the grant type of Authorization Code.

References from the RFC:
Authorization Code
Authorization Code Grant

For this to work you will need to install the Advanced Rest Client for some of these steps.

Install the dependencies and run the authorization Node server:

cd Oauth2orizeRecipes/authorization-server
npm install
node app.js

If you open your browser and go to

https://localhost:3000

you should see the message

Welcome to OAuth 2.0.

which means the server is up and running.

Now put this URL directly into your browser:

https://localhost:3000/dialog/authorize?redirect_uri=https://localhost:3000&response_type=code&client_id=abc123&scope=offline_access

You should then be shown a decision page. It will have the following text and two buttons:

Hi Bob Smith!

Samplr is requesting access to your account.

Do you approve?
[Allow] [Deny]

Click the [Allow] button and you will be redirected back to the redirect_uri you supplied above, with the code attached as a query parameter like so:

https://localhost:3000/?code=7HMEo1VA1xVS6EkJ

That's your authorization code. You will need to exchange it for a token. Go to your Advanced Rest Client and do a POST to the URL

https://localhost:3000/oauth/token

with the Raw payload of:

code=7HMEo1VA1xVS6EkJ&redirect_uri=https://localhost:3000&client_id=abc123&client_secret=ssh-secret&grant_type=authorization_code

and set your content-type to: application/x-www-form-urlencoded
Then you'll get back your token, which will look like this:

{
"access_token": "nvhxw0MQf9CPbT2fr8FN4uUvGCSmCE2MiTIo14mniaaI5lJiLUwhs1OJc1d6blyJVFfPjlyFX0BhmCgJicpCdfoxJPbsYzl34FLKQDfRjC4uB9F9LlPoMmRrd98g8HN1pqCs6LYMNV24QXfvar87bSKx8f1K5F1gyWsgHbiaa9DpyHNC0NmaXz1ojDprw0aCfGlbZ6osvMng9tTWR1LmegtEJrHslPvRIq0CPXiS2l81VPAPNLUgDYivSnzEY0q7",
"refresh_token": "lDsloBxS9wdqxgIEhZ8V3b1P3yw5WugnCiJPbHSKTo5PV94d7vU9gw2sEUKZrGqs0pDm5aZ6y6kLt3MtdMGPabn9cYVvyb6eKSnjiBprO9X0d1fKF6jfYEYJl3yFPXgAahOM6F2GdimGFc0sYAkvR4vIivHM1Z1vON2lMEYwe3CIQ3SkO9li6DZ7glbN9yynePvUz6BmfjQA7EJ3XBj1wgXhQFt2zaB1p6H5SvgVoSs2pYz3FeOeJMUHx78XVxit",
"expires_in": 3600,
"token_type": "bearer"
}

From there you use the access token to call a protected resource. We'll access the api/userinfo resource. In your Advanced Rest Client, do a GET to this URL:

https://localhost:3000/api/userinfo

In the header section add a header with the key Authorization and the value Bearer followed by your access_token. It will look like this in Raw:

Authorization: Bearer nvhxw0MQf9CPbT2fr8FN4uUvGCSmCE2MiTIo14mniaaI5lJiLUwhs1OJc1d6blyJVFfPjlyFX0BhmCgJicpCdfoxJPbsYzl34FLKQDfRjC4uB9F9LlPoMmRrd98g8HN1pqCs6LYMNV24QXfvar87bSKx8f1K5F1gyWsgHbiaa9DpyHNC0NmaXz1ojDprw0aCfGlbZ6osvMng9tTWR1LmegtEJrHslPvRIq0CPXiS2l81VPAPNLUgDYivSnzEY0q7s

You should then get back the user's id, name and granted scope like so:

{
"user_id": "1",
"name": "Bob Smith",
"scope": "*"
}

The scope=offline_access parameter above is optional; by default, if it is left out you will not get a refresh token. If you did get a refresh token and want to obtain a new access token from it, use the same token endpoint as above. This time, in the header section add the key Authorization with the value of the client id and client secret of one of the clients, joined by a ":" and base64 encoded (this is HTTP Basic client authentication, so the client secret no longer goes in the request body). Any base64 encoder will do for the sample secret used here; for a real client secret, encode it locally rather than pasting it into a web site.

It will look like this in Raw if you're using "abc123:ssh-secret":

Authorization: Basic YWJjMTIzOnNzaC1zZWNyZXQ=

Then do a POST to the URL

https://localhost:3000/oauth/token

with the Raw payload of:

grant_type=refresh_token&refresh_token=lDsloBxS9wdqxgIEhZ8V3b1P3yw5WugnCiJPbHSKTo5PV94d7vU9gw2sEUKZrGqs0pDm5aZ6y6kLt3MtdMGPabn9cYVvyb6eKSnjiBprO9X0d1fKF6jfYEYJl3yFPXgAahOM6F2GdimGFc0sYAkvR4vIivHM1Z1vON2lMEYwe3CIQ3SkO9li6DZ7glbN9yynePvUz6BmfjQA7EJ3XBj1wgXhQFt2zaB1p6H5SvgVoSs2pYz3FeOeJMUHx78XVxit

and set your content-type to: application/x-www-form-urlencoded
Then you'll get back a new access token (no refresh token this time), which will look like this:

{
"access_token": "NCjOmSY1Lat3crhi6325sJ3BWjSde0619QDIWlE0qGvoYu7da3OihpxecBapA87HswLqMWuRSrQI2wiTDlkas4NWLbOFjnd9ljFsXLJEqrkJCi9sfG9rg9Fn0MgROQ44qY4cTJDtVEFENFxLyKof2ItibkMUFB8tMt42CAHBI5tUXbeJuztZNoUD2eURwnIhzlD6QAAo8j24wvmkcBxiRAdmDy22SPkoBP3iQyeFPrR1gJ6ZYRR5vWuC6TFSm9F4",
"expires_in": 3600,
"token_type": "bearer"
}

And there you go, Enjoy!
