Skip to end of metadata
Go to start of metadata

This is the second section in the WSO2 Identity Server documentation related to OAuth 2.0 grant types in WSO2 API Manager (WSO2 Carbon platform). To attain a more complete understanding of this section, read and work on the examples described here.

This section addresses the Implicit grant type which is the recommended practice if your application (client) is a mobile application or a browser based app such as a JavaScript client. The key difference of implicit grant when comparing to the Authorization Code is, the client receives access token as the result of the authorization request. In our previous post, which was about Authorization Code grant, client had to make separate requests for authorization and access token. Also note that, the implicit grant does not include client authentication because it does not make use of client secret.

Before attempting to work on the sample, look through the steps involved in implicit grant type.

  1. The application (client) requests for a token from the authorization server by sending a HTTP GET request with the following query parameters.

    response_type = token
    client_id = VALUE_OF_CONSUMER_KEY

    The first two are mandatory parameters while the last two can be optional.

  2. Upon receiving the request, the authorization server must return a 302 redirection back to the client with a Location header pointing to the URL of user consent page. (e.g.:- Location: https://localhost:9443/carbon/oauth/oauth2_authn_ajaxprocessor.jsp)
  3. The resource owner confirms the authorization requested by client (application) by specifying the required credentials.
  4. The authorization server redirects the user back to the application (to the Callback URL which has been specified at the first step) with the access token.

The following steps expand more on the above procedure using the sample web application (this acts as the client/application) and WSO2 API Manager (acts as the authorization server).

Step 1

Access the OAuth playground application as instructed here. Once you click on the Import Photos icon, you are directed to a screen with a form with various options such as Authorization Grant Type, Client Id etc.

Step 2

  1. Select Implicit as the Authorization Grant Type.
  2. Copy the Consumer Key value from the application you have subscribed in WSO2 API Manager and enter it in Client Id text box.
  3. Specify any string value as scope. The scope attribute is not relevant in this example.
  4. Enter the Callback URL which must be identical to the value you have specified at the time of creating the new application in WSO2 API Manager. E.g.:- http://localhost:8090/playground2.0/oauth2client
  5. Enter the Authorize endpoint. This should be the endpoint of the authorization server where it accepts the authorization requests. In WSO2 API Manager, there is an API to handle all authorization requests and it can be accessed through http://localhost:8280/authorize.
  6. Once you have completed adding all values in the form in the playground app, click on Authorize.
  7. This generates an HTTP GET request similar to the following. You can see it contains all mandatory URL parameters which were discussed in under the general introduction of "Implicit grant type".

    GET /authorize?scope=api_scope&response_type=token&redirect_uri=http%3A%2F%2Flocalhost%3A8090%2Fplayground2.0%2Foauth2client&client_id=ePCzEHajPOZRKus4XS3pva_Ec5Ua HTTP/1.1
    User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:7.0.1) Gecko/20100101 Firefox/7.0.1
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
    Accept-Language: en-us,es;q=0.7,en;q=0.3
    Accept-Encoding: gzip, deflate
    Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
    Connection: keep-alive
    Cookie: i18next=en-US; region1_configure_menu=none; region3_registry_menu=none; region4_monitor_menu=none; region5_tools_menu=none

Step 3

  1. When you click on Authorize with all required parameters, the application generates the above HTTP GET call and you are redirected to the user consent screen as shown below.
  2. Click on Authorize. You are provided with options to enter the username and password (username and password of the resource owner/end user).
  3. Login as an admin.

Step 4

  1. You receive the Access Token as shown below.
  2. Now, you can use this Access Token to perform the actual API call.
  • No labels