This documentation is for WSO2 Identity Server 5.4.1 . View documentation for the latest release.

All docs This doc
Skip to end of metadata
Go to start of metadata

The OAuth Request Path Authenticator is engaged when an access token is sent along with a request for authentication. If the access token is valid, the user is authenticated by the authentication framework and the corresponding response builder takes over. The access token can be sent to the OAuth request path authenticator in two ways.

  • As a header in the authentication request:"Authorization: Bearer <access_token>"
  • As a query parameter in the request URL: "&token=<access_token>" 

For more information on Request Path Authentication in general, see Request Path Authentication.

Using the authorization header

  1. Start the IS server and login to the management console.
  2. Navigate to Service Providers>Add, enter a name for the new service provider and click Add. 
  3. Expand the Inbound Authentication Configuration section, then the OAuth2/OpenID Connect Configuration and click Configure. For more information, see Configuring OAuth/OpenID Connect

    Use the following Callback URL when configuring OAuth: https://curl-app/callback.

  4. Click Add and take note of the Client Key that is generated as you will need this later on. 
  5. Expand the Local & Outbound Authentication Configuration section and then the Request Path Authentication Configuration section. 
  6. Select oauth-bearer from the dropdown and click Add.
  7. Click Update to save changes to the service provider. 

  8. Use the following cURL command to get a valid token using password grant type. Replace the <CLIENT_ID>:<CLIENT_SECRET> tags with the client key and client secret of your service provider. 

    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET> -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=USERNAME&password=PASSWORD" https://localhost:9443/oauth2/token
  9.   Send a cURL request using the access token you received as a response for step1 in the authorization header, to the token endpoint. Replace the <CLIENT_ID> and <REDIRECT_URI> tags with the relevant values. 

    curl -v -X POST -H "Authorization: Bearer 7ee57bc28a3336ccb7818b499941e4e4" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "response_type=code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&scope=openid"  https://localhost:9443/oauth2/authorize
    Location: https://curl-app/callback?code=37c79c505960e90d5b25f62ce760c98c&session_state=6d1a72e0f3f6392d6648ec5e6ed0

    Note: RequestPath authentication will only skip the login page and not the consent page. You can skip the user consent page by editing the following property at <IS_HOME>/repository/conf/identity/identity.xml file found under the <OAuth> <OpenIDConnect> tags. To skip user consent, set this property to true.


    If you set the above property value as ‘false’, then the response for the above step 9 will be as follows:

    Location: https://localhost:9443/authenticationendpoint/

    This is the consent page which will require the user interaction to either approve or deny the authorization request. You can go to the above consent page url via a web browser and provide approve or deny.Then the url will be redirected to


  10. Use the following cURL command to get an access token using the authorization code received in step2. Replace the <CLIENT_ID>:<CLIENT_SECRET>,<CLIENT_ID> and <REDIRECT_URI> tags with the relevant values.

    curl -v -X POST --basic -u <CLIENT_ID>:<CLIENT_SECRET>  -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&client_id=<CLIENT_ID>&redirect_uri=<REDIRECT_URI>&code=37c79c505960e90d5b25f62ce760c98c&scope=openid" https://localhost:9443/oauth2/token
    { "scope":"openid", "token_type":"Bearer", "expires_in":3600, "refresh_token":"70f202ca2e4ecf571d0b6d2e49af8f3a", "id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjA0NTkzMTYsImV4cCI6MTQ2MDQ2MjkxNiwic3ViIjoiYWRtaW4iLCJhenAiOiJlN2VrQldVTVBITnFTNU5WQmhxNGhmNWZqMkVhIiwiYXRfaGFzaCI6IkhCWFVKQW50LWFMV3JxQlZJcTFoV2ciLCJhdWQiOlsiZTdla0JXVU1QSE5xUzVOVkJocTRoZjVmajJFYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjA0NTkzMTZ9.PiqVn7B2vuICHmodnn9udjQrvGqRR-PZr-M8x8Xijg0bnAvzXY4hxqZ5luaLitBH2IgQ5p0Rh_gjPI7TWcQA7AK3iBCp7c29QY78hSSqt38_iG5bC0MYWoluH-jg5f3iyJ3aQ-DPAZexCXxEv65RPF5EDNfhA0fUFcsu79cb89k", "access_token":"7d6c01fb6bfaca22f01d9a24219cce45" }

Using the request URL

  •  To try out request path authentication by sending the access token as a query parameter in the request URL with the WSO2 Playground sample, see Try Request Path Authentication.
  • No labels