This article describes how to use the authorization code grant type with OpenAM. The authorization code grant is the most secure grant for an OAuth2 connection, as the access token is not stored within your browser.
On this OpenAM instance, the authorization code lifetime has been set to 1 hour to allow enough time to copy the authorization code value between the two demo scripts (usually the lifetime is very short, about a dozen seconds).
1) Get SSO token
This script creates an OpenAM SSO token for the user demo:
```
sh get_demo_ssotoken.sh
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   139  100   139    0     0     38      0  0:00:03  0:00:03 --:--:--    38
{ "successUrl" : "/openam/console", "tokenId" : "AQIC5wM2LY4Sfcw8RD1771GxlCOW56m9bW8DsIdzA8iVlqs.*AAJTSQACMDEAAlNLABM2OTE5Mjk1MTg2MDg4MjI2MDEx*" }
```
2) Get Authorization code
This script takes the SSO token as input and returns an authorization code:
```
sh get_access_token_from_autorisation_code.sh AQIC5wM2LY4Sfcw8RD1771GxlCOW56m9bW8DsIdzA8iVlqs.*AAJTSQACMDEAAlNLABM2OTE5Mjk1MTg2MDg4MjI2MDEx* 6a507fe6-bce7-4d9e-9e7b-f92715ff1bc3
curl -i \
--cookie "iplanetDirectoryPro=$1" \
\
--data "realm=%2f&\
grant_type=authorization_code&\
code=$2&\
client_id=myClientID&\
redirect_uri=https://openam.example.com:18080/openid/cb-basic.html&\
decision=Allow"
+ curl -i --cookie iplanetDirectoryPro=AQIC5wM2LY4Sfcw8RD1771GxlCOW56m9bW8DsIdzA8iVlqs.*AAJTSQACMDEAAlNLABM2OTE5Mjk1MTg2MDg4MjI2MDEx* --data realm=%2f&grant_type=authorization_code&code=6a507fe6-bce7-4d9e-9e7b-f92715ff1bc3&client_id=myClientID&redirect_uri=https://openam.example.com:18080/openid/cb-basic.html&decision=Allow
HTTP/1.1 200 OK
Cache-Control: no-store
Date: Wed, 31 Aug 2016 16:10:46 GMT
Accept-Ranges: bytes
Server: Restlet-Framework/2.1.7
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

{"access_token":"7ffa7ca8-192e-4879-b140-284a53704d9d", "refresh_token":"04d1e40f-418f-4d7e-bf8b-b6074068335f", "scope":"mail openid profile", "id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJjdHkiOiAiSldUIiwgImFsZyI6ICJSUzI1NiIgfQ.eyAiYXRfaGFzaCI6ICJUMV9YVl9iSVNMOVB4MTQtdUlqcUd3IiwgInN1YiI6ICJkZW1vIiwgImlzcyI6ICJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjE4MDgwL29wZW5hbS9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF1ZCI6IFsgIm15Q2xpZW50SUQiIF0sICJjX2hhc2giOiAiSzdNc1VfM0x3c0wwdEJoUURzcnNSUSIsICJvcHMiOiAiM2E1ODMzM2EtYzc2ZS00ZmI5LTg4OWUtYTMxOTE1ZDlkOGY1IiwgImF6cCI6ICJteUNsaWVudElEIiwgImF1dGhfdGltZSI6IDE0NzI2NTk4NDYsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0NzI2NjM0NDYsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ3MjY1OTg0NiB9.Lf4nHgkO3T74-xBrHQ2YiVLBQeh2xH289JTYDkRoiAztnQH74iGbwHKZsWKRkvK3460AZXWBnRzHjXCrL0dcImc191LIMwbZhkeBTREvZNJQzmJuu4eXudU2JyydOP20gBtqT1tCAPCbRNliZgBJjMlmzko8fXFPcyXoY5NWGi4","token_type":"Bearer","expires_in":3599}
```
3) Get an access token from authorization code
This script takes as input the authorization code returned in the previous step. On this OpenAM instance, the authorization code lifetime has been set to 1 hour to allow enough time to copy the authorization code value between the two demo scripts. The output is an ID token and an access token.
```
sh get_access_token_from_autorisation_code.sh AQIC5wM2LY4Sfcw8RD1771GxlCOW56m9bW8DsIdzA8iVlqs.*AAJTSQACMDEAAlNLABM2OTE5Mjk1MTg2MDg4MjI2MDEx* 6a507fe6-bce7-4d9e-9e7b-f92715ff1bc3
curl -i \
--cookie "iplanetDirectoryPro=$1" \
\
--data "realm=%2f&\
grant_type=authorization_code&\
code=$2&\
client_id=myClientID&\
redirect_uri=https://openam.example.com:18080/openid/cb-basic.html&\
decision=Allow"
+ curl -i --cookie iplanetDirectoryPro=AQIC5wM2LY4Sfcw8RD1771GxlCOW56m9bW8DsIdzA8iVlqs.*AAJTSQACMDEAAlNLABM2OTE5Mjk1MTg2MDg4MjI2MDEx* --data realm=%2f&grant_type=authorization_code&code=6a507fe6-bce7-4d9e-9e7b-f92715ff1bc3&client_id=myClientID&redirect_uri=https://openam.example.com:18080/openid/cb-basic.html&decision=Allow
HTTP/1.1 200 OK
Cache-Control: no-store
Date: Wed, 31 Aug 2016 16:10:46 GMT
Accept-Ranges: bytes
Server: Restlet-Framework/2.1.7
Vary: Accept-Charset, Accept-Encoding, Accept-Language, Accept
Pragma: no-cache
Content-Type: application/json;charset=UTF-8
Transfer-Encoding: chunked

{"access_token":"7ffa7ca8-192e-4879-b140-284a53704d9d", "refresh_token":"04d1e40f-418f-4d7e-bf8b-b6074068335f", "scope":"mail openid profile", "id_token":"eyAidHlwIjogIkpXVCIsICJraWQiOiAiU3lsTEM2Tmp0MUtHUWt0RDlNdCswemNlUVNVPSIsICJjdHkiOiAiSldUIiwgImFsZyI6ICJSUzI1NiIgfQ.eyAiYXRfaGFzaCI6ICJUMV9YVl9iSVNMOVB4MTQtdUlqcUd3IiwgInN1YiI6ICJkZW1vIiwgImlzcyI6ICJodHRwOi8vb3BlbmFtLmV4YW1wbGUuY29tOjE4MDgwL29wZW5hbS9vYXV0aDIiLCAidG9rZW5OYW1lIjogImlkX3Rva2VuIiwgImF1ZCI6IFsgIm15Q2xpZW50SUQiIF0sICJjX2hhc2giOiAiSzdNc1VfM0x3c0wwdEJoUURzcnNSUSIsICJvcHMiOiAiM2E1ODMzM2EtYzc2ZS00ZmI5LTg4OWUtYTMxOTE1ZDlkOGY1IiwgImF6cCI6ICJteUNsaWVudElEIiwgImF1dGhfdGltZSI6IDE0NzI2NTk4NDYsICJyZWFsbSI6ICIvIiwgImV4cCI6IDE0NzI2NjM0NDYsICJ0b2tlblR5cGUiOiAiSldUVG9rZW4iLCAiaWF0IjogMTQ3MjY1OTg0NiB9.Lf4nHgkO3T74-xBrHQ2YiVLBQeh2xH289JTYDkRoiAztnQH74iGbwHKZsWKRkvK3460AZXWBnRzHjXCrL0dcImc191LIMwbZhkeBTREvZNJQzmJuu4eXudU2JyydOP20gBtqT1tCAPCbRNliZgBJjMlmzko8fXFPcyXoY5NWGi4","token_type":"Bearer","expires_in":3599}
```
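A client that receives the step 3 response should check the ID token before trusting it. The following is an added example, not part of the original article: it checks `iss`, `aud`, `exp` and the `c_hash` / `at_hash` claims that bind the ID token to the authorization code and access token. It runs on a constructed, unsigned token built from the identifiers in the output above, and it does not verify the RS256 signature, which requires the OpenAM public key.

```python
import base64
import hashlib
import json


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def half_hash(value: str) -> str:
    """c_hash / at_hash for RS256: base64url(left 128 bits of SHA-256(value))."""
    return b64url(hashlib.sha256(value.encode("ascii")).digest()[:16])


def decode_claims(id_token: str) -> dict:
    """Decode the JWT payload only. The signature is NOT verified here."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))


def check_token_response(resp, code, client_id, issuer, now):
    """Return a list of problems; an empty list means every check passed."""
    claims = decode_claims(resp["id_token"])
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    problems = []
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    if client_id not in aud:
        problems.append("aud mismatch")
    if claims.get("exp", 0) <= now:
        problems.append("expired")
    # The page's ID token carries both hashes, so both are required here.
    if claims.get("c_hash") != half_hash(code):
        problems.append("c_hash mismatch")
    if claims.get("at_hash") != half_hash(resp["access_token"]):
        problems.append("at_hash mismatch")
    return problems


# Constructed sample: identifiers copied from the page's output, hashes
# recomputed here, and a placeholder instead of a real RS256 signature.
CODE = "6a507fe6-bce7-4d9e-9e7b-f92715ff1bc3"
ISSUER = "http://openam.example.com:18080/openam/oauth2"
ACCESS_TOKEN = "7ffa7ca8-192e-4879-b140-284a53704d9d"
CLAIMS = {"iss": ISSUER, "sub": "demo", "aud": ["myClientID"], "iat": 1472659846,
          "exp": 1472663446, "c_hash": half_hash(CODE), "at_hash": half_hash(ACCESS_TOKEN)}
ID_TOKEN = ".".join([b64url(b'{"alg":"RS256"}'), b64url(json.dumps(CLAIMS).encode()), "unsigned"])
RESPONSE = {"access_token": ACCESS_TOKEN, "id_token": ID_TOKEN}

if __name__ == "__main__":
    print(check_token_response(RESPONSE, CODE, "myClientID", ISSUER, now=1472659900))
```

A `c_hash mismatch` means the ID token was issued for a different authorization code than the one the client exchanged, which is the substitution these claims exist to detect.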