This article describes how to investigate an OAuth2 Authorization Code request in OpenAM, using the OAuth2Provider.access audit log.

As a reminder, the principle of the OAuth2 Authorization Code grant is a two-step exchange: first obtain a code, then swap it for tokens:

  • User authentication
  • Consent acceptance
  • The authorization server returns an authorization code (in the redirect back to the client's redirect URI, in response to the consent POST)
  • The client exchanges this authorization code for an access token (and optionally a refresh token) at the token endpoint

Sometimes it is useful to dig a little deeper into the OAuth2 mechanism, because a customer may say: "I am not able to get hold of my access token". When the Authorization Code flow is in use, it often turns out that the OpenAM server is behaving correctly but the customer's client has never performed the code-for-token swap, which breaks the whole process.

With OpenAM it is very easy to check exactly what the client did during the OAuth2 flow.

The OAuth2 code flow can be observed in the audit log file OAuth2Provider.access (in the OpenAM log directory).

The sequence of records for one successful flow is:

  • CREATED_AUTHORIZATION_CODE with label OAuth2Provider-7 (the code is created once the user has authenticated and consented; the record carries the code's attributes as JSON: clientID, userName, scope, redirectURI, expireTime, code_challenge, id)
  • a record naming the client (poc_client here) with label OAuth2Provider-15, logged at the same second as the token creation, when the client comes back to the token endpoint with the code
  • CREATED_REFRESH_TOKEN with label OAuth2Provider-5
  • CREATED_TOKEN with label OAuth2Provider-1 (the access token)
  • UPDATED_AUTHORIZATION_CODE with label OAuth2Provider-17, with "issued": ["true"] added to the code's attributes, marking the code as consumed

So if, for a given code id, the log stops after OAuth2Provider-7 and no OAuth2Provider-1 / OAuth2Provider-17 follows, the client never exchanged the code (or tried after it expired: expireTime is an epoch timestamp in milliseconds), and the problem is on the client side, not in OpenAM. Two other things can be read off these records: code_challenge and code_challenge_method are empty, so this client is not using PKCE; and each record carries the user's ssoTokenId, so OAuth2Provider.access must be protected like a session store.

Example (extract from OAuth2Provider.access; fields are tab-separated in the file, and the OpenAM message label is the last field):

"2017-10-31 12:22:10"   "CREATED_AUTHORIZATION_CODE|{ ""redirectURI"": [ ""https://vps383894.ovh.net:8080/examples/servlets/servlet/HelloWorldExample"" ], ""clientID"": [ ""poc_client"" ], ""ssoTokenId"": [ ""AQIC5wM2LY4Sfcxhl4F8mcrpTQmtl7Krs1AZMRMzKQedQzs.*AAJTSQACMDIAAlNLABM4NzEzMDgxMjAzMTA2OTk5NzkzAAJTMQACMDE.*"" ], ""auditTrackingId"": [ ""39081afe-aee0-4033-a870-d7863790a657-224"" ], ""tokenName"": [ ""access_code"" ], ""authModules"": [ ""LDAP"" ], ""code_challenge_method"": [  ], ""userName"": [ ""comptedetest@example.org"" ], ""nonce"": [  ], ""authGrantId"": [ ""83f87ee3-e0b6-46d6-805a-d6019fb90af8"" ], ""acr"": [  ], ""expireTime"": [ ""1509448990469"" ], ""scope"": [ ""profile"", ""infotech"" ], ""claims"": [ null ], ""realm"": [ ""/INTERNET"" ], ""id"": [ ""572f6f7e-b968-4e18-a738-94ccdfad856a"" ], ""tokenType"": [ ""Bearer"" ], ""code_challenge"": [  ] }"      "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"    "Not Available" "Not Available" OAuth2Provider.access   "Not Available" "Not Available" "Not Available" "Not Available" OAuth2Provider-7


"2017-10-31 12:22:22"   poc_client      "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"    "Not Available" "Not Available" OAuth2Provider.access   "Not Available" "Not Available" "Not Available" "Not Available" OAuth2Provider-15


"2017-10-31 12:22:22"   CREATED_REFRESH_TOKEN|b9894985-61ee-4b47-8159-54158b23dcec      "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"    "Not Available" "Not Available" OAuth2Provider.access   "Not Available" "Not Available" "Not Available" "Not Available" OAuth2Provider-5

"2017-10-31 12:22:23"   CREATED_TOKEN|8625d259-5fd6-43a8-abec-774375ddbc43      "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"    "Not Available" "Not Available" OAuth2Provider.access   "Not Available" "Not Available" "Not Available" "Not Available" OAuth2Provider-1

"2017-10-31 12:22:23"   "UPDATED_AUTHORIZATION_CODE|{ ""redirectURI"": [ ""https://vps383894.ovh.net:8080/examples/servlets/servlet/HelloWorldExample"" ], ""clientID"": [ ""poc_client"" ], ""ssoTokenId"": [ ""AQIC5wM2LY4Sfcxhl4F8mcrpTQmtl7Krs1AZMRMzKQedQzs.*AAJTSQACMDIAAlNLABM4NzEzMDgxMjAzMTA2OTk5NzkzAAJTMQACMDE.*"" ], ""auditTrackingId"": [ ""39081afe-aee0-4033-a870-d7863790a657-224"" ], ""tokenName"": [ ""access_code"" ], ""authModules"": [ ""LDAP"" ], ""code_challenge_method"": [  ], ""userName"": [ ""comptedetest@example.org"" ], ""nonce"": [  ], ""authGrantId"": [ ""83f87ee3-e0b6-46d6-805a-d6019fb90af8"" ], ""acr"": [  ], ""expireTime"": [ ""1509448990469"" ], ""scope"": [ ""profile"", ""infotech"" ], ""claims"": [ null ], ""realm"": [ ""/INTERNET"" ], ""id"": [ ""572f6f7e-b968-4e18-a738-94ccdfad856a"" ], ""tokenType"": [ ""Bearer"" ], ""code_challenge"": [  ], ""issued"": [ ""true"" ] }"    "Not Available" "cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"    "Not Available" "Not Available" OAuth2Provider.access   "Not Available" "Not Available" "Not Available" "Not Available" OAuth2Provider-17
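To turn the manual reading above into a check that can be run over a whole log, here is an added example (not code from the original article or from OpenAM): a small parser for the OAuth2Provider.access layout shown in the extract that, for every authorization code, reports whether an UPDATED_AUTHORIZATION_CODE record with issued=true followed its creation, lists the tokens minted in the window, and flags codes that were never swapped. The sample log embedded below is constructed in the same layout as the extract (tab-separated, quoted fields with embedded quotes doubled); the first code id and the token ids are taken from the extract, the second code id is constructed to show a flow the client abandoned.

```python
import csv
import io
import json

# Constructed sample in the layout of the OAuth2Provider.access extract above:
# tab-separated fields, quoted fields with embedded quotes doubled, and the
# OpenAM message label (OAuth2Provider-N) as the last field.
CODE_OK = "572f6f7e-b968-4e18-a738-94ccdfad856a"      # code id from the extract
CODE_STALE = "11111111-2222-3333-4444-555555555555"   # constructed: never exchanged

NA = '"Not Available"'
DN = '"cn=dsameuser,ou=DSAME Users,dc=openam,dc=example,dc=com"'


def _code_payload(code_id, issued=None):
    """Code attributes as JSON, then quoted the way the log file does it (" -> "")."""
    attrs = {
        "clientID": ["poc_client"],
        "userName": ["comptedetest@example.org"],
        "id": [code_id],
        "scope": ["profile", "infotech"],
        "code_challenge": [],            # empty: this client does not use PKCE
        "expireTime": ["1509448990469"],  # epoch milliseconds
    }
    if issued is not None:
        attrs["issued"] = [issued]
    return json.dumps(attrs).replace('"', '""')


def _line(ts, data, msg_id):
    """One constructed log line in the extract's column layout."""
    return "\t".join([f'"{ts}"', data, NA, DN, NA, NA, "OAuth2Provider.access",
                      NA, NA, NA, NA, msg_id])


SAMPLE_LOG = "\n".join([
    _line("2017-10-31 12:22:10", f'"CREATED_AUTHORIZATION_CODE|{_code_payload(CODE_OK)}"', "OAuth2Provider-7"),
    _line("2017-10-31 12:22:22", "poc_client", "OAuth2Provider-15"),
    _line("2017-10-31 12:22:22", "CREATED_REFRESH_TOKEN|b9894985-61ee-4b47-8159-54158b23dcec", "OAuth2Provider-5"),
    _line("2017-10-31 12:22:23", "CREATED_TOKEN|8625d259-5fd6-43a8-abec-774375ddbc43", "OAuth2Provider-1"),
    _line("2017-10-31 12:22:23", f'"UPDATED_AUTHORIZATION_CODE|{_code_payload(CODE_OK, "true")}"', "OAuth2Provider-17"),
    # A second login whose code the client never came back to exchange.
    _line("2017-10-31 12:30:00", f'"CREATED_AUTHORIZATION_CODE|{_code_payload(CODE_STALE)}"', "OAuth2Provider-7"),
])


def parse_log(text):
    """Split OAuth2Provider.access lines into time / event / payload / message label."""
    records = []
    for fields in csv.reader(io.StringIO(text), delimiter="\t", quotechar='"'):
        if len(fields) < 2:
            continue
        # The data column is "EVENT|payload"; a bare client id has no "|" part.
        event, _, payload = fields[1].partition("|")
        records.append({"time": fields[0], "event": event, "payload": payload,
                        "msg_id": fields[-1]})
    return records


def code_status(records):
    """For each authorization code: who, when created, PKCE or not, and when it was consumed."""
    status = {}
    for rec in records:
        if rec["event"] not in ("CREATED_AUTHORIZATION_CODE", "UPDATED_AUTHORIZATION_CODE"):
            continue
        attrs = json.loads(rec["payload"])
        code_id = attrs["id"][0]
        entry = status.setdefault(code_id, {
            "client": attrs["clientID"][0], "user": attrs["userName"][0],
            "created": None, "exchanged_at": None,
            "pkce": bool(attrs.get("code_challenge")),
        })
        if rec["event"] == "CREATED_AUTHORIZATION_CODE":
            entry["created"] = rec["time"]
        elif attrs.get("issued", [""])[0] == "true":
            entry["exchanged_at"] = rec["time"]   # OpenAM marked the code as consumed
    return status


def stale_codes(records):
    """Codes created but never exchanged: the 'I never got my access token' symptom."""
    return [cid for cid, e in code_status(records).items() if e["exchanged_at"] is None]


def token_events(records):
    """Access and refresh tokens actually minted in this log window."""
    return [(r["event"], r["payload"]) for r in records
            if r["event"] in ("CREATED_TOKEN", "CREATED_REFRESH_TOKEN")]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for cid, e in code_status(recs).items():
        state = f"exchanged at {e['exchanged_at']}" if e["exchanged_at"] else "NEVER EXCHANGED"
        print(f"{cid} client={e['client']} user={e['user']} pkce={e['pkce']} "
              f"created={e['created']} {state}")
    print("tokens minted:", token_events(recs))
    print("stale codes:", stale_codes(recs))
```

Run it against a real file with parse_log(open(path).read()) instead of SAMPLE_LOG. A code listed by stale_codes() is the case described above: OpenAM did its part and the client never called the token endpoint, so the investigation moves to the client. The pkce flag is a by-product worth keeping, since an empty code_challenge means a stolen code could be redeemed without the verifier.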

janua