
I have set up IdentityServer4, which implements OAuth and OpenID Connect. A simple implementation looks like this:

services.AddIdentityServer()
    .AddTemporarySigningCredential()
    .AddInMemoryIdentityResources(Config.GetIdentityResources())
    .AddInMemoryApiResources(Config.GetApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddTestUsers(Config.GetTestUsers());

We have our clients set up like so:

new Client
{
    ClientId = "oauthClient",
    ClientName = "Example Client Credentials Client Application",
    AllowedGrantTypes = GrantTypes.ClientCredentials,
    ClientSecrets = new List<Secret> {
        new Secret("superSecretPassword".Sha256())},
    AllowedScopes = new List<string> {"customAPI.read"}
}

I'm trying to figure out how to create the login request for a user. I'm passing this JSON in a POST body to gain access to an authentication token:

{
    grant_type: 'client_credentials',
    scope: 'customAPI.read',
    client_id: 'oauthClient',
    client_secret: 'superSecretPassword'
}

I'm looking for a way to do this but pass user information, assuming I had a

username: admin password: root

What parameters do I have to modify in my JSON to log in as a user? How do I pass the username and password, and what is my grant_type?

johnny 5

1 Answer


My issue was the setup of my client. My client was only accepting grant types of client credentials; I needed to also include ResourceOwnerPassword.

I need to change the grant types in the client to look like so:

new Client
{
    ClientId = "oauthClient",
    ClientName = "Example Client Credentials Client Application",
    AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
    ClientSecrets = new List<Secret> {
        new Secret("superSecretPassword".Sha256())},
    AllowedScopes = new List<string> {"customAPI.read"}
}

Now we can form our POST body like so:

url: localhost/connect/token
Content-Type: application/x-www-form-urlencoded
data: {
    grant_type: 'password',
    scope: 'customAPI.read',
    client_id: 'oauthClient',
    client_secret: 'superSecretPassword',
    username: 'admin',
    password: 'root'
}

Edit

Using the ResourceOwnerPassword grant is apparently not recommended any more, according to the IdentityServer4 documentation:

The spec recommends using the resource owner password grant only for “trusted” (or legacy) applications. Generally speaking you are typically far better off using one of the interactive OpenID Connect flows when you want to authenticate a user and request access tokens.

johnny 5
  • So what is the correct way to authenticate an app? I know you're going to say "webview" - but that is a bad user experience, and the OpenID flow requires the consent page - and if I'm the owner of the user info I don't need his consent. Read my question here please: http://stackoverflow.com/questions/43689218/what-is-the-correct-way-to-use-oauth-for-mobile-and-website-consuming-my-own-api – developer82 May 02 '17 at 04:38
  • The consent page is configurable; you don't have to require consent. – johnny 5 May 02 '17 at 12:37
  • @developer82 the way I was doing things in the example is not proper. Using resource owner password defeats the purpose of even having a token server. If you want to implement just OAuth2, use another framework. If you want to implement OIDC connect, then use the JavaScript flow from the tutorials. – johnny 5 May 02 '17 at 16:00
  • What about from a mobile app (I'm the owner of the app)? – developer82 May 02 '17 at 17:55
  • I'm not sure yet. I'm in the same boat as you. I think there's a way to forward your request. I haven't found any Cordova plugins to do so. – johnny 5 May 02 '17 at 17:59
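The token request from the answer, as an added example that is not part of the question or answer. It assumes the `oauthClient` client from the answer (with `ResourceOwnerPasswordAndClientCredentials` as its allowed grant types), the `admin`/`root` test user from the question, and a server at `http://localhost`; the token URL, the `fake_token_endpoint` stand-in and the unsigned token it issues are all constructed here so the code runs offline. Two details the answer's pseudo-request glosses over: the body must be `application/x-www-form-urlencoded`, not JSON, and the client secret can go in an HTTP Basic `Authorization` header (RFC 6749 section 2.3.1) instead of the form body, which keeps it out of anything that logs request bodies.

```python
"""Resource owner password grant against IdentityServer4's /connect/token.

Added example, not code from the question, the answer or IdentityServer4.
Assumed: client 'oauthClient' / 'superSecretPassword' allowed to use the
password grant, test user admin/root, server at http://localhost.
"""
import base64
import json
import urllib.error
import urllib.parse
import urllib.request

# Assumed URL; in practice read token_endpoint from /.well-known/openid-configuration.
TOKEN_URL = "http://localhost/connect/token"


class TokenError(Exception):
    """Carries the OAuth error code and description returned by the server."""


def basic_auth_header(client_id, client_secret):
    # RFC 6749 section 2.3.1: credentials go in a Basic header, not the body.
    # The spec form-encodes id and secret first; these values need no encoding.
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def build_token_request(grant_type, client_id, client_secret, scope, **fields):
    """Headers and body for /connect/token; the body is form-urlencoded, never JSON."""
    form = {"grant_type": grant_type, "scope": scope, **fields}
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": basic_auth_header(client_id, client_secret),
    }
    return headers, urllib.parse.urlencode(form).encode()


def parse_token_response(status, raw_body):
    """Return (access_token, expires_in, scope) or raise TokenError on an OAuth error."""
    data = json.loads(raw_body)
    if status != 200 or "error" in data:
        raise TokenError(data.get("error", f"http_{status}"), data.get("error_description"))
    if data.get("token_type", "").lower() != "bearer":
        raise TokenError("unexpected_token_type", data.get("token_type"))
    return data["access_token"], int(data["expires_in"]), data.get("scope")


def jwt_claims(token):
    """Decode a JWT payload WITHOUT verifying it. Fine for inspection on the
    client; the API must still validate the signature against the issuer's keys."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    return json.loads(base64.urlsafe_b64decode(payload))


def urllib_transport(url, headers, body):
    """Real transport: POST the form and return (status, body) even on 4xx."""
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:  # IdentityServer answers 400 with a JSON error body
        return err.code, err.read().decode()


def request_token(grant_type, client_id, client_secret, scope, transport=urllib_transport, **fields):
    headers, body = build_token_request(grant_type, client_id, client_secret, scope, **fields)
    status, raw = transport(TOKEN_URL, headers, body)
    return parse_token_response(status, raw)


# --- constructed stand-in for the server so the example runs offline ----------
def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def fake_token_endpoint(url, headers, body):
    """Constructed server: only the Basic-authenticated 'oauthClient' may use the
    password grant, only for admin/root; other requests get standard OAuth error
    codes. It issues an unsigned JWT; real IdentityServer4 tokens are signed."""
    form = urllib.parse.parse_qs(body.decode())
    if headers.get("Authorization") != basic_auth_header("oauthClient", "superSecretPassword"):
        return 400, json.dumps({"error": "invalid_client"})
    if form.get("grant_type") != ["password"]:
        return 400, json.dumps({"error": "unauthorized_client"})
    if form.get("username") != ["admin"] or form.get("password") != ["root"]:
        return 400, json.dumps({"error": "invalid_grant"})
    claims = {"sub": "1", "client_id": "oauthClient", "scope": ["customAPI.read"]}
    token = ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(claims).encode()), ""])
    return 200, json.dumps({"access_token": token, "token_type": "Bearer",
                            "expires_in": 3600, "scope": "customAPI.read"})


if __name__ == "__main__":
    token, ttl, scope = request_token("password", "oauthClient", "superSecretPassword",
                                      "customAPI.read", transport=fake_token_endpoint,
                                      username="admin", password="root")
    print(jwt_claims(token)["sub"], ttl, scope)
```

Drop `transport=fake_token_endpoint` to hit a real server. Note that the password grant hands the user's credentials to the client application, which is exactly why the quoted documentation steers you to the interactive flows: with the password grant the token server never gets to enforce MFA, consent or a non-password authenticator, and every client that holds the password is as sensitive as the password itself.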