
I need to get access token from Identity Server through an API call from react client (fetch). I don't want to load the login UI from Identity Server (implicit flow), enter credentials, redirect to the redirect_uri and then get the access_token from the url. I just want to pass the credentials through an API call (fetch) to Token endpoint and get the access token from react client (similar to http://docs.identityserver.io/en/release/endpoints/token.html).

The endpoint is - http://localhost/identityserver/core/connect/token

What other data should I pass to the fetch call?

Following are the response and grant types supported by ids:

```
response_types_supported: [ "code", "token", "id_token", "id_token token", "code id_token", "code token", "code id_token token" ],
grant_types_supported: [ "authorization_code", "client_credentials", "password", "refresh_token", "implicit" ],
```

May I know how to achieve this using the oidc-client package (https://www.npmjs.com/package/oidc-client)? Please let me know if more details are needed so that I can update the question with more information.

MAK
  • ReactJs client? I would prefer a different flow to be more secure. Look here: https://leastprivilege.com/2016/01/17/which-openid-connectoauth-2-o-flow-is-the-right-one/ A good resource to start finding a better flow. – Vincenzo Sep 29 '18 at 06:02

1 Answer


You would need to post to the Token Endpoint using the Password grant type:

```http
POST /connect/token
Content-Type: application/x-www-form-urlencoded

client_id=yourclientid&client_secret=yourclientsecret&grant_type=password&username=yourusername&password=yourusernamespassword
```

This will return an Access Token not an Identity Token. If you need access to the user's information then you can obtain this from the UserInfo Endpoint.

oidc-client helps authenticate a user via the Authorize Endpoint and therefore can't help with the Token Endpoint.

This is what the documentation says about the Password Grant:

The spec recommends using the resource owner password grant only for “trusted” (or legacy) applications. Generally speaking you are typically far better off using one of the interactive OpenID Connect flows when you want to authenticate a user and request access tokens.

Richard
  • I got - "error": "unauthorized_client" It says the client is not authorized for resource owner flow – MAK Sep 28 '18 at 18:29
  • I changed the grant type of the client to 'password' and it worked. Thank you. – MAK Sep 28 '18 at 18:48
  • Is this a good approach? I understand implicit flow is redirecting the client to the login UI of Identity Server, enter credentials, get it redirected to the client's redirect_uri and obtain both the id_token and access_token. I am not sure about Hybrid flow. How this approach of hitting the token endpoint directly is different from implicit/hybrid flow. Please advise. – MAK Sep 28 '18 at 18:50
  • @MAK I added to my answer what the documentation says about using Password grant. With implicit and hybrid you redirect to a sign-in page in Identity Server to obtain their credentials. Is there a reason why you don't want to do that? – Richard Sep 29 '18 at 06:21
  • For our requirement, the access token should always be available. So, the user should not be prompted to enter credentials to get bearer token. It should be refreshed and available always through backend channel – MAK Sep 29 '18 at 06:41
  • You can still do that with implicit flow via silent renewal in a client side app as long as you have an active session on the IDP. As has been mentioned, the resource owner password flow is not recommended and shuts the door on many possibilities like using second factors or new protocols like WebAuthn – mackie Sep 29 '18 at 07:18
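The fetch call the question asks for, written out as an added example (not code from the answer or from IdentityServer). It builds the form-encoded password-grant body, posts it to the token endpoint and handles the `unauthorized_client` error seen in the comments; the endpoint URL, client id and credentials are placeholders, and `fetchImpl` is a hypothetical parameter so the request can be stubbed offline.

```javascript
// Added example: resource owner password grant against the IdentityServer
// token endpoint from a browser client. Endpoint and client values are placeholders.
const TOKEN_ENDPOINT = "http://localhost/identityserver/core/connect/token";

// Build the application/x-www-form-urlencoded body the token endpoint expects.
// A client_secret shipped to a browser is visible to every user of the SPA, so a
// browser client should be registered as a public client and send no secret.
function buildPasswordGrantBody({ clientId, clientSecret, username, password, scope }) {
  const params = new URLSearchParams({
    grant_type: "password",
    client_id: clientId,
    username,
    password,
  });
  if (clientSecret) params.set("client_secret", clientSecret);
  if (scope) params.set("scope", scope);
  return params;
}

// Interpret the JSON token response. A rejected request comes back as HTTP 400
// with an {"error": "..."} body, e.g. "unauthorized_client" when the client is
// not allowed the password grant (the error MAK hit in the comments above).
function parseTokenResponse(status, json) {
  if (status !== 200 || json.error) {
    const detail = json.error_description ? ` (${json.error_description})` : "";
    throw new Error(`token request failed: ${json.error || status}${detail}`);
  }
  if (json.token_type !== "Bearer" || !json.access_token) {
    throw new Error("unexpected token response");
  }
  return {
    accessToken: json.access_token,
    // expires_in is seconds; keep an absolute expiry so the client can renew early
    expiresAt: Date.now() + json.expires_in * 1000,
    refreshToken: json.refresh_token, // present only if offline_access was granted
  };
}

// POST the grant. fetchImpl defaults to the browser's global fetch.
async function requestAccessToken(credentials, fetchImpl = fetch) {
  const response = await fetchImpl(TOKEN_ENDPOINT, {
    method: "POST",
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: buildPasswordGrantBody(credentials).toString(),
  });
  const json = await response.json();
  return parseTokenResponse(response.status, json);
}
```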