
I've implemented an application that redirects to the WSO2 Identity Server login page. If the login is successful, the user is redirected to a page where he can read his profile details. Based on his role he can perform certain actions, like creating a new user.

I've implemented an API (http://localhost:8080/add-user) that calls this URL (https://localhost:9443/t/carbon.super/oauth2/token) to generate the access token with the desired scope (for example internal_user_mgt_create) that I need in order to call the WSO2 SCIM2.0 API (https://is.docs.wso2.com/en/latest/apis/scim2-rest-apis/#/Users%20Endpoint/createUser).

Everything works if I use grant_type=password and use the user credentials to generate the access token to call the WSO2 SCIM2.0 API, but I want to use "authorization_code" as the grant_type to avoid sending user credentials in my application.

How can I do that? I know that one of the parameters I need for this flow is "code"; where can I get its value?

ffff

2 Answers


You can configure the authorization code grant in your application by selecting Code from the Allowed Grant Types list under OAuth/OpenID Connect Configuration in your application. [1]

When using the auth code grant, your application needs to call the WSO2 authorize endpoint to obtain the authorization code. Using this authorization token and the client secret, you can obtain the access token that is capable of calling the SCIM endpoint.

Refer to the following documents for more information:

[1]. https://is.docs.wso2.com/en/latest/guides/access-delegation/authorization-code/
[2]. https://medium.com/identity-beyond-borders/generating-access-tokens-using-wso2-identity-server-4d8c084a3bf5

  • After I log in I'm redirected to the user profile view (http://localhost:8080/index); I don't get the URL with the code parameter specified (like http://localhost:8080/index?code=xxxxxxxxx). So I clicked on "inspect" and in the Network panel there's this URL "localhost:8080/login/oauth2/code/wso2?code=9f228764-3e73-329c-96a0-5fe039dd5643&state=...", so I guessed that the code value was "9f228764-3e73-329c-96a0-5fe039dd5643", but when I try to generate the access token to call the SCIM2.0 API I get this error: "Inactive authorization code received from token request" – ffff Oct 28 '22 at 09:33
  • Since it redirects you to the profile view, I guess the token is already obtained for the code, and if so, this is expected. Can you check the network tab to see if there is a token call and see if the token has been delivered? If there is a token, you can use that to call SCIM2 endpoints (make sure you have the necessary scopes obtained for the token). – Vivekvinushanth Christopher Oct 28 '22 at 12:52
  • @ffff What kind of application do you have? Is it a single-page application written in React/Angular? Or is it a Java-based app? I would like to recommend using one of the suitable SDKs https://github.com/search?q=org%3Aasgardeo+sdk . If you are working on an authorization code grant, the authz_code is returned to the callback URL that is configured in the service provider. As per your comment, localhost:8080/login/oauth2/code/wso2 should be your application's callback URL. Once the callback response is received by the application, the application should initiate the token request. – Anuradha Karunarathna Oct 28 '22 at 16:26
  • My application is Java-based (using the Spring framework). I get the authz_code in the callback URL, but when I use it to generate the access token to call the SCIM2.0 API I get the error: "Inactive authorization code received from token request" – ffff Nov 02 '22 at 09:06

It's hard to provide an exact answer to this question without knowing more details about the app and the flow you'd expect your users to go through. However, it'd be much easier if you had a better understanding of the OAuth2 code grant type. The following is the basic flow.


  1. The user accesses your application through a web browser.

  2. Your application redirects the user to the identity server, with the following parameters in the request.

    1. client_id=xxx
    2. response_type=code
    3. redirect_uri=yyy - Location in your application where you want to get the authz code. This needs to be registered with the IS service provider beforehand.
    4. scopes
  3. The IS prompts the user to log in.

  4. The IS then redirects the user to the given redirect URI, with the authorization code.

  5. Once the code is received by the client, it makes a back channel call to the token endpoint of the IS (https://localhost:9443/t/carbon.super/oauth2/token) with the following parameters.

    1. grant_type=authorization_code
    2. client_id=xxx
    3. client_secret=zzz
    4. code=ccc
  6. IS validates the code and issues an access token.

Read more on OAuth2 here.

Now, if you're getting the "Inactive authorization code" error, your application might already be calling the token endpoint with the code received, before you call your add-user API.

Ideally, your add-user API shouldn't call the token endpoint at all. You should call the token endpoint from your application, get an access token and pass that to the add-user API if needed. Or you can directly call the SCIM API from your application itself.

I hope this helps!

  • Yes, thank you! My problem was... I thought I had to have two access tokens, one after the login and one to call the API, because the scopes were different (for one AT I needed openid and for the other the one required to call the API), but then I solved the problem by sending all the scopes required the first time with the openid one, so that when the user logs in, I can use that access token to call the APIs. Is this correct? – ffff Nov 07 '22 at 08:05
  • Yes, that is correct. The "openid" scope is only used to request an ID token along with the usual access token, which we call the OpenID Connect flow. You can request the permission scopes along with the openid scope in the same call, which will return an AT with the requested permissions and an ID token with user details. – Vihanga Liyanage Nov 08 '22 at 03:54
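The flow from the answer above, as an added example that is not code from the answer, the asker's Spring app, or WSO2: a tiny simulated identity server issues a single-use authorization code, so the second exchange of the same code (what the add-user API was doing after Spring's login handler had already redeemed it) comes back with the inactive-code error, while requesting openid together with the SCIM scope in one authorize request yields one token that carries both. The authorize endpoint path, client id/secret and redirect URI are assumed placeholder values.

```python
# Added example, not code from the answer or from WSO2: a simulated IS token
# endpoint showing why a code already redeemed by the app's login handler
# comes back as inactive when the add-user API tries to exchange it again.
import secrets
from urllib.parse import urlencode, urlparse, parse_qs

# Assumed values: the authorize path mirrors the token path quoted on the page.
AUTHZ_ENDPOINT = "https://localhost:9443/t/carbon.super/oauth2/authorize"
REDIRECT_URI = "http://localhost:8080/login/oauth2/code/wso2"

def build_authorize_url(client_id, scopes, state):
    """Step 2: the front-channel redirect the browser is sent to."""
    params = {"response_type": "code", "client_id": client_id, "state": state,
              "redirect_uri": REDIRECT_URI, "scope": " ".join(scopes)}
    return AUTHZ_ENDPOINT + "?" + urlencode(params)

def parse_callback(url, expected_state):
    """Step 4: pull the code out of the redirect, rejecting a wrong state."""
    qs = parse_qs(urlparse(url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: not our authorization response")
    return qs["code"][0]

class FakeIdentityServer:
    """Stand-in for the IS token endpoint: a code can be exchanged once."""
    def __init__(self):
        self.active_codes = {}  # code -> scopes granted at login
    def issue_code(self, scopes):
        code = secrets.token_hex(8)
        self.active_codes[code] = set(scopes)
        return code
    def token(self, form):  # steps 5-6: back-channel exchange
        if form.get("grant_type") != "authorization_code":
            return {"error": "unsupported_grant_type"}
        scopes = self.active_codes.pop(form.get("code"), None)  # consumed here
        if scopes is None:
            return {"error": "invalid_grant", "error_description":
                    "Inactive authorization code received from token request"}
        return {"access_token": secrets.token_hex(16), "token_type": "Bearer",
                "scope": " ".join(sorted(scopes))}

def login_and_exchange(idp, client_id, client_secret, scopes):
    """Run the flow once, then retry the same code as the add-user API did."""
    state = secrets.token_urlsafe(8)
    build_authorize_url(client_id, scopes, state)  # browser goes here, IS logs the user in
    callback = REDIRECT_URI + "?" + urlencode({"code": idp.issue_code(scopes), "state": state})
    code = parse_callback(callback, state)
    form = {"grant_type": "authorization_code", "client_id": client_id,
            "client_secret": client_secret, "code": code, "redirect_uri": REDIRECT_URI}
    return idp.token(form), idp.token(form)  # first succeeds, second is inactive
```

The fix the answer describes is visible in the return value: keep the first token (it already has internal_user_mgt_create alongside openid) and pass it to add-user or the SCIM API instead of exchanging the code a second time.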