Wednesday, 4 December 2019

Token API. Client Credentials Grant.


1. Introduction
2. Client Credentials as an authorization grant.
3. Access Token Request
4. Access Token Response
5. Invoking the Token API to generate the tokens
6. Interaction Diagram


1. Introduction

APIs are grouped by Applications and protected by access tokens. If a Client needs access to an API, it must first send a request to the Authorization Server to obtain an access token. The authorization grant types group the different ways of asking for an access token. An authorization grant is a credential representing the resource owner's authorization (to access its protected resources), used by the client to obtain an access token.

Authorization grant types:

Kerberos OAuth2 Grant
Refresh Token Grant
Authorization Code Grant
NTLM Grant
Password Grant
SAML Extension Grant
Client Credentials Grant
Implicit Grant
JWT Grant

In this post I am going to do a PoC of the Client Credentials Grant.

2. Client Credentials as an authorization grant.

In this use case the Client itself is the resource owner; that is why the access token request uses Client Credentials as the authorization grant. Authorization scope: protected resources under the control of the Client. The Client can request an access token using only its client credentials (or other supported means of authentication) when it is requesting access to the protected resources under its control, or to those of another resource owner that have been previously arranged with the authorization server. The client credentials grant type MUST only be used by confidential clients, because the client secret is the only thing protecting the grant.


Since the client authentication is used as the authorization grant, no additional authorization request is needed.

3. Access Token Request

The client makes a request to the token endpoint by adding the following parameters, using the "application/x-www-form-urlencoded" format with UTF-8 character encoding in the HTTP request entity-body:

grant_type (REQUIRED): Value MUST be set to "client_credentials"
scope      (OPTIONAL): The scope of the access request.

For example:
POST /token HTTP/1.1
Host: server.example.com
Authorization: Basic dG9tYXM6cmFiYXpv
Content-Type: application/x-www-form-urlencoded

grant_type=client_credentials

The authorization server MUST authenticate the client.

4. Access Token Response

If the access token request is valid and authorized, the authorization server issues an access token. A refresh token SHOULD NOT be included. If the request failed client authentication or is invalid, the authorization server returns an error response.

For example:
HTTP/1.1 200 OK
Content-Type: application/json;charset=UTF-8
Cache-Control: no-store
Pragma: no-cache
{
    "access_token":"4598yutg4o3ph45ptu3p84up",
    "token_type":"example",
    "expires_in":3600,
    "example_parameter":"example_value"
}

5. Invoking the Token API to generate the tokens

1) Get a valid consumer key and consumer secret pair. Initially, you generate these keys through the API Store by clicking Generate Keys on the Production Keys tab of the application.

2) Combine the consumer key and the consumer secret in the format consumer-key:consumer-secret and encode the combined string using base64 (for example with http://base64encode.org).

Consumer Key   : YzQHb9sUQeISS_KjZeuxRNPYhrka
Consumer Secret: k3EIaQrBMTtL9fFZN7OQ3fG15bca7
consumer-key:consumer-secret: YzQHb9sUQeISS_KjZeuxRNPYhrka:k3EIaQrBMTtL9fFZN7OQ3fG15bca
Base64         : WXpRSGI5c1VRZUlTU19LalpldXhSTlBZaHJrYTprM0VJYVFyQk1UdEw5ZkZaTjdPUTNmRzE1YmNh

3) Obtain the access token
Generic curl command:
curl -k -d "grant_type=client_credentials" -H "Authorization: Basic <Base64-encoded-client_key:client_secret>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:<https-port>/token -v

To obtain the access token by specifying the scope:
curl -k -d "grant_type=client_credentials&scope=test" -H "Authorization: Basic <Base64(ConsumerKey:ConsumerSecret)>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token

To set a validity period for access tokens through a cURL command, pass the validity_period parameter:
curl -X POST -k -H "Authorization: Basic <Base64(clientId:clientSecret)>" -d "grant_type=client_credentials&validity_period=<custom_validity_time_in_seconds>" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token -v


Example:
curl -k -d "grant_type=client_credentials" -H "Authorization: Basic WXpRSGI5c1VRZUlTU19LalpldXhSTlBZaHJrYTprM0VJYVFyQk1UdEw5ZkZaTjdPUTNmRzE1YmNh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token -v

Example with SOAPUI:

Response:
HTTP/1.1 200 OK
X-Frame-Options: DENY
Cache-Control: no-store
X-Content-Type-Options: nosniff
Pragma: no-cache
X-XSS-Protection: 1; mode=block
Content-Type: application/json
Date: Wed, 04 Dec 2019 13:52:37 GMT
Transfer-Encoding: chunked
Connection: Keep-Alive

{"access_token":"89d00c2f-48ef-35b2-a879-97cbe75a0b93",
 "scope":"am_application_scope default",
 "token_type":"Bearer",
 "expires_in":3600}
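As an added example (not code from this post or from the API Manager), the same flow in Python: the Basic header is built from the consumer-key:consumer-secret pair exactly as in step 2, the form body follows step 3 and section 3, and the response check follows section 4 (a 200 with a Bearer access_token and no refresh_token). The key, secret and token URL are the post's own values; the `opener` parameter is an assumption of this example so that the request path can be exercised without a server.

```python
import base64
import json
import time
from urllib.error import HTTPError
from urllib.parse import urlencode
from urllib.request import Request, urlopen

def basic_auth_header(consumer_key, consumer_secret):
    """Step 2: base64("consumer-key:consumer-secret") as a Basic Authorization value."""
    raw = f"{consumer_key}:{consumer_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(raw).decode("ascii")

def token_request_body(scope=None, validity_period=None):
    """Step 3: the x-www-form-urlencoded body. grant_type is required, scope is
    optional, validity_period is the extra parameter shown in the post's curl."""
    params = {"grant_type": "client_credentials"}
    if scope:
        params["scope"] = scope
    if validity_period is not None:
        params["validity_period"] = str(int(validity_period))
    return urlencode(params)

def parse_token_response(status, body, now=None):
    """Section 4: accept only HTTP 200 with a Bearer access_token; a refresh_token
    SHOULD NOT be issued for this grant, so its presence is treated as an error."""
    if status != 200:
        raise RuntimeError(f"token endpoint returned HTTP {status}: {body}")
    data = json.loads(body)
    if "access_token" not in data or data.get("token_type", "").lower() != "bearer":
        raise ValueError("response carries no Bearer access_token")
    if "refresh_token" in data:
        raise ValueError("unexpected refresh_token in a client_credentials response")
    now = time.time() if now is None else now
    return {"access_token": data["access_token"],
            "scope": data.get("scope", "").split(),
            "expires_at": now + int(data["expires_in"])}

def request_access_token(token_url, consumer_key, consumer_secret, scope=None, opener=urlopen):
    """POST to the token endpoint; unlike the curl -k examples, TLS is verified by default.
    `opener` (assumed here) lets a fake transport be injected for offline testing."""
    req = Request(token_url, data=token_request_body(scope).encode("utf-8"), method="POST")
    req.add_header("Authorization", basic_auth_header(consumer_key, consumer_secret))
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    try:
        with opener(req) as resp:
            return parse_token_response(resp.status, resp.read().decode("utf-8"))
    except HTTPError as err:  # urlopen raises on 4xx/5xx; surface the error body instead
        return parse_token_response(err.code, err.read().decode("utf-8"))
```

Treat `expires_at` as the moment to request a new token; the API Gateway will reject the old one after expires_in seconds.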

Request to APIGateway with the access token:

6. Interaction Diagram

In this diagram I summarize all the interactions between the components.

