IdentityServer 4 Discovery & Token EndPoint

This is part 1; part 2 can be found here.


IdentityServer 4 is a certified OIDC/OAuth server.
Its endpoints are available through the discovery client; here we try to demystify discovery and the process of getting a token.


  • Clone this Git repo.
  • Navigate to \IdentityServer4.Samples\Quickstarts\1_ClientCredentials
  • Open the solution Quickstart1_ClientCredentials.sln
  • Right click the IdentityServer project > Debug > Start new instance
With IdentityServer started, visit http://localhost:5000/.well-known/openid-configuration


You should see this data:
    
            {"issuer":"http://localhost:5000","jwks_uri":"http://localhost:5000/.well-known/openid-configuration/jwks","authorization_endpoint":"http://localhost:5000/connect/authorize","token_endpoint":"http://localhost:5000/connect/token","userinfo_endpoint":"http://localhost:5000/connect/userinfo","end_session_endpoint":"http://localhost:5000/connect/endsession","check_session_iframe":"http://localhost:5000/connect/checksession","revocation_endpoint":"http://localhost:5000/connect/revocation","introspection_endpoint":"http://localhost:5000/connect/introspect","frontchannel_logout_supported":true,"frontchannel_logout_session_supported":true,"backchannel_logout_supported":true,"backchannel_logout_session_supported":true,"scopes_supported":["openid","profile","email","custom.profile","api1","api2.full_access","api2.read_only","offline_access"],"claims_supported":["sub","name","family_name","given_name","middle_name","nickname","preferred_username","profile","picture","website","gender","birthdate","zoneinfo","locale","updated_at","email","email_verified","location"],"grant_types_supported":["authorization_code","client_credentials","refresh_token","implicit","password","custom","custom.nosubject"],"response_types_supported":["code","token","id_token","id_token token","code id_token","code token","code id_token token"],"response_modes_supported":["form_post","query","fragment"],"token_endpoint_auth_methods_supported":["client_secret_basic","client_secret_post","private_key_jwt"],"subject_types_supported":["public"],"id_token_signing_alg_values_supported":["RS256"],"code_challenge_methods_supported":["plain","S256"]}
        
This is the discovery document: it tells a discovery client which endpoints are available, which authentication methods are supported, and so on.

Sure, we can use a discovery client, but we can also use plain HTTP.

Note: The console project contains an example that uses the discovery client. If you try to view its traffic in Fiddler you may notice that it does not show up; more on that later.

Notice that there is a token endpoint (token_endpoint) in our discovery data.
The token endpoint is documented here.

To make a request to the token endpoint we need to create a POST request using Fiddler.

Add the header
Content-Type: application/x-www-form-urlencoded

The body should contain
grant_type=client_credentials&scope=api1&client_id=client&client_secret=secret

This is what Fiddler should look like:


If we run the request we get an access token, which we can use to query APIs that use IdentityServer as their JWT authority. Try a GET request against the values controller in the API project using the token as a bearer token, then try it without the token.
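As an added example (not code from this post or from the IdentityServer samples), the following Python script does the same two steps over plain HTTP: it reads the discovery document, checks that the issuer matches the authority it was fetched from and that the client_credentials grant, client_secret_post authentication and the requested scope are actually advertised, and then builds the same form-encoded POST shown in Fiddler above. The trimmed discovery document embedded in it is copied from the data above; `fetch_access_token` assumes the quickstart server is running on http://localhost:5000 with client id `client` and secret `secret`.

```python
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Constructed sample: a trimmed copy of the discovery document shown above.
DISCOVERY_DOC = json.dumps({
    "issuer": "http://localhost:5000",
    "token_endpoint": "http://localhost:5000/connect/token",
    "scopes_supported": ["openid", "profile", "api1", "api2.read_only"],
    "grant_types_supported": ["authorization_code", "client_credentials"],
    "token_endpoint_auth_methods_supported": ["client_secret_basic", "client_secret_post"],
})

def select_token_endpoint(discovery_json, authority, scope):
    """Return the token endpoint from a discovery document, refusing documents that
    are not the authority's own or that cannot serve a client_credentials request."""
    doc = json.loads(discovery_json)
    # The issuer must be the authority we fetched discovery from; otherwise a document
    # served from another host could steer the client secret to a foreign endpoint.
    if doc.get("issuer", "").rstrip("/") != authority.rstrip("/"):
        raise ValueError("issuer %r does not match authority %r" % (doc.get("issuer"), authority))
    if "client_credentials" not in doc.get("grant_types_supported", []):
        raise ValueError("server does not advertise the client_credentials grant")
    if "client_secret_post" not in doc.get("token_endpoint_auth_methods_supported", []):
        raise ValueError("server does not accept the client secret in the POST body")
    for s in scope.split():
        if s not in doc.get("scopes_supported", []):
            raise ValueError("scope not advertised by server: " + s)
    return doc["token_endpoint"]

def build_token_request(token_endpoint, client_id, client_secret, scope):
    """Build the POST shown in Fiddler above: form-encoded client credentials."""
    body = urlencode({"grant_type": "client_credentials", "scope": scope,
                      "client_id": client_id, "client_secret": client_secret})
    req = Request(token_endpoint, data=body.encode("ascii"), method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    return req

def fetch_access_token(authority, client_id, client_secret, scope):
    """Live version: fetch discovery from the running server, then call the token endpoint."""
    with urlopen(authority.rstrip("/") + "/.well-known/openid-configuration") as resp:
        endpoint = select_token_endpoint(resp.read().decode(), authority, scope)
    with urlopen(build_token_request(endpoint, client_id, client_secret, scope)) as resp:
        return json.loads(resp.read().decode())["access_token"]

if __name__ == "__main__":
    # Assumes the quickstart IdentityServer is running locally on port 5000.
    print(fetch_access_token("http://localhost:5000", "client", "secret", "api1"))
```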
