OAuth2 in Thinktecture IdentityServer v2: Resource Owner Password Flow

IdentityServer v2 supports the OAuth2 “Resource Owner Password Credential Flow” (see the spec for more details).

This flow is for so-called “trusted applications”: the user hands their username and password to an application, and that application then requests a token on the user's behalf. This also means the application sees the raw credentials and could do whatever it wants with them, which is why only an application the user (and the authorization server) trusts should be allowed to use it. Hence the term “trusted application”.

Generally this flow is discouraged since it relies on the password anti-pattern (the client handles the user's password directly), but often all people are looking for is something like “WS-Trust for HTTP”, and this OAuth2 flow is what comes closest to that.

You (aka the client) basically send two pieces of information to the authorization server's token endpoint:

  • Token request (a form-encoded body containing the grant type, the resource identifier as the scope, and the corresponding resource owner credential, i.e. username and password)
  • Client credential (a Basic Authentication header containing the client id and client secret)

…and get back a token in return that you can use to access the resource on behalf of the resource owner (== user).

Step 0: Setup IdentityServer
Watch this video to get started. When you download the source directly from github, you will see that all the following configuration entries are pre-created for you. In the release version, the config DB is empty.

Step 1: Configure OAuth2
First you need to enable OAuth2 and the ‘Resource Owner Password Credential Flow’ in IdSrv.

(screenshot: OAuth config)

Step 2: Register a resource
Next you need to register a resource. This consists (at a minimum) of a resource identifier and a symmetric signing key that will be used to sign the token. This signing key becomes the shared secret between IdSrv and the resource server, so anyone who obtains it can mint valid tokens for that resource; treat it accordingly.

(screenshot: resource)

Step 3: Register a client
The last configuration step is to register a client. The client id and secret will be used to authenticate the token request. Also check the corresponding flows you want to enable for this client.

(screenshot: client)

Step 4: Request the token
You can use an arbitrary HTTP client to request a token. This is an example using HttpClient:

using System;
using System.Collections.Generic;
using System.Net.Http;
using Thinktecture.IdentityModel.Constants;   // OAuth2Constants
using Thinktecture.IdentityModel.Http;        // BasicAuthenticationHeaderValue

// baseAddress is the token endpoint (see the Application Integration page in IdSrv),
// scope is the resource identifier registered in step 2. Both are placeholders here.
var baseAddress = "<token endpoint URL>";
var scope = "<resource identifier>";

// the token request: grant type, resource owner credentials and the requested scope (resource)
var form = new FormUrlEncodedContent(new Dictionary<string, string>
{
    { OAuth2Constants.GrantType, OAuth2Constants.Password },
    { OAuth2Constants.UserName, "alice" },
    { OAuth2Constants.Password, "password" },
    { OAuth2Constants.Scope, scope }
});

// the client credential: client id and secret go into a Basic Authentication header
// (Constants.Credentials is the sample's own constants class)
var client = new HttpClient();
client.DefaultRequestHeaders.Authorization = new BasicAuthenticationHeaderValue(
    Constants.Credentials.ClientId,
    Constants.Credentials.ClientSecret);

// .Result blocks synchronously; fine for a console sample, use await in real code
var result = client.PostAsync(new Uri(baseAddress), form).Result;

 

…or you can use the OAuth2Client class from Thinktecture.IdentityModel:

using System;
using Thinktecture.IdentityModel.Client;   // OAuth2Client

var client = new OAuth2Client(
    new Uri(baseAddress),
    Constants.Credentials.ClientId,
    Constants.Credentials.ClientSecret);

// sends the same request as above and parses the JSON token response
var response = client.RequestAccessTokenUserName(
    "alice",
    "password",
    scope);

(you can look up the OAuth endpoint on the Application Integration page in IdSrv – use the token endpoint)

Step 5: Use the token
You then typically put the returned token in the Authorization header (as a Bearer token) and send it to the resource server, which validates the signature with the symmetric key from step 2. I have examples for this in Thinktecture.IdentityModel.
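To make the exchange described at the top of the post and in steps 2 to 5 concrete, here is an added, self-contained model of both sides of the flow. It is not code from this post, from Thinktecture.IdentityModel or from IdentityServer: the client id/secret, the user store, the resource identifier and its key, and the HMAC-SHA256 JWT-style token format are all constructed assumptions, chosen only to show what the token endpoint has to check (client credential first, then grant type, enabled flow, scope, user credential) and what the resource server verifies with the shared key.

```python
"""Added example, not code from the original post or from IdentityServer:
an in-process model of the resource owner password flow (steps 2 to 5).
All identifiers, secrets and the token format are constructed assumptions."""
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import parse_qs, urlencode

# Step 2: registered resources -> symmetric signing key shared with that resource server (constructed)
RESOURCES = {"https://api.example.com/data": b"shared-resource-signing-key-example"}
# Step 3: registered clients -> secret plus the flows enabled for the client (constructed)
CLIENTS = {"client1": {"secret": "secret", "flows": {"password"}}}
USERS = {"alice": "password"}  # resource owners known to the authorization server (constructed)


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def sign_token(claims: dict, key: bytes) -> str:
    """Compact HS256 token: base64url(header).base64url(claims).base64url(HMAC)."""
    header = b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url(json.dumps(claims, separators=(",", ":")).encode())
    mac = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url(mac)}"


def build_token_request(client_id, client_secret, username, password, scope):
    """Client side (step 4): Basic Authentication header with the client credential plus form body."""
    cred = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {cred}",
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return headers, body


def token_endpoint(headers, body):
    """Authorization server side. Returns (status, JSON body); error codes as in RFC 6749 section 5.2.
    A missing or wrong client credential is rejected before anything else is looked at."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return 401, {"error": "invalid_client"}
    try:
        client_id, _, client_secret = base64.b64decode(auth[6:]).decode().partition(":")
    except Exception:
        return 401, {"error": "invalid_client"}
    client = CLIENTS.get(client_id)
    if client is None or not hmac.compare_digest(client["secret"].encode(), client_secret.encode()):
        return 401, {"error": "invalid_client"}
    form = {k: v[0] for k, v in parse_qs(body).items()}
    if form.get("grant_type") != "password":
        return 400, {"error": "unsupported_grant_type"}
    if "password" not in client["flows"]:          # flow not enabled for this client (step 3)
        return 400, {"error": "unauthorized_client"}
    scope = form.get("scope")
    if scope not in RESOURCES:                      # unknown resource identifier (step 2)
        return 400, {"error": "invalid_scope"}
    username, password = form.get("username", ""), form.get("password", "")
    if not hmac.compare_digest(USERS.get(username, "").encode(), password.encode()):
        return 400, {"error": "invalid_grant"}
    now = int(time.time())
    claims = {"iss": "https://idsrv.example.com", "aud": scope, "sub": username,
              "client_id": client_id, "iat": now, "exp": now + 3600}
    return 200, {"access_token": sign_token(claims, RESOURCES[scope]),
                 "token_type": "Bearer", "expires_in": 3600}


def resource_server(authorization_header, resource, now=None):
    """Step 5 counterpart: verify signature (shared key), audience and expiry of a bearer token.
    Returns the claims on success, None on any failure."""
    key = RESOURCES.get(resource)
    if key is None or not authorization_header.startswith("Bearer "):
        return None
    parts = authorization_header[7:].split(".")
    if len(parts) != 3:
        return None
    header, body, sig = parts
    expected = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(b64url(expected).encode(), sig.encode()):
        return None
    claims = json.loads(base64.urlsafe_b64decode(body + "=" * (-len(body) % 4)))
    now = int(time.time()) if now is None else now
    if claims.get("aud") != resource or claims.get("exp", 0) <= now:
        return None
    return claims


def run_flow(client_id="client1", client_secret="secret", username="alice",
             password="password", scope="https://api.example.com/data"):
    """Drive the whole exchange; returns (status, token response, claims seen by the resource)."""
    headers, body = build_token_request(client_id, client_secret, username, password, scope)
    status, response = token_endpoint(headers, body)
    if status != 200:
        return status, response, None
    return status, response, resource_server("Bearer " + response["access_token"], scope)


if __name__ == "__main__":
    print(run_flow())
    print(run_flow(client_secret="wrong"))   # -> (401, {'error': 'invalid_client'}, None)
```

Two details worth noting: the client credential is checked first and with a constant-time comparison, so a caller that gets `invalid_client` back has not yet had its user credentials or scope examined at all; and the resource server only ever needs the symmetric key for its own resource identifier and rejects tokens whose `aud` names a different resource, which is what keeps one resource's shared secret from being useful against another.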

HTH

This entry was posted in IdentityModel, IdentityServer, WebAPI.

4 Responses to OAuth2 in Thinktecture IdentityServer v2: Resource Owner Password Flow

  1. Alexey says:

    I’m using IdentityModel 4.5 with Identity Server v2. When trying to get a token with OAuth2Client I receive the following response: Message={ “error”: “invalid_client” }
    Client ID and Secret is 100% correct. Certificates too. What might be the reason?

    • Alexey says:

      It’s worth mentioning that Basic HTTP Authentication must be enabled in the IIS settings for the IdentityServer site if you are using username and password to request a token.

  2. No, that’s not the case.

  3. Please use the issue tracker on github for identity server questions.
