Invoke OAuth 2.0 services
A registered OAuth client can:
- Invoke the service authorization endpoint to request an authorization code.
- Invoke the service token endpoint to request an access token.
- Use the access token to request protected web resources.
The WebSphere Application Server OAuth 2.0 service supports all four OAuth 2.0 flows:
Authorization code flow
Request an authorization code by invoking an authorization service endpoint:
https://host:port/oauth2/endpoint/provider/authorize
https://host:port/oauth2/declarativeEndpoint/provider/authorize
In the request header are parameters:
- client id
- client secret
- state
- redirect URI
- optional scopes
Using the authorization code, the client requests an access token from the token endpoint:
https://host:port/oauth2/endpoint/provider/token
In the request header are parameters:
- grant type
- authorization code
- redirect_uri
- client_id
Example
import java.io.*;
import java.net.URL;
import java.net.URLEncoder;
import javax.net.ssl.HttpsURLConnection;
import com.ibm.json.java.JSONObject; // JSON4J is assumed for JSONObject.parse(String)

String charset = "UTF-8";
String param1 = "code";
// accessToken, refreshToken, isValidResponse and the endpoint strings are fields of the enclosing client class
if (isAuthorizationCode) {
    // Step 1: build the authorization request URL (no spaces after '&', or the parameter
    // names would be sent as " client_id" and so on and be ignored by the server)
    String query = String.format("response_type=%s&client_id=%s&client_secret=%s&state=%s&redirect_uri=%s&scope=%s",
            URLEncoder.encode(param1, charset),
            URLEncoder.encode(clientId, charset),
            URLEncoder.encode(clientSecret, charset),
            URLEncoder.encode(state, charset),
            URLEncoder.encode(redirectURI, charset),
            URLEncoder.encode(scope, charset));
    String s = authorizationEndPoint + "?" + query;
    System.out.println("Visit: " + s + "\nand grant permission");
    System.out.print("Now enter the OAuth code we have received in redirect uri :");
    BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
    String code = br.readLine();

    // Step 2: exchange the authorization code for an access token at the token endpoint
    param1 = "authorization_code";
    query = String.format("grant_type=%s&code=%s&client_id=%s&client_secret=%s&state=%s&redirect_uri=%s&scope=%s",
            URLEncoder.encode(param1, charset),
            URLEncoder.encode(code, charset),
            URLEncoder.encode(clientId, charset),
            URLEncoder.encode(clientSecret, charset),
            URLEncoder.encode(state, charset),
            URLEncoder.encode(redirectURI, charset),
            URLEncoder.encode(scope, charset));
    URL url = new URL(tokenEndPoint);
    HttpsURLConnection con = (HttpsURLConnection) url.openConnection();
    con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=" + charset);
    con.setDoOutput(true);
    con.setRequestMethod("POST");
    OutputStream output = null;
    try {
        output = con.getOutputStream();
        output.write(query.getBytes(charset));
        output.flush();
    } finally {
        if (output != null) try { output.close(); } catch (IOException logOrIgnore) {}
    }
    con.connect();
    System.out.println("response message is = " + con.getResponseMessage());

    // Read the output from the server
    BufferedReader reader = null;
    StringBuilder stringBuilder;
    reader = new BufferedReader(new InputStreamReader(con.getInputStream()));
    stringBuilder = new StringBuilder();
    String line = null;
    try {
        while ((line = reader.readLine()) != null) {
            stringBuilder.append(line + "\n");
        }
    } finally {
        if (reader != null) try { reader.close(); } catch (IOException logOrIgnore) {}
    }
    String tokenResponse = stringBuilder.toString();
    System.out.println("response is = " + tokenResponse);
    JSONObject json = JSONObject.parse(tokenResponse);
    if (json.containsKey("access_token")) {
        accessToken = (String) json.get("access_token");
        this.accessToken = accessToken;
    }
    if (json.containsKey("refresh_token")) {
        refreshToken = (String) json.get("refresh_token");
    }
    // sendRequestForAccessToken(query);

    // Step 3: present the access token to the protected resource
    if (accessToken != null) {
        // separate name: redeclaring 'query' inside the nested block would not compile
        String resourceQuery = String.format("access_token=%s", URLEncoder.encode(accessToken, charset));
        URL urlResource = new URL(resourceEndPoint);
        HttpsURLConnection conn = (HttpsURLConnection) urlResource.openConnection();
        conn.setRequestMethod("POST");
        conn.setRequestProperty("Content-type", "application/x-www-form-urlencoded");
        conn.setDoOutput(true);
        output = null;
        try {
            output = conn.getOutputStream();
            output.write(resourceQuery.getBytes(charset));
            output.flush();
        } finally {
            if (output != null) try { output.close(); } catch (IOException logOrIgnore) {}
        }
        conn.connect();
        System.out.println("response to the resource request is = " + conn.getResponseMessage());
        reader = null;
        if (conn.getResponseCode() >= 200 && conn.getResponseCode() < 400) {
            reader = new BufferedReader(new InputStreamReader(conn.getInputStream()));
            stringBuilder = new StringBuilder();
            line = null;
            try {
                while ((line = reader.readLine()) != null) {
                    stringBuilder.append(line + "\n");
                }
            } finally {
                if (reader != null) try { reader.close(); } catch (IOException logOrIgnore) {}
            }
            System.out.println("response message to the request resource is = " + stringBuilder.toString());
        } else {
            isValidResponse = false;
        }
    }
}
Implicit grant flow
The OAuth client requests an access token from the authorization endpoint:
https://host:port/oauth2/endpoint/provider/authorize
https://host:port/oauth2/declarativeEndpoint/provider/authorize
In the request header are parameters:
- response_type (token)
- redirect_uri
- client_id
- scope
- state
The following example shows the construction of the URI when using implicit grant:
if (isImplicit) {
    param1 = "token";
    // no spaces after '&' in the query string
    String query = String.format("response_type=%s&client_id=%s&state=%s&redirect_uri=%s&scope=%s",
            URLEncoder.encode(param1, charset),
            URLEncoder.encode(clientId, charset),
            URLEncoder.encode(state, charset),
            URLEncoder.encode(redirectURI, charset),
            URLEncoder.encode(scope, charset));
    String s = authorizationEndPoint + "?" + query;
    System.out.println("Visit: " + s + "\nand grant permission");
    System.out.print("Now enter the access token we have received in redirect uri :");
    BufferedReader br = new BufferedReader(new InputStreamReader(System.in));
    accessToken = br.readLine();
    if (accessToken != null) {
        // Send Resource Request using the access token
    }
}
Client credential flow
The OAuth client accesses the token endpoint with its client ID and client secret and exchanges them for an access token to use in later resource requests. In this flow, the client sends the client_credentials grant type, client_id, and client_secret as request parameters to the token endpoint.
https://host:port/oauth2/endpoint/provider/token
The following example shows the construction of the URI when using client credential:
if (isClientCredentials) {
    param1 = "client_credentials";
    String query = String.format("grant_type=%s&scope=%s&client_id=%s&client_secret=%s",
            URLEncoder.encode(param1, charset),
            URLEncoder.encode(scope, charset),
            URLEncoder.encode(clientId, charset),
            URLEncoder.encode(clientSecret, charset));
    accessToken = sendRequestForAccessToken(query);
    if (accessToken != null) {
        // Send Resource Request using (accessToken);
    }
}
Resource owner password flow
The resource owner password credentials flow passes the resource owner's user ID and password directly to the token endpoint. In this flow, the OAuth client sends the password grant type, client_id, client_secret, username, password, scope, and state as request parameters.
https://host:port/oauth2/endpoint/provider/token
The following example shows the construction of the URI when using resource owner password:
if (isResourceOwnerCredentials) {
    param1 = "password";
    String query = String.format("grant_type=%s&username=%s&password=%s&scope=%s&client_id=%s&client_secret=%s",
            URLEncoder.encode(param1, charset),
            URLEncoder.encode(resOwnerName, charset),
            URLEncoder.encode(resOwnerPassword, charset),
            URLEncoder.encode(scope, charset),
            URLEncoder.encode(clientId, charset),
            URLEncoder.encode(clientSecret, charset));
    accessToken = sendRequestForAccessToken(query);
    if (accessToken != null) {
        // Send Resource Request using (accessToken);
    }
}
If the access token has expired, the refresh token can be sent to obtain a new access token. The following example shows how to send a refresh token:
if (isAccessToken) {
    if (this.accessToken != null) {
        if (!sendResourceRequest(this.accessToken)) {
            // Resource request failed: use the refresh token to obtain a new access token
            param1 = "refresh_token";
            String query = String.format("grant_type=%s&client_id=%s&client_secret=%s&refresh_token=%s&scope=%s",
                    URLEncoder.encode(param1, charset),
                    URLEncoder.encode(clientId, charset),
                    URLEncoder.encode(clientSecret, charset),
                    URLEncoder.encode(this.refreshToken, charset),
                    URLEncoder.encode(scope, charset));
            accessToken = sendRequestForAccessToken(query);
            if (accessToken != null) {
                sendResourceRequest(accessToken);
            }
        }
    }
}
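The snippets on this page call sendRequestForAccessToken and sendResourceRequest without showing them. The class below is an added example written for this page, not WebSphere product code or an IBM sample: it implements both helpers and the authorization code and refresh requests that use them. The class name, method names and the expires_in bookkeeping are this example's own choices; it assumes JSON4J (com.ibm.json.java.JSONObject, the parser used on this page) is on the classpath, that the resource endpoint accepts the token in an RFC 6750 Authorization: Bearer header instead of the access_token form parameter used above, and that the caller compares the state value on the redirect with the one it sent. The form body is built by a small encoder so parameter names cannot pick up stray characters, and the client secret is sent only in the back-channel token request, never in the browser-visible authorization URL.

```java
import java.io.*;
import java.net.*;
import java.nio.charset.StandardCharsets;
import java.util.*;
import javax.net.ssl.HttpsURLConnection;
import com.ibm.json.java.JSONObject; // JSON4J, the parser used on this page; assumed to be on the classpath

/** Added example, not WebSphere product code: sendRequestForAccessToken and sendResourceRequest as the page's snippets call them. */
public class OAuthClientHelper {
    private final String tokenEndPoint;   // e.g. https://host:port/oauth2/endpoint/provider/token
    private final String clientId;
    private final String clientSecret;
    private String accessToken;
    private String refreshToken;
    private long expiresAtMillis;         // 0 when the server sent no expires_in
    public OAuthClientHelper(String tokenEndPoint, String clientId, String clientSecret) {
        this.tokenEndPoint = tokenEndPoint;
        this.clientId = clientId;
        this.clientSecret = clientSecret;
    }
    /** Ordered parameter map from key/value pairs; a null value (e.g. no scope) is dropped when encoded. */
    static Map<String, String> params(String... kv) {
        Map<String, String> m = new LinkedHashMap<>();
        for (int i = 0; i + 1 < kv.length; i += 2) m.put(kv[i], kv[i + 1]);
        return m;
    }
    /** application/x-www-form-urlencoded body: keys and values encoded, no spaces around '&'. */
    static String formEncode(Map<String, String> p) throws IOException {
        StringBuilder sb = new StringBuilder();
        for (Map.Entry<String, String> e : p.entrySet()) {
            if (e.getValue() == null) continue;
            if (sb.length() > 0) sb.append('&');
            sb.append(URLEncoder.encode(e.getKey(), "UTF-8")).append('=').append(URLEncoder.encode(e.getValue(), "UTF-8"));
        }
        return sb.toString();
    }
    /** Authorization code flow, step 1: the browser URL. Only client_id travels here; the secret stays in the back-channel token request. */
    public String authorizationUrl(String authorizeEndPoint, String redirectUri, String scope, String state) throws IOException {
        return authorizeEndPoint + "?" + formEncode(params("response_type", "code", "client_id", clientId,
                "redirect_uri", redirectUri, "scope", scope, "state", state));
    }
    /** Step 2: exchange the code from the redirect URI (after the caller has matched the returned state). */
    public String exchangeAuthorizationCode(String code, String redirectUri) throws IOException {
        return sendRequestForAccessToken(params("grant_type", "authorization_code", "code", code,
                "redirect_uri", redirectUri, "client_id", clientId, "client_secret", clientSecret));
    }
    /** Refresh flow; returns null when the server never issued a refresh token. */
    public String refresh(String scope) throws IOException {
        if (refreshToken == null) return null;
        return sendRequestForAccessToken(params("grant_type", "refresh_token", "refresh_token", refreshToken,
                "scope", scope, "client_id", clientId, "client_secret", clientSecret));
    }
    /** POSTs to the token endpoint; stores access_token, refresh_token and expires_in from the JSON reply. */
    public String sendRequestForAccessToken(Map<String, String> p) throws IOException {
        HttpsURLConnection con = (HttpsURLConnection) new URL(tokenEndPoint).openConnection();
        con.setRequestMethod("POST");
        con.setRequestProperty("Content-Type", "application/x-www-form-urlencoded;charset=UTF-8");
        con.setDoOutput(true);
        try (OutputStream out = con.getOutputStream()) {
            out.write(formEncode(p).getBytes(StandardCharsets.UTF_8));
        }
        int status = con.getResponseCode();
        String body = readAll(status < 400 ? con.getInputStream() : con.getErrorStream());
        if (status != 200) {                 // e.g. 400 with error=invalid_grant for a reused code
            System.err.println("token endpoint returned " + status + ": " + body);
            return null;
        }
        JSONObject json = JSONObject.parse(body);
        accessToken = (String) json.get("access_token");
        if (json.containsKey("refresh_token")) refreshToken = (String) json.get("refresh_token");
        if (json.containsKey("expires_in")) {
            expiresAtMillis = System.currentTimeMillis() + ((Number) json.get("expires_in")).longValue() * 1000L;
        }
        return accessToken;
    }
    /** GETs the protected resource with a Bearer header; refreshes once if the token has expired or is rejected. */
    public String sendResourceRequest(String resourceEndPoint, String scope) throws IOException {
        boolean expired = expiresAtMillis != 0 && System.currentTimeMillis() >= expiresAtMillis;
        if (accessToken == null || (expired && refresh(scope) == null)) return null;
        for (int attempt = 0; attempt < 2; attempt++) {       // second attempt only after a successful refresh
            HttpsURLConnection conn = (HttpsURLConnection) new URL(resourceEndPoint).openConnection();
            conn.setRequestMethod("GET");
            conn.setRequestProperty("Authorization", "Bearer " + accessToken);
            int status = conn.getResponseCode();
            if (status == 401 && attempt == 0 && refresh(scope) != null) continue;
            return status >= 200 && status < 400 ? readAll(conn.getInputStream()) : null;
        }
        return null;
    }
    private static String readAll(InputStream in) throws IOException {
        if (in == null) return "";
        StringBuilder sb = new StringBuilder();
        try (BufferedReader r = new BufferedReader(new InputStreamReader(in, StandardCharsets.UTF_8))) {
            for (String line; (line = r.readLine()) != null; ) sb.append(line).append('\n');
        }
        return sb.toString();
    }
}
```

To use it, construct the helper with the provider's token endpoint (https://host:port/oauth2/endpoint/provider/token) and the registered client ID and secret, send the resource owner to authorizationUrl(...), call exchangeAuthorizationCode(code, redirectUri) with the code returned on the redirect URI, and then call sendResourceRequest(resourceEndPoint, scope), which refreshes the token on its own when expires_in has elapsed or the resource answers 401. The client credential and resource owner password flows need no extra methods: they are sendRequestForAccessToken(params("grant_type", "client_credentials", ...)) and sendRequestForAccessToken(params("grant_type", "password", ...)) with the parameters listed above.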