Thursday, February 20, 2014

OAuth Authorization grant type behaviour with WSO2 API Manager (APIM)

For more information on OAUTH2 refer this presentation.

Authorization Grant types :

There are 4 Authorization grant types in OAuth.

How is this interpreted in APIM?

    * Authorization code
    * Implicit
    * Resource owner password credentials
    * Client credentials



(Resource :  WSO2 OAuth 2.0 The Path to Heaven from Hell presentation)


In the following types Resource owner does not grant the authorization.
    * Resource owner password credentials 
    * Client credentials

There for Step B and C (Authorization grant) will be omitted when there is a high degree of trust between client and resource owner. So the user will be able to receive the access token without the Authorization grant.

But Authorization grant is being used during the other 2 types which are,
  * Authorization code
  * Implicit.

If you use CURL or Advance rest cient, this step will not be visible since the authorization server must return a 302 redirection back to the client with an Location header pointing to the URL of user consent page. So you have to use an app which will return 302 redirection.

That is whay when we use a command like below, we just get the access token at once.

E.g.,

curl -v -k -X POST -H "Authorization: Basic MmdTYmc5NlBIc3hQcWZHT2lZWW1oSm9va2k4YTo0bEREM2M3TmNSWWZtaEZDZGlhVVdoQ3NEbE1h" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -d "grant_type=password&username=admin&password=admin" http://localhost:8280/token/


This is explained in [1] and [2]

[1] http://charithaka.blogspot.com/2013/07/oauth-20-grant-types-with-wso2-api.html
[2] http://charithaka.blogspot.com/2013/07/oauth-20-grant-types-with-wso2-api_16.html