Configuring an OpenID Connect Provider to enable 2-legged OAuth requests
The typical OAuth flow consists of three legs
, or
stages of interaction between a client and an authorization server.
In 2-legged OAuth scenarios, the client uses pre-authorized scopes
so that no interaction with the user is necessary, removing the need
to perform one of the legs in the typical flow. Specifically, the
user does not need to authenticate to the authorization server or
give consent for sharing the information that is specified by the
requested scopes. Instead, all requested scope parameters are considered
pre-authorized and are automatically added to the request token, which
is then sent to the authorization server.
Before you begin
About this task
In scenarios with two legs or stages, an Open ID Connect
client can send a 2-legged HTTP request with a grant type of client_credential
or resource
owner password
. These requests do not go through the authorization
endpoint, so there is no scope consent form for users to confirm and
approve the requested scopes; however the OpenID Connect Provider
still needs to deal with the authorized scopes in its access_token
content.
Liberty servers that are configured as OpenID Connect Providers that are equipped to handle 2-legged OAuth requests approve the pre-authorized scopes by using the following criteria:
- If the grant_type parameter value of a request
is
client_credential
orresource owner password
and the request is an OAuth 2.0 request, then all the scopes that are defined in the request are approved and are copied into the content of the access token. This is the existing behavior of the OAuth 2.0 feature. - If the request is an OpenID Connect request or a JWT Token OAuth,
or OpenID Connect request, the following criteria is used:
- If there is no scope parameter that is specified in the request, the OpenID Connect Provider will not accept the request.
- The requested scopes must be present in the list of scopes that
are defined by the
scope
attribute of the client configuration and must also be specified in thepreAuthorizedScope
list of the client configuration.
This task demonstrates how to configure a Liberty server that is acting as an OpenID Connect Provider to enable 2-legged OAuth requests.
Procedure
scope
and preAuthorizedScope
attributes
of the client configuration within the appropriate <oauthProvider>
element
in your server.xml file. In the example that
is shown, the scopes profile
and email
are
qualified to be specified in the scope list of an access token that
is returned by the OpenID Connect Provider. The phone
scope
is not considered a pre-authorized scope because it is missing from
the preAuthorizedScope
list. <oauthProvider id="OAuthConfigSample" ...>
....
<localStore>
<client name="client01" secret="{xor}..."
displayname="client01"
scope="profile email phone"
preAuthorizedScope="profile email"
enabled="true"/>
....
</localStore>
</oauthProvider>
scope
attribute of the client configuration,
it is omitted from the scope of the access token that is returned.
If a requested scope is listed in the scope
attribute
of the client configuration but is not included in the preAuthorizedScope
list
of the client configuration, it triggers an invalid_grant
error
in the response from the OpenID Connect Provider.