Red Hat SSO v7.1 OAuth2 Resource Owner Password Credential Grant Support


In this post, we will look at an example of the OAuth2 Resource Owner Password Credential Grant using Red Hat SSO v7.1. In previous posts, I described the Red Hat SSO setup for OpenID Connect authentication and OAuth2. We have also looked at examples of:

The theoretical treatment of the Resource Owner Password Credential Grant was done in an earlier post.

This post will once again be using the OAuth2 + OIDC Debugger application to demonstrate this OAuth2 functionality.

It is important to understand that Red Hat has implemented OpenID Connect (which runs on top of OAuth2) to provide a comprehensive authentication and SSO solution. In most cases, using an appropriate OIDC Authentication Flow is advisable rather than using any of the OAuth2 Authorization Grants (including the Resource Owner Password Credential Grant that is demonstrated here). This example is provided for completeness.

The Resource Owner Password Credential Grant provides a single-call mechanism that authenticates a user and, optionally, a client. It is up to the application to prompt the user for credentials. There is no equivalent of this Authorization Grant in the OIDC spec. All Authentication Flows defined by OIDC use interactive logins (i.e., the IdP serves up the authentication workflow).

  • Configure Red Hat SSO v7.1 as described here.
  • Follow the instructions here to set up the OAuth2 + OIDC Debugger app on your local machine. This is a simple test application that simulates the interaction between a real app and an IdP using the OAuth2 or OIDC protocols.
  • Open a browser tab and go to http://localhost:3000
  • Choose Resource Owner Password Credential Grant from the Authorization Grant drop-down menu.


  • Enter the Client ID for the client you created with the instructions from the previous blog (use “blog-post-demo-client-001”, if you followed the instructions in the last blog post verbatim).
  • Enter the Client Secret for the client you created with the instructions from the previous blog. This is unique for every client.
  • Enter the Redirect URL (use “http://localhost:3000/callback” if you followed the instructions up to this point and are running the OAuth2 + OIDC Debugger locally).
  • Enter the scope of “User”.
  • Enter the Username of the test user that you created per the last blog post (User1 if you followed the instructions verbatim).
  • Enter the user’s password.
  • Click the “Get Token” button.


An access token, refresh token, and id_token are returned (assuming the password and client secret are correct).

The contents of the ID token payload look like:

{
  "jti": "246eea83-96e8-4f72-a7b3-59be88fa4861",
  "exp": 1510589930,
  "nbf": 0,
  "iat": 1510586330,
  "iss": "https://idp.levvel.io:8443/auth/realms/blog_demo",
  "aud": "blog-post-demo-client-001",
  "sub": "71c904f1-e978-4542-80de-fa98ebb241e5",
  "typ": "ID",
  "azp": "blog-post-demo-client-001",
  "auth_time": 0,
  "session_state": "8feefb58-124b-4a4c-976c-18a2d1ff6111",
  "acr": "1",
  "name": "",
  "preferred_username": "user1"
}

The contents of the access token look like:

{
  "jti": "1008e6e4-f77a-45ce-9be6-ceea7f749066",
  "exp": 1510589930,
  "nbf": 0,
  "iat": 1510586330,
  "iss": "https://idp.levvel.io:8443/auth/realms/blog_demo",
  "aud": "blog-post-demo-client-001",
  "sub": "71c904f1-e978-4542-80de-fa98ebb241e5",
  "typ": "Bearer",
  "azp": "blog-post-demo-client-001",
  "auth_time": 0,
  "session_state": "8feefb58-124b-4a4c-976c-18a2d1ff6111",
  "acr": "1",
  "client_session": "52b9c508-5b7a-49d8-a9b6-1f64d636e182",
  "allowed-origins": [
    "*",
    "http://localhost:3000"
  ],
  "resource_access": {
    "blog-post-demo-client-001": {
      "roles": [
        "User"
      ]
    }
  },
  "name": "",
  "preferred_username": "user1"
}

The contents of the refresh token look like:

{
  "jti": "bbb9504a-5f51-4682-bfad-2b657597cb23",
  "exp": 1510588130,
  "nbf": 0,
  "iat": 1510586330,
  "iss": "https://idp.levvel.io:8443/auth/realms/blog_demo",
  "aud": "blog-post-demo-client-001",
  "sub": "71c904f1-e978-4542-80de-fa98ebb241e5",
  "typ": "Refresh",
  "azp": "blog-post-demo-client-001",
  "auth_time": 0,
  "session_state": "8feefb58-124b-4a4c-976c-18a2d1ff6111",
  "client_session": "52b9c508-5b7a-49d8-a9b6-1f64d636e182",
  "resource_access": {
    "blog-post-demo-client-001": {
      "roles": [
        "User"
      ]
    }
  }
}
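As an added example (not code from the original post or from the OAuth2 + OIDC Debugger), the single-call exchange the steps above perform, built with the Python standard library, together with the claim checks a resource server would apply to the access token shown above. The token endpoint path is assumed from the standard RH-SSO/Keycloak layout under the post's "iss" value, and SAMPLE_ACCESS_TOKEN is a constructed, unsigned JWT carrying the post's access-token claims so the inspection code runs offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Token endpoint layout used by RH-SSO/Keycloak; the realm comes from the post's "iss" claim.
TOKEN_URL = "https://idp.levvel.io:8443/auth/realms/blog_demo/protocol/openid-connect/token"

def build_password_grant_body(client_id, client_secret, username, password, scope):
    """Form body for the single-call password grant (RFC 6749 section 4.3)."""
    return urllib.parse.urlencode({
        "grant_type": "password", "client_id": client_id, "client_secret": client_secret,
        "username": username, "password": password, "scope": scope}).encode()

def request_tokens(body, url=TOKEN_URL):
    """POST the form body and return the parsed token response (makes a network call)."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)

def _b64url(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()

# Constructed sample: the post's access-token payload in an unsigned JWT shape (header.payload.).
SAMPLE_ACCESS_TOKEN = ".".join([_b64url({"alg": "none"}), _b64url({
    "jti": "1008e6e4-f77a-45ce-9be6-ceea7f749066", "exp": 1510589930, "iat": 1510586330,
    "aud": "blog-post-demo-client-001", "typ": "Bearer", "azp": "blog-post-demo-client-001",
    "preferred_username": "user1",
    "resource_access": {"blog-post-demo-client-001": {"roles": ["User"]}}}), ""])

def decode_payload(jwt):
    """Decode the payload for inspection only; this does NOT verify the signature."""
    payload = jwt.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def check_access_token(claims, client_id, now):
    """Claim checks a resource server applies after verifying the signature."""
    problems = []
    if claims.get("typ") != "Bearer":
        problems.append("typ is not Bearer")
    if claims.get("aud") != client_id:
        problems.append("aud does not match client")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    roles = claims.get("resource_access", {}).get(client_id, {}).get("roles", [])
    if "User" not in roles:
        problems.append("User role missing")
    return problems
```

Against a live realm, `request_tokens(build_password_grant_body(...))` returns the JSON object holding `access_token`, `refresh_token` and `id_token`; run `check_access_token` on the decoded access token only after the signature has been verified against the realm's keys.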

In the next post, we will look at the OAuth2 Client Credential Grant.

Image: Patterns / New Media Consortium