
Testing and Checking Your Identity Provider (IdP)

To test your IdP, two tools that are useful for getting an access token are curl and Postman.

Getting configuration information from your IdP

OAuth 2 describes a mechanism to get configuration and other important information from your IdP (e.g. Auth0 or KeyCloak). You can generally get this information from the .well-known/openid-configuration endpoint on your IdP. For KeyCloak this would be something like <server-address>/realms/<realm>/.well-known/openid-configuration, while for Auth0 it would be https://<domain>/.well-known/openid-configuration. The response provides useful information about your setup, including the authorization_endpoint and token_endpoint, which can be used (depending on the authentication flows you have set up) to get an access token.

Using curl to get an access token

Client Secret

This command assumes that you have set up, and have access to, the client secret for your client/application. If this is not the case, we suggest you follow the Postman instructions below to get an access token using the PKCE-enhanced Authorization Code Flow.

You can get an access token using curl (assuming you have curl installed) by running the following command:

curl -k -v -X POST -H 'Content-type: application/x-www-form-urlencoded' \
  -d "scope=openid%20email" \
  -d "grant_type=password" \
  -d "username=<username>" \
  -d "password=<password>" \
  -d "client_id=<client id>" \
  -d "client_secret=<client secret>" \
  <token_endpoint>
The token endpoint is the token_endpoint value from the .well-known/openid-configuration document described above. The username and password are those of a registered user in your IdP. The client id and client secret can be found in Auth0 on the Application -> Settings page of your application. In KeyCloak, the client id can be found on the Settings tab of your client and the client secret on the Credentials page of the client. Note that the Credentials page is only visible if Client authentication is turned on. The -k flag tells curl to skip TLS certificate verification; this is only appropriate against a local test IdP with a self-signed certificate and should be dropped when talking to a real deployment.

Once this succeeds, the JSON structure returned contains an access token. You can copy it to a JWT decoding site (e.g. jwt.io) to look at the contents of the access token. Keep in mind that decoding only displays the claims; it does not verify the token's signature.

Alternatively, if you want to decode the access token from the command line (this assumes you have jq installed), you could use the following command:

curl -k -s -X POST -H 'Content-type: application/x-www-form-urlencoded' \
  -d "scope=openid%20email" \
  -d "grant_type=password" \
  -d "username=<username>" \
  -d "password=<password>" \
  -d "client_id=<client id>" \
  -d "client_secret=<client secret>" \
  <token_endpoint> \
  | jq -r '.access_token' \
  | jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson'

The first jq call extracts the access token from the JSON response; the second splits the JWT, takes the payload segment, maps the base64url alphabet back to standard base64 (which is what @base64d expects) and prints the decoded claims.
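As an added example (not part of the original page or of basebox), the same steps in Python: read the issuer and the two endpoints from a discovery document, decode a JWT's header and payload with correct base64url padding, and run two basic claim checks. The discovery document and the token are constructed inline with example values; decoding here does not verify the signature.

```python
import base64
import json
import time

# Constructed discovery document, shaped like the JSON a real IdP returns from
# <server-address>/realms/<realm>/.well-known/openid-configuration (values are examples).
DISCOVERY_DOC = json.dumps({
    "issuer": "https://idp.example.test/realms/demo",
    "authorization_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example.test/realms/demo/protocol/openid-connect/token",
})

def endpoints_from_discovery(doc_json):
    """Pull the issuer and the two endpoints this page uses out of a discovery document."""
    doc = json.loads(doc_json)
    return {key: doc[key] for key in ("issuer", "authorization_endpoint", "token_endpoint")}

def b64url_decode(segment):
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Return (header, payload) of a compact JWT. The signature is NOT verified here."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sanity_check_claims(payload, issuer, now=None):
    """Cheap checks on a decoded token: issued by the IdP we discovered, and not expired."""
    now = time.time() if now is None else now
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss does not match discovery issuer")
    if "exp" not in payload or payload["exp"] <= now:
        problems.append("token expired or has no exp")
    return problems

def build_demo_token(payload):
    """Construct a token-shaped string for the demo; the signature segment is a placeholder."""
    def enc(data):
        return base64.urlsafe_b64encode(data).rstrip(b"=").decode()
    header = {"alg": "RS256", "typ": "JWT", "kid": "demo-key"}  # constructed header
    return ".".join([enc(json.dumps(header).encode()),
                     enc(json.dumps(payload).encode()),
                     enc(b"placeholder-signature")])

if __name__ == "__main__":
    ep = endpoints_from_discovery(DISCOVERY_DOC)
    hdr, pl = decode_jwt(build_demo_token({"iss": ep["issuer"], "sub": "alice", "exp": int(time.time()) + 300}))
    print(hdr["alg"], pl["sub"], sanity_check_claims(pl, ep["issuer"]))
```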

Using Postman to get an access token

The curl command above uses the password grant type, but you might not have enabled this on your IdP, or you might not have a client secret. You can still get an access token using the Authorization Code Flow. This requires a callback endpoint (i.e. the IdP needs to be able to call an endpoint that you provide), and Postman has a built-in mechanism for this.

  1. Once you have installed Postman, create a new Collection (in the Collections sidebar you can usually find a + sign in the upper left-hand corner).
  2. Select your new collection and click on the Authorization tab.
  3. Select OAuth 2.0 as the Type.
  4. Name your token and set the Grant type to Authorization Code (with PKCE).
  5. Tick Authorize using browser.
  6. The Auth URL and Access Token URL correspond to the authorization_endpoint and token_endpoint respectively; both can be found using the .well-known/openid-configuration endpoint described above.
  7. The Client ID must be set to the Client ID found in your IdP. The client id can be found in Auth0 on the Application -> Settings page of your application. In KeyCloak, the client id can be found on the Settings tab of your client. You do not have to provide the Client Secret here.
  8. Once you have added all the above details, click on Get New Access Token at the bottom of this page. If all goes well, you will be redirected to your browser to enter the username and password of your user.
  9. If successful, you should see a pop-up window come up on Postman. Click on proceed and you should then see your access token. Click on Use token and you will now be able to use the token in requests to basebox.

Redirect not working

Note that the redirect back to the endpoint created by Postman might not work. This is because both Auth0 and KeyCloak require that you specify what callbacks are allowed by your application. In order to set the callback, you will find, on the Postman page for your Collection, a field called Callback URL. Copy the value of this field. In KeyCloak, go to your client and find Valid redirect URIs on the Settings tab. Click on Add valid redirect URIs and paste the URL there. In Auth0, go to your application and paste the URL in the Allowed Callback URLs in the Settings tab and save the changes. You can then try getting your access token again.