Licensed to be used in conjunction with basebox, only.
Testing and Checking Your Identity Provider (IdP)
Getting configuration information from your IdP
OAuth 2 describes a mechanism to get configuration and other important information from your IdP (e.g. Auth0 and KeyCloak). You can generally get this information by going to the `.well-known/openid-configuration` endpoint on your IdP. For KeyCloak this would be something like `<server-address>/realms/<realm>/.well-known/openid-configuration`, while in Auth0 it would be `https://<domain>/.well-known/openid-configuration`. This will provide you with useful information about your setup, including the `token_endpoint`, which can be used (depending on the authentication flows that you have set up) to get an access token.
curl to get an access token
This command assumes that you have set up, and have access to, the client secret for your client/application. If this is not the case, we suggest you use the Postman instructions below in order to get an access token using the PKCE-enhanced Authorization Code Flow.
You can get an access token using `curl` (assuming you have `curl` installed) by running the following command:

```shell
curl -k -v -X POST -H 'Content-type: application/x-www-form-urlencoded' \
  -d "scope=openid%20email" \
  -d "grant_type=password" \
  -d "username=<username>" \
  -d "password=<password>" \
  -d "client_id=<client id>" \
  -d "client_secret=<client secret>" \
  "<token endpoint>"
```

The `<token endpoint>` is the `token_endpoint` value from the `.well-known/openid-configuration` document described above. The `username` and `password` are those of a registered user in your IdP. The `client id` and `client secret` can be found in Auth0 on the Application -> Settings page of your application. In KeyCloak, the `client id` can be found on the Settings tab of your client and the `client secret` can be found on the Credentials page of the client. Note that the Credentials page is only visible if Client authentication is turned on. The `-k` flag disables TLS certificate verification, so only use it against a local test IdP.

Once you have run this successfully, you will get an access token as part of the JSON structure returned. You can copy this to a JWT decoding site (e.g. jwt.io) to look at the contents of the access token.

Alternatively, if you want to decode the access token from the command line (this assumes you have `jq` installed), put the access token in a variable `JWT` and use the following command, which base64url-decodes the payload (the second segment) of the token:

```shell
JWT="<access token>"
jq -R 'split(".") | .[1] | gsub("-"; "+") | gsub("_"; "/") | @base64d | fromjson' <<< "$JWT"
```
Postman to get an access token
The `curl` command above uses the `password` grant type, but you might not have enabled this on your IdP, or you possibly do not have a client secret. You can still get an access token using the Authorization Code Flow. This requires a callback endpoint (i.e. the IdP needs to be able to call an endpoint that you provide it with), and Postman has created a mechanism to do this.
- Once you have installed Postman, create a new Collection (on the Collections tab you can usually find a `+` sign on the upper left hand side).
- Select your new collection and click on the Authorization tab. Select OAuth 2.0 as the Type.
- Name your token and set the Grant type to Authorization Code (with PKCE).
- Tick Authorize using browser.
- The Auth URL and Access Token URL correspond to the `authorization_endpoint` and `token_endpoint` respectively; these can be found using the `.well-known/openid-configuration` endpoint described above.
- The Client ID must be set to the Client ID found in your IdP. The `client id` can be found in Auth0 on the Application -> Settings page of your application. In KeyCloak, the `client id` can be found on the Settings tab of your client. You do not have to provide the Client Secret here.
- Once you have added all the above details, click on Get New Access Token at the bottom of this page. If all goes well, you should be redirected to your browser to enter the username and password of your user.
- If successful, you should see a pop-up window come up in Postman. Click on Proceed and you should then see your access token. Click on Use Token and you will now be able to use the token in requests to basebox.
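The two things this page walks through, getting a token and inspecting it, can be checked offline with the following added example (Python; not basebox's or the page's own code). It decodes the token the way the `jq` command above does but with correct base64url handling, checks `iss`/`aud`/`exp` against the `issuer` of a discovery document, and generates the `code_verifier`/`code_challenge` pair that the Authorization Code (with PKCE) flow relies on. The `DISCOVERY` values, the client id `my-client` and the token itself are all constructed for the example.

```python
import base64
import hashlib
import json
import secrets
# Constructed discovery fragment; real values come from <IdP>/.well-known/openid-configuration.
DISCOVERY = {
    "issuer": "https://idp.example/realms/demo",
    "authorization_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/auth",
    "token_endpoint": "https://idp.example/realms/demo/protocol/openid-connect/token",
    "jwks_uri": "https://idp.example/realms/demo/protocol/openid-connect/certs",
}

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    # JWT segments use the URL-safe alphabet and omit '=' padding; restore the padding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token: str) -> tuple[dict, dict]:
    """Return (header, payload) of a compact JWT. This does NOT verify the signature;
    for that, fetch the signing keys at DISCOVERY["jwks_uri"]."""
    header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def check_claims(payload: dict, client_id: str, now: int) -> list[str]:
    """Name the claims a relying party must reject on: wrong iss, wrong aud, expired."""
    problems = []
    if payload.get("iss") != DISCOVERY["issuer"]:
        problems.append("iss")
    aud = payload.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    if int(payload.get("exp", 0)) <= now:
        problems.append("exp")
    return problems

def pkce_pair() -> tuple[str, str]:
    """code_verifier and its S256 code_challenge (RFC 7636), as the PKCE flow sends them."""
    verifier = b64url_encode(secrets.token_bytes(32))  # 43 chars, inside the 43..128 range
    challenge = b64url_encode(hashlib.sha256(verifier.encode()).digest())
    return verifier, challenge

def sample_token() -> str:
    """Constructed test token; the signature segment is a dummy, so only decode it."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "constructed-kid"}
    payload = {"iss": DISCOVERY["issuer"], "aud": ["my-client"], "sub": "alice",
               "iat": 1700000000, "exp": 1700003600, "scope": "openid email"}
    return ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, payload)) + ".dummy"
```

Run `decode_jwt(sample_token())` and `check_claims(...)` on a real token from the `curl` or Postman step to see the same claims jwt.io shows, and send `pkce_pair()[1]` as `code_challenge` with `code_challenge_method=S256` if you script the authorization request yourself.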
Redirect not working
Note that the redirect back to the endpoint created by Postman might not work. This is because both Auth0 and KeyCloak require that you specify which callbacks are allowed for your application. In order to set the callback, you will find, on the Postman page for your Collection, a field called Callback URL. Copy the value of this field. In KeyCloak, go to your client and find Valid redirect URIs on the Settings tab. Click on Add valid redirect URIs and paste the URL there. In Auth0, go to your application, paste the URL into Allowed Callback URLs on the Settings tab and save the changes. You can then try getting your access token again.