Reputation: 4129
This question is actually a continuation of this SO question of mine. I am trying to get an access_token and id_token from IdentityServer4 by using the authorization code flow.
But if I try to access the "Authorize" endpoint, I get a 405 (method not allowed) HTTP error.
HTTP GET Request
http://localhost:2000/connect/authorize?
client_id=client
&client_secret=secret
&grant_type=authorization_code
&username=admin
&password=admin
&response_type=id_token+token
&scope=openid+profile+offline_access
Client:
new Client
{
    ClientId = "client",
    ClientSecrets = { new Secret("secret".Sha256()) },
    AllowedGrantTypes = new List<string> { "authorization_code" },
    AccessTokenType = AccessTokenType.Jwt,
    AllowedScopes = { StandardScopes.OpenId.Name, "api1" }
}
User:
new InMemoryUser
{
    Subject = "1",
    Username = "admin",
    Password = "admin"
}
My question is, how do I call the authorize endpoint to get an access_token and id_token? What's wrong in my "client" and "user" configuration?
Upvotes: 1
Views: 1773
Reputation: 3304
You have several issues. You are mixing up multiple flows.
1) If you want to get an id_token back from the Authorize endpoint (and not the Token endpoint) you need to use Hybrid flow, not authorization code flow. See here. So you'd need to change your response type accordingly. If your client was a SPA you could use implicit flow and get an id_token and access_token from the Authorize endpoint, but not with authorization code flow.
2) client_secret is not a parameter for the Authorize endpoint. Neither is grant_type. See here for the valid parameters.
3) You don't send username and password to the Authorize endpoint under any circumstances. If you are using resource owner flow you'd send them to the Token endpoint, but never to Authorize. See the above link with the description of valid parameters.
So you can switch to hybrid flow and change your code to this:
http://localhost:2000/connect/authorize?
client_id=client
&redirect_uri=<add redirect uri>
&response_type=code+id_token+token
&scope=openid+profile+api1
&state=...
The response from this call will include id_token and access_token.
new Client
{
    ClientId = "client",
    ClientName = "Your Client",
    AllowedGrantTypes = GrantTypes.Hybrid,
    ClientSecrets =
    {
        new Secret("secret".Sha256())
    },
    RedirectUris = { "<add redirect uri>" },
    PostLogoutRedirectUris = { "<add post logout redirect uri>" },
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        "api1"
    }
};
Upvotes: 1
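The following is an added example, not code from the question or the answer above, that puts the answer's three points into a small client-side script: it flags the parameters in the original request that must never go to the authorize endpoint, builds a hybrid-flow authorize URL with a fresh state and nonce, checks the front-channel response, and shows that client_secret and grant_type belong only in the back-channel token request. The client_id/secret and scopes are the answer's; the redirect URI https://localhost:5001/signin-oidc, the callback URL and the unsigned id_token are constructed for this example and are not from the page.

```python
"""Hybrid-flow request/response handling for an IdentityServer4-style
/connect/authorize endpoint. Added example; the redirect URI, the sample
callback and the fake id_token below are constructed, not taken from the page."""
import base64
import json
import secrets
from urllib.parse import parse_qs, urlencode, urlparse

AUTHORIZE_ENDPOINT = "http://localhost:2000/connect/authorize"
TOKEN_ENDPOINT = "http://localhost:2000/connect/token"

# Hypothetical redirect URI; it must be listed in the client's RedirectUris.
REDIRECT_URI = "https://localhost:5001/signin-oidc"

# The request from the question, kept here as constructed sample input.
ORIGINAL_REQUEST = (
    "http://localhost:2000/connect/authorize?client_id=client&client_secret=secret"
    "&grant_type=authorization_code&username=admin&password=admin"
    "&response_type=id_token+token&scope=openid+profile+offline_access"
)

# Parameters that never belong in an authorize request: client_secret and
# grant_type are token-endpoint parameters, and user credentials go to the
# token endpoint only in the resource owner password flow.
NOT_FOR_AUTHORIZE = {"client_secret", "grant_type", "username", "password"}


def authorize_request_problems(url):
    """Return, sorted, the query parameters of url that must not be sent to /connect/authorize."""
    query = parse_qs(urlparse(url).query)
    return sorted(NOT_FOR_AUTHORIZE & set(query))


def build_authorize_request(client_id, redirect_uri, scope,
                            response_type="code id_token token"):
    """Build a hybrid-flow authorize URL plus the state and nonce the caller must remember."""
    state = secrets.token_urlsafe(32)  # ties the callback to this session (CSRF protection)
    nonce = secrets.token_urlsafe(32)  # echoed in the id_token; IdentityServer4 requires it
    #                                    whenever id_token is requested from the authorize endpoint
    params = {
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "response_type": response_type,
        "scope": scope,
        "state": state,
        "nonce": nonce,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state, nonce


def _jwt_payload(token):
    """Decode the JWT payload WITHOUT verifying the signature (claim inspection only)."""
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def parse_callback(callback_url, expected_state, expected_nonce):
    """Check a hybrid-flow front-channel response. The tokens arrive in the URL fragment."""
    values = {k: v[0] for k, v in parse_qs(urlparse(callback_url).fragment).items()}
    if "error" in values:
        raise ValueError("authorize error: %s (%s)" % (values["error"], values.get("error_description", "")))
    if not secrets.compare_digest(values.get("state", ""), expected_state):
        raise ValueError("state mismatch: response does not belong to this session")
    missing = [k for k in ("code", "id_token", "access_token") if k not in values]
    if missing:
        raise ValueError("response missing " + ", ".join(missing))
    if _jwt_payload(values["id_token"]).get("nonce") != expected_nonce:
        raise ValueError("nonce mismatch: id_token was not issued for this request")
    # Signature, issuer, audience and expiry still have to be verified against the
    # server's signing keys (with a JWT library) before the id_token is trusted.
    return values


def token_request_body(code, client_id, client_secret, redirect_uri):
    """Back-channel exchange at TOKEN_ENDPOINT: this is where client_secret and grant_type go."""
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,
        "client_id": client_id,
        "client_secret": client_secret,
    }


def make_fake_id_token(claims):
    """Constructed, unsigned id_token used only to exercise parse_callback offline."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return ".".join([enc({"alg": "none"}), enc(claims), ""])


if __name__ == "__main__":
    print("not allowed at authorize:", authorize_request_problems(ORIGINAL_REQUEST))
    url, state, nonce = build_authorize_request("client", REDIRECT_URI, "openid profile api1")
    print("authorize URL:", url)
```

The script never talks to the server; authorize_request_problems is the check to run on the question's URL, build_authorize_request produces the request a browser is sent to, and parse_callback is what the redirect handler runs on the URL it receives. The nonce check only compares a claim, so it is not a substitute for signature verification of the id_token.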
Reputation: 141672
Two ideas:
The HTTP 405 error can be due to the web browser's same origin policy. Your client looks like a confidential client not a browser-based client, though, and that means the same origin policy does not apply, unless you are mistakenly making that request through a web browser.
That HTTP 405 error can also happen when you use an HTTP verb that is not allowed. For instance, if you use a POST when the URL allows only a GET. Make 100% sure that you are making a GET request.
Upvotes: 1