Client Credentials and Resource Owner Password Flow
Introduction
In the previous post in this series, we discussed token-based security, OAuth and OIDC. We also applied some initial configuration to IdentityServer4.
In this post, we will continue configuring IdentityServer4 and will also walk through some client/server communication following the OIDC flows.
If you are new to OAuth, IdentityServer or token-based security in general, I suggest reading the earlier posts in this series first; it will then be easier to follow the concepts we discuss today.
Setting up Test Users
Let’s set up a couple of test users in IdentityServer for testing purposes:
These are temporary users to help us debug and test the identity server; they are not meant for production use.
Setting up Test Clients
We talked about the different types of client applications in previous posts. We also talked about the flows recommended by OAuth 2.1.
In the config.cs file, I created the following client:
Update ASP .NET Core Middleware with Test Users and Client
Then we can use these in the IdentityServer middleware in the startup.cs file:
We are still using in-memory persistence for the various configurations, which is fine for these demos; once we are done testing, we will replace it with database persistence.
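Because the screenshots of config.cs and startup.cs are not reproduced here, the following is an added example (not the post's own code) of what the two files described above look like together: two test users, the client-credentials client, the resource owner password client used later in the post, and the in-memory registration in the middleware. The client ids (`client`, `ropc.client`), the secret, the scope `api1` and the user names are assumptions chosen for the demo.

```csharp
// Added example (not the post's own config.cs/startup.cs): IdentityServer4
// in-memory configuration for the two clients discussed in this post.
// Names such as "client", "ropc.client", "api1" and the secrets are assumed.
using System.Collections.Generic;
using System.Security.Claims;
using IdentityModel;
using IdentityServer4;
using IdentityServer4.Models;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;

public static class Config
{
    // Temporary users for debugging only; TestUser accounts never ship to production.
    public static List<TestUser> Users => new List<TestUser>
    {
        new TestUser
        {
            SubjectId = "1",
            Username = "alice",
            Password = "alice",
            Claims = { new Claim(JwtClaimTypes.Name, "Alice Smith") }
        },
        new TestUser
        {
            SubjectId = "2",
            Username = "bob",
            Password = "bob",
            Claims = { new Claim(JwtClaimTypes.Name, "Bob Smith") }
        }
    };

    public static IEnumerable<IdentityResource> IdentityResources =>
        new IdentityResource[] { new IdentityResources.OpenId(), new IdentityResources.Profile() };

    public static IEnumerable<ApiScope> ApiScopes =>
        new[] { new ApiScope("api1", "My API") };

    public static IEnumerable<Client> Clients => new[]
    {
        // Machine-to-machine client: client credentials only, no user involved.
        new Client
        {
            ClientId = "client",
            AllowedGrantTypes = GrantTypes.ClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedScopes = { "api1" }
        },
        // Client that may also exchange a user's password for a token.
        new Client
        {
            ClientId = "ropc.client",
            AllowedGrantTypes = GrantTypes.ResourceOwnerPasswordAndClientCredentials,
            ClientSecrets = { new Secret("secret".Sha256()) },
            AllowedScopes =
            {
                IdentityServerConstants.StandardScopes.OpenId,
                IdentityServerConstants.StandardScopes.Profile,
                "api1"
            }
        }
    };
}

public class Startup
{
    public void ConfigureServices(IServiceCollection services)
    {
        services.AddIdentityServer()
            .AddInMemoryIdentityResources(Config.IdentityResources)
            .AddInMemoryApiScopes(Config.ApiScopes)
            .AddInMemoryClients(Config.Clients)
            .AddTestUsers(Config.Users)
            // Generates a temporary signing key at startup; use a real key in production.
            .AddDeveloperSigningCredential();
    }

    public void Configure(IApplicationBuilder app)
    {
        app.UseRouting();
        app.UseIdentityServer();
    }
}
```

Note that the secret is stored hashed (`"secret".Sha256()`) while the client sends it in clear over TLS, and that `AddDeveloperSigningCredential` regenerates the signing key whenever the key file is missing, which is why it is only suitable for local testing.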
Client Credentials Flow
As we learned previously, this flow is useful for server-to-server (or machine-to-machine) communication. With the configuration in place, let’s test whether we can get a token from the IDP. Start the application; for the client application, we can use Postman for now:
As you can see, the POST request was successful and we get an access token from the IDP as expected.
If you are curious to see what is inside this access token, we can decode it on the jwt.io website:
Now, for testing purposes, if I use the wrong information in the POST request, the following result shows up:
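The same exchange as the Postman request above, as an added example written in C# rather than taken from the post: it discovers the `/connect/token` endpoint, requests a token with the client-credentials grant, handles the error case shown above, and decodes the JWT payload locally the way jwt.io does. The IdentityServer URL (`https://localhost:5001`), client id, secret and scope are assumptions matching the demo configuration, and the `IdentityModel.Client` package is assumed to be referenced.

```csharp
// Added example (not the post's own code): client-credentials token request,
// error handling, and a local, unverified view of the JWT payload.
// Host, client id, secret and scope are assumed to match the demo config.
using System;
using System.Net.Http;
using System.Text;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class ClientCredentialsDemo
{
    public static async Task Main()
    {
        var http = new HttpClient();

        // Read the token endpoint from the discovery document instead of hard-coding it.
        var disco = await http.GetDiscoveryDocumentAsync("https://localhost:5001");
        if (disco.IsError) throw new Exception(disco.Error);

        var response = await http.RequestClientCredentialsTokenAsync(
            new ClientCredentialsTokenRequest
            {
                Address = disco.TokenEndpoint,
                ClientId = "client",
                ClientSecret = "secret",
                Scope = "api1"
            });

        // A wrong client id or secret comes back as HTTP 400 with error=invalid_client;
        // IdentityServer deliberately does not say which of the two was wrong.
        if (response.IsError)
        {
            Console.WriteLine($"Token request failed: {response.Error}");
            return;
        }

        Console.WriteLine(DecodePayload(response.AccessToken));
    }

    // The middle segment of a JWT is base64url-encoded JSON. This is a readable
    // view only: it does not check the signature, so nothing in the payload can
    // be trusted until the token has been validated against the IDP's keys.
    public static string DecodePayload(string jwt)
    {
        var payload = jwt.Split('.')[1];
        payload = payload.Replace('-', '+').Replace('_', '/');
        switch (payload.Length % 4)
        {
            case 2: payload += "=="; break;
            case 3: payload += "="; break;
        }
        return Encoding.UTF8.GetString(Convert.FromBase64String(payload));
    }
}
```

The decoded payload shows the `iss`, `aud`, `scope` and `client_id` claims that the resource server will later check; because no user is involved in this grant, there is no `sub` claim for a person, only the client identity.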
This is the basics of client credentials flow. We will see more real world examples later in the series.
Let’s try a slightly different flow next:
Resource Owner Password and Client Credentials
I created a client with the following configurations:
and here is how the postman request is setup:
As you can see, we are using the /connect/token endpoint to retrieve the token from the server. For parameters, we provide client_id, client_secret, grant_type=password (because we want to exchange user credentials for a token), and the username and password.
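The Postman request above issued from code, as an added example that is not part of the post: a password-grant call to `/connect/token` against the resource owner password client. Host, client id, secret, scope and the test user's credentials are assumptions matching the demo configuration. Since this grant hands the user's actual password to the client, it is limited to trusted first-party clients, which is why the OAuth 2.1 draft mentioned earlier in the series no longer includes it.

```csharp
// Added example (not the post's own Postman request): the password grant
// sent to /connect/token from a client application. Host, client id, secret,
// scope and user credentials are assumed to match the demo configuration.
using System;
using System.Net.Http;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class PasswordGrantDemo
{
    public static async Task Main()
    {
        var http = new HttpClient();
        var disco = await http.GetDiscoveryDocumentAsync("https://localhost:5001");
        if (disco.IsError) throw new Exception(disco.Error);

        // Form body sent, equivalent to the Postman parameters:
        //   grant_type=password&client_id=ropc.client&client_secret=secret
        //   &username=alice&password=alice&scope=openid profile api1
        var response = await http.RequestPasswordTokenAsync(new PasswordTokenRequest
        {
            Address = disco.TokenEndpoint,
            ClientId = "ropc.client",
            ClientSecret = "secret",
            UserName = "alice",
            Password = "alice",
            Scope = "openid profile api1"
        });

        if (response.IsError)
        {
            // A wrong username or password is reported as invalid_grant;
            // a wrong client id or secret is reported as invalid_client.
            Console.WriteLine($"{response.Error}: {response.ErrorDescription}");
            return;
        }

        Console.WriteLine($"token_type={response.TokenType} expires_in={response.ExpiresIn}");
        Console.WriteLine(response.AccessToken);
    }
}
```

Unlike the client-credentials response, the access token returned here carries a `sub` claim for the user (`1` for alice in the test users above), which is what lets the API distinguish a call made on behalf of a person from a pure machine-to-machine call.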
Summary
In this post, we configured IdentityServer with some test users and simple clients and then used Postman for demo purposes. The journey is not yet over and we will resume our learning in the next post. Let me know if you have any comments or questions. You can get the demo code from this GitHub repository. Till next time, Happy Coding.
2 thoughts on “Token Based Security, OAuth , OIDC and IdentityServer4 – Part 3”