Configuring an OpenID Connect Provider to enable 2-legged OAuth requests
The typical OAuth flow consists of three "legs", or stages of interaction between a client and an authorization server. In 2-legged OAuth scenarios, the client uses pre-authorized scopes so that no interaction with the user is necessary, removing the need to perform one of the legs in the typical flow. Specifically, the user does not need to authenticate to the authorization server or give consent for sharing the information that is specified by the requested scopes. Instead, all requested scope parameters are considered pre-authorized and are automatically added to the request token, which is then sent to the authorization server.
Before you begin
About this task
In scenarios with two legs or stages, an Open ID Connect client can send a 2-legged HTTP request with a grant type of client_credential or resource owner password. These requests do not go through the authorization endpoint, so there is no scope consent form for users to confirm and approve the requested scopes; however the OpenID Connect Provider still needs to deal with the authorized scopes in its access_token content.
Liberty servers that are configured as OpenID Connect Providers that are equipped to handle 2-legged OAuth requests approve the pre-authorized scopes by using the following criteria:
- If the grant_type parameter value of a request is client_credential or resource owner password and the request is an OAuth 2.0 request, then all the scopes that are defined in the request are approved and are copied into the content of the access token. This is the existing behavior of the OAuth 2.0 feature.
- If the request is an OpenID Connect request or a JWT Token OAuth,
or OpenID Connect request, the following criteria is used:
- If there is no scope parameter that is specified in the request, the OpenID Connect Provider will not accept the request.
- The requested scopes must be present in the list of scopes that are defined by the scope attribute of the client configuration and must also be specified in the preAuthorizedScope list of the client configuration.
This task demonstrates how to configure a Liberty server that is acting as an OpenID Connect Provider to enable 2-legged OAuth requests.
Procedure
<oauthProvider id="OAuthConfigSample" ...>
....
<localStore>
<client name="client01" secret="{xor}..."
displayname="client01"
scope="profile email phone"
preAuthorizedScope="profile email"
enabled="true"/>
....
</localStore>
</oauthProvider>