2
votes

I am using dotnet core (.NET Core) 3.1 with the IdentityServer4 package. I have an SPA that I wish to integrate with Identity Server 4 so I am going down the path of using the Authorization Code grant type using PKCE. I understand the basic idea of this grant type however I don't understand how to exchange the username/password for an Authorization Code. Here is how I understand it.

  1. The SPA makes a GET request to /authorize endpoint that looks something like http://localhost:5000/connect/authorize?client_id=js&redirect_uri=http://localhost:5003/callback.html&response_type=code&scope=openid profile api1&state=8636d5233f77413584799be6cafe03a7&code_challenge=FbNm1tMkaRMzcSBv4_d5Rpq4VNaqyINVkCAcHsZkKV0&code_challenge_method=S256&response_mode=query
  2. This returns a 302 redirect to http://localhost:5000/Account/Login that I assume should be a login screen hosted by the auth server.
  3. The user submits their credentials, the auth server validates the credentials and returns another 302 redirect to the given redirect_url, http://localhost:5003/callback.html in this case. The redirect url should include the generated Authorization Code and provided State in the query string.
  4. The SPA validates the State and then makes a request to the /token endpoint that includes in the header: authorization=Basic Y2xpZW50OnNlY3JldA== and in the query string: grant_type=authorization_code, code=Authorization Code, redirect_uri=http://localhost/redirect
  5. The auth server returns a valid token.

I've done steps 1 and 2 (no UI yet but that's not important yet). Calling the /authorize is working. I'm getting a valid 302 response. Where I'm stuck is steps 3 and 4. Am I required to write an endpoint that generates an Authorization Code and returns the 302 redirect containing it or is this something that is already built into Identity Server 4 (like the /authorize and /token endpoints)?

I have mashed a number of examples I've found online including this one https://identityserver4.readthedocs.io/en/latest/quickstarts/4_javascript_client.html. There doesn't seem to be any complete examples using this type of grant type. I have also included in my startup a few test resources, clients and users.

services.AddIdentityServer()
    .AddDeveloperSigningCredential()
    .AddInMemoryApiResources(Config.GetAllApiResources())
    .AddInMemoryClients(Config.GetClients())
    .AddTestUsers(Config.GetUsers());

Thanks for any help you can provide to at least push me in the right direction.


2 Answers

1
votes

Take a look at this quickstart. In particular, the login action in Account controller that validates credentials.

There are 2 important steps:

  1. Sign in to Identity Server (through a cookie by default)
  2. Redirect to a view that loads this JavaScript for a better experience in the case of PKCE. The URL contains the query parameters code and state that are generated and managed by Identity Server.

0
votes

For step number 3, you do need to come up with a UI/endpoint for user login.

The IdentityServer4 team makes this easy by creating a template that you can just import. Here is the link to the template: https://github.com/IdentityServer/IdentityServer4.Templates

In your case, I think you need the is4ui template.
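Both answers point at the same missing piece: the /Account/Login endpoint that IdentityServer4 redirects to in step 2 is not built in, and the authorization code in step 3 is minted by IdentityServer4 only after the login page signs the user in and hands control back via the returnUrl it was given. The following is an added illustration of that hand-off, not code from the question, the answers, the quickstart or the is4ui template. It assumes the IdentityServer4 v3 API (TestUserStore registered by AddTestUsers, IIdentityServerInteractionService, and the HttpContext.SignInAsync(IdentityServerUser) extension), and the LoginViewModel and view names are hypothetical.

```csharp
using System.Threading.Tasks;
using IdentityServer4;
using IdentityServer4.Services;
using IdentityServer4.Test;
using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Mvc;

// Hypothetical minimal login controller. The route /Account/Login matches the
// redirect observed in the question; everything else here is an assumption.
public class AccountController : Controller
{
    private readonly TestUserStore _users;                      // registered by AddTestUsers(...)
    private readonly IIdentityServerInteractionService _interaction;

    public AccountController(TestUserStore users, IIdentityServerInteractionService interaction)
    {
        _users = users;
        _interaction = interaction;
    }

    // Step 2: /connect/authorize 302s here with ?returnUrl=<IdentityServer callback URL>.
    // The returnUrl carries the original authorize request (code_challenge, state, ...).
    [HttpGet]
    public IActionResult Login(string returnUrl)
    {
        return View(new LoginViewModel { ReturnUrl = returnUrl });
    }

    // Step 3: validate credentials, establish the IdentityServer session cookie, then
    // redirect back into IdentityServer. IdentityServer, not this controller, generates
    // the authorization code and issues the 302 to the client's redirect_uri with
    // code and state in the query string.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public async Task<IActionResult> Login(LoginViewModel model)
    {
        // Only follow a returnUrl that belongs to a pending authorize request (or is
        // local); an arbitrary absolute URL would turn this action into an open redirect.
        var context = await _interaction.GetAuthorizationContextAsync(model.ReturnUrl);
        if (context == null && !Url.IsLocalUrl(model.ReturnUrl))
        {
            return Redirect("~/");
        }

        if (!_users.ValidateCredentials(model.Username, model.Password))
        {
            // Generic message: do not reveal whether the username or the password was wrong.
            ModelState.AddModelError(string.Empty, "Invalid username or password");
            return View(model);
        }

        var user = _users.FindByUsername(model.Username);

        // Issues the IdentityServer authentication cookie for this subject.
        await HttpContext.SignInAsync(new IdentityServerUser(user.SubjectId)
        {
            DisplayName = user.Username
        });

        // Hand back to IdentityServer, which completes the authorize request.
        return Redirect(model.ReturnUrl);
    }
}

// Hypothetical view model bound from the login form.
public class LoginViewModel
{
    public string Username { get; set; }
    public string Password { get; set; }
    public string ReturnUrl { get; set; }
}
```

After the redirect in the POST action, IdentityServer4 resumes the original authorize request, binds the code it generates to the code_challenge from step 1, and redirects the browser to redirect_uri with code and state. The SPA then completes step 4 by sending code plus the original code_verifier to /connect/token; with PKCE the client does not need a client secret, so the Basic authorization header from the question is not required for a public client.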