Introducing OAuth2c: A Powerful Command-Line Tool for OAuth2
By Mateusz Bilski | Published: Jan 02 2023
SecureAuth has recently introduced OAuth2c, a command-line tool for OAuth2. OAuth2 is an open standard for authorization that allows users to grant third-party access to their web resources without sharing their passwords. OAuth2c makes it easy for developers to learn how all the grant types and client authentication methods work in OAuth2.
OAuth2c: The Command-Line Tool for OAuth 2.0
OAuth2c provides a simple and intuitive interface that allows developers to quickly and easily experiment with different grant types and client authentication methods. With OAuth2c, developers can quickly learn how to use the various grant types supported by OAuth2, including authorization code, implicit, password, client credentials, jwt-bearer, and refresh token grants.
Using OAuth2c, developers can also experiment with the different client authentication methods supported by OAuth2, such as client secret basic, client secret post, client secret jwt, private key jwt and tls client auth. With OAuth2c, developers can quickly learn how to use these authentication methods to securely authenticate their clients and access protected resources.
In addition to its user-friendly interface and extensive documentation, one of the great features of OAuth2c is that all of the examples included in the documentation work out of the box. This means that developers can quickly and easily try out the different grant types and client authentication methods without having to spend time configuring their own OAuth2 server or setting up test users and clients.
Quick Demo
To install OAuth2c, simply run the following command:
```sh
brew install cloudentity/tap/oauth2c
```
Here is an example of how to use OAuth2c to experiment with the authorization code grant type:
```sh
oauth2c https://oauth2c.us.connect.secureauth.com/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access
```
This will launch a browser, which will prompt you to log in.
```
┌─────────────────────────────────────────────────────────────────────────┐
| Issuer URL     | https://oauth2c.us.connect.secureauth.com/oauth2c/demo |
| Grant type     | authorization_code                                     |
| Auth method    | client_secret_basic                                    |
| Scopes         | openid, email, offline_access                          |
| Response types | code                                                   |
| Response mode  | query                                                  |
| PKCE           | false                                                  |
| Client ID      | cauktionbud6q8ftlqq0                                   |
| Client secret  | HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc            |
└─────────────────────────────────────────────────────────────────────────┘

                         Authorization Code Flow

# Request authorization

GET https://oauth2c.us.connect.secureauth.com/oauth2c/demo/oauth2/authorize
Query params:
  response_mode: query
  response_type: code
  scope: openid email offline_access
  state: Lcd2qdzvK7LF8crcFKMu6Z
  client_id: cauktionbud6q8ftlqq0
  nonce: DQoSt3ZpbPJyRdezr53hah
  redirect_uri: http://localhost:9876/callback

Open the following URL:

https://oauth2c.us.connect.secureauth.com/oauth2c/demo/oauth2/authorize?client_id=cauktionbud6q8ftlqq0&nonce=DQoSt3ZpbPJyRdezr53hah&redirect_uri=http%3A%2F%2Flocalhost%3A9876%2Fcallback&response_mode=query&response_type=code&scope=openid+email+offline_access&state=Lcd2qdzvK7LF8crcFKMu6Z

GET /callback
Query params:
  code: ISTuf41Md7UPlaSGLLIRPArqdEV1lb0nAjNDgFnOgUo.jnSNyW2L_WcQ3CpkDhmDgzMVMOtGW8ZIvhfanmQx2Zo
  scope: openid email offline_access
  state: Lcd2qdzvK7LF8crcFKMu6Z

 SUCCESS  Obtained authorization code

# Exchange authorization code for token

┌─ Client Secret Basic ──────────────────────────────────────┐
| Authorization = Basic BASE64-ENCODE(ClientID:ClientSecret) |
└────────────────────────────────────────────────────────────┘

POST https://oauth2c.us.connect.secureauth.com/oauth2c/demo/oauth2/token
Headers:
  Authorization: Basic Y2F1a3Rpb25idWQ2cThmdGxxcTA6SEN3UTV1dVVXQlJIZDA0aXZqWDVLbDBSejh6eE1PZWtlTHRxemtpMEdQYw==
  Content-Type: application/x-www-form-urlencoded
Form post:
  code: ISTuf41Md7UPlaSGLLIRPArqdEV1lb0nAjNDgFnOgUo.jnSNyW2L_WcQ3CpkDhmDgzMVMOtGW8ZIvhfanmQx2Zo
  grant_type: authorization_code
  redirect_uri: http://localhost:9876/callback
Response:
{
  "access_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjQ1NDA3MTEyNzQ5Mjk3MTgwNzI0MTE1ODQ0OTMxODU2OTA0MDk0IiwidHlwIjoiSldUIn0.eyJhY3IiOiIxIiwiYWlkIjoiZGVtbyIsImFtciI6WyJwd2QiXSwiYXVkIjpbImNhdWt0aW9uYnVkNnE4ZnRscXEwIiwic3BpZmZlOi8vb2F1dGgyYy51cy5hdXRoei5jbG91ZGVudGl0eS5pby9vYXV0aDJjL2RlbW8vZGVtby1wcm9maWxlIl0sImVtYWlsIjoiamRvZUBleGFtcGxlLmNvbSIsImV4cCI6MTY3MDU5MDE4NywiaWF0IjoxNjcwNTg2NTg3LCJpZHAiOiJzYW5kYm94IiwiaXNzIjoiaHR0cHM6Ly9vYXV0aDJjLnVzLmF1dGh6LmNsb3VkZW50aXR5LmlvL29hdXRoMmMvZGVtbyIsImp0aSI6Ijk3YTcwNjJlLTVhMWQtNGIzMC05YTMzLWU2NmFlMjZmZWFlZSIsIm5iZiI6MTY3MDU4NjU4Nywic2NwIjpbIm9wZW5pZCIsImVtYWlsIiwib2ZmbGluZV9hY2Nlc3MiXSwic3QiOiJwdWJsaWMiLCJzdWIiOiIxMWYxZWIzNmUyNDk2NjQ0OTMwMmNjZGVjYjM5NTBiMmQxMzIwNmYwYmQ0NmFhZWE3MDNmYmM4NjY2OWRkMDczIiwidGlkIjoib2F1dGgyYyJ9.gHyuTfl4ViNe40PlpMc3SPBTSWjUeYA8a4UWZSIyaIaoxxkCHmdluoKvumqfYlDsi9KFT_mKwzhThIjqeAeTHw",
  "expires_in": 3599,
  "id_token": "eyJhbGciOiJFUzI1NiIsImtpZCI6IjQ1NDA3MTEyNzQ5Mjk3MTgwNzI0MTE1ODQ0OTMxODU2OTA0MDk0IiwidHlwIjoiSldUIn0.….dEfCP9pYplhmbrauFITA3_2TDkXrxFJWGTlCsUe9EehE4B4-dzObIkAEtPJn7UF_IV10LgioHFyocaaCBWrIiA",
  "refresh_token": "6udGQ3bN5F5_MpcXSsj2T1QM63K-ARileZj40R1U9IY.ifxOeZ3SWOAXuPBnSClJBtEy2jDQy0EcgnzjqM3g3Pw",
  "scope": "openid email offline_access",
  "token_type": "bearer"
}
Access token:
{
  "acr": "1",
  "aid": "demo",
  "amr": ["pwd"],
  "aud": [
    "cauktionbud6q8ftlqq0",
    "spiffe://oauth2c.us.connect.secureauth.com/oauth2c/demo/demo-profile"
  ],
  "email": "jdoe@example.com",
  "exp": 1670590187,
  "iat": 1670586587,
  "idp": "sandbox",
  "iss": "https://oauth2c.us.connect.secureauth.com/oauth2c/demo",
  "jti": "97a7062e-5a1d-4b30-9a33-e66ae26feaee",
  "nbf": 1670586587,
  "scp": ["openid", "email", "offline_access"],
  "st": "public",
  "sub": "11f1eb36e24966449302ccdecb3950b2d13206f0bd46aaea703fbc86669dd073",
  "tid": "oauth2c"
}
ID token:
{
  "acr": "1",
  "amr": ["pwd"],
  "at_hash": "YJwKXEt2Gx0nmPMu2whT1Q",
  "aud": "cauktionbud6q8ftlqq0",
  "auth_time": 1670586585,
  "exp": 1670590187,
  "iat": 1670586587,
  "idp": "sandbox",
  "idpm": "static",
  "iss": "https://oauth2c.us.connect.secureauth.com/oauth2c/demo",
  "jti": "b9b577d2-6619-412f-a32c-14dbc5f5e5ed",
  "nonce": "DQoSt3ZpbPJyRdezr53hah",
  "rat": 1670586587,
  "refresh_token_expires_at": 1673178587,
  "sub": "11f1eb36e24966449302ccdecb3950b2d13206f0bd46aaea703fbc86669dd073"
}

 SUCCESS  Exchanged authorization code for access token
```
Once you have logged in, OAuth2c will complete the grant flow and display the resulting access token. You can then use this access token to access protected resources on the authorization server.
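The checks a client should make on the exchange traced above, written out as an added example (not code from OAuth2c or from the original post). It rebuilds the `client_secret_basic` header and validates `state`, `nonce`, `iss`, `aud`, `exp` and `at_hash`; the function names, the stand-in access token and the assumption that the ID token signature was already verified are this example's own.

```python
import base64, hashlib, hmac
from urllib.parse import quote_plus

# Values the client sent or was configured with, copied from the trace above.
CLIENT_ID = "cauktionbud6q8ftlqq0"
ISSUER = "https://oauth2c.us.connect.secureauth.com/oauth2c/demo"
SENT = {"state": "Lcd2qdzvK7LF8crcFKMu6Z", "nonce": "DQoSt3ZpbPJyRdezr53hah"}

def basic_auth_header(client_id, client_secret):
    """client_secret_basic: form-urlencode each part (RFC 6749, 2.3.1), then Base64."""
    pair = f"{quote_plus(client_id)}:{quote_plus(client_secret)}"
    return "Basic " + base64.b64encode(pair.encode()).decode()

def at_hash(access_token):
    """OIDC at_hash for an ES256 ID token: left half of SHA-256, base64url, no padding."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode()

def _same(a, b):
    return hmac.compare_digest(str(a).encode(), str(b).encode())

def check_flow(callback, id_claims, access_token, now):
    """Return the failed checks (empty list = consistent flow).
    Assumes id_claims come from an ID token whose signature was already verified."""
    errors = []
    if not _same(callback.get("state", ""), SENT["state"]):
        errors.append("state mismatch")      # callback not tied to our request
    if not _same(id_claims.get("nonce", ""), SENT["nonce"]):
        errors.append("nonce mismatch")      # ID token not minted for this request
    if id_claims.get("iss") != ISSUER:
        errors.append("unexpected issuer")
    aud = id_claims.get("aud")
    if CLIENT_ID not in ([aud] if isinstance(aud, str) else (aud or [])):
        errors.append("client not in aud")
    if now >= id_claims.get("exp", 0):
        errors.append("ID token expired")
    if "at_hash" in id_claims and not _same(id_claims["at_hash"], at_hash(access_token)):
        errors.append("at_hash mismatch")    # access token swapped or altered
    return errors

# Constructed sample: claims mirror the trace; the access token is a stand-in,
# so at_hash is recomputed for it instead of reusing the value from the trace.
SAMPLE_TOKEN = "constructed-access-token"
SAMPLE_CALLBACK = {"state": "Lcd2qdzvK7LF8crcFKMu6Z"}
SAMPLE_CLAIMS = {"iss": ISSUER, "aud": CLIENT_ID, "exp": 1670590187,
                 "nonce": "DQoSt3ZpbPJyRdezr53hah", "at_hash": at_hash(SAMPLE_TOKEN)}

if __name__ == "__main__":
    print(check_flow(SAMPLE_CALLBACK, SAMPLE_CLAIMS, SAMPLE_TOKEN, now=1670586600))
```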
If you want to see more examples of how to use OAuth2c to experiment with different grant types and client authentication methods, you can check out the examples included in the OAuth2c README.
Conclusion
OAuth2c is a powerful new command-line tool for working with OAuth 2.0. It makes it easy to learn and understand how OAuth 2.0 works, and to experiment with the different grant types and client authentication methods defined by the specification. We encourage you to try out OAuth2c, and see how it can help you work with OAuth2.
Now that you have had a chance to try out OAuth2c and learn about the different grant types and client authentication methods supported by OAuth2, we encourage you to take the next step and try out SecureAuth's Authorization Platform. With the SecureAuth platform, you can take your knowledge of OAuth2 to the next level and begin implementing it in a real-world setting.
The SecureAuth platform is specifically designed to address the complex authorization and access control challenges that companies face today. It is built for use cases like Open Banking and B2B/partner relationships, and it delivers powerful features like authorization for distributed applications, user consent, and data sharing over APIs. In addition to supporting all OAuth authorization grant types, SecureAuth also supports a number of OAuth extensions like PKCE, CIBA, or PAR, giving you even more flexibility and control over your authorization process.
We believe that you will find the SecureAuth Authorization Platform to be a valuable tool for managing access to your resources and protecting sensitive data. We encourage you to give it a try and see for yourself the benefits it can bring to your organization.