oauth2c is a command-line tool that simplifies the process of experimenting with different grant types and client authentication methods for OAuth 2.0.
- Simple and intuitive interface for quickly experimenting with different OAuth 2.0 grant types and client authentication methods
- Supports all modern OAuth 2.0 grant types: authorization code, implicit, password, client credentials, refresh token, JWT bearer
- Supports all client authentication methods: client secret basic, client secret post, client secret JWT, private key JWT, TLS client auth
To install oauth2c, simply run the following command:
curl -sSfL https://raw.githubusercontent.com/cloudentity/oauth2c/master/install.sh | \
sudo sh -s -- -b /usr/local/bin latestAlternatively, you can download a pre-built binary from the releases page.
To use oauth2c, run the following command and follow the prompts:
oauth2c [issuer url] [flags]You will be asked to provide the necessary information, such as the grant type, client authentication method, and any other relevant details.
Once authenticated, you will be able to use the access token to access the OAuth2 provider's API.
Note: To make browser flows work add
http://localhost:9876/callbackas a redirect URL to your client.
For more information on the available options and arguments for each grant type, run oauth2c --help.
Here are a few examples of using oauth2c with different grant types and client authentication methods:
This grant type involves a two-step process where the user first grants permission to access their data, and then the client exchanges the authorization code for an access token. This grant type is typically used in server-side applications.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--response-types code \
--response-mode query \
--grant-type authorization_code \
--auth-method client_secret_basic \
--scopes openid,email,offline_access \
--no-pkceLearn more about authorization code flow
The Proof Key for Code Exchange (PKCE) is an extension to the OAuth2 authorization code grant flow that provides additional security when authenticating with an OAuth2 provider. In the PKCE flow, the client generates a code verifier and a code challenge, which are then sent to the OAuth2 provider during the authorization request. The provider returns an authorization code, which the client then exchanges for an access token along with the code verifier. The provider verifies the code verifier to ensure that the request is coming from the same client that initiated the authorization request.
This additional step helps to prevent attackers from intercepting the authorization code and using it to obtain an access token. PKCE is recommended for all public clients, such as single-page or mobile applications, where the client secret cannot be securely stored. oauth2c supports PKCE as an optional parameter when using the authorization code grant type.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--response-types code \
--response-mode query \
--grant-type authorization_code \
--auth-method client_secret_basic \
--scopes openid,email,offline_access \
--pkceLearn more about authorization code flow with pkce
This grant type is similar to the authorization code grant, but the access token is returned directly to the client without an intermediate authorization code. This grant type is typically used in single-page or mobile applications.
Note: The implicit flow is not recommended for use in modern OAuth2 applications. It does not provide a secure method for obtaining new access tokens. Instead, it is recommended to use the authorization code flow with PKCE (Proof Key for Code Exchange) for added security.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--response-types token \
--response-mode form_post \
--grant-type implicit \
--scopes openid,email,offline_accessLearn more about implicit flow
To use the OAuth2 hybrid flow to obtain an authorization code and an ID token, the client first sends an authorization request to the OAuth2 provider. The request should include the code and id_token response types.
The OAuth2 provider will then return an authorization code and an ID token to the client, either in the response body or as fragment parameters in the redirect URL, depending on the response mode specified in the request. The client can then use the authorization code to obtain an access token by sending a token request to the OAuth2 provider.
The ID token can be used to verify the identity of the authenticated user, as it contains information such as the user's name and email address. The ID token is typically signed by the OAuth2 provider, so the client can verify its authenticity using the provider's public key.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--response-types code,id_token \
--response-mode form_post \
--grant-type authorization_code \
--auth-method client_secret_basic \
--scopes openid,email,offline_access \
--no-pkceLearn more about the hybrid flow
This grant type involves the client providing its own credentials (i.e. client ID and client secret) to the OAuth2 server, which then returns an access token. This grant type is typically used for server-to-server communication, where the client is a trusted server rather than a user.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--grant-type client_credentials \
--auth-method client_secret_basic \
--scopes introspect_tokens,revoke_tokensLearn more about the client credentials flow
This grant type involves the client providing a refresh token to the OAuth2 server, which then returns a new access token. This grant type is used to obtain new access tokens when the original access token has expired.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--grant-type refresh_token\
--auth-method client_secret_basic \
--refresh-token 1X1IvWR8p5rgKnH2YNmHGd4pZp8Dq-85xzUQuJejT_g.O_DS8Y4eiTS5jZ47_eBv3VbwP4zQUyxjNVW93AyU82kLearn more about the refresh token flow
This grant type involves the client providing the user's username and password to the OAuth2 server, which then returns an access token. This grant type should only be used in secure environments, as it involves sending the user's credentials to the OAuth2 server.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--grant-type password --username demo --password demo \
--auth-method client_secret_basic \
--scopes openidLearn more about the password flow
This grant type involves the client providing a JSON Web Token (JWT) to the OAuth2 server, which then returns an access token. This grant type is typically used when the client is a trusted third-party, such as a JWT issuer.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
--auth-method client_secret_basic \
--scopes email \
--signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
--assertion '{"sub":"jdoe@example.com"}'Learn more about the jwt bearer flow
This client authentication method involves the client sending its client ID and client secret as part of the HTTP Basic authentication header in the request to the OAuth2 server. This method is simple and widely supported, but it is less secure than other methods because the client secret is sent in the clear.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauktionbud6q8ftlqq0 \
--client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
--grant-type client_credentials \
--auth-method client_secret_basic \
--scopes introspect_tokens,revoke_tokensLearn more about client secret basic
This client authentication method involves the client sending its client ID and client secret as part of the request body in the request to the OAuth2 server. This method provides more security than the basic authentication method, but it requires the request to be sent via HTTPS to prevent the client secret from being intercepted.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id cauosoo2omc4fr8ai1fg \
--client-secret ipFkA1lMomOMI_d2HcGGQ7j8oxeHFqKw3kli76g92VM \
--grant-type client_credentials \
--auth-method client_secret_post \
--scopes introspect_tokens,revoke_tokensLearn more about client secret post
This client authentication method involves the client signing a JSON Web Token (JWT) using its client secret, and then sending the JWT to the OAuth2 server. This method provides a higher level of security than the basic or post methods, as the client secret is never sent in the clear.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id ab966ce4f2ac4f4aa641582b099c32d3 \
--client-secret 578-WfFYfBheWb8gJpHYXMRRqR5HN0qv7d7xIolJnIE \
--grant-type client_credentials \
--auth-method client_secret_jwt \
--scopes introspect_tokens,revoke_tokensLearn more about client secret jwt
This client authentication method involves the client signing a JSON Web Token (JWT) using its private key, and then sending the JWT to the OAuth2 server. This method provides a higher level of security than the JWT methods using a client secret, as the private key is never shared with the OAuth2 server.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id 582af0afb0d74554aa7af47849edb222 \
--signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.json \
--grant-type client_credentials \
--auth-method private_key_jwt \
--scopes introspect_tokens,revoke_tokensLearn more about private key jwt
This client authentication method involves the client providing its own certificate as part of the TLS handshake when connecting to the OAuth2 server. This method provides a high level of security, as the client's identity is verified using a trusted certificate authority. However, it requires the OAuth2 server to support TLS client authentication, which may not be supported by all OAuth2 providers.
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
--client-id 3f07a8c2adea4c1ab353f3ca8e16b8fd \
--tls-cert https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem \
--tls-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem \
--grant-type client_credentials \
--auth-method tls_client_auth \
--scopes introspect_tokens,revoke_tokensLearn more about tls client auth
oauth2c is released under the Apache v2.0.
We welcome contributions! If you have an idea for a new feature or have found a bug, please open an issue on GitHub.