Obtaining an Access Token by Using the User Credentials Without a Client Assertion

Using the resource owner password credentials workflow, the OAuth client can obtain an access token by providing the user's credentials (that is, the user name and password).

In this workflow, the token request carries the user identifier and password of the resource owner.

Obtaining an Access Token by Using the User Credentials

The resource owner password credentials grant workflow allows you to obtain an access token by using the user's credentials.

Parameters used in the access token request:
  • X-USER-IDENTITY-DOMAIN-NAME: The name of the identity domain.
  • Authorization: Basic: The basic authorization header. The client identifier and client secret of the client application are base64-encoded and sent in the header. For example, the Authorization header has the value of base64encoded(client_id:client_secret).
  • Content-Type: The type of content that's sent in the request. Here, it's a URL-encoded form (application/x-www-form-urlencoded).
  • Request: The type of request that's sent. Here, it's a POST request to obtain an access token. This is followed by the URL of the authorization server that issues tokens.
  • grant_type: The grant type used to obtain the token. In the example that follows, it's the resource owner password credentials grant, for which the value is password.
  • username: The name of the user.
  • password: The password of the user.
  • scope: The scope requested for the access token.

The client identifier and client secret of the client application are base64-encoded and sent in the header. This is sent along with the user's credentials to obtain an access token.

To obtain an access token that contains the user and client credentials, use the following cURL command:

curl -i -H 'X-USER-IDENTITY-DOMAIN-NAME: OAuthTestTenant125' \
-H 'Authorization: Basic MzAzYTI0OTItZDY0Zi00ZTA0LWI3OGYtYjQzMzAwNDczMTJiOll5Sk5NSkdFc0ZqUkxWZVZsdVMz' \
-H 'Content-Type: application/x-www-form-urlencoded;charset=UTF-8' \
--request POST https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens \
-d 'grant_type=password&username=tenantAdminUser&password=Fusionapps1&scope=http://www.example.com'

The output of the cURL command is:
{
"expires_in":3600,
"token_type":"Bearer",
"access_token":"eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsIng1dCI6Ild3cmVwdTJkYXNhSXBHUi1BbFZwSGtVQjZKZyIsIm
tpZCI6Ik9BdXRoVGVzdFRlbmFudDEyNS5jZXJ0In0.eyJzdWIiOiJ0ZW5hbnRBZG1pblVzZXIiLCJvcmFjbGUub2F1dGgudXNlcl9v
cmlnaW5faWRfdHlwZSI6IkxEQVBfVUlEIiwib3JhY2xlLm9hdXRoLnVzZXJfb3JpZ2luX2lkIjoidGVuYW50QWRtaW5Vc2VyIiwiaX
NzIjoiT0F1dGhUZXN0VGVuYW50MTI1Iiwib3JhY2xlLm9hdXRoLnN2Y19wX24iOiJPQXV0aFRlc3RUZW5hbnQxMjVTZXJ2aWNlUHJv
ZmlsZSIsImlhdCI6MTQyNTQyMzYxOTAwMCwib3JhY2xlLm9hdXRoLnBybi5pZF90eXBlIjoiTERBUF9VSUQiLCJvcmFjbGUub2F1dG
gudGtfY29udGV4dCI6InJlc291cmNlX2FjY2Vzc190ayIsImV4cCI6MTQyNTQyNzIxOTAwMCwiYXVkIjpbImh0dHA6Ly93d3cuZXhh
bXBsZS5jb20iXSwicHJuIjoidGVuYW50QWRtaW5Vc2VyIiwianRpIjoiZmE0NmNjNzktOTFhYi00NTUzLTk2ZDQtYTRhZWYxYzhmZm
M3Iiwib3JhY2xlLm9hdXRoLmNsaWVudF9vcmlnaW5faWQiOiIzMDNhMjQ5Mi1kNjRmLTRlMDQtYjc4Zi1iNDMzMDA0NzMxMmIiLCJv
cmFjbGUub2F1dGguc2NvcGUiOiJodHRwOi8vd3d3LmV4YW1wbGUuY29tIiwidXNlci50ZW5hbnQubmFtZSI6Ik9BdXRoVGVzdFRlbm
FudDEyNSIsIm9yYWNsZS5vYXV0aC5pZF9kX2lkIjoiMTM0NjM2NzUxMzgzMDI1NjYifQ.XP4cprA98Zx_k2UaGx5bYn_GDVJkzfvYo
BnXLZVWYdMB_Sgkf8sS2i-lOHFuMqqwFvpYu4EccppQ8nWZYoMIJ_ZBnA3kvwosn1j-_DGYr2aukuBrlM53mfkQlQ0kwd_zrVfJNVH
jaaw3grs0rX52NCRwWhxgE30OOahjj4ErWE64L9tDE0kz7YyKFAcPp6tPgQFO8eikVnlhgJAgexq5vABXa_QSFyRhcsmk0kyNi9FtX
AKu4GEh_e0waQ9KGjeqzgwCSfRzriJ9otZjofbXca6dZpCxEWhfL06VHFiW-33GQpenpYCA-x8XWmQtUR6c_jkE6TlMPp7AzR32Qud
nAA"}

The JSON Web Token (JWT) obtained can be decoded, and the claims in the access token can be viewed as follows:

Access Token:
{
 alg: "RS256",
 typ: "JWT",
 x5t: "Wwrepu2dasaIpGR-AlVpHkUB6Jg",
 kid: "OAuthTestTenant125.cert"
}.
{
 sub: "tenantAdminUser",
 oracle.oauth.user_origin_id_type: "LDAP_UID",
 oracle.oauth.user_origin_id: "tenantAdminUser",
 iss: "OAuthTestTenant125",
 oracle.oauth.svc_p_n: "OAuthTestTenant125ServiceProfile",
 iat: 1425423619000,
 oracle.oauth.prn.id_type: "LDAP_UID",
 oracle.oauth.tk_context: "resource_access_tk",
 exp: 1425427219000,
 aud: [
  "http://www.example.com"
 ],
 prn: "tenantAdminUser",
 jti: "fa46cc79-91ab-4553-96d4-a4aef1c8ffc7",
 oracle.oauth.client_origin_id: "303a2492-d64f-4e04-b78f-b4330047312b",
 oracle.oauth.scope: "http://www.example.com",
 user.tenant.name: "OAuthTestTenant125",
 oracle.oauth.id_d_id: "13463675138302566"
}.
[signature]

Audience and scope claims in the output:

The audience claim in an access token always contains the API path of the resource. The oracle.oauth.scope claim contains the valid API path with the scope in the response. In the example above, the incoming request has a scope of http://www.example.com. The client audience configuration also has a value of http://www.example.com. The OAuth token service validates the scope in the incoming request against the values in the client audience configuration. If the request is valid, the OAuth token service returns a valid access token response. In this case, both the audience claim and the scope claim have the same value of http://www.example.com.
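The following Python is an added example, not part of the Oracle documentation, that assembles the token request described above (Basic header, identity-domain header, URL-encoded form) and then decodes a JWT and checks the issuer, audience and scope claims the way the preceding paragraph describes. The endpoint URL keeps the page's angle-bracket placeholders, the signature is not verified (a real client must do so with the key named by kid), and the sample token is a constructed fixture built from the claims shown on the page; note that the page's exp and iat values are 13 digits, i.e. milliseconds (exp minus iat is 3,600,000, matching expires_in of 3600 seconds), so the check converts them before comparing with a seconds-based clock.

```python
import base64, json
from urllib.parse import urlencode

# Token endpoint as written on the page (angle-bracket parts are placeholders).
TOKEN_URL = "https://<idm-domain>.identity.<data-center>.oraclecloud.com/oauth/tokens"

def basic_auth_header(client_id, client_secret):
    # Authorization: Basic base64(client_id:client_secret)
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()

def build_token_request(identity_domain, client_id, client_secret, username, password, scope):
    # Headers and form body for the resource owner password credentials grant.
    headers = {"X-USER-IDENTITY-DOMAIN-NAME": identity_domain,
               "Authorization": basic_auth_header(client_id, client_secret),
               "Content-Type": "application/x-www-form-urlencoded;charset=UTF-8"}
    body = urlencode({"grant_type": "password", "username": username,
                      "password": password, "scope": scope})
    return TOKEN_URL, headers, body

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore the padding before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    # Split the compact JWT into header and claims; the signature is NOT verified here.
    header_b64, claims_b64, _ = token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(claims_b64))

def check_claims(claims, expected_issuer, requested_scope, now):
    # Return the list of problems found; an empty list means the token fits the request.
    problems = []
    if claims.get("iss") != expected_issuer:
        problems.append("issuer mismatch")
    if requested_scope not in claims.get("aud", []):
        problems.append("aud does not contain the requested scope")
    if claims.get("oracle.oauth.scope") != requested_scope:
        problems.append("oracle.oauth.scope differs from the requested scope")
    # 13-digit exp (as in the page's sample) is milliseconds, not RFC 7519 seconds.
    exp = claims["exp"] / (1000 if claims["exp"] > 10**11 else 1)
    if exp <= now:
        problems.append("token expired")
    return problems

def make_sample_jwt(claims):
    # Constructed fixture for offline use: header fields and claims from the page, dummy signature.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'RS256', 'typ': 'JWT', 'kid': 'OAuthTestTenant125.cert'})}.{enc(claims)}.sig"

SAMPLE_CLAIMS = {"sub": "tenantAdminUser", "iss": "OAuthTestTenant125", "iat": 1425423619000,
                 "exp": 1425427219000, "aud": ["http://www.example.com"],
                 "oracle.oauth.scope": "http://www.example.com",
                 "oracle.oauth.client_origin_id": "303a2492-d64f-4e04-b78f-b4330047312b"}
```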