### Install oauth2c on Linux using installation script

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use this command to install oauth2c on Linux systems by piping the installation script to `sudo sh`. It installs the 'latest' version to /usr/local/bin.

```sh
curl -sSfL https://raw.githubusercontent.com/cloudentity/oauth2c/master/install.sh | \
  sudo sh -s -- -b /usr/local/bin latest
```

--------------------------------

### Install OAuth2c

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Install OAuth2c on macOS using Homebrew, on Linux via a script, or compile from source. Verify the installation with the 'version' command.

```sh
# macOS
brew install cloudentity/tap/oauth2c
```

```sh
# Linux
curl -sSfL https://raw.githubusercontent.com/cloudentity/oauth2c/master/install.sh | \
  sudo sh -s -- -b /usr/local/bin latest
```

```sh
# From source (requires Go)
go install github.com/cloudentity/oauth2c@latest
```

```sh
# Verify installation
oauth2c version
# oauth2c version v1.x.x (commit abc1234, built at 2024-01-01T00:00:00Z)
```

--------------------------------

### Compile oauth2c from source using Go

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Compile and install the oauth2c tool from its Go source code using the 'go install' command. This ensures you have the latest version directly from the repository.

```sh
go install github.com/cloudentity/oauth2c@latest
```

--------------------------------

### Install oauth2c on Mac using Homebrew

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use this command to install oauth2c on macOS via Homebrew.

```sh
brew install cloudentity/tap/oauth2c
```

--------------------------------

### Implicit Grant Flow Example

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Demonstrates the implicit grant flow, which is deprecated. It returns the access token directly in the redirect URL fragment.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --response-types token \
  --response-mode form_post \
  --grant-type implicit \
  --scopes openid,email,offline_access
```

--------------------------------

### Rich Authorization Request (RAR) Example

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use the --rar flag with a JSON string to specify fine-grained authorization requirements. This enables richer authorization details beyond standard scopes.

```json
{
  "type": "payment_initiation",
  "locations": [
    "https://example.com/payments"
  ],
  "instructedAmount": {
    "currency": "EUR",
    "amount": "123.50"
  },
  "creditorName": "Merchant A",
  "creditorAccount": {
    "bic": "ABCIDEFFXXX",
    "iban": "DE02100100109307118603"
  },
  "remittanceInformationUnstructured": "Ref Number Merchant"
}
```

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --rar '[{"type":"payment_initiation","locations":["https://example.com/payments"],"instructedAmount":{"currency":"EUR","amount":"123.50"},"creditorName":"Merchant A","creditorAccount":{"bic":"ABCIDEFFXXX","iban":"DE02100100109307118603"},"remittanceInformationUnstructured":"Ref Number Merchant"}]'
```

--------------------------------

### Set REFRESH_TOKEN Environment Variable

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Example of how to obtain a refresh token using the authorization code grant and set it as an environment variable.
```sh
export REFRESH_TOKEN=`oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --silent | jq -r .refresh_token`
```

--------------------------------

### Get Access Token using Client Credentials Grant

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Use the client credentials grant for machine-to-machine authentication. The --silent flag ensures clean JSON output, suitable for CI/CD pipelines.

```sh
TOKEN_JSON=$(oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --scopes introspect_tokens,revoke_tokens \
  --silent)

# Quote the variable so the shell does not word-split or glob the JSON
echo "$TOKEN_JSON" | jq .access_token
```

--------------------------------

### Run oauth2c CLI

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

To use oauth2c, run the command with the issuer URL and any desired flags. Follow the prompts for interactive authentication.

```sh
oauth2c [issuer url] [flags]
```

--------------------------------

### HTTPS Callback with TLS

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Configure the callback server to use HTTPS by providing certificate and key files with `--callback-tls-cert` and `--callback-tls-key`.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --redirect-url https://localhost:9876/callback \
  --callback-tls-cert ./data/cert.pem \
  --callback-tls-key ./data/key.pem
```

--------------------------------

### Manual Endpoint Configuration with Flags

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Use these flags when the authorization server does not support OIDC Discovery. All necessary endpoint URLs are specified directly.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --token-endpoint https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/oauth2/token \
  --authorization-endpoint https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/oauth2/authorize \
  --device-authorization-endpoint https://example.com/oauth2/device_authorization \
  --pushed-authorization-request-endpoint https://example.com/oauth2/par \
  --mtls-token-endpoint https://mtls.example.com/oauth2/token \
  --mtls-pushed-authorization-request-endpoint https://mtls.example.com/oauth2/par
```

--------------------------------

### DPoP (Demonstration of Proof of Possession)

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Enables DPoP, which cryptographically binds issued access tokens to a client's key pair to prevent token replay. Requires a signing key in JWKS format.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/ps/key.json \
  --dpop
```

--------------------------------

### JSON Config File Input for OAuth2c

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Provide a JSON file as the first argument to pre-populate client credentials and discovery endpoints. Remaining flags can override or extend these values.

config.json:

```json
{
  "client_id": "cauktionbud6q8ftlqq0",
  "client_secret": "HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc",
  "openid_discovery_endpoint": "https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/.well-known/openid-configuration"
}
```

```sh
oauth2c config.json \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --scopes introspect_tokens,revoke_tokens \
  --silent
```

--------------------------------

### Callback Behind TLS-Terminating Proxy

Source: https://context7.com/cloudentity/oauth2c/llms.txt

When running behind a TLS-terminating proxy, use `--callback-addr` to specify the local bind address and `--redirect-url` for the public-facing URL.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --redirect-url https://example.com/callback \
  --callback-addr 0.0.0.0:8080
```

--------------------------------

### Rich Authorization Requests (RAR)

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Utilize the `--rar` flag with a JSON array of `authorization_details` objects to specify fine-grained permissions, such as for payment initiation. This works with both authorization and token endpoint flows.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --rar '[{
    "type": "payment_initiation",
    "locations": ["https://example.com/payments"],
    "instructedAmount": {"currency": "EUR", "amount": "123.50"},
    "creditorName": "Merchant A",
    "creditorAccount": {
      "bic": "ABCIDEFFXXX",
      "iban": "DE02100100109307118603"
    },
    "remittanceInformationUnstructured": "Ref Number Merchant"
  }]'
```

--------------------------------

### Set ACTOR_TOKEN environment variable

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

This command demonstrates how to obtain and set the ACTOR_TOKEN environment variable using the client credentials grant type.
```sh
export ACTOR_TOKEN=`oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --scopes introspect_tokens,revoke_tokens \
  --silent | jq -r .access_token`
```

--------------------------------

### Authorization Code Flow with PKCE

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Implements the authorization code flow with PKCE for public clients. OAuth2c automatically generates the `code_verifier` and `code_challenge` when the `--pkce` flag is used. The tool will display these generated values.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id db5e375e7b634095b24bbb683fcb955b \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method none \
  --scopes openid,email \
  --pkce

# oauth2c will display the generated code_verifier and code_challenge, e.g.:
# ╭──────────────────────────────────────────────────────────────────╮
# │ PKCE                                                             │
# │ code_verifier  = dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk     │
# │ code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))  │
# ╰──────────────────────────────────────────────────────────────────╯
```

--------------------------------

### OAuth2c Miscellaneous Flags for Automation and Debugging

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Utilize flags like --silent for CI/CD, --insecure for development, and others to control browser interaction and timeouts.
```sh
# --silent: suppress all interactive output; only the JSON token response is written to stdout (for CI/CD)
oauth2c https://issuer.example.com \
  --client-id myapp \
  --client-secret mysecret \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --silent
```

```sh
# --insecure: skip TLS certificate verification (development only)
oauth2c https://localhost:8443 \
  --client-id myapp \
  --client-secret mysecret \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --insecure
```

```sh
# --no-browser: print the authorization URL instead of opening it automatically
# --http-timeout: set HTTP client timeout (default: 1m)
# --browser-timeout: how long to wait for the browser callback (default: 10m)
# --no-prompt: disable interactive prompts (useful in non-TTY environments)
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --response-types code \
  --response-mode query \
  --scopes openid \
  --no-browser \
  --no-prompt \
  --http-timeout 30s \
  --browser-timeout 5m
```

--------------------------------

### HTTPS Callback URL with Custom TLS

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Configure custom TLS certificates and keys for HTTPS callback URLs using --callback-tls-cert and --callback-tls-key. This is for securing the redirect endpoint.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --redirect-url https://localhost:9876/callback \
  --callback-tls-cert https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem \
  --callback-tls-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem
```

--------------------------------

### Signed and Encrypted Request Object

Source: https://context7.com/cloudentity/oauth2c/llms.txt

To create a signed and encrypted request object, use the `--request-object`, `--encrypted-request-object`, `--signing-key`, and `--encryption-key` flags.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --request-object \
  --encrypted-request-object \
  --signing-key /path/to/private_key.json \
  --encryption-key /path/to/server_encryption_key.json
```

--------------------------------

### Specify Authorization Server Endpoint Manually

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use this command when your authorization server does not support OIDC Discovery. It requires manual specification of the token and authorization endpoints.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --token-endpoint https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/oauth2/token \
  --authorization-endpoint https://oauth2c.us.authz.cloudentity.io/oauth2c/demo/oauth2/authorize
```

--------------------------------

### Pushed Authorization Requests (PAR)

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Demonstrates Pushed Authorization Requests (PAR), which push the authorization request payload to the server over a back channel before redirecting the browser. This prevents tampering with authorization parameters.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --par
```

--------------------------------

### Set SUBJECT_TOKEN environment variable

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

This command demonstrates how to obtain and set the SUBJECT_TOKEN environment variable using the authorization code grant type.
```sh
export SUBJECT_TOKEN=`oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --silent | jq -r .access_token`
```

--------------------------------

### OAuth2c Authorization Code Grant with PKCE

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use this command for public clients like mobile apps that cannot securely store a client secret. PKCE adds a layer of security to prevent authorization code interception.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id db5e375e7b634095b24bbb683fcb955b \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method none \
  --scopes openid,email \
  --pkce
```

--------------------------------

### Refresh Token Grant with Client Secret Basic

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Obtain a new access token using a refresh token. Requires the REFRESH_TOKEN environment variable to be set.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type refresh_token \
  --auth-method client_secret_basic \
  --refresh-token $REFRESH_TOKEN
```

--------------------------------

### Authorization Code Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Performs a two-step browser-based authorization code grant flow. Ensure http://localhost:9876/callback is registered as a redirect URL. The output is JSON, which can be parsed with tools like jq.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access

# Expected stdout (JSON token response):
# {
#   "access_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
#   "expires_in": 3600,
#   "id_token": "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...",
#   "refresh_token": "7FhKLzUdkmFGhlST...",
#   "scope": "openid email offline_access",
#   "token_type": "Bearer"
# }
```

```sh
# Extract only the access token using jq:
ACCESS_TOKEN=$(oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --silent | jq -r .access_token)
```

--------------------------------

### Hybrid Grant with Client Secret Basic

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Obtain an authorization code and ID token. Requires client ID, secret, and specifies response types and modes.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code,id_token \
  --response-mode form_post \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access
```

--------------------------------

### oauth2c CLI Flags

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

A comprehensive list of flags available for the oauth2c CLI. These flags control various aspects of the OAuth2 flow, authentication, and client behavior.
```sh
      --acr-values strings                                  ACR values
      --actor-token string                                  acting party token
      --actor-token-type string                             acting party token type
      --assertion string                                    claims for jwt bearer assertion
      --audience strings                                    requested audience
      --auth-method string                                  token endpoint authentication method
      --authentication-code string                          authentication code used for passwordless authentication
      --authorization-endpoint string                       server's authorization endpoint
      --browser-timeout duration                            browser timeout (default 10m0s)
      --callback-addr string                                callback server bind address (e.g., 0.0.0.0:8080)
      --callback-tls-cert string                            path to callback tls cert pem file
      --callback-tls-key string                             path to callback tls key pem file
      --claims string                                       use claims
      --client-id string                                    client identifier
      --client-secret string                                client secret
      --device-authorization-endpoint string                server's device authorization endpoint
      --dpop                                                use DPoP
      --encrypted-request-object                            pass request parameters as encrypted jwt
      --encryption-key string                               path or url to encryption key in jwks format
      --grant-type string                                   grant type
  -h, --help                                                help for oauth2c
      --http-timeout duration                               http client timeout (default 1m0s)
      --id-token-hint string                                id token hint
      --idp-hint string                                     identity provider hint
      --insecure                                            allow insecure connections
      --login-hint string                                   user identifier hint
      --max-age string                                      maximum authentication age in seconds
      --mtls-pushed-authorization-request-endpoint string   server's mtls pushed authorization request endpoint
      --mtls-token-endpoint string                          server's mtls token endpoint
      --no-browser                                          do not open browser
      --no-prompt                                           disable prompt
      --par                                                 enable pushed authorization requests (PAR)
      --password string                                     resource owner password credentials grant flow password
      --pkce                                                enable proof key for code exchange (PKCE)
      --prompt strings                                      end-user authorization purpose
      --purpose string                                      string describing the purpose for obtaining End-User authorization
      --pushed-authorization-request-endpoint string        server's pushed authorization request endpoint
      --rar string                                          use rich authorization request (RAR)
      --redirect-url string                                 client redirect url (default "http://localhost:9876/callback")
      --refresh-token string                                refresh token
      --request-object                                      pass request parameters as jwt
      --resource strings                                    requested resource
      --response-mode string                                response mode
      --response-types strings                              response type
      --scopes strings                                      requested scopes
      --signing-key string                                  path or url to signing key in jwks format
  -s, --silent                                              silent mode
      --subject-token string                                third party token
      --subject-token-type string                           third party token type
      --tls-cert string                                     path to tls cert pem file
      --tls-key string                                      path to tls key pem file
      --tls-root-ca string                                  path to tls root ca pem file
      --token-endpoint string                               server's token endpoint
```

--------------------------------

### Claims Request Parameter

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Request specific user attributes in the ID token or userinfo response using the `--claims` flag with a JSON object defining the desired claims.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,offline_access \
  --claims '{"id_token":{"email":{"essential":true}}}'
```

--------------------------------

### Device Authorization Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Initiates the device authorization grant flow for input-constrained devices. oauth2c will poll for authorization status after displaying a verification URL and user code.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type urn:ietf:params:oauth:grant-type:device_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access
```

--------------------------------

### Use Token Exchange Grant Type with oauth2c

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

This command facilitates the token exchange grant type, allowing a client to exchange an existing access token for a new one. Requires the SUBJECT_TOKEN and ACTOR_TOKEN environment variables to be set.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type urn:ietf:params:oauth:grant-type:token-exchange \
  --auth-method client_secret_basic \
  --scopes email \
  --subject-token $SUBJECT_TOKEN \
  --subject-token-type urn:ietf:params:oauth:token-type:access_token \
  --actor-token $ACTOR_TOKEN \
  --actor-token-type urn:ietf:params:oauth:token-type:access_token
```

--------------------------------

### TLS Client Authentication

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Uses tls_client_auth for mutual TLS certificate authentication.
This is for the client credentials grant type.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id 3f07a8c2adea4c1ab353f3ca8e16b8fd \
  --tls-cert https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/cert.pem \
  --tls-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/key.pem \
  --grant-type client_credentials \
  --auth-method tls_client_auth \
  --scopes introspect_tokens,revoke_tokens
```

--------------------------------

### Client Credentials Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Utilizes the client credentials grant flow for server-to-server authentication. The client authenticates directly with its credentials to obtain an access token, suitable for machine authentication where no user interaction is involved.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --scopes introspect_tokens,revoke_tokens
```

--------------------------------

### JARM (JWT Secured Authorization Response Mode)

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Configures JARM with response_mode=query.jwt, wrapping the authorization response in a signed JWT to prevent tampering with the returned authorization code.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query.jwt \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access
```

--------------------------------

### Client Secret Post Authentication

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Uses client_secret_post for client authentication, sending credentials in the request body. This is for the client credentials grant type.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauosoo2omc4fr8ai1fg \
  --client-secret ipFkA1lMomOMI_d2HcGGQ7j8oxeHFqKw3kli76g92VM \
  --grant-type client_credentials \
  --auth-method client_secret_post \
  --scopes introspect_tokens,revoke_tokens
```

--------------------------------

### Authorization Code Grant with Client Secret Basic

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use for server-side applications. Requires client ID, secret, and specifies response types and modes.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic
```

--------------------------------

### Password Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Uses the resource owner password credentials flow. This method sends the username and password directly to the token endpoint and should only be used in highly secure and trusted environments.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type password \
  --username demo \
  --password demo \
  --auth-method client_secret_basic \
  --scopes openid
```

--------------------------------

### Signed Request Object

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Enable signed request objects using the `--request-object` flag. This ensures that the authorization parameters cannot be modified in transit.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --request-object
```

--------------------------------

### Private Key JWT Authentication

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Uses private_key_jwt for client authentication, employing JWTs signed with an asymmetric private key for the highest security. This is for the client credentials grant type.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id 582af0afb0d74554aa7af47849edb222 \
  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
  --grant-type client_credentials \
  --auth-method private_key_jwt \
  --scopes introspect_tokens,revoke_tokens
```

--------------------------------

### Use JWT Bearer Grant Type with oauth2c

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Use this command for the JWT bearer grant type, typically for trusted third-party clients. It requires a signing key and an assertion.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
  --auth-method client_secret_basic \
  --scopes email \
  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
  --assertion '{"sub":"jdoe@example.com"}'
```

--------------------------------

### Refresh Token Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Exchanges a refresh token for a new access token. Ensure the refresh token is obtained first, typically via the authorization code flow.
```sh
# First obtain a refresh token via authorization code flow:
export REFRESH_TOKEN=$(oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access \
  --silent | jq -r .refresh_token)

# Then use it to get a new access token:
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type refresh_token \
  --auth-method client_secret_basic \
  --refresh-token $REFRESH_TOKEN
```

--------------------------------

### Token Exchange Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Facilitates token exchange (RFC 8693) for delegation and impersonation. This involves obtaining both a subject token and an actor token before performing the exchange.
```sh
# Obtain subject token (the token to be exchanged):
export SUBJECT_TOKEN=$(oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,email,offline_access --silent | jq -r .access_token)

# Obtain actor token (the token representing the acting party):
export ACTOR_TOKEN=$(oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type client_credentials \
  --auth-method client_secret_basic \
  --scopes introspect_tokens,revoke_tokens --silent | jq -r .access_token)

# Perform token exchange:
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type urn:ietf:params:oauth:grant-type:token-exchange \
  --auth-method client_secret_basic \
  --scopes email \
  --subject-token $SUBJECT_TOKEN \
  --subject-token-type urn:ietf:params:oauth:token-type:access_token \
  --actor-token $ACTOR_TOKEN \
  --actor-token-type urn:ietf:params:oauth:token-type:access_token
```

--------------------------------

### Signed and Encrypted JARM Response

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Use the `--response-mode query.jwt` and `--encryption-key` flags to generate a JARM response that is both signed and encrypted.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauosoo2omc4fr8ai1fg \
  --client-secret ipFkA1lMomOMI_d2HcGGQ7j8oxeHFqKw3kli76g92VM \
  --response-types code \
  --response-mode query.jwt \
  --grant-type authorization_code \
  --auth-method client_secret_post \
  --scopes openid,email,offline_access \
  --encryption-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json
```

--------------------------------

### Client Secret JWT Authentication

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Uses client_secret_jwt for client authentication, where a JWT is signed (HMAC) with the client secret. This is for the client credentials grant type.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id ab966ce4f2ac4f4aa641582b099c32d3 \
  --client-secret 578-WfFYfBheWb8gJpHYXMRRqR5HN0qv7d7xIolJnIE \
  --grant-type client_credentials \
  --auth-method client_secret_jwt \
  --scopes introspect_tokens,revoke_tokens
```

--------------------------------

### OAuth2c Authorization Code Grant with Request Claims

Source: https://github.com/cloudentity/oauth2c/blob/master/README.md

Request specific user attributes using the 'claims' parameter. This enhances efficiency and security by specifying required claims like email in the ID token.

```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --response-types code \
  --response-mode query \
  --grant-type authorization_code \
  --auth-method client_secret_basic \
  --scopes openid,offline_access \
  --claims '{"id_token":{"email": {"essential": true}}}'
```

--------------------------------

### JWT Bearer Grant Flow

Source: https://context7.com/cloudentity/oauth2c/llms.txt

Employs the JWT bearer grant flow for trusted third-party JWT issuers. Requires a private signing key in JWKS format, which can be a local file path or a URL.
```sh
oauth2c https://oauth2c.us.authz.cloudentity.io/oauth2c/demo \
  --client-id cauktionbud6q8ftlqq0 \
  --client-secret HCwQ5uuUWBRHd04ivjX5Kl0Rz8zxMOekeLtqzki0GPc \
  --grant-type urn:ietf:params:oauth:grant-type:jwt-bearer \
  --auth-method client_secret_basic \
  --scopes email \
  --signing-key https://raw.githubusercontent.com/cloudentity/oauth2c/master/data/rsa/key.json \
  --assertion '{"sub":"jdoe@example.com"}'

# --assertion accepts any JSON object to merge into the JWT claims.
# --signing-key accepts a local file path or a URL pointing to a JWKS.
```
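The two PKCE sections above ("Authorization Code Flow with PKCE" and "OAuth2c Authorization Code Grant with PKCE") show oauth2c generating a `code_verifier` and deriving `code_challenge = BASE64URL-ENCODE(SHA256(ASCII(code_verifier)))`. The following Python is an added example, not code from oauth2c, that carries out that derivation on both sides of the flow: the client-side generation that oauth2c's `--pkce` flag performs, and the token-endpoint check an authorization server makes when the code is redeemed. The `code_verifier` value it checks against is the one printed in the PKCE section above (also the RFC 7636 test vector); the client id and redirect URL are taken from the same section.

```python
"""PKCE (RFC 7636) on both sides of the authorization code flow.

Client side: generate a code_verifier and its S256 code_challenge, as
oauth2c --pkce does. Server side: at the token endpoint, recompute the
challenge from the presented verifier and compare it in constant time.
"""
import base64
import hashlib
import re
import secrets

# RFC 7636 section 4.1: unreserved characters only, 43 to 128 characters.
_VERIFIER_RE = re.compile(r"[A-Za-z0-9\-._~]{43,128}")


def b64url_nopad(data: bytes) -> str:
    """Base64url without '=' padding, as RFC 7636 Appendix A specifies."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def generate_code_verifier(nbytes: int = 32) -> str:
    """CSPRNG verifier: 32 random bytes encode to a 43-character string."""
    if not 32 <= nbytes <= 96:
        raise ValueError("32..96 random bytes keep the verifier within 43..128 chars")
    return b64url_nopad(secrets.token_bytes(nbytes))


def is_valid_code_verifier(code_verifier: str) -> bool:
    return _VERIFIER_RE.fullmatch(code_verifier) is not None


def code_challenge_s256(code_verifier: str) -> str:
    """BASE64URL-ENCODE(SHA256(ASCII(code_verifier))), the value oauth2c prints."""
    if not is_valid_code_verifier(code_verifier):
        raise ValueError("code_verifier violates the RFC 7636 length/charset rules")
    return b64url_nopad(hashlib.sha256(code_verifier.encode("ascii")).digest())


def authorization_request_params(client_id: str, redirect_uri: str,
                                 scopes: list, code_verifier: str,
                                 state: str) -> dict:
    """Query parameters a public client sends to the authorization endpoint.
    The verifier itself stays on the client; only the challenge travels."""
    return {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": " ".join(scopes),
        "state": state,
        "code_challenge": code_challenge_s256(code_verifier),
        "code_challenge_method": "S256",
    }


def verify_code_challenge(code_verifier: str, code_challenge: str,
                          method: str = "S256") -> bool:
    """Token-endpoint check: the presented verifier must reproduce the
    challenge bound to the authorization code. Returns False rather than
    raising, so malformed input does not leak a distinguishable error."""
    if not is_valid_code_verifier(code_verifier):
        return False
    if method == "S256":
        expected = code_challenge_s256(code_verifier)
    elif method == "plain":  # permitted by RFC 7636 but offers no protection
        expected = code_verifier
    else:
        return False
    return secrets.compare_digest(expected.encode("utf-8"),
                                  code_challenge.encode("utf-8"))


if __name__ == "__main__":
    # Same verifier as the oauth2c PKCE output above (RFC 7636 Appendix B).
    verifier = "dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk"
    params = authorization_request_params(
        client_id="db5e375e7b634095b24bbb683fcb955b",
        redirect_uri="http://localhost:9876/callback",
        scopes=["openid", "email"],
        code_verifier=verifier,
        state=b64url_nopad(secrets.token_bytes(16)),  # constructed per run
    )
    print("code_challenge =", params["code_challenge"])
    print("server accepts  =", verify_code_challenge(verifier, params["code_challenge"]))
```
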