Authorization code grant type

OAuth 2.0 defines several grant types, each suited to a different use case:

  • Authorization code,
  • Authorization code with PKCE (an extension of the authorization code grant for public clients),
  • Client credentials,
  • Device code,
  • Refresh token.

This document walks through the configuration of the authorization code grant type as an example.

To return user attributes (such as email or address) as claims in the id_token under the Authorization Code grant type, perform the following steps.

  1. Set a Groovy script for the required scope (for example, email). Go to webconsole > Access control > Resource, apply the OAuth scope filter and open the required scope by clicking Edit.

(Screenshots: Scope; Groovy)

  2. In the scope configuration window, find the Groovy Script field and set it to /oauth/EmailScopeResolver.groovy. An example of the scope resolver code is shown below.

(Screenshot: Groovy code)

  3. In the authorization request, include openid in the scope. A Postman example is shown below.

(Screenshot: Authorization request scope)

  4. You will get a response similar to the following.

(Screenshots: Response; Response token, encoded and decoded)
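As an added, stand-alone Python example (not OpenIAM code), the client side of the flow configured above: it builds the authorization request with the openid scope plus the scopes whose claims it wants, enforces the 100-character Scope limit this page notes for version 4.2.1.10, verifies the returned id_token before reading any claim from it, and reports which requested scopes came back without a claim (as happens for email until a resolver script is attached to the scope). The endpoints, client_id, redirect URI, signing key and the id_token itself are constructed for the example. An OpenID Connect provider normally signs id_tokens with an asymmetric key published at its JWKS endpoint; the shared-secret HS256 check here stands in for that step so the example runs offline.

```python
# Client side of the authorization code flow: request, id_token verification,
# scope/claim check. Added example, not OpenIAM code; all values are constructed.
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

# Assumed values for illustration only; replace with those of your deployment.
AUTHORIZE_ENDPOINT = "https://idp.example.com/idp/oauth2/authorize"
ISSUER = "https://idp.example.com"
CLIENT_ID = "demo-client"
REDIRECT_URI = "https://app.example.com/callback"
SCOPE_FIELD_LIMIT = 100  # Scope field limit noted for OpenIAM 4.2.1.10


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def build_authorization_url(endpoint, client_id, redirect_uri, scopes, state, nonce):
    """Step 3: the authorization request. 'openid' must be present for an id_token
    to be issued; the other scopes select the claims the id_token carries."""
    if "openid" not in scopes:
        raise ValueError("the openid scope is required to receive an id_token")
    scope = " ".join(scopes)
    if len(scope) > SCOPE_FIELD_LIMIT:
        raise ValueError(f"scope string is {len(scope)} chars, limit is {SCOPE_FIELD_LIMIT}")
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,  # bound to the browser session, checked on the redirect back
        "nonce": nonce,  # echoed in the id_token, checked in verify_id_token
    }
    return f"{endpoint}?{urlencode(params)}"


def sign_hs256(claims, key):
    """Build a compact JWT; used here only to construct the sample id_token."""
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"


def verify_id_token(token, key, issuer, client_id, nonce, now=None):
    """Check signature, issuer, audience, expiry and nonce before trusting any claim.
    Decoding the payload alone, as a JWT debugger does, proves nothing about it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, body_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # reject 'none' and algorithm swaps
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(body_b64))
    now = time.time() if now is None else now
    if claims.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")
    if client_id not in ([aud] if isinstance(aud, str) else aud or []):
        raise ValueError("audience mismatch")
    if claims.get("exp", 0) <= now:
        raise ValueError("token expired")
    if claims.get("nonce") != nonce:
        raise ValueError("nonce mismatch")
    return claims


def missing_claims(requested_scopes, claims):
    """Requested scopes (other than openid) whose claim did not come back.
    On this page, email stays missing until EmailScopeResolver.groovy is set on the scope."""
    return [s for s in requested_scopes if s != "openid" and s not in claims]


def demo(now=1_700_000_000):
    """Full run with a constructed id_token such as the server returns after the
    code exchange once the email scope has its resolver script attached."""
    key = b"constructed-demo-key-not-a-real-openiam-secret"
    nonce, state = "n-0S6_WzA2Mj", "af0ifjsldkj"
    scopes = ["openid", "email", "given_name", "family_name"]
    url = build_authorization_url(AUTHORIZE_ENDPOINT, CLIENT_ID, REDIRECT_URI, scopes, state, nonce)
    token = sign_hs256({
        "iss": ISSUER, "aud": CLIENT_ID, "sub": "jdoe", "iat": now, "exp": now + 300,
        "nonce": nonce, "given_name": "John", "family_name": "Doe", "email": "jdoe@example.com",
    }, key)
    claims = verify_id_token(token, key, ISSUER, CLIENT_ID, nonce, now=now)
    return url, claims, missing_claims(scopes, claims)


if __name__ == "__main__":
    url, claims, missing = demo()
    print(url, json.dumps(claims, indent=2), f"scopes without a claim: {missing}", sep="\n")
```

If `missing_claims` reports `email` while `given_name` and `family_name` are present, the request was fine and the scope is simply missing its Groovy resolver; a failure in `verify_id_token` means the token must not be used at all, whatever claims its payload appears to carry.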

Several scopes return their claim without a Groovy script, for example the following.

  • given_name
  • family_name
  • middle_name
  • nickname
  • user_name
  • preferred_username
  • picture
  • gender
  • birthdate
  • locale
  • updated_at
  • phone_number_verified
  • email_verified

So for these you get the claims in the response without an additional Groovy script, as shown below.

(Screenshots: Response without Groovy)

Note that in OpenIAM version 4.2.1.10 the Scope field is limited to 100 characters.

(Screenshot: Characters limit)