Obtain Bearer token, using only Client ID and Secret. Is it possible

Question

I have WSO2 API Manager on a standalone machine. I have a java client (Assume PSVM) with necessary Client Id and Secret of the registered application on APIM. Can we obtain the Bearer Token using only Client Id and Secret in Java.

Help appreciated, please.

I have following code but, it requires username and password.

public Token getToken(String username, String password, String scopes){

    String submitUrl = GenarateAccessTokenConfiguration.getInstance().getLoginURL();
    String consumerKey = GenarateAccessTokenConfiguration.getInstance().getConsumerKey();
    String consumerSecret = GenarateAccessTokenConfiguration.getInstance().getConsumerSecret();

    try {
        String applicationToken = consumerKey + ":" + consumerSecret;
        BASE64Encoder base64Encoder = new BASE64Encoder();
        applicationToken = "Basic " + base64Encoder.encode(applicationToken.getBytes()).trim();

        String payload = "grant_type=password&username="+username+"&password="+password+"&scope="+scopes;
        HttpResponse httpResponse = httpClient.doPost(submitUrl,applicationToken,
                payload,"application/x-www-form-urlencoded");
        if (httpResponse.getStatusLine().getStatusCode() != 200) {
            return null;
        }
        String response = httpClient.getResponsePayload(httpResponse);


        System.out.println("JSON Response : "+response);


        return JSONClient.getAccessToken(response);
    } catch (IOException e) {
        e.printStackTrace();
        return null;
    }
}

public Token getTokenWithScopes(String username, String password, String scopes){
    String submitUrl = GenarateAccessTokenConfiguration.getInstance().getLoginURL();
    String consumerKey = GenarateAccessTokenConfiguration.getInstance().getConsumerKey();
    String consumerSecret = GenarateAccessTokenConfiguration.getInstance().getConsumerSecret();
    try {
        String applicationToken = consumerKey + ":" + consumerSecret;
        BASE64Encoder base64Encoder = new BASE64Encoder();
        applicationToken = "Basic " + base64Encoder.encode(applicationToken.getBytes()).trim();

        String payload = "grant_type=password&username="+username+"&password="+password+"&scope="+scopes;
        HttpResponse httpResponse = httpClient.doPost(submitUrl,applicationToken,
                payload,"application/x-www-form-urlencoded");
        if (httpResponse.getStatusLine().getStatusCode() != 200) {
            return null;
        }
        String response = httpClient.getResponsePayload(httpResponse);
        return JSONClient.getAccessToken(response);
    } catch (IOException e) {
        e.printStackTrace();
        return null;
    }
}

Answer 1

You may look into its token API:

Users need access tokens to invoke APIs subscribed under an application. Access tokens are passed in the HTTP header when invoking APIs. The API Manager provides a Token API that you can use to generate and renew user and application access tokens. The response of the Token API is a JSON message. You extract the token from the JSON and pass it with an HTTP Authorization header to access the API.

The following topic explain how to generate/renew access tokens and authorize them. WSO2 API Manager supports the four most common authorization grant types and you can also define additional types.

• Exchanging SAML2 Bearer Tokens with OAuth2 - SAML Extension Grant Type
• Generating Access Tokens with Authorization Code - Authorization Code Grant Type
• Generating Access Tokens with NT LAN Manager - NTLM Grant Type
• Generating Access Tokens with User Credentials - Password Grant Type

Answer 2

If you check the Oauth2 grant types, you could find an answer for this. WSO2 API manager supports all grant types (Authorization Code, Implicit, Resource Owner Password Credentials, Client Credentials mentioned in OAuth 2.0 spec). Each grant type has different flow to generate access token.

Resource Owner Password Credentials grant type (or password grant type) which you are using now needs username and password to generate the token. If you want to use client secret and client id, then you can use client credential grant type. see client credential grant type section

Answer 3

Yes, it's Possible.

Reference :

1. Access Keycloak REST Admin API using a service account (client credential grant)

2. https://www.keycloak.org/docs/latest/server_admin/index.html#_service_accounts

Steps to do in Keycloak :
Step 1: Click Clients in the menu

• Click the Settings tab
  
• Select your client
  
• Enable Service Account to On.
  

Step 2 : Click the Scope tab,

• Verify that you have roles or toggle Full Scope Allowed to ON.
  
  

Code:

    public AuthenticationResponse getAccessTokenByClientIdAndClientSecret(AuthorizationRequest authorizationRequest) {
    try {
        log.trace("Generating authentication token using client credentials");
        RestTemplate restTemplate = restTemplateBuilder.build();
        HttpHeaders headers = new HttpHeaders();
        headers.setContentType(MediaType.APPLICATION_FORM_URLENCODED);

        MultiValueMap<String, String> body = new LinkedMultiValueMap<>();
        body.add(GRANT_TYPE, CLIENT_CREDENTIALS);
        body.add(CLIENT_ID, authorizationRequest.getClientId());
        body.add(CLIENT_SECRET, authorizationRequest.getClientSecret());

        HttpEntity<MultiValueMap<String, String>> request = new HttpEntity<>(body, headers);

        ResponseEntity<String> response = restTemplate.postForEntity(keycloakUrl + REALMS + keycloakRealm + PROTOCOL_OPENID_CONNECT_TOKEN,
                request, String.class);

        ObjectMapper mapper = new ObjectMapper().disable(DeserializationFeature.FAIL_ON_UNKNOWN_PROPERTIES);
        AuthenticationResponse authenticationResponse = mapper.readValue(response.getBody(), AuthenticationResponse.class);
        log.trace("Token generated successfully, now returning to calling function");
        return authenticationResponse;
    } catch (Exception ex) {
        log.error("Exception occurred while generating access token: {}", ex.getMessage());
        throw ex;
    }
}