Identity Server: How to retrieve access code and access token

Shahar Shokrani
2 min readJul 21, 2021

This demonstration for identity server is using https://demo.identityserver.io/ (code flow with public client):

client id: interactive.public
grant type: authorization code with PKCE and client credentials
access token lifetime: 60 minutues
allowed scopes: openid profile email api offline_access

Get the access code:

In order to get the access code you should first refer to the authorize endpoint by copying this address to chrome:

https://demo.identityserver.io/connect/authorize?client_id=interactive.public&response_type=code&redirect_uri=http://localhost:4200/signin-callback&response_mode=query&scope=openid profile email api offline_access&code_challenge=fZOP0qLFcXxmiNIvah4pczdgXHrVC_g1N4S-VANevBw&code_challenge_method=S256

Keep in mind:

  1. client_id should be the same as the IDP config (interactive.public).
  2. redirect_uri should be the same as the IDP config (just arbitrary local url: http://localhost:4200/signin-callback).
  3. scope should be the same as within the config (openid profile email api offline_access).
  4. code_challenge should be correlated for code_verifier later (use this code to reproduced a new one)
code_verifier: XwxHq8ydAODPVoUCJYjnmkZC1fq44RXv8Acw9nMsuic code_challenge: fZOP0qLFcXxmiNIvah4pczdgXHrVC_g1N4S-VANevBw

Once inside the login page:

  1. Enter your credentials (bob + bob) don’t press Login yet.
  2. Open chrome DevTool in order to sniff the access code.
  3. Press Preserve Log.
  4. Press Login.
  5. then you be redirected into your given redirect_uri address.
  6. Via network tab sniff the code, it should be in the format of:
  7. http://localhost:4200/signin-callback?code=E50C8551491C9120BEB8A573CF24F1FCF3C532B6628B8A967B1989B92464E5B1&scope=openid%20profile%20email%20api%20offline_access&session_state=_eCI_WdwNAI5R92wyuhQJh3SDkaHjH93-6FCO6eytsI.E5153EF662752A44C7E0D4D951965F74
  8. In this case the code is E50C8551491C9120BEB8A573CF24F1FCF3C532B6628B8A967B1989B92464E5B1

Get the access token:

After you have the access code you should refer to the token endpoint, using Postman make this request:

Post https://demo.identityserver.io/connect/token

client_id:interactive.public

scope:openid profile email api offline_access

redirect_uri:http://localhost:4200/signin-callback

grant_type:authorization_code

code:E50C8551491C9120BEB8A573CF24F1FCF3C532B6628B8A967B1989B92464E5B1

code_verifier:XwxHq8ydAODPVoUCJYjnmkZC1fq44RXv8Acw9nMsuic

You will get this result:

{
"id_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg5QkVCRDE0MkI4M0U4RUEyNjQ3Q0U2MkNGRTQxMENFIiwidHlwIjoiSldUIn0.eyJuYmYiOjE2MjY4NTE5MjQsImV4cCI6MTYyNjg1MjIyNCwiaXNzIjoiaHR0cHM6Ly9kZW1vLmlkZW50aXR5c2VydmVyLmlvIiwiYXVkIjoiaW50ZXJhY3RpdmUucHVibGljIiwiaWF0IjoxNjI2ODUxOTI0LCJhdF9oYXNoIjoibW9ZQTQ1dlUtTnh1d0NLeFJqMTJmQSIsInNpZCI6IkVBMTZEMjAzNkM5MTRBRTA5NjU1Qzk0RDhBOUYwNzAzIiwic3ViIjoiMTEiLCJhdXRoX3RpbWUiOjE2MjY4NTAzMTgsImlkcCI6ImxvY2FsIiwiYW1yIjpbInB3ZCJdfQ.KGFsOjHwKe4X2TwqjhnXIgAgKM7uoHzogvjGX-jmw4mQv7jkgywILkX4WtT3twgbygV8J44x9TjJ7hYlIhM_GRxK7ZCeio2S1BDsWpcroqyjCA-9ov7LWv22-ugIP4GT5tjCPO6tSNaInNKQF2q97gXiIEWJyWz4K6GcM-HktXIb9O5fseVBKLiIFKSxW5pP4GubC5gK_p4EJrW8PimYPj7trK_z_VRyXpaJOOf3b5mP36X2W3-ic60BBADZbNi4-if1czkIcPfvj39QgYp02Wb0t217-mSD3571-t5ntHX69b0Rh9iqVbpcVgXquH3J2rfhmTfbaTM4mMA2M77n_A",
"access_token": "eyJhbGciOiJSUzI1NiIsImtpZCI6Ijg5QkVCRDE0MkI4M0U4RUEyNjQ3Q0U2MkNGRTQxMENFIiwidHlwIjoiYXQrand0In0.eyJuYmYiOjE2MjY4NTE5MjQsImV4cCI6MTYyNjg1NTUyNCwiaXNzIjoiaHR0cHM6Ly9kZW1vLmlkZW50aXR5c2VydmVyLmlvIiwiYXVkIjoiYXBpIiwiY2xpZW50X2lkIjoiaW50ZXJhY3RpdmUucHVibGljIiwic3ViIjoiMTEiLCJhdXRoX3RpbWUiOjE2MjY4NTAzMTgsImlkcCI6ImxvY2FsIiwianRpIjoiRENDNUQ3MjA5QThCNDI3QjkyOEVGRjlEODJBQ0Q4MjMiLCJzaWQiOiJFQTE2RDIwMzZDOTE0QUUwOTY1NUM5NEQ4QTlGMDcwMyIsImlhdCI6MTYyNjg1MTkyNCwic2NvcGUiOlsib3BlbmlkIiwicHJvZmlsZSIsImVtYWlsIiwiYXBpIiwib2ZmbGluZV9hY2Nlc3MiXSwiYW1yIjpbInB3ZCJdfQ.eVMPbgseB5ZmqJOaeoeQZuCrlOr6H5wb1j8FyYnpgAGR0yONuztekpxCqD_5_ZVZrAs6Y6SlVFsFL66Lsgr-L5Pix3VZk7eIOghOEV9GSo4DlUtgUzKE9X9aDGz433-fus-oBtcXu1ijdj_NSPSIe5iHBk3K_XKy-hjX2ay6yumtLgn8EwrYCsZh02TpSQKsmatzpVgIbIkYsrbtk3J4Fztl77htC0gU_nlUSPQbHjCicRMduJnr7BiBdCBAaUhhHVIhYpr90pgkv2zMEX4VW9YAKx0Rm-5DN4Y8PxtOXOvFn3y8O-fDmDQJIHbLUEPOT-y1kO10NzDeSrwjpgubXQ",
"expires_in": 3600,
"token_type": "Bearer",
"refresh_token": "F3E88740AD7CA640D329E1C48EA0921644AAB89C0BC893258262DB5ADD201CEB",
"scope": "openid profile email api offline_access"
}

Now you can use the access token to make authorized request to the secured api.

Or get additional info for the client by parsing the JWT id_token here: https://jwt.io/.

--

--