UserInfo endpoint responds to "profile" scope

Part of story #14714: be an OpenID Connect provider

To test you need an access token with the 'openid' scope, the 'profile' scope and optionally also the 'email' scope (if the usage of PKCE is forced, add the mandatory parameters):

1. In the project admin create an OAuth2 app (note the ID and the given secret)
2. Access the authorize page at the URL
   https://tuleap.example.com/oauth2/authorize?client_id=<client_id>&scope=openid%20profile&response_type=code&redirect_uri=<redirect_uri>
3. Quickly retrieve (it is valid only 1 minute) the authorization code from the URL
4. Exchange the authorization code for an access token and an ID token:
   shell> curl -X POST -H 'Content-Type: application/x-www-form-urlencoded' \
              --user '<client_id>:<client_secret>' \
              --data 'grant_type=authorization_code&redirect_uri=<redirect_uri>&code=<authorization_code>' \
              https://tuleap.example.com/oauth2/token
5. Access the UserInfo endpoint with the given Access token:
   shell> curl -H 'Authorization: Bearer <access_token>' https://tuleap.example.com/oauth2/userinfo
6. The response will be a JSON object containing the "sub" claim and the other claims for user profile [0]. If the 'email' scope was used, it will also list "email" and "email_verified" claims.

[0] https://openid.net/specs/openid-connect-core-1_0.html#ScopeClaims

Change-Id: I6b2898754e93d7f26799ab998056bab0e5b5330d
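
An added example, not part of this commit or of Tuleap's code: a Python check for the JSON returned in step 6, confirming that "sub" is present and that no claim is released beyond what the granted scopes allow under the ScopeClaims section linked as [0]. The function name `check_userinfo` and the sample responses are constructed for illustration.

```python
import json

# Claims each scope may release (OpenID Connect Core 1.0, section 5.4).
SCOPE_CLAIMS = {
    "profile": {"name", "family_name", "given_name", "middle_name", "nickname",
                "preferred_username", "profile", "picture", "website",
                "gender", "birthdate", "zoneinfo", "locale", "updated_at"},
    "email": {"email", "email_verified"},
}

def check_userinfo(granted_scope, userinfo_json, id_token_sub=None):
    """Return a list of problems in a UserInfo response; empty means OK."""
    scopes = set(granted_scope.split())
    if "openid" not in scopes:
        return ["access token lacks the 'openid' scope"]
    claims = json.loads(userinfo_json)
    if not isinstance(claims, dict):
        return ["response is not a JSON object"]
    problems = []
    sub = claims.get("sub")
    if not isinstance(sub, str) or not sub:
        problems.append("missing or empty 'sub' claim")
    elif id_token_sub is not None and sub != id_token_sub:
        # Clients must reject a UserInfo 'sub' that differs from the ID token's.
        problems.append("'sub' differs from the ID token's 'sub'")
    # Anything outside 'sub' plus the claims of the granted scopes is a leak.
    allowed = {"sub"}
    for scope in scopes:
        allowed |= SCOPE_CLAIMS.get(scope, set())
    for name in sorted(set(claims) - allowed):
        problems.append(f"claim '{name}' released without a matching scope")
    if "email_verified" in claims and not isinstance(claims["email_verified"], bool):
        problems.append("'email_verified' is not a JSON boolean")
    return problems

# Constructed sample responses (not captured from a real server).
PROFILE_ONLY = ('{"sub": "102", "name": "Alice Example", '
                '"preferred_username": "alice", "locale": "en_US"}')
WITH_EMAIL = ('{"sub": "102", "name": "Alice Example", '
              '"email": "alice@example.com", "email_verified": true}')

if __name__ == "__main__":
    print(check_userinfo("openid profile", PROFILE_ONLY))
    print(check_userinfo("openid profile email", WITH_EMAIL))
    print(check_userinfo("openid profile", WITH_EMAIL))
```

Pass the `scope` value the token was actually granted and the raw body from the `curl` call in step 5; a non-empty list points at a claim the endpoint should not have returned for that token.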

Modified Files

A plugins/oauth2_server/include/OpenIDConnect/Scope/OpenIDConnectProfileScope.php +104 −0
M plugins/oauth2_server/include/User/UserInfoController.php +10 −6
M plugins/oauth2_server/include/User/UserInfoResponseRepresentation.php +49 −23
M plugins/oauth2_server/include/oauth2_serverPlugin.php +3 −1
A plugins/oauth2_server/phpunit/OpenIDConnect/Scope/OpenIDConnectProfileScopeTest.php +34 −0
M plugins/oauth2_server/phpunit/User/UserInfoControllerTest.php +37 −24
A plugins/oauth2_server/phpunit/User/UserInfoResponseRepresentationTest.php +92 −0
M plugins/oauth2_server/site-content/fr_FR/LC_MESSAGES/tuleap-oauth2_server.po +10 −0
M tests/lib/Builders/UserTestBuilder.php +6 −0
D tests/phpcs/TuleapCodingStandard/Tuleap/OAuth2Server/User/UserInfoResponseRepresentationTest.php +0 −48