Skip to main content

Common OAuth2 flows in the Ory Network

Ory OAuth2 & OpenID Connect (based on the Ory Hydra Federation Server) is available in the Ory Network out of the box. This means that you can use OIDC, Authorization Code Grant, Client Credentials Grant, and more, without additional configuration or extra charge.

Following this guide allows you to experience the most commonly used OAuth2 flows and see how they work in Ory Network. The examples will take you through the following steps:

  • Creating OAuth2 clients in the Ory Network with the Ory CLI
  • Using the Authorization Code Grant with federation to Ory Identities for user authentication and UI views (login page, consent page) supplied by the Ory Account Experience
  • Using the Client Credentials Grant
  • Performing token introspection using the Ory CLI

Prerequisites

Before you start, prepare your environment:

tip

Make sure you're using the latest version of the CLI. Run:

brew upgrade ory/tap/cli

Authorization Code Grant

The Authorization Code Grant is most commonly used in scenarios where applications need to perform actions on behalf of users. For example, when an online marketplace allows users to add photos from their Google Photos album to listings.

To achieve that, the online marketplace must access the user's Google Photos library on their behalf. If the user accepts the access scope requested by the app (online marketplace), the app's client gets an id_token and access_token pair which is then used to interact with Google Photos.

This is what using the grant with UI views supplied by the Ory Account Experience looks like:

To try the Authorization Code Grant, follow these steps:

  1. Create an Ory Network project using the Ory CLI and export the project ID:

    ory create project --name "Ory OAuth2 Example"
    project_id="{set to the project ID from output}"
  2. Create an OAuth2 client:

    ory create oauth2-client --project $project_id \
    --name "Authorization Code Grant with OpenID Connect Demo" \
    --grant-type authorization_code,refresh_token \
    --response-type code \
    --redirect-uri http://127.0.0.1:4446/callback
    info

    You can also create OAuth2 clients by calling the administrative API. To learn more, read the API specification.

    curl -X POST 'SDK_CONFIGURATION_URL/admin/clients' \ # Get it from the Ory Console → Access & APIs
    -H 'Content-Type: application/json' \
    -H 'Authorization: Bearer ORY_PAT' \ # Ory Network personal access token
    -d '{
    "client_name": "YOUR_CLIENT_NAME",
    "grant_types": [
    "authorization_code"
    ],
    "redirect_uris": [
    "http://127.0.0.1:4446/callback"
    ],
    "response_types": [
    "code",
    "id_token",
    "refresh_token"
    ],
    "scope": "openid offline"
    }'
  3. Export the ID and secret of the created client:

    code_client_id="{set to CLIENT ID from output}"
    code_client_secret="{set to CLIENT SECRET from output}"
  4. Start the Authorization Code Grant flow:

    ory perform authorization-code \
    --project $project_id \
    --client-id $code_client_id \
    --client-secret $code_client_secret
    note

    This opens a sample OAuth2 consumer app in your default browser.

  5. In the browser, use the UI to register a new user and allow the client to get the requested scopes to get an access_token, a refresh_token, and an id_token. This information is also printed in the terminal used to run the commands.

  6. Perform token introspection to get the access_token details:

    # Export 'access_token'
    code_access_token="{set to ACCESS TOKEN from output}"

    # Perform token introspection
    ory introspect token $code_access_token --project $project_id

Client Credentials Grant

The Client Credentials Grant is commonly used in machine-to-machine communications. This allows web services, applications, or devices to call each other without the context of human users. Activity that uses this grant often runs in the background and doesn't require any user interaction.

Follow these steps to try this grant in Ory Network:

  1. Create an Ory Network project using the Ory CLI and export the project ID:

    ory create project --name "Ory OAuth2 Example"
    project_id="{set to the project ID from output}"
  2. Create an OAuth2 client:

    ory create oauth2-client --project $project_id \
    --name "Client Credentials Demo" \
    --grant-type client_credentials
  3. Export the ID and secret of the created client:

    client_id="{set to CLIENT ID from output}"
    client_secret="{set to CLIENT SECRET from output}"
  4. Start the Client Credentials Grant:

    ory perform client-credentials \
    --client-id=$client_id \
    --client-secret=$client_secret \
    --project $project_id
  5. Perform token introspection to get the access_token details:

    # Export 'access_token'
    access_token="{set to ACCESS TOKEN from output}"

    # Perform token introspection
    ory introspect token $access_token --project $project_id