How can I see SSO (OpenID/OAuth) authorization token from the client side?

I know how to view a SAML request/response from the HTTP requests in the browser, which I frequently do to troubleshoot SSO configurations (such as viewing the actual claims sent in the assertion).

Is there a way to see the JWT sent during SSO using OAuth/OIDC?

Asking this from the side of the IdP administrator, not as a developer/relying party administrator, and preferably without any browser extensions.



Solution 1:[1]

By default the identity token is delivered in the backchannel using what is called an Authorization Code flow. There's no easy way to get it into the browser. However:

a) if you have access to the Client ID and Client Secret you may compose a Postman call that exchanges the authorization code for an identity token by hand, see: How can Postman get the OAuth 2.0 auth token in the authorization code flow?.

b) if you're able to change the so-called "grant type" that the Client uses, you can use the Implicit grant type that will exchange tokens in the front channel, thus accessible from a browser; you should note that this grant type is deprecated.
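
Doing the exchange from step (a) by hand, as an added Python example that is not part of the answer: it builds the token-endpoint POST (RFC 6749 §4.1.3, client secret sent via HTTP Basic) and decodes the claims of the returned ID token for inspection. The token endpoint, credentials and sample token below are constructed placeholders, not values from any real IdP.

```python
import base64
import json
import urllib.parse
import urllib.request


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims of a compact JWS.

    Inspection only: the signature is NOT verified here, so use this to read
    claims while troubleshooting, not to trust them. Base64url segments in a
    JWT have their '=' padding stripped, so it is restored before decoding.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    payload = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(payload))


def build_code_exchange(token_endpoint: str, code: str, client_id: str,
                        client_secret: str, redirect_uri: str) -> urllib.request.Request:
    """Build the authorization-code -> token request (grant_type=authorization_code).

    Client credentials go in an HTTP Basic header (client_secret_basic); RFC 6749
    §2.3.1 requires them to be form-urlencoded before base64 encoding.
    """
    body = urllib.parse.urlencode({
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": redirect_uri,  # must match the one used in the authorize call
    }).encode()
    creds = f"{urllib.parse.quote(client_id)}:{urllib.parse.quote(client_secret)}"
    basic = base64.b64encode(creds.encode()).decode()
    return urllib.request.Request(token_endpoint, data=body, method="POST", headers={
        "Authorization": f"Basic {basic}",
        "Content-Type": "application/x-www-form-urlencoded",
    })


def fetch_id_token_claims(req: urllib.request.Request) -> dict:
    """Send the exchange and decode the id_token from the JSON token response."""
    with urllib.request.urlopen(req, timeout=10) as resp:
        token_response = json.load(resp)
    return decode_jwt_claims(token_response["id_token"])


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


# Constructed sample ID token (alg "none", empty signature) so decoding runs offline.
SAMPLE_ID_TOKEN = ".".join([
    _b64url(b'{"alg":"none","typ":"JWT"}'),
    _b64url(b'{"iss":"https://idp.example","sub":"alice","aud":"my-client","email":"alice@example.com"}'),
    "",
])

if __name__ == "__main__":
    print(json.dumps(decode_jwt_claims(SAMPLE_ID_TOKEN), indent=2))
```

Against a real IdP, pass the output of build_code_exchange (with the code captured from the redirect URI) to fetch_id_token_claims; the claims it prints are the ones the relying party receives.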

Solution 2:[2]

It's in the body of the response to the 'token' endpoint.

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1 Hans Z.
Solution 2 Evert