HttpContext.Request.IsHttps:	True
HttpContext.Request.Host.Value:	auth-int.narrpr.com
Loaded Identity Resources:	openid,email,rpr_contact,rpr_current_user,rpr_permissions,rpr_roles,rpr_mobile_device (7)
Loaded API Resources:	mobile_api,web_api,auth_api,main_api (4)

1. OpenID Configuration: https://auth-int.narrpr.com/.well-known/openid-configuration

{
  "issuer": "https://auth-int.narrpr.com",
  "jwks_uri": "https://auth-int.narrpr.com/.well-known/openid-configuration/jwks",
  "authorization_endpoint": "https://auth-int.narrpr.com/connect/authorize",
  "token_endpoint": "https://auth-int.narrpr.com/connect/token",
  "userinfo_endpoint": "https://auth-int.narrpr.com/connect/userinfo",
  "end_session_endpoint": "https://auth-int.narrpr.com/connect/endsession",
  "check_session_iframe": "https://auth-int.narrpr.com/connect/checksession",
  "revocation_endpoint": "https://auth-int.narrpr.com/connect/revocation",
  "introspection_endpoint": "https://auth-int.narrpr.com/connect/introspect",
  "device_authorization_endpoint": "https://auth-int.narrpr.com/connect/deviceauthorization",
  "backchannel_authentication_endpoint": "https://auth-int.narrpr.com/connect/ciba",
  "pushed_authorization_request_endpoint": "https://auth-int.narrpr.com/connect/par",
  "require_pushed_authorization_requests": false,
  "frontchannel_logout_supported": true,
  "frontchannel_logout_session_supported": true,
  "backchannel_logout_supported": true,
  "backchannel_logout_session_supported": true,
  "scopes_supported": [
    "openid",
    "email",
    "rpr_contact",
    "rpr_current_user",
    "rpr_permissions",
    "rpr_roles",
    "rpr_mobile_device",
    "mobile_api_access",
    "web_api_access",
    "auth_api_access",
    "main_api_access",
    "web_api_content_sharing_access",
    "offline_access"
  ],
  "claims_supported": [
    "sub",
    "email",
    "given_name",
    "family_name",
    "name",
    "security_stamp",
    "user_type_id",
    "user_expiration_date",
    "is_password_change_required",
    "impersonator_sub",
    "impersonator_email",
    "impersonator_name",
    "assistant_sub",
    "assistant_email",
    "assistant_name",
    "rpr_permission_ids",
    "rpr_role_ids",
    "rpr_mobile_device_id",
    "has_mobile_api_full_access",
    "has_web_api_full_access",
    "has_auth_api_full_access",
    "has_main_api_full_access",
    "has_web_api_content_sharing_access"
  ],
  "grant_types_supported": [
    "authorization_code",
    "client_credentials",
    "refresh_token",
    "implicit",
    "password",
    "urn:ietf:params:oauth:grant-type:device_code",
    "urn:openid:params:grant-type:ciba",
    "device_password"
  ],
  "response_types_supported": [
    "code",
    "token",
    "id_token",
    "id_token token",
    "code id_token",
    "code token",
    "code id_token token"
  ],
  "response_modes_supported": [
    "form_post",
    "query",
    "fragment"
  ],
  "token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
  ],
  "id_token_signing_alg_values_supported": [
    "RS256"
  ],
  "subject_types_supported": [
    "public"
  ],
  "code_challenge_methods_supported": [
    "plain",
    "S256"
  ],
  "request_parameter_supported": true,
  "request_object_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "ES256",
    "ES384",
    "ES512",
    "HS256",
    "HS384",
    "HS512"
  ],
  "prompt_values_supported": [
    "none",
    "login",
    "consent",
    "select_account"
  ],
  "authorization_response_iss_parameter_supported": true,
  "backchannel_token_delivery_modes_supported": [
    "poll"
  ],
  "backchannel_user_code_parameter_supported": true,
  "dpop_signing_alg_values_supported": [
    "RS256",
    "RS384",
    "RS512",
    "PS256",
    "PS384",
    "PS512",
    "ES256",
    "ES384",
    "ES512"
  ]
}

2. Creation of Basic Authorization Header for Client:

In Postman, click the Authorization tab below the URL entry textbox.  Set the Type dropdown to Basic Auth, and enter the appropriate client ID and client secret.

To create a Basic authorization header value from scratch, use this code:
Convert.ToBase64String(Encoding.UTF8.GetBytes($"{clientId}:{clientSecret}"));

3. Creation of Bearer Authorization Header for Client:

In Postman, click the Authorization tab below the URL entry textbox.  Set the Type dropdown to Bearer Token, and enter the appropriate token.

4. Creation of OAuth 2.0 Authorization Header for Client:

In Postman, click the Authorization tab below the URL entry textbox.  Set the Type dropdown to OAuth 2.0, ensure that Request Headers is selected in the Add authorization data to dropdown, and enter the appropriate access token, select it from the Available Tokens dropdown, or press the Get New Access Token button to request one (see example below).

5. Setting the content type for POST requests:

For POST requests, in Postman, add a header with the key set to Content-Type and the value set to application/x-www-form-urlencoded.

6. Request Client Credentials Access Token Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/token.html

Set the authorization header to basic (as described in the first example) to
Client ID: test_api_client_without_user_identity, Client Secret: 7115BAA1-8A4B-44B9-959A-BB26B679DC0E.

POST https://auth-int.narrpr.com/connect/token
	grant_type:client_credentials
	scope:web_api_full_api_access (optional -- if not supplied, all scopes are returned; for specifying multiple scopes, space separate them)

7. Introspect Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/introspection.html

Set the authorization header to basic (as described in the first example) to
(for web API resource tokens) Client ID: web_api, Client Secret: 8401D514-CB49-4818-881F-B82DBF487502
(for mobile API resource tokens) Client ID: mobile_api, Client Secret: 0A30F0C4-6025-46B2-9F30-E8233B65F4D9

POST https://auth-int.narrpr.com/connect/introspect
	token:{access token}

8. Request Resource Owner Password Access Token Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/token.html

Set the authorization header to basic (as described in the first example) to
Client ID: test_client_with_username_password, Client Secret: A0D0A4AE-3953-42B1-894E-EAC49129D137.

POST https://auth-int.narrpr.com/connect/token
	grant_type:password
	username:{real RPR login e-mail}
	password:{real RPR password}
	scope:web_api_full_api_access openid (optional -- if not supplied, all scopes are returned; for specifying multiple scopes, space separate them)

9. Request Implicit Access Token Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/authorize.html

Optionally, set the authorization header to basic (as described in the first example) to
Client ID: test_website_client, Client Secret: DD190F4E-FA96-4D57-A47E-4B61B322CDA7.

GET https://auth-int.narrpr.com/connect/authorize
	redirect_uri:https://www.getpostman.com/oauth2/callback
	response_type:id_token token (either or both)
	nonce:{value} (echoed into id_token to prevent replay)
	scope:web_api_full_api_access openid (optional? (confirm!) -- if not supplied, all scopes are returned; for specifying multiple scopes, space separate them)
	state:{some client state} (optional)

10. Request Authorize (w/o PKCE) Access Token Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/authorize.html

Set the authorization header to basic (as described in the first example) to
Client ID: test_mobile_client_without_pkce, Client Secret: E7E01A5A-A235-4888-824F-79B128F478D7.

GET https://auth-int.narrpr.com/connect/authorize
	redirect_uri:https://www.getpostman.com/oauth2/callback
	response_type:code
	scope:mobile_api_full_api_access openid (optional? (confirm!) -- if not supplied, all scopes are returned; for specifying multiple scopes, space separate them)
	state:{some client state} (optional)


Set the authorization header to basic (as described in the first example) to
Client ID: test_mobile_client_without_pkce, Client Secret: E7E01A5A-A235-4888-824F-79B128F478D7.

POST https://auth-int.narrpr.com/connect/token
	client_id:test_mobile_client_without_pkce
	grant_type:authorization_code
	code:{code received in previous HTTP GET call}
	redirect_uri:https://www.getpostman.com/oauth2/callback

11. Request Authorize (w/ PKCE) Access Token Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/authorize.html

Set the authorization header to basic (as described in the first example) to
Client ID: test_mobile_client_with_pkce, Client Secret: 96881327-AA3C-4200-856A-944107A020B8.

GET https://auth-int.narrpr.com/connect/authorize
	redirect_uri:https://www.getpostman.com/oauth2/callback
	response_type:code
	code_challenge:{(code_verifier: random URL proof code at least 43 chars long), that has been SHA-256 hashed and then base64 URL-encoded}
	code_challenge_method:S256
	scope:mobile_api_full_api_access openid (optional? (confirm!) -- if not supplied, all scopes are returned; for specifying multiple scopes, space separate them)
	state:{some client state} (optional)


Set the authorization header to basic (as described in the first example) to
Client ID: test_mobile_client_without_pkce, Client Secret: E7E01A5A-A235-4888-824F-79B128F478D7.

POST https://auth-int.narrpr.com/connect/token
	client_id:test_mobile_client_without_pkce
	grant_type:authorization_code
	code:{code received in previous HTTP GET call}
	redirect_uri:https://www.getpostman.com/oauth2/callback
	code_verifier:{code_verifier used above}

12. Request Authorize (w/o PKCE) Access Token Endpoint Example (Using Postman): http://docs.identityserver.io/en/latest/endpoints/authorize.html

In Postman, click the Authorization tab below the URL entry textbox.  Set the Type dropdown to OAuth 2.0 and click the orange Get New Access Token button.  On the modal form that pops up, enter the following parameters and click the orange Request Token button:

Token Name:		{TokenName} (name of token in PostMan)
Grant Type:		Authorization Code (dropdown selection)
Callback URL:		https://www.getpostman.com/oauth2/callback
Auth URL:		https://auth-int.narrpr.com/connect/authorize?response_type=code&prompt=login
Access Token URL:	https://auth-int.narrpr.com/connect/token
Client ID:		test_mobile_client_without_pkce
Client Secret:		96881327-AA3C-4200-856A-944107A020B8
Scope:			openid
State:			1234 (we need to use this argument to prevent CSRF attacks)
Client Authentication:	Send as Basic Auth header (dropdown selection)

Once the login is completed successfully, Postman's browser should close and give way to a new screen that contains an ID token and an access token, which are automatically saved for reuse.  Note that you can view this entire process in Visual Studio's Output window, and intercept the authorization code.

13. UserInfo Endpoint Example: http://docs.identityserver.io/en/latest/endpoints/userinfo.html

Set the authorization header to bearer (as described in the second example) to the access token (or identity token?)

GET https://auth-int.narrpr.com/connect/userinfo

The access (or identity?) token comes as a result of a resource owner password flow, implicit flow, or authorization code flow (see above examples).  This call will return user detail in JSON.

14. Request Access Token for Mobile Client: http://docs.identityserver.io/en/latest/endpoints/token.html

To request an access token for the mobile client, do the following in Postman:

POST https://auth-int.narrpr.com/connect/token
	grant_type:device_password
	scope:openid email rpr_contact rpr_current_user rpr_permissions rpr_roles rpr_mobile_device mobile_api_access auth_api_access offline_access
	username:{real RPR login e-mail}
	password:{real RPR password}
	device_name:{device name}
	increment_all_device_expiration_dates:{true/false}
	is_device_secure:{true/false}
	device_id:{device ID}
	client_id:mobile_client
	client_secret:99E2A960-CFAC-4F01-B548-0B555AB1EAAA

15. Request a New Access Token via a Refresh Token for Mobile Client: http://docs.identityserver.io/en/latest/endpoints/token.html

To request a new access token via a refresh token for the mobile client, do the following in Postman:

POST https://auth-int.narrpr.com/connect/token
	grant_type:refresh_token
	scope:openid offline_access mobile_api_full_api_access
	refresh_token:{refresh token}
	client_id:mobile_client
	client_secret:99E2A960-CFAC-4F01-B548-0B555AB1EAAA

16. Test Basic Authorization in Mobile API:

To test Basic authorization in Mobile API, do the following in Postman:

GET https://mobileapi-dev.narrpr.com/v1/tests/auth/basic

Set the Authorization header to the following:
Basic {token in the base-64 form of userName:password}

17. Test Bearer Authorization in Mobile API:

To test Bearer authorization in Mobile API, do the following in Postman:

GET https://mobileapi-dev.narrpr.com/v1/tests/auth/bearer

Set the Authorization header to the following:
Bearer {access token}