This section provides instructions on how to get the user claims of the authorized user as a JWT token with the validation response.
<IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth>, <AuthorizationContextTokenGeneration> elements) to true as shown in the code block below.
Note: By default, the user claims are retrieved as an array. To retrieve the claims as a string instead of an array, add the following property under the <AuthorizationContextTokenGeneration> tag in the
Add the following property under the <OAUTH> section to use the JWT Token Builder instead of the default Token Builder.
If you need to use a self-contained access token generator, make sure you change the above values accordingly.
The following configurations are optional and can be configured as needed.
See the Extension Points for OAuth topic for more details about the usage of the 'TokenGeneratorImplClass' and '
ConsumerDialectURI: Defines the URI for the claim dialect under which the user attributes need to be retrieved.
SignatureAlgorithm: Defines the algorithm used to sign the payload that carries the user claims. To disable signing of the JWT token, set this element to "NONE".
AuthorizationContextTTL: Defines the expiry time of the JWT token in minutes.
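The code block the text refers to is missing from this copy of the page. The fragment below is an added reconstruction, not the page's own, built only from the element names mentioned above. The values are this editor's assumptions for illustration: true, the WSO2 claim dialect URI, SHA256withRSA and 15 minutes are the defaults as known to the editor, and the TokenGeneratorImplClass value is WSO2's JWT token generator class as the editor knows it. Check each against the identity.xml shipped with your release.

```xml
<!-- Added example: relevant part of <IS_HOME>/repository/conf/identity/identity.xml -->
<OAuth>
    <!-- Use the JWT Token Builder instead of the default Token Builder (assumed class name) -->
    <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>

    <AuthorizationContextTokenGeneration>
        <!-- Turn on generation of the user-claims JWT in the validation response -->
        <Enabled>true</Enabled>
        <!-- Claim dialect under which user attributes are retrieved (assumed value) -->
        <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
        <!-- Algorithm used to sign the claims payload; "NONE" disables signing and
             leaves the token unverifiable, so keep a signing algorithm in production -->
        <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
        <!-- Lifetime of the JWT in minutes (assumed value) -->
        <AuthorizationContextTTL>15</AuthorizationContextTTL>
    </AuthorizationContextTokenGeneration>
</OAuth>
```

The property for retrieving claims as a string instead of an array, and the second extension class named in the Extension Points topic, are not shown here because their names do not survive on this page.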
Calling the OAuth2ValidationService with a valid token
After configuring the elements mentioned above, see the OAuth2 Token Validation and Introspection topic to call the OAuth2ValidationService. The following screenshot shows the request and response of the OAuth2ValidationService from the SOAP UI. Additionally, it shows the required claims of the user as required claim URIs. In the response, you can see the received JWT token under the
If there are no requested claim URIs defined, all the claims that carry values for the user are returned.
The header contains the metadata for the token as seen below.
The signature verification can be done similarly to the ID token signature verification.
The portions of each token are separated by a full stop (.). To see the exact JSON values, do a Base64 decode for
If the unsigned ID token contains only 2 portions:
If the signed ID token contains 3 portions:
Validating the ID token signature
The following code segment is a simple Java program that can be used to validate the ID token signature against the default wso2carbon.jks public key in WSO2 products.
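The page's own Java program is missing from this copy. The program below is an added example written by this editor, not WSO2's code, covering both passages above: it splits a compact token on the full stop, Base64url-decodes the header and payload so the JSON can be read, distinguishes a 2-portion (unsigned) token from a 3-portion (signed) one, and verifies the third portion as SHA256withRSA against a public key loaded from a JKS keystore such as wso2carbon.jks. The keystore path, store password and certificate alias are passed on the command line and are assumptions; the header and payload JSON in the demo are constructed values, signed with a freshly generated key pair so the program runs without any keystore.

```java
import java.io.FileInputStream;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.Signature;
import java.util.Base64;

public class JwtSignatureCheck {

    private static final Base64.Decoder B64URL_DEC = Base64.getUrlDecoder();
    private static final Base64.Encoder B64URL_ENC = Base64.getUrlEncoder().withoutPadding();

    /** Splits the token on '.' and returns the decoded header and payload JSON. */
    static String[] decodeHeaderAndPayload(String token) {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 2 && parts.length != 3) {
            throw new IllegalArgumentException(
                "token must have 2 (unsigned) or 3 (signed) portions, found " + parts.length);
        }
        String header = new String(B64URL_DEC.decode(parts[0]), StandardCharsets.UTF_8);
        String payload = new String(B64URL_DEC.decode(parts[1]), StandardCharsets.UTF_8);
        return new String[] { header, payload };
    }

    /**
     * Verifies the third portion as SHA256withRSA over "header.payload".
     * The algorithm is pinned here instead of being read from the header, so a
     * token whose header claims "alg":"none" (or a 2-portion token) is rejected.
     */
    static boolean verifySignature(String token, PublicKey publicKey) throws Exception {
        String[] parts = token.split("\\.", -1);
        if (parts.length != 3 || parts[2].isEmpty()) {
            return false; // nothing to verify on an unsigned token
        }
        byte[] signingInput = (parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII);
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(signingInput);
        try {
            return verifier.verify(B64URL_DEC.decode(parts[2]));
        } catch (IllegalArgumentException | java.security.SignatureException e) {
            return false; // malformed Base64url or signature bytes count as invalid
        }
    }

    /** Loads the public key of the certificate stored under 'alias' in a JKS file. */
    static PublicKey loadPublicKey(String jksPath, char[] storePassword, String alias) throws Exception {
        KeyStore keyStore = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(jksPath)) {
            keyStore.load(in, storePassword);
        }
        return keyStore.getCertificate(alias).getPublicKey();
    }

    /** Demo-only helper: builds a signed token from constructed header/payload JSON. */
    static String signForDemo(String headerJson, String payloadJson, PrivateKey privateKey) throws Exception {
        String signingInput = B64URL_ENC.encodeToString(headerJson.getBytes(StandardCharsets.UTF_8))
                + "." + B64URL_ENC.encodeToString(payloadJson.getBytes(StandardCharsets.UTF_8));
        Signature signer = Signature.getInstance("SHA256withRSA");
        signer.initSign(privateKey);
        signer.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64URL_ENC.encodeToString(signer.sign());
    }

    public static void main(String[] args) throws Exception {
        if (args.length == 4) {
            // Usage: java JwtSignatureCheck <token> <path/to/wso2carbon.jks> <store password> <alias>
            PublicKey key = loadPublicKey(args[1], args[2].toCharArray(), args[3]);
            String[] decoded = decodeHeaderAndPayload(args[0]);
            System.out.println("header : " + decoded[0]);
            System.out.println("payload: " + decoded[1]);
            System.out.println("signature valid: " + verifySignature(args[0], key));
            return;
        }
        // Self-contained demo: constructed claims signed with a throwaway RSA key pair.
        KeyPairGenerator generator = KeyPairGenerator.getInstance("RSA");
        generator.initialize(2048);
        KeyPair keyPair = generator.generateKeyPair();
        String header = "{\"alg\":\"RS256\",\"typ\":\"JWT\"}";
        String payload = "{\"sub\":\"admin\",\"exp\":1700000000}";
        String signed = signForDemo(header, payload, keyPair.getPrivate());
        String[] parts = signed.split("\\.", -1);
        String[] decoded = decodeHeaderAndPayload(signed);
        System.out.println("header : " + decoded[0]);
        System.out.println("payload: " + decoded[1]);
        System.out.println("intact token verifies     : " + verifySignature(signed, keyPair.getPublic()));
        // Same signature over a modified payload: must fail.
        String forged = parts[0] + "." + B64URL_ENC.encodeToString(
                "{\"sub\":\"someone-else\"}".getBytes(StandardCharsets.UTF_8)) + "." + parts[2];
        System.out.println("modified payload verifies : " + verifySignature(forged, keyPair.getPublic()));
        // Signature stripped, leaving 2 portions: still decodable, never verifiable.
        String stripped = parts[0] + "." + parts[1];
        System.out.println("unsigned token decodes to : " + decodeHeaderAndPayload(stripped)[1]);
        System.out.println("unsigned token verifies   : " + verifySignature(stripped, keyPair.getPublic()));
    }
}
```

Run it with four arguments to check a real token against a keystore, or with none to see the demo. Pinning SHA256withRSA in the verifier rather than honouring the header's alg field is deliberate: the header is attacker-controlled input until the signature has been checked, so it must not decide which algorithm is used to check it.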