This documentation is for WSO2 Identity Server 5.7.0 . View documentation for the latest release.

All docs This doc
Skip to end of metadata
Go to start of metadata

Authentication Data API provides REST services that are used to retrieve endpoint parameters provided by the authentication framework or related services. 

These parameters may not be passed in the redirect URL due to one or many of the following reasons. 

  • Sensitivity of the values passed.
  • Complexity of the values passed.
  • Length of the parameters exceeding, or has the possibility of exceeding the allowed limits.
  • Compliance to certain business policies.

To use this feature, apply the 3524 WUM update for WSO2 IS 5.7.0 using the WSO2 Update Manager (WUM).

To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.

Configuring Authentication Data API

To make these parameters available via the Authentication Data API, we need to configure the Identity Server as follows.

  1. Configure the following parameters in the application-authentication.xml file in <IS_HOME>/repository/conf/identity as per the descriptions provided below.

    <AuthenticationEndpointRedirectParams action="include" 
    <AuthenticationEndpointRedirectParam name="sessionDataKey"/> 
    Field NameDescription
    actionValue is either include or exclude. An include indicates a allowlist, whereas an exclude indicates a denylist.
    removeOnConsumeFromAPIThe decides whether to remove the parameters on a read. If set to true, parameters are deleted upon read and won’t be available for subsequent API requests, unless they are repopulated at the backend.
    AuthenticationEndpointRedirectParamThe list of parameters to be allowlisted/denylisted. The name attribute is used to specify the parameter name.

    This is an identifier used by the Identity Server to maintain state information related to this particular request by the service provider.

    Note: The 'sessionDataKey' query parameter is used to coordinate the request state across components participating in the request flow. It does not correlate with the user session. Furthermore, the request state maintained against the 'sessionDataKey' parameter value is cleared by each participating component at the end of request flow. This means that even if an external party grabs the 'sessionDataKey' they will not be able to get into the authentication sequence, as the user session is not associated with that key.

  2. Restart the server.

Using the API

The data can be accessible at https://<IS_HOST>:<PORT>/api/identity/auth/v1.1/data/<Type>/<Key>.

  • <Type> - This refers to the key type that should be used. The value is AuthRequestKey for pages which directly communicate with the authentication framework using sessionDataKey, and OauthConsentKey for the Oauth consent page which uses sessionDataKeyConsent as the correlation key.
  • <Key> - The correlation key whose value is either sessionDataKey or sessionDataKeyConsent.

Authenticating the API

This API can be authenticated by following the steps given here

Following are the sample requests and responses using cURL.

curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/AuthRequestKey/7a6886ab -b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"
{"paramKey1": "paramValue1","paramKey2": "paramValue2"}
curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/OauthConsentKey/7a6886a b-b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"

  • No labels