This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.


  1. Download Private Key JWT Client Authenticator 1.0.1

  2. Copy the downloaded org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt-1.0.1.jar to the <IS_HOME>/repository/component/dropins directory.
  3. To register the JWT grant type, edit the <IS_HOME>/repository/conf/identity/identity.xml file and do the following:

    • Add the following configuration under the <OAuth><ClientAuthHandlers> element:

      <ClientAuthHandler Class="org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthHandler">
          <Property Name="RejectBeforePeriodInMinutes">60</Property>
      </ClientAuthHandler>
    • Under <SupportedGrantTypes>, update the authorization_code grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>authorization_code</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTAuthorizationCodeGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>
    • Under <SupportedGrantTypes>, update the client_credentials grant type configuration as follows to include the <GrantTypeValidatorImplClass>:

      <SupportedGrantType>
          <GrantTypeName>client_credentials</GrantTypeName>
          <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
          <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.validator.grant.JWTClientCredentialGrantValidator</GrantTypeValidatorImplClass>
      </SupportedGrantType>
  4. Create a new table in the identity datasource that is configured in the <IS_HOME>/repository/conf/identity/identity.xml file. Use the command that matches your database to create the new table.

    h2.sql:

      CREATE TABLE IF NOT EXISTS IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP DEFAULT 0,
      TIME_CREATED TIMESTAMP DEFAULT 0, PRIMARY KEY (JWT_ID));

    mysql.sql, mysql-5.7.sql, postgres.sql:

      CREATE TABLE IF NOT EXISTS IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP DEFAULT 0,
      TIME_CREATED TIMESTAMP DEFAULT 0, PRIMARY KEY (JWT_ID));

    db2.sql:

      CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP,
      TIME_CREATED TIMESTAMP, PRIMARY KEY (JWT_ID))

    oracle.sql, oracle-rac.sql:

      CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME TIMESTAMP,
      TIME_CREATED TIMESTAMP, PRIMARY KEY (JWT_ID))

    mssql:

      IF NOT EXISTS (SELECT * FROM SYS.OBJECTS WHERE OBJECT_ID = OBJECT_ID(N'[DBO].[IDN_JWT_PRIVATE_KEY]') AND TYPE IN (N'U')) CREATE TABLE IDN_JWT_PRIVATE_KEY (JWT_ID VARCHAR(255), EXP_TIME DATETIME DEFAULT 0,
      TIME_CREATED DATETIME DEFAULT 0, PRIMARY KEY (JWT_ID));
  5. Edit the <IS_HOME>/repository/conf/identity/identity.xml file and add the following cache name under <CacheManager name="IdentityApplicationManagementCacheManager"> in the <CacheConfig> section:

    <Cache name="PrivateKeyJWT" enable="true" timeout="10" capacity="5000" isDistributed="false"/>
  6. Start WSO2 Identity Server and access the management console via https://localhost:9443/carbon/.
  7. Follow the steps below to add a service provider:

    1. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
    2. Specify the Service Provider Name and provide a brief Description of the service provider.
    3. Expand the OAuth/OpenID Connect Configuration under the Inbound Authentication Configuration section, and then click Configure.
    4. Enter a callback URL (for example, http://localhost:8080/playground2/oauth2client) and click Add. This displays the OAuth Client Key and OAuth Client Secret.
  8. Follow the steps below to import the public key of the private_key_jwt issuer:

    1. Rename the public key certificate file of the private_key_jwt issuer to the OAuth Client Key that you obtained. When you later view the keystore via the management console, you should see a certificate whose alias is your OAuth Client Key.

    2. Restart the WSO2 Identity Server and log in to the Server management console using admin/admin credentials.
    3. Navigate to the Manage menu and click List under Keystores.
    4. Import the certificate file into the default keystore that is configured in the <IS_HOME>/repository/conf/carbon.xml file.

      Note

      In a default WSO2 Identity Server distribution the keystore name is wso2carbon.jks.

  9. Use the following curl command to retrieve the access token and refresh token using a JWT.

    Note

    Be sure to replace <clientid>, <authorization-code> and <private_key_jwt> with appropriate values in the following curl command.

    curl -v -X POST -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d 'client_id=<clientid>&grant_type=authorization_code&code=<authorization-code>&client_assertion_type=urn%3Aietf%3Aparams%3Aoauth%3Aclient-assertion-type%3Ajwt-bearer&client_assertion=<private_key_jwt>&redirect_uri=http://localhost:8080/playground2/oauth2client' https://localhost:9443/oauth2/token