This documentation is for WSO2 Identity Server 5.4.0.


  1. Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth> and <AuthorizationContextTokenGeneration> elements) to true, as shown in the code block below.

    Code Block
    <AuthorizationContextTokenGeneration>
        <Enabled>true</Enabled>
        <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
        <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
        <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
        <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
        <AuthorizationContextTTL>15</AuthorizationContextTTL>
    </AuthorizationContextTokenGeneration>
    Note: By default, the user claims are retrieved as an array. To retrieve the claims as a string instead of an array, add the following property under the <AuthorizationContextTokenGeneration> tag in the identity.xml file.

    Code Block
    <UseMultiValueSeparator>false</UseMultiValueSeparator>
  2. The following configurations are optional and can be configured as needed.

    • TokenGeneratorImplClass and ClaimsRetrieverImplClass: See the Extension Points for OAuth topic for more details about the usage of these two classes.

    • ConsumerDialectURI: Defines the URI of the claim dialect under which the user attributes are retrieved.

    • SignatureAlgorithm: Defines the algorithm used to sign the payload that carries the user claims. If you want to disable signing of the JWT token, set this element to NONE. Note that an unsigned JWT gives the receiving service no way to verify that its claims were issued by the Identity Server.

      Code Block
      <SignatureAlgorithm>NONE</SignatureAlgorithm>
    • AuthorizationContextTTL: Defines the expiry time of the JWT token in minutes.

Calling the OAuth2ValidationService with a valid token

After configuring the elements mentioned above, see the OAuth2 Token Validation and Introspection topic to call the OAuth2ValidationService. The following screenshot shows the request and response of the OAuth2ValidationService in SoapUI. The request lists the required claims of the user as required claim URIs, and in the response you can see the received JWT token under the <tokenString> element.

Note: If there are no requested claim URIs defined, all the claims that carry values for the user are returned.

[Screenshot omitted: OAuth2ValidationService request and response in SoapUI]

Header Metadata:
The header contains the metadata for the token, as seen below. The token is made up of three base64url-encoded segments separated by dots (the payload segment of the sample token is not reproduced on this page).

Code Block
<header>.<payload>.<signature>
eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.<payload>.WRo2p92f-pt1vH9xfLgmrPWNKJfmST2QSPYcth7gXKz64LdP9zAMUtfAk9DVRdHTIQR3gX0jF4Ohb4UbNN4Oo97a35oTL1iRxIRTKUkh8L1dpt3H03Z0Ze7Q2giHGZikMIQv3gavHRYKjNMoU_1MuB90jiK7

Decoded Header:

Code Block
{"alg":"RS256","x5t":"NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA"}

x5t: This header provides a base64url-encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match a certificate to validate the signature.


Retrieving user claims with the JWT 

User claims can be retrieved using the ID token or the userinfo endpoint. For more information, see Basic Client Profile with Playground.

You can access the userinfo endpoint with the received access token using the following curl command. As per the specification, the received bearer token is sent using the HTTP Authorization header.

Code Block
# -k skips TLS certificate verification; use it only against the default self-signed certificate of a local test setup.
curl -k -H "Authorization: Bearer 4164157d677a6cd3a22e26e24c30135d" "https://localhost:9443/oauth2/userinfo?schema=openid"

As the response, WSO2 Identity Server returns a JSON with user claims.

Code Block
{"sub":"PRIMARY\/alex","email":"alex@mymail.com","name":"Alex Anderson","family_name":"Anderson","preferred_username":"alexanders","given_name":"Alex"}

Signature verification

The signature of the JWT can be verified in the same way as the ID token signature.
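As an added example (not WSO2 code), the following Python script shows the steps a resource server takes before it verifies the signature: splitting the <header>.<payload>.<signature> token, decoding the header metadata described above, refusing any algorithm not on an allow-list (so a token generated with SignatureAlgorithm NONE is never accepted as unsigned), and selecting the trusted certificate whose thumbprint matches x5t, computed as this page describes it. The header segment is the one from the sample token on this page; the certificate bytes, payload and signature are constructed placeholders.

```python
import base64
import hashlib
import json

# Header segment copied from the sample token on this page; the payload ("{}") and
# signature segments are constructed placeholders, so this is not a verifiable token.
SAMPLE_TOKEN = (
    "eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9X"
    "RTBOV0kyTTJKbU9UYzFaQSJ9.e30.c2ln"
)
ALLOWED_ALGS = {"RS256"}  # SignatureAlgorithm SHA256withRSA in identity.xml => alg RS256

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    """Encode bytes as unpadded base64url, as used in JWT segments."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def parse_header(token: str) -> dict:
    """Split <header>.<payload>.<signature> and decode the JSON header."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated segments")
    return json.loads(b64url_decode(parts[0]))

def cert_thumbprint(cert_der: bytes) -> str:
    """x5t as this page describes it: base64url(SHA-256(DER-encoded certificate))."""
    return b64url_encode(hashlib.sha256(cert_der).digest())

def select_verification_cert(token: str, trusted_certs: dict) -> bytes:
    """Return the trusted DER certificate whose thumbprint matches the header's x5t."""
    header = parse_header(token)
    # Allow-list the algorithm before trusting anything else in the header: a token
    # generated with SignatureAlgorithm NONE is unsigned, and a verifier must never
    # accept alg 'none' (or any algorithm it did not expect) because the token says so.
    alg = str(header.get("alg", ""))
    if alg.lower() == "none" or alg not in ALLOWED_ALGS:
        raise ValueError(f"rejected JWT with alg={alg!r}")
    cert = trusted_certs.get(header.get("x5t"))
    if cert is None:
        raise ValueError("no trusted certificate matches the x5t header")
    return cert

def make_unsigned_token(header: dict) -> str:
    """Constructed test input: the given header, an empty payload and no signature."""
    return b64url_encode(json.dumps(header).encode()) + ".e30."
```

Once the certificate is selected, the RS256 signature over `<header>.<payload>` is checked with its public key, exactly as for the ID token.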
