This documentation is for WSO2 Identity Server 5.4.0.


Note: Identity Server 5.4.0 provides more control over issuing id tokens and user claims for the client_credentials grant type. To enable this, add the following configuration to identity.xml to register new ScopeHandlers and ScopeValidators.

```xml
<OAuth>
....
    <ScopeHandlers>
        <!-- Custom handler classes receive the <Property> values as configuration -->
        <ScopeHandler class="org.fully.qualified.class.name.CustomScopeHandler">
           <Property name="foo">foo-value</Property>
        </ScopeHandler>
    </ScopeHandlers>

    <ScopeValidators>
        <!-- scopesToSkip is a space-separated list of scopes this validator does not check -->
        <ScopeValidator class="org.fully.qualified.class.name.ExtendedScopeValidator" scopesToSkip="scope1 scope2">
            <Property name="foo-property">foo-value</Property>
        </ScopeValidator>
    </ScopeValidators>
</OAuth>
```

Setting <IdTokenAllowed> to 'true' or 'false' inside a grant type's configuration turns issuing of id tokens on or off for that grant type when the 'openid' scope is requested. By default IdTokenAllowed is 'true', so id tokens are issued for all grant types that request the 'openid' scope; setting it to 'false' stops issuing them. The exception is authorization_code, for which id token issuance cannot be turned off.

Setting <IsRefreshTokenAllowed> to 'true' or 'false' inside a grant type's configuration turns issuing of refresh tokens on or off for that grant type. By default IsRefreshTokenAllowed is 'true', so refresh tokens are issued for all grant types; setting it to 'false' stops issuing them.

```xml
<SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
    <!-- No user is authenticated in this grant, so neither token type is issued -->
    <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
    <IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
```
Note: Issuing an id token is disabled for the client_credentials grant type by default.
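The following script is an added example, not part of the WSO2 documentation or product code. It reads the <OAuth> section of an identity.xml file, lists the registered ScopeValidators with their scopesToSkip entries, resolves the per-grant-type IdTokenAllowed and IsRefreshTokenAllowed flags using the defaults stated above, and reports settings worth reviewing: a client_credentials grant that issues refresh tokens (RFC 6749 section 4.4.3 says a refresh token SHOULD NOT be included for this grant) or id tokens, and any validator that skips scopes. The sample XML, the `<SupportedGrantTypes>` wrapper element, the org.example class names and the authorization_code handler entry are constructed for this example.

```python
"""Audit helper for the <OAuth> section of a WSO2 Identity Server identity.xml.

Example code added to the page, not WSO2's own code. The XML sample below is
constructed; class names under org.example are placeholders.
"""
import xml.etree.ElementTree as ET

# Constructed sample: one validator that skips two scopes and a client_credentials
# grant type that has both token flags switched on (the setting to review).
SAMPLE_IDENTITY_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Server>
  <OAuth>
    <ScopeHandlers>
      <ScopeHandler class="org.example.CustomScopeHandler">
        <Property name="foo">foo-value</Property>
      </ScopeHandler>
    </ScopeHandlers>
    <ScopeValidators>
      <ScopeValidator class="org.example.ExtendedScopeValidator" scopesToSkip="scope1 scope2">
        <Property name="foo-property">foo-value</Property>
      </ScopeValidator>
    </ScopeValidators>
    <SupportedGrantTypes>
      <SupportedGrantType>
        <GrantTypeName>authorization_code</GrantTypeName>
        <GrantTypeHandlerImplClass>org.example.AuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
      </SupportedGrantType>
      <SupportedGrantType>
        <GrantTypeName>client_credentials</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
        <IdTokenAllowed>true</IdTokenAllowed>
        <IsRefreshTokenAllowed>true</IsRefreshTokenAllowed>
      </SupportedGrantType>
    </SupportedGrantTypes>
  </OAuth>
</Server>
"""


def _flag(text, default):
    """Interpret an optional true/false element; a missing element takes the documented default."""
    if text is None:
        return default
    return text.strip().lower() == "true"


def scope_validators(xml_text):
    """Return the registered ScopeValidators with their skipped scopes and properties."""
    root = ET.fromstring(xml_text)
    validators = []
    for node in root.iter("ScopeValidator"):
        validators.append({
            "class": node.get("class"),
            # scopesToSkip is a whitespace-separated list in identity.xml
            "scopes_to_skip": (node.get("scopesToSkip") or "").split(),
            "properties": {p.get("name"): (p.text or "").strip() for p in node.findall("Property")},
        })
    return validators


def grant_type_flags(xml_text):
    """Resolve id token / refresh token issuance per grant type, applying the documented defaults."""
    root = ET.fromstring(xml_text)
    flags = {}
    for grant in root.iter("SupportedGrantType"):
        name = (grant.findtext("GrantTypeName") or "").strip()
        # IdTokenAllowed defaults to true, except for client_credentials where it is off by default
        id_default = name != "client_credentials"
        id_token = _flag(grant.findtext("IdTokenAllowed"), id_default)
        refresh = _flag(grant.findtext("IsRefreshTokenAllowed"), True)
        if name == "authorization_code":
            id_token = True  # the docs state id tokens cannot be turned off for this grant
        flags[name] = {"id_token": id_token, "refresh_token": refresh}
    return flags


def audit(xml_text):
    """Return a list of human-readable findings a reviewer should look at."""
    findings = []
    cc = grant_type_flags(xml_text).get("client_credentials")
    if cc is not None:
        if cc["refresh_token"]:
            findings.append("client_credentials issues refresh tokens; RFC 6749 4.4.3 says they SHOULD NOT be included")
        if cc["id_token"]:
            findings.append("client_credentials issues id tokens although no end user is authenticated")
    for v in scope_validators(xml_text):
        if v["scopes_to_skip"]:
            findings.append("%s skips scope validation for: %s" % (v["class"], " ".join(v["scopes_to_skip"])))
    return findings


if __name__ == "__main__":
    for line in audit(SAMPLE_IDENTITY_XML):
        print("REVIEW:", line)
```

Run it against a real identity.xml by replacing SAMPLE_IDENTITY_XML with the file contents; because the functions search with `iter()` they do not depend on the exact nesting above the <OAuth> element.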