This documentation is for WSO2 Identity Server 5.4.1.


  1. Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth> and <AuthorizationContextTokenGeneration> elements) to true, as shown in the code block below.

     <AuthorizationContextTokenGeneration>
         <Enabled>true</Enabled>
         <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
         <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
         <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
         <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
         <AuthorizationContextTTL>15</AuthorizationContextTTL>
     </AuthorizationContextTokenGeneration>

     Note: By default, the user claims are retrieved as an array. To retrieve the claims as a string instead of an array, add the following property under the <AuthorizationContextTokenGeneration> tag in the identity.xml file.

     <UseMultiValueSeparator>false</UseMultiValueSeparator>
  2. Add the following property under the <OAuth> section to use the JWT Token Builder instead of the default Token Builder.

     <IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>

     Note: If you need to use a self-contained access token generator, make sure you change the above values accordingly.

  3. The following configurations are optional and can be configured as needed.

    1. See the Extension Points for OAuth topic for more details about the usage of the 'TokenGeneratorImplClass' and 'ClaimsRetrieverImplClass'.

    2. ConsumerDialectURI: Defines the URI for the claim dialect under which the user attributes need to be retrieved.

    3. SignatureAlgorithm: Defines the algorithm to be used in signing the payload that carries user claims. If you want to disable signing of the JWT token, set this element to "NONE".

       <SignatureAlgorithm>NONE</SignatureAlgorithm>

    4. AuthorizationContextTTL: Defines the expiry time of the JWT token in minutes.
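As an added example (not WSO2's own code), the following Python script audits the <OAuth> settings from the steps above in an identity.xml file: it flags SignatureAlgorithm NONE as critical, since a consumer cannot verify an unsigned authorization-context JWT, warns when AuthorizationContextTTL exceeds a local ceiling, and reports when IdentityOAuthTokenGenerator is not the JWTTokenIssuer. The 60-minute ceiling and the two sample documents are constructed assumptions, not WSO2 defaults.

```python
import xml.etree.ElementTree as ET

JWT_ISSUER = "org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer"
MAX_TTL_MINUTES = 60  # assumption: a local policy ceiling, not a WSO2 default
ACTX = "OAuth/AuthorizationContextTokenGeneration/"

def _strip_ns(root):
    # identity.xml carries a default namespace; drop it so plain tag paths match
    for el in root.iter():
        el.tag = el.tag.split("}", 1)[-1]
    return root

def _text(root, path):
    el = root.find(path)
    return el.text.strip() if el is not None and el.text else None

def audit_identity_xml(xml_text):
    """Return (severity, message) findings for the JWT-related <OAuth> settings."""
    root = _strip_ns(ET.fromstring(xml_text))
    findings = []
    if (_text(root, ACTX + "Enabled") or "").lower() != "true":
        return [("info", "AuthorizationContextTokenGeneration is disabled; nothing to audit")]
    alg = _text(root, ACTX + "SignatureAlgorithm")
    if alg is None:
        findings.append(("warning", "SignatureAlgorithm not set explicitly"))
    elif alg.upper() == "NONE":
        findings.append(("critical", "SignatureAlgorithm NONE: JWT is unsigned, consumers cannot verify it"))
    ttl = _text(root, ACTX + "AuthorizationContextTTL")
    if not (ttl or "").isdigit():
        findings.append(("warning", "AuthorizationContextTTL missing or not an integer"))
    elif int(ttl) > MAX_TTL_MINUTES:
        findings.append(("warning", f"AuthorizationContextTTL {ttl} min exceeds ceiling {MAX_TTL_MINUTES}"))
    if _text(root, "OAuth/IdentityOAuthTokenGenerator") != JWT_ISSUER:
        findings.append(("info", "IdentityOAuthTokenGenerator is not JWTTokenIssuer; opaque tokens will be issued"))
    return findings

# Constructed samples (not real identity.xml files); root namespace matches IS 5.x
WEAK_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml"><OAuth>
<AuthorizationContextTokenGeneration><Enabled>true</Enabled>
<SignatureAlgorithm>NONE</SignatureAlgorithm>
<AuthorizationContextTTL>1440</AuthorizationContextTTL>
</AuthorizationContextTokenGeneration></OAuth></Server>"""

HARDENED_XML = """<Server xmlns="http://wso2.org/projects/carbon/carbon.xml"><OAuth>
<AuthorizationContextTokenGeneration><Enabled>true</Enabled>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<AuthorizationContextTTL>15</AuthorizationContextTTL>
</AuthorizationContextTokenGeneration>
<IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>
</OAuth></Server>"""

if __name__ == "__main__":
    for name, doc in (("weak", WEAK_XML), ("hardened", HARDENED_XML)):
        print(name, audit_identity_xml(doc))
```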


After configuring the elements mentioned above, see the OAuth2 Token Validation and Introspection topic to call the OAuth2ValidationService. The following screenshot shows the request and response of the OAuth2ValidationService from SOAP UI. Additionally, it shows the required claims of the user as required claim URIs. In the response, you can see the received JWT token under the <tokenString> element.


The signature verification can be done similar to the ID token signature verification.
