
Note: This is a draft version of this document.

This topic provides instructions on how to configure the JWT grant type. See the following sections for more information.

Deploying artifacts 

  • Place the org.wso2.carbon.identity.oauth2.grant.jwt-1.0.0.jar file downloaded from the store in the <IS_HOME>/repository/component/dropins directory.
  • To register the JWT grant type, configure the <IS_HOME>/repository/conf/identity/identity.xml file by adding a new entry under the <OAuth><SupportedGrantTypes> element. Add a unique identifier between the <GrantTypeName> tags, as shown in the code block below.

    <SupportedGrantType>
        <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
        <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
        <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
    </SupportedGrantType>
  • Restart the server.

Configure the JWT grant type

  1. Sign in to the WSO2 Identity Server. Enter your username and password to log on to the Management Console.
  2. In the Identity Providers section under the Main tab of the Management Console, click Add.
  3. Provide the following values to configure the IDP:
    • Identity Provider Name: Enter the issuer name (the iss value used when generating the JWT assertion) as the IDP name.
    • Identity Provider Public Certificate: The certificate used to sign the JWT assertion.
    • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias, e.g., https://localhost:9443/oauth2/token
    See Adding a new identity provider for more information.
  4. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  5. Fill in the Service Provider Name and provide a brief Description of the service provider. See Adding a Service Provider for more information.
  6. Expand the OAuth/OpenID Connect Configuration and click Configure.
  7. Enter a callback URL, for example http://localhost:8080/playground2/oauth2client, and click Add.
  8. The OAuth Client Key and OAuth Client Secret are now visible.

The flow

The cURL commands below retrieve an access token and a refresh token using a JWT assertion.

Request
curl -i -X POST -u <clientid>:<clientsecret> -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<JWT>' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token

The -u flag specifies the “<Client Id>:<Client Secret>” value. The assertion parameter value is the signed, Base64Url-encoded JWT, and it MUST contain a single JWT. See the JWT Bearer Grant section below for more information about the assertion.

If you have configured the service provider and identity provider in a tenant, you have to add the tenant domain as a query parameter to the access token endpoint.

If the tenant domain is wso2.com, the access token endpoint will be as follows.

Sample request
curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -u bBhEoE2wIpU1zB8HA3GfvZz8xxAa:RKgXUC3pTRQg9xPpNwyuTPGtnSQa -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0NTgxNjY5ODUsInN1YiI6ImFkbWluIiwibmJmIjoxNDU4MTA2OTg1LCJhdWQiOlsiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwid3NvMi1JUyJdLCJpc3MiOiJqd3RJRFAiLCJqdGkiOiJUb2tlbjU2NzU2IiwiaWF0IjoxNDU4MTA2OTg1fQ.ZcxdoTVEsWoil80ne42QzmsfelMWyjRZJEjUK1c2vMZJjjtrZnsWExyCA5tN6iXYFAXC_7rkFuuNSgOlBi51MNLPZw3WcgGI52j6apGEW92V2tib9zRRWOeLQLAdo8ae8KzLp7kuKZ2XunfQ2WYU9TvvLDm_vp5ruuYz3ZZrJOc' https://localhost:9443/oauth2/token

You will now have received the response from the token endpoint. The response contains the access token, refresh token, expiry time and token type.

Response
{"token_type":"Bearer","expires_in":3600,"refresh_token":"b1b4b78e2b0ef4956acb90f2e38a8833","access_token":"615ebcc943be052cf6dc27c6ec578816"} 


JWT Bearer Grant

A JWT consists of three parts separated by dots (.):

  • Header: Base64Url-encoded header, which declares the algorithms used to hash and sign the JWT.
  • Payload: Base64Url-encoded payload, which contains the claims. There are two types of claims, mandatory and optional:
    • Mandatory Values
      • iss (issuer) - A unique identifier for the Identity Provider that issued the JWT. It must match the Identity Provider Name configured above.
      • sub (subject) - Identifies the entity that the Identity Provider (the issuer of the JWT) vouches for.
      • aud (audience) - Contains a value that identifies the authorization server as an intended audience. This value must be registered as the token endpoint alias in the Identity Provider configuration.
      • exp (expiration time) - Limits the time window during which the JWT can be used.
    • Optional Values
      • nbf (not before) - Forces the JWT to be accepted only after the specified time.
      • iat (issued at) - Identifies the time at which the JWT was issued.
      • jti (JWT ID) - Provides a unique identifier for the token.
      • other custom claims - A JWT may contain claims other than those listed above; this is the extension point of the JWT specification.
  • Signature: Created by concatenating the Base64Url-encoded header and the Base64Url-encoded payload (separated by a dot) and signing the result with the algorithm declared in the header.
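As an added example (not WSO2 code), the stdlib-only Python below parses a JWT assertion into its three parts and applies the claim rules listed above, using the sample assertion from the request earlier on this page; the registered issuer name and token endpoint alias are assumed values that match that sample. It checks claims only: verifying the RS256 signature against the Identity Provider's public certificate is the server's job and is not implemented here.

```python
import base64
import json
import time

# The assertion from this page's sample request (header {"alg":"RS256"}, iss "jwtIDP").
SAMPLE_ASSERTION = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJleHAiOjE0NTgxNjY5ODUsInN1YiI6ImFkbWluIiwibmJmIjoxNDU4MTA2OTg1LCJhdWQiOlsiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwid3NvMi1JUyJdLCJpc3MiOiJqd3RJRFAiLCJqdGkiOiJUb2tlbjU2NzU2IiwiaWF0IjoxNDU4MTA2OTg1fQ."
    "ZcxdoTVEsWoil80ne42QzmsfelMWyjRZJEjUK1c2vMZJjjtrZnsWExyCA5tN6iXYFAXC_7rkFuuNSgOlBi51MNLPZw3WcgGI52j6apGEW92V2tib9zRRWOeLQLAdo8ae8KzLp7kuKZ2XunfQ2WYU9TvvLDm_vp5ruuYz3ZZrJOc"
)
# Assumed IdP configuration, mirroring the Identity Provider Name and Alias steps above.
REGISTERED_ISSUERS = {"jwtIDP"}
TOKEN_ENDPOINT_ALIAS = "https://localhost:9443/oauth2/token"

def b64url_decode(segment):
    # JWT segments omit '=' padding; restore it so urlsafe_b64decode accepts them.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_jwt(assertion):
    """Split a compact JWT into (header dict, payload dict, raw signature bytes)."""
    parts = assertion.split(".")
    if len(parts) != 3:  # the assertion parameter MUST carry exactly one JWT
        raise ValueError("assertion must be a single header.payload.signature JWT")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])

def validate_claims(payload, issuers=REGISTERED_ISSUERS, alias=TOKEN_ENDPOINT_ALIAS, now=None):
    """Apply the mandatory/optional claim rules; returns (accepted, reason). No signature check."""
    now = time.time() if now is None else now
    for claim in ("iss", "sub", "aud", "exp"):
        if claim not in payload:
            return False, "missing mandatory claim: " + claim
    if payload["iss"] not in issuers:
        return False, "iss is not a registered Identity Provider"
    aud = payload["aud"] if isinstance(payload["aud"], list) else [payload["aud"]]
    if alias not in aud:
        return False, "aud does not include the token endpoint alias"
    if now >= payload["exp"]:
        return False, "JWT has expired (exp)"
    if "nbf" in payload and now < payload["nbf"]:
        return False, "JWT is not yet valid (nbf)"
    return True, "accepted"

if __name__ == "__main__":
    hdr, claims, _sig = parse_jwt(SAMPLE_ASSERTION)
    print(hdr["alg"], claims["iss"], validate_claims(claims, now=claims["nbf"] + 1))
```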
