This documentation is for WSO2 Identity Server 5.4.0. View documentation for the latest release.

Grant types are used to authorize access to protected resources in different ways. This section lists the main OAuth2 grant types supported by WSO2 Identity Server.


Identity Server 5.4.0 provides more control over issuing ID tokens and user claims for the client-credential grant type. To facilitate this, add the following configuration to identity.xml to register new ScopeHandlers and ScopeValidators.

<OAuth>
....
    <ScopeHandlers>
        <ScopeHandler class="org.fully.qualified.class.name.CustomScopeHandler">
           <Property name="foo">foo-value</Property>
        </ScopeHandler>
    </ScopeHandlers>

    <ScopeValidators>
        <ScopeValidator class="org.fully.qualified.class.name.ExtendedScopeValidator" scopesToSkip="scope1 scope2">
            <Property name="foo-property">foo-value</Property>
        </ScopeValidator>
    </ScopeValidators>
....
</OAuth>

Setting <IdTokenAllowed> to 'true' or 'false' along with the above configuration turns the issuing of ID tokens on or off for grant types with the 'openid' scope. By default, IdTokenAllowed is set to 'true', which allows id_tokens to be issued for all grant types with the 'openid' scope. Setting it to 'false' stops ID tokens from being issued. For authorization_code, however, you cannot turn off the issuing of ID tokens.

Setting <IsRefreshTokenAllowed> to 'true' or 'false' along with the above configuration turns the issuing of refresh tokens on or off. By default, IsRefreshTokenAllowed is set to 'true', which allows refresh tokens to be issued for all grant types. Setting it to 'false' stops refresh tokens from being issued.

<SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
    <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
    <IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>

Note that issuing ID tokens is disabled for the client_credentials grant type by default.
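
The following check is an added example, not part of the WSO2 documentation or code base. It reads the <SupportedGrantType> entries of an identity.xml and reports what each grant type actually issues under the rules above: an absent flag counts as 'true', and authorization_code always issues ID tokens. The sample XML is constructed, and treating any value other than 'true' as false is an assumption.

```python
import xml.etree.ElementTree as ET

# Constructed sample (not a shipped identity.xml); only elements named on this page.
SAMPLE_IDENTITY_XML = """<OAuth>
  <SupportedGrantType>
    <GrantTypeName>authorization_code</GrantTypeName>
    <IdTokenAllowed>false</IdTokenAllowed>
  </SupportedGrantType>
  <SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <IdTokenAllowed>false</IdTokenAllowed>
  </SupportedGrantType>
</OAuth>"""

def _local(tag):
    return tag.rsplit("}", 1)[-1]  # drop any "{namespace}" prefix

def _flag(entry, name):
    # Absent element counts as true (the default this page states).
    for child in entry:
        if _local(child.tag) == name:
            return (child.text or "").strip().lower() == "true"  # assumed parsing
    return True

def effective_token_policy(xml_text):
    policy = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "SupportedGrantType":
            continue
        grant = next(((c.text or "").strip() for c in el if _local(c.tag) == "GrantTypeName"), "")
        configured = _flag(el, "IdTokenAllowed")
        policy[grant] = {
            "id_token": configured or grant == "authorization_code",  # cannot be turned off
            "refresh_token": _flag(el, "IsRefreshTokenAllowed"),
            "id_token_setting_ignored": grant == "authorization_code" and not configured,
        }
    return policy

def audit(policy):
    notes = []
    for grant, p in sorted(policy.items()):
        if p["id_token_setting_ignored"]:
            notes.append(f"{grant}: IdTokenAllowed=false is ignored, ID tokens are still issued")
        if grant == "client_credentials" and (p["id_token"] or p["refresh_token"]):
            notes.append(f"{grant}: differs from this page's example, which sets both flags to false")
    return notes
```

Calling audit(effective_token_policy(SAMPLE_IDENTITY_XML)) returns two notes: the ignored IdTokenAllowed on authorization_code, and the client_credentials entry that still issues refresh tokens because <IsRefreshTokenAllowed> was omitted.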
