This documentation is for WSO2 Identity Server 5.3.0 . View documentation for the latest release.

This page provides information and instructions on how to enable OAuth2 token encryption in order to protect the OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes. Follow the instructions given below to set this up. 

  • This functionality is available with the WSO2 WUM update released on 15/02/2018. For more information on how to update your pack using WUM, see Updating WSO2 Products.
  • Note that you can only deploy a WUM update into production if you have a paid subscription.
  • This update has been tested internally. However, we recommend that you test it in your own development/test environment as well before applying it to the production setup.
  1. Change the TokenPersistenceProcessor as shown below in the <IS_HOME>/repository/conf/identity/identity.xml file under the <OAuth> tag to enable token encryption. 

    <TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor</TokenPersistenceProcessor>
  2. Add a carbon.properties file (if it does not already exist) to the <IS_HOME>/repository/conf folder, and add the following property to it to configure RSA with OAEP as the custom cipher transformation.

    org.wso2.CipherTransformation=RSA/ECB/OAEPwithSHA1andMGF1Padding
  3. Run the following commands against the database to enable OAuth token hashing and encryption.

    1. Add hash columns.

      H2 / MySQL / Oracle / PostgreSQL / DB2 / MSSQL
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ADD ACCESS_TOKEN_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ADD REFRESH_TOKEN_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE ADD AUTHORIZATION_CODE_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS ADD CONSUMER_SECRET_HASH VARCHAR(255);
    2. Create indexes.

      H2 / MySQL / DB2 / PostgreSQL / MSSQL / Oracle
      CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH);
      CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH,CONSUMER_KEY_ID);
    3. Increase the column size.

      Note: If these columns are already wider than VARCHAR(2048), skip this step. Run only the statements written for your database.

      MySQL / Oracle
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN MODIFY REFRESH_TOKEN VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN MODIFY ACCESS_TOKEN VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE MODIFY AUTHORIZATION_CODE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS MODIFY CONSUMER_SECRET VARCHAR(2048);

      PostgreSQL
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN REFRESH_TOKEN TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN ACCESS_TOKEN TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE ALTER COLUMN AUTHORIZATION_CODE TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS ALTER COLUMN CONSUMER_SECRET TYPE VARCHAR(2048);

      DB2
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN REFRESH_TOKEN SET DATA TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN ACCESS_TOKEN SET DATA TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE ALTER COLUMN AUTHORIZATION_CODE SET DATA TYPE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS ALTER COLUMN CONSUMER_SECRET SET DATA TYPE VARCHAR(2048);

      MSSQL / H2
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN REFRESH_TOKEN VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ALTER COLUMN ACCESS_TOKEN VARCHAR(2048);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE ALTER COLUMN AUTHORIZATION_CODE VARCHAR(2048);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS ALTER COLUMN CONSUMER_SECRET VARCHAR(2048);

Note: With this WUM update, WSO2 Identity Server also hashes access tokens, refresh tokens, authorization codes, and client secrets. By default it uses the SHA-256 algorithm for hashing. To use a different hashing algorithm, do the following:

Enable the following configuration within the <OAuth> root tag in the <IS_HOME>/repository/conf/identity/identity.xml file and set the algorithm name accordingly. WSO2 Identity Server supports the hashing algorithms supported by MessageDigest. For more information about supported hashing algorithms, see MessageDigest Algorithms.

<HashAlgorithm>SHA-256</HashAlgorithm>
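As an added illustration (example code, not WSO2's own), the following Python shows why the update pairs each encrypted column with a hash column and index (steps 3.1 and 3.2), why the columns are widened to 2048 characters (step 3.3), and where the configurable hash algorithm from the note above fits in. The JSON layout of the stored hash and the sample tokens are assumptions, not taken from the page; the RSA encryption itself is left to the server.

```python
import hashlib
import json
import math

# Added illustration, not WSO2 code. The size figures follow from the
# transformation the page configures: RSA/ECB/OAEPwithSHA1andMGF1Padding.
SHA1_LEN = 20        # hLen of SHA-1 in bytes (the OAEP hash)
COLUMN_WIDTH = 2048  # VARCHAR(2048) set in step 3.3


def oaep_max_plaintext_bytes(modulus_bits: int) -> int:
    """Largest message RSA-OAEP(SHA-1) can encrypt under a k-byte modulus: k - 2*hLen - 2."""
    return modulus_bits // 8 - 2 * SHA1_LEN - 2


def base64_ciphertext_chars(modulus_bits: int) -> int:
    """An RSA ciphertext is exactly k bytes; Base64 needs 4*ceil(k/3) characters to hold it."""
    k = modulus_bits // 8
    return 4 * math.ceil(k / 3)


def fits_schema(token: str, modulus_bits: int) -> dict:
    """Check a candidate token against the OAEP plaintext limit and the widened column."""
    return {
        "plaintext_ok": len(token.encode("utf-8")) <= oaep_max_plaintext_bytes(modulus_bits),
        "column_ok": base64_ciphertext_chars(modulus_bits) <= COLUMN_WIDTH,
    }


def lookup_hash(token: str, algorithm: str = "SHA-256") -> str:
    """Deterministic digest for the *_HASH columns; algorithm is a MessageDigest name.
    Assumption: stored as JSON with 'hash' (hex digest) and 'algorithm' keys."""
    digest = hashlib.new(algorithm.replace("-", "").lower(), token.encode("utf-8")).hexdigest()
    return json.dumps({"hash": digest, "algorithm": algorithm}, separators=(",", ":"))


class TokenTable:
    """In-memory stand-in for IDN_OAUTH2_ACCESS_TOKEN. OAEP is randomised, so the
    ciphertext column cannot be compared for equality; lookups go through the
    hash column, which is what the IDX_ATH index covers."""

    def __init__(self):
        self.rows = []

    def insert(self, token_id: str, ciphertext: str, token: str) -> None:
        self.rows.append({"TOKEN_ID": token_id, "ACCESS_TOKEN": ciphertext,
                          "ACCESS_TOKEN_HASH": lookup_hash(token)})

    def find_by_token(self, token: str):
        wanted = lookup_hash(token)
        return next((r for r in self.rows if r["ACCESS_TOKEN_HASH"] == wanted), None)
```

With the default 2048-bit keystore key the ciphertext occupies 344 Base64 characters and the plaintext limit is 214 bytes, so opaque UUID-style tokens fit comfortably while a long self-contained token would not.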