This page provides information and instructions on how to enable OAuth2 token encryption in order to protect the OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes. Follow the instructions given below to set this up.
- This functionality is available with the WSO2 WUM Update released on 15/02/2018. For more information on how to update your pack using WUM, see Updating WSO2 Products.
- Note that you can only deploy a WUM update into production if you have a paid subscription.
- This update has been tested internally. However, we recommend that you test it in your own development/test environment as well before applying it to the production setup.
Configure the TokenPersistenceProcessor as shown below in the <IS_HOME>/repository/conf/identity/identity.xml file, under the <OAuth> tag, to enable token encryption.
Add a carbon.properties file (if it does not already exist) to the <IS_HOME>/repository/conf folder, and add the following property to it to configure the RSA algorithm with OAEP as the custom cipher transformation.
Run the following commands against the database to enable OAuth token hashing and encryption.
Add hash columns.
Increase the column size.
Note: If you have already configured the column size to a value greater than the one configured below, skip this step.
Note: With this WUM update, WSO2 Identity Server also hashes access tokens, refresh tokens, authorization codes, and client secrets. By default, it uses the SHA-256 algorithm for hashing. To use a different hashing algorithm, do the following:
Enable the following configuration within the <OAuth> tag in the <IS_HOME>/repository/conf/identity/identity.xml file and set the algorithm name accordingly. WSO2 Identity Server supports any hashing algorithm that Java's MessageDigest supports. For the list of supported algorithms, see MessageDigest Algorithms.
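The storage model behind the steps above, as an added illustrative example: this is not WSO2 code, and the class, method names and the in-memory stand-in for the database columns are invented for the demonstration. It is written in Java because the cipher transformation and the MessageDigest names on this page are JCA names. It assumes RSA with OAEP (SHA-1/MGF1) as the transformation, SHA-256 as the digest, and a 2048-bit key. It shows two things the page states but does not explain: why a hash column is added alongside the encrypted value (RSA-OAEP is randomized, so the same token encrypts to a different ciphertext every time and cannot be looked up by ciphertext, while its digest is stable), and why the token columns have to grow (a 2048-bit RSA ciphertext is always 256 bytes, 344 Base64 characters, regardless of the token's own length).

```java
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import javax.crypto.Cipher;

/**
 * Illustrative "hash for lookup, encrypt for storage" token persistence.
 * Example code only; not WSO2 Identity Server code. Names are invented.
 */
public class TokenStoreDemo {

    // Assumed values mirroring the two configurable settings on this page:
    // the JCA cipher transformation (RSA with OAEP) and the MessageDigest name.
    static final String CIPHER_TRANSFORMATION = "RSA/ECB/OAEPWithSHA-1AndMGF1Padding";
    static final String HASH_ALGORITHM = "SHA-256";

    private final KeyPair keyPair;
    // Constructed in-memory stand-in for the two database columns:
    // hash column (lookup key) -> encrypted token column (stored value)
    private final Map<String, String> rows = new HashMap<>();

    TokenStoreDemo(KeyPair keyPair) { this.keyPair = keyPair; }

    /** Deterministic fingerprint: the same token always yields the same hash, so it can be a lookup key. */
    static String hash(String token, String algorithm) throws NoSuchAlgorithmException {
        MessageDigest md = MessageDigest.getInstance(algorithm);
        byte[] digest = md.digest(token.getBytes(StandardCharsets.UTF_8));
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    /** RSA-OAEP is randomized: encrypting the same token twice gives two different ciphertexts. */
    String encrypt(String token) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER_TRANSFORMATION);
        c.init(Cipher.ENCRYPT_MODE, keyPair.getPublic());
        return Base64.getEncoder().encodeToString(c.doFinal(token.getBytes(StandardCharsets.UTF_8)));
    }

    String decrypt(String ciphertextB64) throws Exception {
        Cipher c = Cipher.getInstance(CIPHER_TRANSFORMATION);
        c.init(Cipher.DECRYPT_MODE, keyPair.getPrivate());
        return new String(c.doFinal(Base64.getDecoder().decode(ciphertextB64)), StandardCharsets.UTF_8);
    }

    /** Persist a token: the hash goes in the lookup column, the ciphertext in the token column. */
    void store(String token) throws Exception {
        rows.put(hash(token, HASH_ALGORITHM), encrypt(token));
    }

    /** Validate a presented token by hashing it and looking the hash up; no plaintext is ever stored. */
    boolean isValid(String presented) throws Exception {
        String enc = rows.get(hash(presented, HASH_ALGORITHM));
        return enc != null && decrypt(enc).equals(presented);
    }

    public static void main(String[] args) throws Exception {
        KeyPairGenerator kpg = KeyPairGenerator.getInstance("RSA");
        kpg.initialize(2048); // assumed key size for the length figures below
        TokenStoreDemo store = new TokenStoreDemo(kpg.generateKeyPair());

        String token = "constructed-sample-access-token-0123456789"; // constructed input
        store.store(token);
        System.out.println("valid (correct token):  " + store.isValid(token));
        System.out.println("valid (tampered token): " + store.isValid(token + "x"));

        // Why the token columns must grow: a 2048-bit RSA-OAEP ciphertext is always
        // 256 bytes (344 Base64 characters) however short the token; SHA-256 hex is 64 characters.
        System.out.println("plaintext length:  " + token.length());
        System.out.println("ciphertext length: " + store.encrypt(token).length());
        System.out.println("hash length:       " + hash(token, HASH_ALGORITHM).length());

        // Why a separate hash column exists: two encryptions of the same token differ,
        // so the ciphertext cannot be used as a lookup key.
        System.out.println("ciphertexts equal: " + store.encrypt(token).equals(store.encrypt(token)));

        // A MessageDigest name the JVM does not support fails loudly rather than silently.
        try {
            hash(token, "NOT-A-DIGEST");
        } catch (NoSuchAlgorithmException e) {
            System.out.println("unsupported hash algorithm rejected: " + e.getMessage());
        }
    }
}
```

Two practical consequences follow from this model. First, if you switch the hash algorithm to one with a longer digest (SHA-512 produces 128 hex characters, twice the SHA-256 length), the hash columns you add in the database step must be wide enough for it. Second, the ciphertext length is fixed by the RSA key size in the keystore, not by the token, so a larger key means proportionally wider token columns; check the column sizes from the database step against the key actually configured before going to production.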