WSO2 Identity Server (WSO2 IS) supports passing OIDC authentication request parameters in a self contained JWT, instead of passing plain request parameters. For more information on OIDC request object support in WSO2 IS, see Request Object Support in WSO2 Identity Server.
A JWT that contains a set of request parameters as its claims is known as a request object.
This tutorial includes the following sections that walk you through the procedure you need to follow to pass OIDC authentication request parameters in a request object via WSO2 IS:
- Download and install WSO2 Identity Server. For detailed information on how to install WSO2 IS, see Installing the Product.
- Download and install Apache Tomcat 7.x.
- Set up the playground sample. For instructions on how to set up the playground sample, see Basic Client Profile with Playground.
- Follow the steps below to configure a public certificate for the service provider:
Execute the following command from the
<IS_HOME>/repository/resources/securitydirectory to create a new keystore:
Execute the following command to export the public key of the new keystore to a file, named with the client-id of the OAuth application.
This prompts for the keystore password.
wso2carbonas the password.
Execute the following command to retrieve the certificate in X509 format:
You will see the public certificate in X509 format on the terminal.
Copy the content of the certificate.
- On the Management Console, go to Service Providers -> List, and Edit the service provider that you created when setting up the playground sample.
- Paste the certificate content that you copied as the Application Certificate of the service provider.
- Click Update.
- Follow the steps below to configure claims:
Add two new external claims as follows for the
http://wso2.org/oidc/claimdialect. For detailed instructions on how to add a new claim mapping to a claim dialect, see Adding Claim Mapping.
customClaim2are selected as claim URIs because those are not configured as requested claims in the OIDC scope. For the purpose of testing, these claims are mapped to existing http://wso2.org/claims/challengeQuestion1 and http://wso2.org/claims/challengeQuestion2 local claims. If necessary you can create two new local claims for this purpose.
- Edit the service provider that you created above, expand Claim Configuration, and add the following as Requested Claims:
- Click Update.
- Create a new user with the name
tom, and enter values for the email, country, challenge Question1 as well as challenge Question 2 in the user profile. For detailed instructions on creating a user and customizing a user's profile, see Configuring Users.
https://jwt.io/ for this)Create a JWT with the following payload and sign(RSA256) it with the private key of the keystore created in step 2. (You can use
This creates a signed request object.
Testing the flow
- To test the flow without a signed request object, specify the
authorization_codegrant type for the user, and use the OIDC scope from the playground application to obtain an
id_token. Then retrieve user information using the access token.
To test the flow with a signed request object, use the
authorization_codegrant for the user, and specify the authentication endpoint as
https://localhost:9443/oauth2/authorize?request=<JWT>. Next, obtain the
id_tokenand retrieve user information.
The JWT used here is the signed JWT created in step 5 of the procedure given above.
Analyzing the response
When you analyze the responses of the two tests, you will observe that together with
customClaim2 retrieved in the userinfo response, an additional claim
customClaim1 is retrieved via the
id_token when you configure the authorization code flow with a signed request object.