Versions Compared

Old Version 2

changes.mady.by.user Former user

Saved on

compared with

New Version 3

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The JSON Web Token(JWT) bearer grant is simply a JSON string containing claim values. The JWT Grant Handler will evaluate and validate the claims in the JWT token, and issue an access token at the Authorization Server end.

...

Table of Contents

The Flow

Configuring the JWT grant

Image Added


A client can exchange a JWT token to an OAuth 2.0 access token using this grant type.  Once an application is created in the API Store, keys for the application must be generated. When the keys are generated, there will be a Service Provider created on the WSO2 API Manager.  The service provider is  the way that the WSO2 API Manager server obtains information of the application created on the API Store.  There needs to be an Identity Provider configuration corresponding to the IDP which creates and signs the JWT assertion,  created on the WSO2 APIM Server as well. This is required so that the server can identify the issuer of the JWT and obtain the public certificate of the IDP, inorder to validate the JWT. 

When a request is made to the token endpoint with the grant type, the JWT assertion, the client key and client  secret, the WSO2 APIM Server will read the grant type and trigger the JWT Bearer Grant Handler. This handler will check for the issuer of the JWT token and retrieve the IDP configuration. It will then obtain the public certificate of the IDP  stored in the IDP configration, and validate the JWT. Once the JWT is validated, it will create an OAuth2.0 access token for the application holding the provided client key and client secret.  

Configuring the  Identity Provider and the Service Provider

  1. Sign in to the WSO2 API Store.
  2. Create a new application if an application is not available already.
  3. Generate keys for the application.
  4. Sign in to the WSO2 API Manager. Enter your username and password to log on to the Management Console (https://localhost:9443/carbon). 
  5. Navigate to the Identity Providers section under the Main tab of the management console and click Add.
  6. Provide the following values to configure the IDP:
    • Identity Provider Name: Enter an the JWT issuer name as the identity provider name. This is used to generate the JWT assertion.

    • Identity Provider Public Certificate: The certificate used to sign the JWT assertion. 

      Info
      titleIdentity provider Public Certificate

      The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider.

      This can be any certificate. If the identity provider is another API Manager or Identity Server, this can be a wso2.crt file.

      To create the identity provider certificate from the wso2carbon.jks file, follow the steps below.

      1. Open your Command Line interface, go to the <APIM_HOME>/repository/resources/security/directory. Run the following command.

      Code Block
      keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon

      2. Once you run this command, the wso2.crt file is generated and can be found in the <APIM_HOME>/repository/resources/security/ directory. Click Choose File and navigate to this location in order to select and upload this file.

      See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information on how public keys work and how to sign these keys by a certification authority.
    • Alias: Give the name of the alias if the Identity Provider identifies this token endpoint by an alias (e.g., https://localhost:9443/oauth2/token). For more information, see Adding a new identity provider.

  7. Navigate to the Main menu to access the Identity menu. Click Add under Click List under Service Providers.
  8. Fill in the Service Provider Name and provide a brief Description of the service provider. See Adding a Service Provider for more information.
  9. Expand the OAuth/OpenID Connect Configuration and click Configure.
  10. Enter a Callback URL. For example, use http://localhost:8080/playground2/oauth2client and click Add
    The OAuth Client Key and OAuth Client Secret will now be visible.
    Image RemovedCheck if there is a Service provider listed for the application used to generate the keys in step 3.  The Service Provider name will have the  format <application owner>_<application name>_<generated key type>
    Image Added


Using the JWT grant

The cURL commands below can be used to retrieve the access token and refresh the token using a JWT.

Code Block
titleRequest
curl -i -X POST -u <clientid>:<clientsecret> -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=<JWT>' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token
  • The -u flag should specify the “<Client Id>:<Client Secret>” value.

...

  •  The assertion parameter value is the signed base64 encoded JWT.

...

  • The value of the assertion parameter MUST contain a single JWT. You can refer Copy of JWT Grant for more information about assertion.

Info

If you have configured the service provider and identity provider in a tenant, you have to add the tenant domain as a query parameter to the access token endpoint.

If the tenant domain is wso2.com, the access token endpoint will be as follows.

Code Block
Access Token Endpoint: https://localhost:9443/oauth2/token?tenantDomain=wso2.com


Sample

Request

Code Block
titleSample request
curl -i -X POST -H 'Content-Type: application/x-www-form-urlencoded' -u bBhEoE2wIpU1zB8HA3GfvZz8xxAa:RKgXUC3pTRQg9xPpNwyuTPGtnSQa -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJleHAiOjE0NTgxNjY5ODUsInN1YiI6ImFkbWluIiwibmJmIjoxNDU4MTA2OTg1LCJhdWQiOlsiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwid3NvMi1JUyJdLCJpc3MiOiJqd3RJRFAiLCJqdGkiOiJUb2tlbjU2NzU2IiwiaWF0IjoxNDU4MTA2OTg1fQ.ZcxdoTVEsWoil80ne42QzmsfelMWyjRZJEjUK1c2vMZJjjtrZnsWExyCA5tN6iXYFAXC_7rkFuuNSgOlBi51MNLPZw3WcgGI52j6apGEW92V2tib9zRRWOeLQLAdo8ae8KzLp7kuKZ2XunfQ2WYU9TvvLDm_vp5ruuYz3ZZrJOc' https://localhost:9443/oauth2/token

Response

You would have now received the response from the token endpoint. The response would contain the access token, refresh token, expiry time and token type. 

Code Block
titleSample response
{"token_type":"Bearer","expires_in":3600,"refresh_token":"b1b4b78e2b0ef4956acb90f2e38a8833","access_token":"615ebcc943be052cf6dc27c6ec578816"} 

The JWT

...

Assertion

JWT contains three parts that are separated by dots ".": header, payload, and a signature. The header identifies the algorithm used to generate the signature.

...

Code Block
languagegroovy
titleSample payload
{  
   "sub":"admin",
   "aud":[  
      "https://localhost:9443/oauth2/token"
   ],
   "nbf":1507546100,
   "iss":"jwtIDP",
   "exp":1507606100,
   "iat":1507546100,
   "jti":"Token56756"
}

The signature is calculated by base64 URL encoding the header and payload and concatenating them with a period as a separator and signing it:

Code Block
Signature = sign(encodeBase64(header) + '.' + encodeBase64(payload))

The signature must then be base64 URL encoded. JWT assertion can be generated by concatenating these three encoded values with a separator dot ".".

Code Block
assertion =  encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature)

...