The JSON Web Token(JWT) is simply a JSON string containing claim values. The JWT Bearer grant handler will evaluate and validate the claims in the JWT token, and issue an access token at the Authorization Server end.

...

A client can exchange a JWT token for an OAuth 2.0 access token using this grant type. Once an application is created on the API Store, keys for the application must be generated. When the keys are generated, a Service Provider is created on the WSO2 API Manager. The service provider entity is used by the WSO2 APIM server to obtain information about the application created on the API Store. There also needs to be an Identity Provider configuration on the WSO2 APIM Server corresponding to the IDP that creates and signs the JWT assertion. This is required so that the server can identify the issuer of the JWT and obtain the public certificate of the IDP in order to validate the JWT.

When a request is made to the token endpoint with the grant type, the JWT assertion, the client key and the client secret, the WSO2 APIM Server will read the grant type and trigger the JWT Bearer Grant Handler. This handler will check the issuer of the JWT token and retrieve the matching IDP configuration. It will then obtain the public certificate of the IDP stored in the IDP configuration and validate the JWT. Once the JWT is validated, it will create an OAuth 2.0 access token for the application holding the provided client key and client secret.

...

Sample payload:

{
   "sub":"admin",
   "aud":[
      "https://localhost:9443/oauth2/token"
   ],
   "nbf":1507546100,
   "iss":"jwtIDP",
   "exp":1507606100,
   "iat":1507546100,
   "jti":"Token56756"
}

The signature is calculated by base64 URL encoding the header and the payload, concatenating them with a period as the separator, and signing the result:

Signature = sign(encodeBase64(header) + '.' + encodeBase64(payload))

The signature must then be base64 URL encoded. The JWT assertion is generated by concatenating these three encoded values with a dot "." as the separator.

assertion = encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature)
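The construction above and the grant handler's validation steps (issuer lookup, signature check against the issuer's key, audience and time-window checks), as an added example that is not WSO2 code. It assumes a constructed IDP_REGISTRY standing in for the server's Identity Provider configuration and uses HMAC-SHA256 because the standard library has no RSA; the real handler verifies an RS256 signature with the IDP's public certificate.

```python
import base64, hashlib, hmac, json

def b64url_encode(data: bytes) -> str:
    # JWT uses base64url without padding
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

# Constructed stand-in for the IDP configuration on the APIM server,
# keyed by the issuer name expected in the "iss" claim (HMAC key here;
# the real server stores the IDP's public certificate).
IDP_REGISTRY = {"jwtIDP": b"constructed-shared-secret-for-jwtIDP"}
ALG = "HS256"

def sign(signing_input: bytes, key: bytes) -> bytes:
    return hmac.new(key, signing_input, hashlib.sha256).digest()

def build_assertion(payload: dict, key: bytes) -> str:
    """assertion = b64(header) + '.' + b64(payload) + '.' + b64(signature)."""
    header = {"alg": ALG, "typ": "JWT"}
    enc_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    enc_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    return f"{enc_header}.{enc_payload}.{b64url_encode(sign(signing_input, key))}"

def validate_assertion(assertion: str, expected_aud: str, now: int) -> dict:
    """Mirror the grant handler's checks; raise ValueError on any failure."""
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion must have exactly three dot-separated parts")
    enc_header, enc_payload, enc_sig = parts
    header = json.loads(b64url_decode(enc_header))
    if header.get("alg") != ALG:  # never trust the token's own alg ("none", alg swap)
        raise ValueError(f"unexpected alg: {header.get('alg')!r}")
    payload = json.loads(b64url_decode(enc_payload))
    issuer = payload.get("iss")
    if issuer not in IDP_REGISTRY:  # issuer must map to a configured IDP
        raise ValueError(f"unknown issuer: {issuer!r}")
    signing_input = f"{enc_header}.{enc_payload}".encode("ascii")
    expected_sig = sign(signing_input, IDP_REGISTRY[issuer])
    if not hmac.compare_digest(expected_sig, b64url_decode(enc_sig)):
        raise ValueError("signature verification failed")
    aud = payload.get("aud", [])
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    if now >= payload.get("exp", 0):
        raise ValueError("assertion expired")
    if now < payload.get("nbf", 0):
        raise ValueError("assertion not yet valid")
    return payload
```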

...