...
WSO2 API Manager, as an OAuth 2.0 Authorization Server with its Key Manager features, can accept JWT assertions from OAuth 2.0 clients as a means of resource owner authentication and authorization. Additionally, it can exchange the JWT for an OAuth 2.0 access token in order to access protected resources on behalf of the resource owner.
...
- Sign in to the WSO2 API Store (https://localhost:9443/store).
- Create a new application if the required application is not already available.
- Generate the production and/or sandbox keys for the application.
- Sign in to the WSO2 API Manager Management Console (https://localhost:9443/carbon).
- Navigate to the Identity Providers section under the Main tab of the management console and click Add.
- Provide the following values to configure the IdP:
- Identity Provider Name: Enter the JWT issuer name as the identity provider name. This is the issuer value used when generating the JWT assertion.
- Identity Provider Public Certificate: The certificate used to sign the JWT assertion.
  The Identity Provider Public Certificate is the public certificate belonging to the identity provider. You need to upload this certificate in order to authenticate the response from the identity provider. This can be any certificate. If the identity provider is another API Manager or Identity Server, this can be a wso2.crt file. Follow the steps below to create the identity provider certificate from the wso2carbon.jks file:
  Open your command-line interface, go to the <APIM_HOME>/repository/resources/security directory, and run the following command to generate the wso2.crt file.
  keytool -export -alias wso2carbon -file wso2.crt -keystore wso2carbon.jks -storepass wso2carbon
  You can find the generated wso2.crt file in the <APIM_HOME>/repository/resources/security directory. Click Choose File, navigate to the location of the wso2.crt file, select the file and upload it.
  For more information on how public keys work and how to sign these keys using a certification authority, see Using Asymmetric Encryption in the WSO2 Administration Guide.
- Alias: If the Identity Provider identifies this token endpoint by an alias (e.g., https://localhost:9443/oauth2/token), enter the name of the alias.
For more information, see Adding and Configuring an Identity Provider in the WSO2 Identity Server documentation.
- Navigate to the Main menu to access the Identity menu. Click List under Service Providers.
- Check if there is a Service Provider listed for the application, which you used to generate the keys in step 3. The Service Provider name will have the following format.
<application owner>_<application name>_<generated key type>
Using the JWT grant
After you have configured the prerequisites required to use the JWT Bearer grant, you can use the following cURL command to retrieve an access token and a refresh token using a JWT.
...