
This section describes the IS 5.4.0 support for various endpoints.

The JSON Web Key Set (JWKS) endpoint is a read-only endpoint that returns the Identity Server's public key set in the JWKS format. This contains the signing key(s) that the Relying Party (RP) uses to validate signatures from the Identity Server.

For more information on this endpoint, see the OpenID Connect Discovery specification.

Let's take a look at the endpoints used in WSO2 Identity Server (WSO2 IS):


Tip: Before you begin!
Make sure to start WSO2 IS before you try out the endpoints.

The endpoint URL for the super tenant

Endpoint URL
Copy the following URL to your browser: https://<IS_HOST>:<IS_HTTPS_PORT>/oauth2/jwks

Info
  • By default, <IS_HOST> is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.
  • By default, <IS_HTTPS_PORT> has been set to 9443. However, if the port offset has been incremented by n, the default port value needs to be incremented by n.

Example: https://localhost:9443/oauth2/jwks

For tenants, the tenant path is inserted before the endpoint path, for example: https://localhost:9443/t/test.com/oauth2/jwks

Request
A plain GET to the URL above; no parameters or body are required.

Response
{
  "keys": [
    {
      "alg": "RS256",
      "e": "AQAB",
      "n": "AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5",
      "kty": "RSA",
      "use": "sig",
      "kid": "d0ec514a32b6f88c0abd12a2840699bdd3deba9d"
    }
  ]
}

ID Token contains the kid value

The header of the id_token contains a kid claim, which identifies the key that was used to sign the id_token. The same kid value identifies the matching key in the response of the jwks endpoint, and that key is used to validate the signature of the id_token.

Support for the "claims" Request Parameter

If the "claims" request parameter is used with an authorization request with the value 'userinfo' and 'essential=true', the defined claim is returned from the userinfo endpoint regardless of the requested scope. However, the claim must be a requested claim.

Example: https://localhost:9443/oauth2/authorize?response_type=token&client_id=XXXXXXXX&redirect_uri=http://localhost:8080/playground2&nonce=rrr&claims=userinfo&essential=true&scope=openid

The claims parameter is supported as specified in [1].

[1] http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter

Support for the "max_age" Request Parameter

...

The following request parameters are supported as well:

  • acr_value
  • request_uri
  • nonce
  • claims_locales

WSO2 Identity Server is shipped with a signed ID Token. The signature is provided in order to address some security vulnerabilities in a typical production environment. This topic provides information about using this signed ID Token for signature verification.

Info

The portions of each token are separated by a full stop. To see the exact JSON values, Base64 decode <header>.<body>.

  • An unsigned ID token contains only 2 portions:
    <header>.<body>

    Sample of an unsigned ID token:

    eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0

  • A signed ID token contains 3 portions:
    <header>.<body>.<signature>

    Sample of a signed ID token:

    eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg

Validating the ID token signature

The following code segment is a simple Java program that can be used to validate the ID token signature against the default wso2carbon.jks public key in WSO2 products.


...
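The Java program itself is not reproduced in this comparison; the following Python example, added here and not part of the WSO2 documentation, performs the equivalent check against a JWKS document (as returned by the endpoint above) instead of the wso2carbon.jks keystore: it selects the key whose kid matches the token header, rebuilds the RSA public key from the JWK n and e members, and verifies the RS256 signature using only the standard library. It assumes nothing beyond the token and JWKS formats shown on this page, and it rejects the two-segment <header>.<body> form, any alg other than RS256, and any kid absent from the key set.

```python
import base64
import hashlib
import json

# DER prefix of the SHA-256 DigestInfo structure (RFC 8017, section 9.2, note 1).
SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding of JWT segments and JWK values."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def emsa_pkcs1_v15(message: bytes, k: int) -> int:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(message) for a k-byte RSA modulus."""
    t = SHA256_DIGESTINFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("modulus too short for RS256")
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")


def find_signing_key(jwks: dict, kid: str) -> dict:
    """Select the RSA signing key whose kid matches the kid in the token header."""
    for key in jwks.get("keys", []):
        if key.get("kid") == kid and key.get("kty") == "RSA" and key.get("use", "sig") == "sig":
            return key
    raise ValueError("no RSA signing key with kid %r in the JWKS" % kid)


def verify_id_token(token: str, jwks: dict) -> dict:
    """Verify an RS256 ID token against a JWKS and return its claims.

    Rejects (ValueError) a token without <header>.<body>.<signature>, an alg other than
    RS256 (the token never chooses the algorithm), an unknown kid, or a bad signature."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("ID token must have three segments: <header>.<body>.<signature>")
    header = json.loads(b64url_decode(parts[0]))
    if header.get("alg") != "RS256" or "kid" not in header:
        raise ValueError("unexpected header: alg=%r kid=%r" % (header.get("alg"), header.get("kid")))
    key = find_signing_key(jwks, header["kid"])
    n = int.from_bytes(b64url_decode(key["n"]), "big")
    e = int.from_bytes(b64url_decode(key["e"]), "big")
    k = (n.bit_length() + 7) // 8
    sig = b64url_decode(parts[2])
    if len(sig) != k:
        raise ValueError("signature length does not match the modulus size")
    # RSASSA-PKCS1-v1_5 verify: s^e mod n must equal the encoded message exactly.
    expected = emsa_pkcs1_v15((parts[0] + "." + parts[1]).encode("ascii"), k)
    if pow(int.from_bytes(sig, "big"), e, n) != expected:
        raise ValueError("signature verification failed")
    return json.loads(b64url_decode(parts[1]))
```

Note that the first sample key on this page encodes n with a leading zero byte ("AJSn..."); int.from_bytes tolerates that, as it does for the later keys that omit it.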

Response from the JWKS endpoint
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "NTAxZmMxNDMyZDg3MTU1ZGM0MzEzODJhZWI4NDNlZDU1OGFkNjFiMQ",
      "alg": "RS256",
      "n": "luZFdW1ynitztkWLC6xKegbRWxky-5P0p4ShYEOkHs30QI2VCuR6Qo4Bz5rTgLBrky03W1GAVrZxuvKRGj9V9-PmjdGtau4CTXu9pLLcqnruaczoSdvBYA3lS9a7zgFU0-s6kMl2EhB-rk7gXluEep7lIOenzfl2f6IoTKa2fVgVd3YKiSGsyL4tztS70vmmX121qm0sTJdKWP4HxXyqK9neolXI9fYyHOYILVNZ69z_73OOVhkh_mvTmWZLM7GM6sApmyLX6OXUp8z0pkY-vT_9-zRxxQs7GurC4_C1nK3rI_0ySUgGEafO1atNjYmlFN-M3tZX6nEcA6g94IavyQ"
    }
  ]
}

Property value    Description
kty               The public key type.
e                 The exponent value of the public key.
use               Implies how the key is being used. The value sig represents signature.
kid               The thumbprint of the certificate. This value is used to identify the key that needs to be used to verify the signature.
alg               The algorithm used to encrypt the certificate.
n                 The modulus value of the public key.

The endpoint URL for tenants

Endpoint URL

Copy the following URL to your browser: https://<IS_HOST>:<IS_HTTPS_PORT>/t/<TENANT_DOMAIN>/oauth2/jwks

Info
  • By default, <IS_HOST> is localhost. However, if you are using a public IP, the respective IP address or domain needs to be specified.
  • By default, <IS_HTTPS_PORT> has been set to 9443. However, if the port offset has been incremented by n, the default port value needs to be incremented by n.
  • Enter your tenant domain for <TENANT_DOMAIN>.

Example: https://localhost:9443/t/foo.com/oauth2/jwks

Response
{
  "keys": [
    {
      "kty": "RSA",
      "e": "AQAB",
      "use": "sig",
      "kid": "MTk5NjA3YjRkNGRmZmI4NTYyMzEzZWFhZGM1YzAyZWMyZTg0ZGQ4Yw",
      "alg": "RS256",
      "n": "0OA-yiyn_pCKnldZBq2KPnGplLuTEtGU7IZP66Wf7ElhFJ-kQ87BMKvZqVNDV84MSY3XQg0t0yL6gITg-W8op61PWO2UrEcxhhMHN_rra22Ae2OCaUfOr43cW1YFc54cYj5p7v-HSVvjTuNLGMMrNfTGAOCPzuLxbSHfq62uydU"
    }
  ]
}

Property value    Description
kty               The public key type.
e                 The exponent value of the public key.
use               Implies how the key is being used. The value sig represents signature.
kid               The thumbprint of the certificate. This value is used to identify the key that needs to be used to verify the signature.
alg               The algorithm used to encrypt the certificate.
n                 The modulus value of the public key.