Access tokens are credentials used to access protected resources. Typically, an access token is a string representing an authorization issued to the client. The string is usually opaque to the client.
The OAuth 2.0 specification does specification does not mandate any particular implementation for access tokens but it mentions two possible strategies.
- The access token is an identifier that is hard to guess. For example, a randomly generated string of sufficient length, that the server handling the protected resource can use to lookup the associated authorization information.
- The access token self-contains the authorization information in a manner that can be verified. For example, by encoding authorization information along with a signature into the token.
...
Configuring WSO2 Identity Server to issue self-contained access tokens
The WSO2 Identity Server can be configured to issue self-contained access tokens that represent a signed JSON Web Token (JWT) with the following format.
| Panel |
|---|
<base64 encoded header>.<base64 encoded payload>.<signature> eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJhdWQiOlsiZGQ5VTNRRndORjJQUWZ2bEh6VGNTU3VOQzJ3YSJdLCJleHAiOjE1MTA4MTg5ODYsImlhdCI6MTUxMDgxNTM4NiwiYXpwIjoiZGQ5VTNRRndORjJQUWZ2bEh6VGNTU3VOQzJ3YSIsImp0aSI6ImU4NTM4ODM3LWM3NTctNDZlZC04M2YyLWRmYjU0YTliNDA5MCJ9.bi8N3Giqlk2Oo6bLQweZmMq0Slsst5kwIGJfaqzs5yDOj4OYShZ4yMqt3YAoCYJAT71lcTvRv6ykEQ6AORveG0K_OjWx4VsYnvgY_xwtUQpudxGJ-aEgJocbTvc5zbZ2a71LfWtH1aN_OcjbA6RH4RdKCMyZTR5lFfy5wxDzHLXusM2PMiVVJcXxNzJf3WNdPoKA3ntsMlZk1KjPzbApoPa_BkbU3_Bh9MJthQkvOa-aNJe6h4EDSi483EVahV4o6afSUbIDaWDdOzdeBPF7YO1NNsAioLzRbR75isScX28z1hyKaNwa3RJICjgQmsMCtmPyFER4WNdsLF8FOPsCuw |
The payload of the token will include following JWT claims:
...
In addition, for a user authorized, user claims can be obtained over this JWT as per OpenID Connect claim configurations, by configuring requested user claims in the OAuth service provider.
WSO2 Identity Server needs to be configured to issue above explained self-contained JWT access tokens as below.
Open the
<IS_HOME>/repository/conf/identity/identity.xmlfile and uncomment the following entry under<OAuth>element.Code Block language xml <IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>
- Restart the server.
- Configure an OAuth service provider.
Initiate an access token request to the WSO2 Identity Server, over a known grant type. For example, the following cURL command illustrates the syntax of an access token request that can be initiated over the Resource Owner Password Credential grant type.
<client id>:<client secret>cURL command Code Block language powershell title Request curl -u<CLIENT_ID>:<CLIENT_SECRET> -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>" -H "Content-Type:application/x-www-form-urlencoded" https://<IS_HOST>:<IS_HTTPS_PORT>/oauth2/token- Navigate to your service provider, expand Inbound Authenitcaion Configurations and expand OAuth/OpenID Connect Configuration.
- Copy the OAuth Client Key as the value for
<CLIENT_ID>. - Copy the OAuth Client Secret as the value for
<CLIENT_SECRET>.
- Copy the OAuth Client Key as the value for
- Enter the username and password of the user you want to get the token as the value for
<USERNAME>and<PASSWORD>respectively. - By default,
<IS_HOST>islocalhost.However, if you are using a public IP, the respective IP address or domain needs to be specified. - By default,
<IS_HTTPS_PORT>has been set to 9443. However, if the port offset has been incremented byn, the default port value needs to be incremented byn.
Response Code Block language powershell title Request curl -u <CLIENT_ID>:<CLIENT_SECRET> -k -d "grant_type=password&username=<username><USERNAME>&password=<password><PASSWORD>" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443<IS_HOST>:<IS_PORT>/oauth2/token
In response, the self-contained JWT access token will be returned as shown below.
Code Block title Response {"access_token":"eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhZG1pbiIsImF1ZCI6WyJkZDlVM1FGd05GMlBRZnZsSHpUY1NTdU5DMndhIl0sImF6cCI6ImRkOVUzUUZ3TkYyUFFmdmxIelRjU1N1TkMyd2EiLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJleHAiOjE1MTA4MjQ5MzUsImlhdCI6MTUxMDgyMTMzNSwianRpIjoiNDA1YjRkNGUtODUwMS00ZTFhLWExMzgtZWQ4NDU1Y2QxZDQ3In0.FCk3Wo8DnFEHb02JCd9BWAHQ48BBt3n2YLQV6TpLMpFvTRNCZJAA-aEH4LrE7oVejvGd7YWGDy2Vzb7x-Bpg7yMYxozUerCkMy_F4Iw_xctgEJ3WF_TTJFhISGNoWl-FXspM5d9EQvMvk0JxAovhE0HfXv5GCosGy-0oT7ShQrwZLBIwE9d0ceUcmly42dvDZSsqHDIz-PjrFzvpXwbZqq_sRFnh6MHlmmug7t1UCs85caoLhfSweaT0z7ED8P2Tsg_HgmnaaeDapszG6LckeBglqYwbRHy6X6LAcJfAkkwAlqrU0Vu4azsuE8BsLPKMYzu9ZeCoHdLHYdtz-I0yKQ","refresh_token":"5974cdcc-865e-3144-82c5-4f147ddcb519","token_type":"Bearer","expires_in":589}The access token you receive is a signed JSON Web Token (JWT) . Use a JWT decoder to decode the access token and you are able to see the payload of the token that includes following JWT claims:
Claim Name Type Claim Value iss string The issuer of the JWT. The '> Identity Provider Entity Id ' value of the OAuth2/OpenID Connect Inbound Authentication configuration of the Resident Identity Provider is returned here. aud string array The token audience list. The client identifier of the OAuth clients that the JWT is intended for, is sent herewith. azp string The autorized party for which the token is issued to. The client identifier of the OAuth client that the token is issued for, is sent herewith. iat integer The token issue time. exp integer The token expiration time. jti string Unique identifier for the JWT token. - Navigate to your service provider, expand Inbound Authenitcaion Configurations and expand OAuth/OpenID Connect Configuration.
| Info | ||
|---|---|---|
In addition, for a user authorized, user claims can be obtained over this JWT as per OpenID Connect claim configurations, by configuring requested user claims in the OAuth service provider. After configuring the service provider you can run the cURL command given below by providing the required details.
|