Versions Compared

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

The JSON Web Token (JWT) is simply a JSON string containing claim values. The JWT Bearer grant handler evaluates and validates the claims in the JWT token and then issues an access token at the Authorization Server end.

...

A client can exchange a JWT token for an OAuth 2.0 access token using the JWT Bearer grant type. A service provider (sp) and an identity provider (idp) are required on the WSO2 API Manager Server for the JWT Bearer grant type to work. The service provider gets automatically created on the WSO2 API Manager when you generate keys for an application available on the the API Store. The WSO2 APIM server uses the service provider entity to obtain information about the application created on the API Store. The identity provider configuration must be created explicitly on the API Manager via the management console. This configuration should contain details of the Identity provider (for e.g. WSO2 Identity Server or a third party Identity provider such as facebook Facebook etc.) who creates and signs the JWT assertion.  The WSO2 APIM Server uses the  Idp configuration to identify the issuer of the JWT and obtain the public certificate of the IDP, in order to validate the JWT. 

...

  • The -u flag should specify the “<Client Id>:<Client Secret>” value.
  • The assertion parameter value is the signed base64 encoded JWT. The value of the assertion parameter MUST contain a single JWT. See  JWT Assertion for more information about assertion.

...

Code Block
languagegroovy
titleSample payload
{  
   "sub":"admin",
   "aud":[  
      "https://localhost:9443/oauth2/token"
   ],
   "nbf":1507546100,
   "iss":"jwtIDP",
   "exp":1507606100,
   "iat":1507546100,
   "jti":"Token56756"
}


Generating the JWT assertion

  1. Deriving the signature.
    1. Encode the header and the payload separately using a base64 URL.
    2. Concatenate the encoded header and payload with a period and sign it to generate the signature.

      Code Block
      Signature = sign(encodeBase64(header) + '.' + encodeBase64(payload))
  2. . Encode the signature using base64 URL encoding.
  3. Generate the JWT assertion by concatenating the values of the base64 URL encoded header, payload, and signature using a dot "." as the separator.

    Code Block
    assertion =  encodeBase64(header) + '.' + encodeBase64(payload) + '.' + encodeBase64(signature)

 The result is as follows:

...