This section provides instructions on how to get the user claims of the authorized user as a JWT token with the validation response. 

Configurations

  1. Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth> element, inside <AuthorizationContextTokenGeneration>) to true, as shown in the code block below.

    <AuthorizationContextTokenGeneration>
        <Enabled>true</Enabled>
        <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
        <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
        <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
        <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
        <AuthorizationContextTTL>15</AuthorizationContextTTL>
    </AuthorizationContextTokenGeneration>
  2. The following configurations are optional and can be set as needed.

    1. See the Extension Points for OAuth topic for more details on the usage of 'TokenGeneratorImplClass' and 'ClaimsRetrieverImplClass'.

    2. ConsumerDialectURI: Defines the URI of the claim dialect under which the user attributes are retrieved.

    3. SignatureAlgorithm: Defines the algorithm used to sign the payload that carries the user claims. If you want to disable signing of the JWT token, set this element to "NONE".

       <SignatureAlgorithm>NONE</SignatureAlgorithm>

    4. AuthorizationContextTTL: Defines the expiry time of the JWT token in minutes.

...

{
   "http:\/\/wso2.org\/gateway\/applicationname":"Oauth7",
   "exp":1452594892,
   "sub":"admin@carbon.super",
   "http:\/\/wso2.org\/gateway\/subscriber":"admin@carbon.super",
   "iss":"http:\/\/wso2.org\/gateway",
   "http:\/\/wso2.org\/gateway\/enduser":"admin@carbon.super",
   "http:\/\/wso2.org\/claims\/role":"admin,Application\/dewvdew,Application\/Oauth7,Internal\/everyone",
   "http:\/\/wso2.org\/claims\/emailaddress":"admin@wso2.com",
   "iat":1452593254,
   "http:\/\/wso2.org\/claims\/organization":"WSO2"
}
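An added example (not part of this page or of WSO2 Identity Server) showing how a resource server can consume a JWT like the one above: it rejects a token whose header does not name the configured signature algorithm (so a token with "none" is refused), checks exp and iat, and pulls out the user claims under the http://wso2.org/claims dialect. Signature bytes are returned for the caller to verify with the server's public key; the sample token, header and placeholder signature are constructed here, and the claim dialect and allowed algorithm are assumptions matching the identity.xml settings shown earlier.

```python
import base64
import json

# Constructed sample: the payload shown on this page, re-used as-is.
SAMPLE_PAYLOAD = {
    "http://wso2.org/gateway/applicationname": "Oauth7", "exp": 1452594892,
    "sub": "admin@carbon.super", "http://wso2.org/gateway/subscriber": "admin@carbon.super",
    "iss": "http://wso2.org/gateway", "http://wso2.org/gateway/enduser": "admin@carbon.super",
    "http://wso2.org/claims/role": "admin,Application/dewvdew,Application/Oauth7,Internal/everyone",
    "http://wso2.org/claims/emailaddress": "admin@wso2.com", "iat": 1452593254,
    "http://wso2.org/claims/organization": "WSO2",
}
CLAIM_DIALECT = "http://wso2.org/claims"  # assumed: the ConsumerDialectURI from identity.xml
ALLOWED_ALGS = {"RS256"}                  # assumed: JWS name for SHA256withRSA; "none" is never accepted

def b64url_decode(segment):
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_sample_jwt(alg="RS256"):
    # Constructed token: real header/payload encoding, placeholder signature segment.
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    payload = b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode())
    return f"{header}.{payload}.{b64url_encode(b'placeholder-signature')}"

def extract_user_claims(jwt, now, skew=60):
    """Parse the JWT, enforce alg/exp/iat, and return the dialect claims.
    The caller must still verify the returned signature over signing_input."""
    try:
        h, p, s = jwt.split(".")
        header, payload = json.loads(b64url_decode(h)), json.loads(b64url_decode(p))
    except ValueError:
        raise ValueError("malformed JWT")
    if header.get("alg") not in ALLOWED_ALGS:
        raise ValueError(f"unacceptable alg: {header.get('alg')}")
    exp, iat = payload.get("exp"), payload.get("iat")
    if not isinstance(exp, int) or not isinstance(iat, int):
        raise ValueError("exp/iat missing")
    if now > exp + skew:
        raise ValueError("token expired")
    if iat > now + skew:
        raise ValueError("token issued in the future")
    claims = {}
    for key, value in payload.items():
        if key.startswith(CLAIM_DIALECT + "/"):
            name = key[len(CLAIM_DIALECT) + 1:]
            claims[name] = value.split(",") if name == "role" else value  # role claim is comma-separated
    return {"subject": payload.get("sub"), "issuer": payload.get("iss"), "claims": claims,
            "signature": b64url_decode(s), "signing_input": f"{h}.{p}".encode()}

def is_rejected(jwt, now):
    try:
        extract_user_claims(jwt, now)
        return False
    except ValueError:
        return True
```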

Signature

...

verification

The signature can be verified in the same way as the ID token signature. See the IDToken Signature Verification topic for more information.