This section guides provides instruction on how to get the user claims of the authorized user as a JWT token with the validation response.
Configurations
Open the
<IS_HOME>/repository/conf/identity/identity.xml
file and set the<Enabled>
element (found under the<OAuth>,<AuthorizationContextTokenGeneration>
elements) to true as seen in the code block below.<AuthorizationContextTokenGeneration> <Enabled>true</Enabled> <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass> <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass> <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI> <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm> <AuthorizationContextTTL>15</AuthorizationContextTTL> </AuthorizationContextTokenGeneration>
The following configurations are optional and can be configured as needed.
See the Extension Points for OAuth topic for more details about the usage of the 'TokenGeneratorImplClass' and 'ClaimsRetrieverImplClass'.
ConsumerDialectURI: Defines the URI for the claim dialect under which the user attributes need to be retrieved.
SignatureAlgorithm: Defines the algorithm to be used in signing the payload that carries user claims. If you want to disable signing of the JWT token, set this element to "NONE".
<SignatureAlgorithm>NONE</SignatureAlgorithm>
AuthorizationContextTTL: Defines the expiry time for JWT token in minutes.
Calling the OAuth2ValidationService with a valid token
After configuring the elements mentioned above, see the OAuth2 Token generation topic to call the OAuth2ValidationService
. The following screenshot is the request and response of the OAuth2ValidationService
from the SOAP UI. Additionally, it shows the required claims of the user as required claim URIs. In the response, you can see the recieved JWT token under the <tokenString>
element.
If there are no requested claim URIs defined, all the claims that carry values for the user are returned.
Header Metadata:
The header contains the metadata for the token as seen below.
<header>.<payload>.<signature>
eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiT2F1dGg3IiwiZXhwIjoxNDUyNTk0ODkyLCJzdWIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvc3Vic2NyaWJlciI6ImFkbWluQGNhcmJvbi5zdXBlciIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbkBjYXJib24uc3VwZXIiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9yb2xlIjoiYWRtaW4sQXBwbGljYXRpb25cL2Rld3ZkZXcsQXBwbGljYXRpb25cL09hdXRoNyxJbnRlcm5hbFwvZXZlcnlvbmUiLCJodHRwOlwvXC93c28yLm9yZ1wvY2xhaW1zXC9lbWFpbGFkZHJlc3MiOiJhZG1pbkB3c28yLmNvbSIsImlhdCI6MTQ1MjU5MzI1NCwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvb3JnYW5pemF0aW9uIjoiV1NPMiJ9.WRo2p92f-pt1vH9xfLgmrPWNKJfmST2QSPYcth7gXKz64LdP9zAMUtfAk9DVRdHTIQR3gX0jF4Ohb4UbNN4Oo97a35oTL1iRxIRTKUkh8L1dpt3H03Z0Ze7Q2giHGZikMIQv3gavHRYKjNMoU_1MuB90jiK7
Decoded Header:
{"alg":"RS256","x5t":"NmJmOGUxMzZlYjM2ZDRhNTZlYTA1YzdhZTRiOWE0NWI2M2JmOTc1ZA"}
x5t : This header provides a base64url encoded SHA-256 thumbprint (a.k.a. digest) of the DER encoding of an X.509 certificate that can be used to match a certificate to validate the signature.
Decoded Payload:
{ "http:\/\/wso2.org\/gateway\/applicationname":"Oauth7", "exp":1452594892, "sub":"admin@carbon.super", "http:\/\/wso2.org\/gateway\/subscriber":"admin@carbon.super", "iss":"http:\/\/wso2.org\/gateway", "http:\/\/wso2.org\/gateway\/enduser":"admin@carbon.super", "http:\/\/wso2.org\/claims\/role":"admin,Application\/dewvdew,Application\/Oauth7,Internal\/everyone", "http:\/\/wso2.org\/claims\/emailaddress":"admin@wso2.com", "iat":1452593254, "http:\/\/wso2.org\/claims\/organization":"WSO2" }
Signature Verification
Verification of signature can be done similar to IDToken as described below.