This section describes the WSO2 Identity Server (IS) 5.4.0 support for the OpenID Connect endpoints and request parameters listed below.
Endpoint | Description |
---|---|
JSON Web Key Set (JWKS) endpoint | The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This URL returns the Identity Server's public key set in JSON Web Key Set format. It contains the signing key(s) the Relying Party (RP) uses to validate signatures from the Identity Server. The endpoint is defined loosely by the OpenID Connect Discovery specification. |

The endpoint URL for the super tenant:

Request: https://localhost:9443/oauth2/jwks

Response:

```json
{"keys":[{"alg":"RS256","e":"AQAB","n":"AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5","kty":"RSA","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d"}]}
```

For tenants:

Request: https://localhost:9443/t/test.com/oauth2/jwks/

Response:

```json
{"keys":[{"alg":"RS256","e":"AQAB","n":"AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5","kty":"RSA","use":"sig","kid":"d0ec514a32b6f88c0abd12a2840699bdd3deba9d"}]}
```
ID Token contains kid value
The header of the id_token contains a kid claim that identifies the key used to sign the id_token. The relying party looks up the same kid value in the JWKS endpoint response to find the key with which to validate the id_token signature.
Support for the “claims” Request Parameter
If the "claims" request parameter is sent with the authorization request and names a claim under 'userinfo' with 'essential: true', that claim is returned from the UserInfo endpoint regardless of the requested scope. The claim must, however, be a requested claim.
The behaviour follows the claims parameter definition in OpenID Connect Core [1].
[1] http://openid.net/specs/openid-connect-core-1_0.html#ClaimsParameter
Support for the “max_age” Request Parameter
This request parameter specifies the allowable elapsed time in seconds since the last time the End-User was actively authenticated by the Identity Server. If the elapsed time is greater than this value, the Identity Server attempts to actively re-authenticate the End-User.
The following request parameters are supported as well:
- acr_value
- request_uri
- nonce
- claims_locales
--------------------------------------
The WSO2 Identity Server is shipped with a signed ID Token. The signature lets a relying party detect a tampered or forged token, which addresses some security vulnerabilities in a typical production environment. This topic provides information about using this signed ID Token for signature verification.
The portions of each token are separated by a full stop ('.'). To see the exact JSON values, Base64url-decode the <header> and <body> portions separately.

An unsigned ID token contains only two portions:

<header>.<body>

Sample unsigned ID token:

```
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0
```

A signed ID token contains three portions:

<header>.<body>.<signature>

Sample signed ID token:

```
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg
```
Validating the ID token signature
The following code segment is a simple Java program, using the Nimbus JOSE + JWT library, that validates the ID token signature against the public key in the default wso2carbon.jks keystore shipped with WSO2 products.

```java
package org.sample;

import java.io.InputStream;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.interfaces.RSAPublicKey;

import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.SignedJWT;

public class ValidateRSASignature {

    public static void main(String[] args) throws Exception {
        RSAPublicKey publicKey = null;

        // Load the default wso2carbon.jks keystore from the classpath
        InputStream file = ClassLoader.getSystemResourceAsStream("wso2carbon.jks");
        KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
        keystore.load(file, "wso2carbon".toCharArray());
        String alias = "wso2carbon";

        // Get certificate of public key
        Certificate cert = keystore.getCertificate(alias);

        // Get public key
        publicKey = (RSAPublicKey) cert.getPublicKey();

        // Enter JWT String here (the value below is a truncated placeholder;
        // paste the full ID token issued by the Identity Server)
        String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";

        SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);
        JWSVerifier verifier = new RSASSAVerifier(publicKey);

        if (signedJWT.verify(verifier)) {
            System.out.println("Signature is Valid");
        } else {
            System.out.println("Signature is NOT Valid");
        }
    }
}
```