OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.
You can use WSO2 API Manager to obtain basic profile information about the user who is generating the access token. For this, it is required to pass the 'openid' scope when generating the access token. As part of the response to this request, API Manager sends a JWT that contains information about the user who generated the token. The information returned in the JWT is configurable.
Follow the steps below to obtain user profile information with OpenID Connect in WSO2 API Manager.
Obtain a token using the password grant type and the openid scope. For more information on token generation with the password grant type, see the Password Grant Type documentation for APIM 2.1.0. The format and a sample using curl are as follows:
The response will be in the format shown below. Note the 'id_token', which contains the JWT carrying the user information.

{
  "access_token": "83705add-d77e-3cc8-9b6a-53d210ed3fed",
  "refresh_token": "4b283fb8-942f-316d-ba90-44b4c76ae419",
  "scope": "openid",
  "id_token": "eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiY1hoV0l2SXdSYlBnVDBBTG1hekpIUSIsImFjciI6InVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiLCJzdWIiOiJzdWJzY3JpYmVyQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJLb05EbGVTckYzbmFYV3doYXZhbzRiQm9NWWNhIl0sImF6cCI6IktvTkRsZVNyRjNuYVhXd2hhdmFvNGJCb01ZY2EiLCJvcmdhbml6YXRpb24iOiJXU08yIiwiaXNzIjoiaHR0cHM6XC9cLzE3Mi4xNi4yLjExMTo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTExOTUwNDEzLCJpYXQiOjE1MTE5NDY4MTMsImVtYWlsIjoic3ViMUBnbWFpbC5jb20ifQ.gdj0jn4PX5R4j5Y0ZNyEwi2G-NPq3_iW89NqkRxeszdcMLvDP-ncRWMaYyUYc-bQqADekTdQUC6ACSVUlJBKau3Oy8uu-AO8pajIm-hWEX_PBqoMRtFztxggmKFaL6G0rdRBIu8LzL5lbX2cTKss_zYwNmcPDsKDWdQDmL089Wg",
  "token_type": "Bearer",
  "expires_in": 3600
}
- To view the actual user information, two options are available: either decode the id_token, or use the access_token to invoke the userinfo endpoint.
Decoding the id_token:
By decoding the id_token, a payload similar to the following is obtained. Note the user information such as email, organization, etc.

{
  "at_hash": "cXhWIvIwRbPgT0ALmazJHQ",
  "acr": "urn:mace:incommon:iap:silver",
  "sub": "user1@carbon.super",
  "aud": [ "KoNDleSrF3naXWwhavao4bBoMYca" ],
  "azp": "KoNDleSrF3naXWwhavao4bBoMYca",
  "organization": "WSO2",
  "iss": "https://172.16.2.111:9443/oauth2/token",
  "exp": 1511950413,
  "iat": 1511946813,
  "email": "user1@gmail.com"
}
The online tool at https://jwt.io/ can be used to decode the JWT.
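Decoding only shows what the token says; a relying party must also check who issued it, whom it is for, whether it has expired, and that it belongs to the access_token it came with. As an added example (not part of the original post or of WSO2's code), the following standard-library Python decodes the id_token from the sample response above and runs those claim checks, including the at_hash binding to the access_token. The client_id and issuer values are the 'aud' and 'iss' values of the sample payload; signature verification with the issuer's public key is assumed to happen separately.

```python
import base64
import hashlib
import json

# Sample values copied from the token response shown on this page (an expired demo token).
SAMPLE_ACCESS_TOKEN = "83705add-d77e-3cc8-9b6a-53d210ed3fed"
SAMPLE_ID_TOKEN = (
    "eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ"
    ".eyJhdF9oYXNoIjoiY1hoV0l2SXdSYlBnVDBBTG1hekpIUSIsImFjciI6InVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiLCJzdWIiOiJzdWJzY3JpYmVyQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJLb05EbGVTckYzbmFYV3doYXZhbzRiQm9NWWNhIl0sImF6cCI6IktvTkRsZVNyRjNuYVhXd2hhdmFvNGJCb01ZY2EiLCJvcmdhbml6YXRpb24iOiJXU08yIiwiaXNzIjoiaHR0cHM6XC9cLzE3Mi4xNi4yLjExMTo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTExOTUwNDEzLCJpYXQiOjE1MTE5NDY4MTMsImVtYWlsIjoic3ViMUBnbWFpbC5jb20ifQ"
    ".gdj0jn4PX5R4j5Y0ZNyEwi2G-NPq3_iW89NqkRxeszdcMLvDP-ncRWMaYyUYc-bQqADekTdQUC6ACSVUlJBKau3Oy8uu-AO8pajIm-hWEX_PBqoMRtFztxggmKFaL6G0rdRBIu8LzL5lbX2cTKss_zYwNmcPDsKDWdQDmL089Wg"
)
CLIENT_ID = "KoNDleSrF3naXWwhavao4bBoMYca"  # the 'aud'/'azp' value in the sample payload
ISSUER = "https://172.16.2.111:9443/oauth2/token"  # the 'iss' value in the sample payload

def b64url_decode(segment):
    """Decode one base64url JWT segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def parse_id_token(token):
    """Split a compact JWS into (header, payload, signature_b64). Nothing is verified here."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    return (json.loads(b64url_decode(header_b64)),
            json.loads(b64url_decode(payload_b64)),
            signature_b64)

def expected_at_hash(access_token):
    """at_hash for an RS256 id_token: left-most 128 bits of SHA-256(access_token), base64url."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")

def check_claims(payload, issuer, client_id, now, access_token=None):
    """Return the names of the claim checks that fail (an empty list means acceptable).
    The RS256 signature must still be verified with the issuer's public key (selected by
    the 'kid' in the header); that is a separate step not shown here."""
    problems = []
    if payload.get("iss") != issuer:
        problems.append("iss")
    aud = payload.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    if client_id not in aud:
        problems.append("aud")
    if "azp" in payload and payload["azp"] != client_id:
        problems.append("azp")
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("exp")
    if access_token is not None and payload.get("at_hash") != expected_at_hash(access_token):
        problems.append("at_hash")  # id_token was not issued alongside this access_token
    return problems
```

Pass `now=int(time.time())` in real use; with the sample token every current clock reports "exp", which is exactly the check that a plain decode skips.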
Invoking the userinfo endpoint:
By invoking the userinfo endpoint with the access token obtained in step 1, you can obtain the user information as a JSON payload. The format and a sample using curl are as follows:

The response will be a JSON payload in the format below:

{
  "sub": "user1@carbon.super",
  "organization": "WSO2",
  "email": "user1@gmail.com"
}
By default, only the username (sub) is available in the response. It is possible to customize the user information returned by configuring the claims of the Service Provider that was generated for the Application created in the Store. For more information, see the Service Provider Claim Configuration documentation for WSO2 IS 5.3.0.