You are viewing an old version of this page. View the current version.
Compare with Current
View Page History
« Previous
Version 12
Next »
This topic includes a list of all the WSO2 Identity Server extension points related to OAuth. All implementations using the following extension points must be configured in the <IS_HOME>/repository/conf/identity/identity.xml
file under the OAuth
element.
The following are the available OAuth extension points.
Custom OAuth grant handler
Usage | This extension point is useful when you want to support an OAuth flow that is different from standard grant types. This extension point validates the grant, scopes, and access delegation. |
---|
Sample | See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point. |
---|
Interface | org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler |
---|
Custom Scope Handler
Usage | Scope handlers are executed during the scope validation step when issuing an access token. Multiple scope handlers can be registered using a sample configuration given below.
<OAuth>
....
<ScopeHandlers>
<ScopeHandler class="org.fully.qualified.class.name.CustomScopeHandler">
<Property name="foo">foo-value</Property>
</ScopeHandler>
</ScopeHandlers>
|
---|
Abstract Class | org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeHandler |
---|
Extended Scope Validator
Usage | These are executed during the token validation step when validating an access token. Multiple scope validators can be registered using a sample configuration given below.
<OAuth>
....
<ScopeValidators>
<ScopeValidator class="org.fully.qualified.class.name.ExtendedScopeValidator">
<Property name="foo">foo-value</Property>
</ScopeValidators>
</ScopeValidators>
|
---|
Abstract Class | org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator |
---|
Client Auth handler
Usage | This extension point can be used when the client credential authentication needs to be customized. By default the Identity Server validate the client id and secret. |
---|
Interface | org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler |
---|
IdentityOAuthTokenGenerator
Usage | In the WSO2 Identity Server, you can customize the token generating logic by configuring IdentityOAuthTokenGenerator under OAuth in the <IS_HOME>/repository/conf/identity/identity.xml directory. The following is the default implementation: org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl |
---|
Interface | org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer |
---|
OAuthCallbackHandler
Usage | This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time. These are registered through the identity.xml file. In run-time, each and every authorization callback handler is invoked to see whether it can handle the given callback. Then the callback with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not. |
---|
Interface | org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler |
---|
Abstract class/default implementation | org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler |
---|
TokenPersistenceProcessor
Usage | Implementations are used to process keys and secrets just before storing them in the database, e.g., to encrypt tokens before storing them in the database. Implementations of this interface can be configured through the identity.xml file. |
---|
Interface | org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor |
---|
Abstract class/default implementation | |
---|
UserInfoAccessTokenValidator
Usage | Validates the access token and returns the token info. Default behavior is validating the access token with WSO2 IS token validation OSGI service(Scope is also checked to have openid scope). If this needs to be modified this can be used. |
---|
Interface | org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator |
---|
Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator |
---|
UserInfoClaimRetriever
Usage | Default behavior is creating claim URI and claim value pairs according to the claim mappings received. Any modifications to this default behavior can be done here. |
---|
Interface | org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever |
---|
Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever |
---|
UserInfoRequestValidator
Usage | The default behavior is validating the schema and authorization header according to the specification. Any further additional validations or modification to this validation on user information request can be done using this extension. |
---|
Interface | org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator |
---|
Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator |
---|
UserInfoResponseBuilder
Usage | Creates the UserInfoResponse. By default the response can be in JSON or JWT format. When a different format is required, this extension can be used to support it. If you need to add custom claims into the /userinfo endpoint response, you can implement a custom response builder by implementing the UserInfoResponseBuilder interface.
|
---|
Interface | org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder |
---|
Default implementation | - org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder
- org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse
|
---|
AuthorizationContextTokenGenerator
Usage | Generates the token relevant to the authorization context. By default JWT token generation is supported with the following properties encoded to each authenticated API request. subscriber, applicationName, apiContext, version, tier, and endUserName Additional properties can be encoded by engaging the below extension The JWT header and body are base64 encoded separately and concatenated with a dot Finally the token is signed using SHA256 with RSA algorithm. Any deviations can be made via this extension and configured in the <IS_HOME>/repository/conf/identity/identity.xml file. |
---|
Interface | org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator |
---|
ClaimsRetriever
Usage | The default implementation class of this ClaimsRetriever reads user claim values from the default Carbon user store. The user claims are encoded to the token in the natural order of the claimURIs by the previous token generator. To engage this class, its fully qualified class name should be mentioned in the <IS_HOME>/repository/conf/identity/identity.xml file. This is found under the OAuth tag and nested inside ClaimsRetrieverImplClass which is under TokenGeneration . Any deviation can be done using this extension. |
---|
Interface | org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator |
---|
ResponseTypeHandler
Usage | This is intended to validate access delegation and also conduct oauth scope validation. You can issue codes or tokens. If this flow needs to be customized, this extension can be used. |
---|
Interface | org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler |
---|
OAuth2TokenValidator
Usage | This is useful when a token is sent back for validation purposes to validate on scopes, check the validity of access token and access delegation. |
---|
Interface | org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator |
---|
OAuthScopeValidator
Usage | Scope validation custom implementations can be plugged in by extending this class and providing the validation logic. |
---|
AbstractClass | org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator |
---|
OIDCScopeValidator
Usage | Scope validation custom implementations can be plugged in by extending this class and providing the validation logic. |
---|
AbstractClass | org.wso2.carbon.identity.oauth2.validators.OIDCScopeValidator |
---|