This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

OAuth Bearer Token-based Authentication for SCIM Endpoints

WSO2 Identity Server acts as a SCIM Service Provider (both hub and spoke type service providers) as well as SCIM Service Consumer.

WSO2 Identity Server as a SCIM Service Provider explains how to consume SCIM REST endpoints in WSO2 IS, with cURL using Basic Auth authentication. WSO2 IS supports OAuth bearer token-based authentication for SCIM REST endpoints. This section explains how to leverage the OAuth 2.0 feature of IS in order to authenticate to SCIM REST endpoints of IS.

Procedure:

  • Step 1 - Create an application entry and view its details.
  • Step 2 - Obtain a valid access token in order to get authenticated to SCIM REST endpoints.
  • Step 3 - Consume the SCIM REST endpoints using the access token.

Step 1

  1. Login to WSO2 Identity Server as an admin. 
  2. Access the management console and click OAuth under Manage in the Main menu.
  3. Create a new entry for an OAuth client application by clicking Register New Application.
  4. After creating the application entry, click on it to view its details as shown below.
  5. Now copy the Client IdClient Secret and Access Token Url for future use.

 

Step 2

We can use resource owner password credential grant type for this. Format of the the curl command to obtain the access token is:

curl --user Client Id:Client Secret -k -d "grant_type=password&username=username&password=password" -H "Content-Type:application/x-www-form-urlencoded" https://localhost:9443/oauth2endpoints/token

You need to replace the bold strings in the above command with valid values copied from step 1 above and the username and password of the resource owner. (You can use the default admin credentials for that in the default pack).

Once you execute the above command, you get the following response:

{"token_type":"bearer","expires_in":3600,"refresh_token":"16e3de3b7af4e7a43b7e56cd9362ff","access_token":"492d8b51cb815bbe143f219ac2cf61c3"}

Copy the access token value in the above response.

Step 3

Now we can consume the SCIM REST endpoints using the above access token.

E.g.; you can use the following cURL command to create a user through SCIM REST endpoints:

curl -v -k --header "Authorization: Bearer access_token" --data "{"schemas":[],"name":{"familyName":"gunasinghe","givenName":"hasinitg"},"userName":"hasi","password":"hasinitg","emails":[{"primary":true,"value":"hasini_home.com","type":"home"},{"value":"hasini_work.com","type":"work"}]}" --header "Content-Type:application/json" https://localhost:9443/wso2/scim/Users

You need to provide the access token copied in the above step 2, for the bold string in the above command.

You can refer more cURL commands to consume SCIM endpoints here. Also, you can use the SCIM sample clients in WSO2 IS samples to invoke the SCIM endpoints using both Basic auth and OAuth.