This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Extension Points for OAuth

This topic lists all the WSO2 Identity Server extension points related to OAuth. All implementations of the following extension points must be configured in the <IS_HOME>/repository/conf/identity/identity.xml file under the OAuth element.

The following are the available OAuth extension points.

Custom OAuth grant handler

Usage: This extension point is useful when you want to support an OAuth flow that differs from the standard grant types. The handler validates the grant, the requested scopes, and the access delegation.
Sample: See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point.
Interface: org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler

Client Auth handler

Usage: This extension point can be used when client credential authentication needs to be customized. By default, the Identity Server validates the client ID and client secret.
Interface: org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler

OAuthCallbackHandler

Usage: This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. Multiple OAuthCallbackHandler implementations can be active at the same time; they are registered through the identity.xml file. At runtime, each authorization callback handler is asked whether it can handle the given callback, and the handler with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not.
Interface: org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler
Abstract class / default implementation: org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler

TokenPersistenceProcessor

Usage: Implementations process keys and secrets just before they are stored in the database, for example to encrypt tokens before storing them. Implementations of this interface are configured through the identity.xml file.
Interface: org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor
Abstract class / default implementation:
  • org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor
  • org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor

UserInfoAccessTokenValidator

Usage: Validates the access token and returns the token information. The default behavior is to validate the access token through the WSO2 Identity Server token validation OSGi service; the token is also checked for the openid scope. Use this extension point if that behavior needs to be modified.
Interface: org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator
Default implementation: org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator

UserInfoClaimRetriever

Usage: The default behavior is to create claim URI and claim value pairs according to the claim mappings received. Any modifications to this default behavior can be made here.
Interface: org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever
Default implementation: org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever

UserInfoRequestValidator

Usage: The default behavior is to validate the request schema and the Authorization header according to the specification. Any additional validation, or modification of this validation of the user information request, can be done using this extension.
Interface: org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator
Default implementation: org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator

UserInfoResponseBuilder

Usage: Creates the UserInfoResponse. By default, the response can be in JSON or JWT format. When a different format is required, this extension can be used to support it.
Interface: org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder
Default implementation:
  • org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder
  • org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse

AuthorizationContextTokenGenerator

Usage: Generates the token relevant to the authorization context. By default, JWT token generation is supported, with the following properties encoded into the token for each authenticated API request:

  • subscriber, applicationName, apiContext, version, tier, and endUserName

  • Additional properties can be encoded by engaging the extension below

  • The JWT header and body are base64 encoded separately and concatenated with a dot

  • Finally, the token is signed using the SHA256withRSA algorithm

Any deviations can be made via this extension and configured in the <IS_HOME>/repository/conf/identity/identity.xml file.
Interface: org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
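The token layout described above, as an added example that is not part of this page or of the WSO2 code base: it builds a token carrying the six listed properties with JDK APIs only, signs the dot-joined header and body with SHA256withRSA, and shows the consuming side verifying the signature before trusting any claim in the body. It assumes URL-safe base64 without padding (as in RFC 7515), a throwaway RSA key pair generated in main, and constructed sample claim values; it does not implement the WSO2 interface itself.

```java
import java.nio.charset.StandardCharsets;
import java.security.*;
import java.util.*;
public class AuthContextJwtExample {
    private static final Base64.Encoder B64 = Base64.getUrlEncoder().withoutPadding();
    // Minimal JSON for a flat map of string claims (the sample values need no escaping).
    static String toJson(Map<String, String> fields) {
        StringBuilder sb = new StringBuilder("{");
        for (Map.Entry<String, String> e : fields.entrySet()) {
            if (sb.length() > 1) sb.append(',');
            sb.append('"').append(e.getKey()).append("\":\"").append(e.getValue()).append('"');
        }
        return sb.append('}').toString();
    }
    // Generator side: encode header and body separately, join with '.', sign the joined string.
    static String sign(Map<String, String> claims, PrivateKey key) throws GeneralSecurityException {
        String header = B64.encodeToString("{\"alg\":\"RS256\",\"typ\":\"JWT\"}".getBytes(StandardCharsets.UTF_8));
        String body = B64.encodeToString(toJson(claims).getBytes(StandardCharsets.UTF_8));
        String signingInput = header + "." + body;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initSign(key);
        sig.update(signingInput.getBytes(StandardCharsets.US_ASCII));
        return signingInput + "." + B64.encodeToString(sig.sign());
    }
    // Consumer side (e.g. a backend API): verify the signature over header.body with the generator's public key.
    static boolean verify(String token, PublicKey key) throws GeneralSecurityException {
        String[] parts = token.split("\\.");
        if (parts.length != 3) return false;
        Signature sig = Signature.getInstance("SHA256withRSA");
        sig.initVerify(key);
        sig.update((parts[0] + "." + parts[1]).getBytes(StandardCharsets.US_ASCII));
        try { return sig.verify(Base64.getUrlDecoder().decode(parts[2])); }
        catch (SignatureException | IllegalArgumentException e) { return false; }
    }
    public static void main(String[] args) throws GeneralSecurityException {
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA"); gen.initialize(2048);
        KeyPair kp = gen.generateKeyPair();
        Map<String, String> claims = new LinkedHashMap<>(); // constructed sample claims
        claims.put("subscriber", "alice");   claims.put("applicationName", "sample-app");
        claims.put("apiContext", "/orders"); claims.put("version", "1.0.0");
        claims.put("tier", "Gold");          claims.put("endUserName", "alice@carbon.super");
        String token = sign(claims, kp.getPrivate());
        System.out.println("genuine token verifies: " + verify(token, kp.getPublic()));
        // Replace the body with one claiming a higher tier: the signature no longer matches.
        String[] p = token.split("\\.");
        String forged = p[0] + "." + B64.encodeToString("{\"tier\":\"Unlimited\"}".getBytes(StandardCharsets.UTF_8)) + "." + p[2];
        System.out.println("tampered body verifies: " + verify(forged, kp.getPublic()));
    }
}
```

Expect the first line to print true and the second false; a consumer that skips the verify step would accept the altered tier.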

ClaimsRetriever

Usage: The default implementation of ClaimsRetriever reads user claim values from the default Carbon user store. The user claims are encoded into the token, in the natural order of the claim URIs, by the token generator described above. To engage this class, its fully qualified class name must be specified in the <IS_HOME>/repository/conf/identity/identity.xml file, under the OAuth element, inside the ClaimsRetrieverImplClass element nested under TokenGeneration.

Any deviation from this behavior can be implemented using this extension.

Interface: org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator

ResponseTypeHandler

Usage: This extension point validates access delegation and also performs OAuth scope validation; it issues authorization codes or tokens. If this flow needs to be customized, this extension can be used.
Interface: org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler
Abstract class / default implementation:
  • org.wso2.carbon.identity.oauth2.authz.handlers.AbstractResponseTypeHandler
  • org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler
  • org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler

OAuth2TokenValidator

Usage: This is useful when a token is sent back for validation, to validate its scopes, check the validity of the access token, and check the access delegation.
Interface: org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator

OAuthScopeValidator

Usage: Custom scope validation implementations can be plugged in by extending this class and providing the validation logic.
Abstract class: org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator