This topic includes a list of all the WSO2 Identity Server extension points related to OAuth. All implementations using the following extension points must be configured in the <IS_HOME>/repository/conf/identity/identity.xml file under the OAuth element.
The following are the available OAuth extension points.
Custom OAuth grant handler
| Usage | This extension point is useful when you want to support an OAuth flow that is different from standard grant types. This extension point validates the grant, scopes, and access delegation. |
|---|
| Sample | See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler |
|---|
Client Auth handler
| Usage | This extension point can be used when the client credential authentication needs to be customized. By default the Identity Server validate the client id and secret. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler |
|---|
OAuthCallbackHandler
| Usage | This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time. These are registered through the identity.xml file. In run-time, each and every authorization callback handler is invoked to see whether it can handle the given callback. Then the callback with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not. |
|---|
| Interface | org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler |
|---|
| Abstract class/default implementation | org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler |
|---|
TokenPersistenceProcessor
| Usage | Implementations are used to process keys and secrets just before storing them in the database, e.g., to encrypt tokens before storing them in the database. Implementations of this interface can be configured through the identity.xml file. |
|---|
| Interface | org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor |
|---|
| Abstract class/default implementation | |
|---|
UserInfoAccessTokenValidator
| Usage | Validates the access token and returns the token info. Default behavior is validating the access token with WSO2 IS token validation OSGI service(Scope is also checked to have openid scope). If this needs to be modified this can be used. |
|---|
| Interface | org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator |
|---|
| Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator |
|---|
UserInfoClaimRetriever
| Usage | Default behavior is creating claim URI and claim value pairs according to the claim mappings received. Any modifications to this default behavior can be done here. |
|---|
| Interface | org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever |
|---|
| Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever |
|---|
UserInfoRequestValidator
| Usage | The default behavior is validating the schema and authorization header according to the specification. Any further additional validations or modification to this validation on user information request can be done using this extension. |
|---|
| Interface | org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator |
|---|
| Default implementation | org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator |
|---|
UserInfoResponseBuilder
| Usage | Creates the UserInfoResponse. By default the response can be in JSON or JWT format. When a different format is required, this extension can be used to support it. |
|---|
| Interface | org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder |
|---|
| Default implementation | - org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder
- org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse
|
|---|
AuthorizationContextTokenGenerator
| Usage | Generates the token relevant to the authorization context. By default JWT token generation is supported with the following properties encoded to each authenticated API request. subscriber, applicationName, apiContext, version, tier, and endUserName Additional properties can be encoded by engaging the below extension The JWT header and body are base64 encoded separately and concatenated with a dot Finally the token is signed using SHA256 with RSA algorithm.
Any deviations can be made via this extension and configured in the <IS_HOME>/repository/conf/identity/identity.xml file. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator |
|---|
ClaimsRetriever
| Usage | The default implementation class of this ClaimsRetriever reads user claim values from the default Carbon user store. The user claims are encoded to the token in the natural order of the claimURIs by the previous token generator. To engage this class, its fully qualified class name should be mentioned in the <IS_HOME>/repository/conf/identity/identity.xml file. This is found under the OAuth tag and nested inside ClaimsRetrieverImplClass which is under TokenGeneration. Any deviation can be done using this extension. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator |
|---|
ResponseTypeHandler
| Usage | This is intended to validate access delegation and also conduct oauth scope validation. You can issue codes or tokens. If this flow needs to be customized, this extension can be used. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler |
|---|
| Abstract Class/ Default Implementation | - org.wso2.carbon.identity.oauth2.authz.handlers.AbstractResponseTypeHandler
- org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler
- org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler
|
|---|
OAuth2TokenValidator
| Usage | This is useful when a token is sent back for validation purposes to validate on scopes, check the validity of access token and access delegation. |
|---|
| Interface | org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator |
|---|
OAuthScopeValidator
| Usage | Scope validation custom implementations can be plugged in by extending this class and providing the validation logic. |
|---|
| AbstractClass | org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator |
|---|