Extension Points for OAuth

This topic includes a list of all the WSO2 Identity Server extension points related to OAuth. All implementations using the following extension points must be configured in the <IS_HOME>/repository/conf/identity/identity.xml file under the OAuth element.

The following are the available OAuth extension points.

Custom OAuth grant handler

Usage	This extension point is useful when you want to support an OAuth flow that is different from standard grant types. This extension point validates the grant, scopes, and access delegation.
Sample	See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point.
Interface	org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler

Client Auth handler

Usage	This extension point can be used when the client credential authentication needs to be customized. By default the Identity Server validate the client id and secret.
Interface	org.wso2.carbon.identity.oauth2.token.handlers.clientauth.ClientAuthenticationHandler

OAuthCallbackHandler

Usage	This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time. These are registered through the identity.xml file. In run-time, each and every authorization callback handler is invoked to see whether it can handle the given callback. Then the callback with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not.
Interface	org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler
Abstract class/default implementation	org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler

TokenPersistenceProcessor

Usage	Implementations are used to process keys and secrets just before storing them in the database, e.g., to encrypt tokens before storing them in the database. Implementations of this interface can be configured through the identity.xml file.
Interface	org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor
Abstract class/default implementation	org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor

UserInfoAccessTokenValidator

Usage	Validates the access token and returns the token info. Default behavior is validating the access token with WSO2 IS token validation OSGI service(Scope is also checked to have openid scope). If this needs to be modified this can be used.
Interface	org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator
Default implementation	org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator

UserInfoClaimRetriever

Usage	Default behavior is creating claim URI and claim value pairs according to the claim mappings received. Any modifications to this default behavior can be done here.
Interface	org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever
Default implementation	org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever

UserInfoRequestValidator

Usage	The default behavior is validating the schema and authorization header according to the specification. Any further additional validations or modification to this validation on user information request can be done using this extension.
Interface	org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator
Default implementation	org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator

UserInfoResponseBuilder

Usage	Creates the UserInfoResponse. By default the response can be in JSON or JWT format. When a different format is required, this extension can be used to support it.
Interface	org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder
Default implementation	org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJWTResponse

AuthorizationContextTokenGenerator

Usage

Generates the token relevant to the authorization context. By default JWT token generation is supported with the following properties encoded to each authenticated API request.

subscriber, applicationName, apiContext, version, tier, and endUserName
Additional properties can be encoded by engaging the below extension
The JWT header and body are base64 encoded separately and concatenated with a dot
Finally the token is signed using SHA256 with RSA algorithm.

Any deviations can be made via this extension and configured in the <IS_HOME>/repository/conf/identity/identity.xml file.

Interface org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator

ClaimsRetriever

Usage

The default implementation class of this ClaimsRetriever reads user claim values from the default Carbon user store. The user claims are encoded to the token in the natural order of the claimURIs by the previous token generator. To engage this class, its fully qualified class name should be mentioned in the <IS_HOME>/repository/conf/identity/identity.xml file. This is found under the OAuth tag and nested inside ClaimsRetrieverImplClass which is under TokenGeneration.

Any deviation can be done using this extension.

Interface org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator

ResponseTypeHandler

Usage	This is intended to validate access delegation and also conduct oauth scope validation. You can issue codes or tokens. If this flow needs to be customized, this extension can be used.
Interface	org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler

OAuth2TokenValidator

Usage	This is useful when a token is sent back for validation purposes to validate on scopes, check the validity of access token and access delegation.
Interface	org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator

OAuthScopeValidator

Usage	Scope validation custom implementations can be plugged in by extending this class and providing the validation logic.
AbstractClass	org.wso2.carbon.identity.oauth2.validators.OAuth2ScopeValidator