This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
JWT Token Generation
This section explains how to obtain the authorized user's claims as a JWT that is returned together with the token validation response.
Configurations
Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth> and <AuthorizationContextTokenGeneration> elements) to true, as shown in the block below.

    <AuthorizationContextTokenGeneration>
        <Enabled>true</Enabled>
        <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
        <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
        <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
        <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
        <AuthorizationContextTTL>15</AuthorizationContextTTL>
    </AuthorizationContextTokenGeneration>
Note: By default, multi-valued user claims are retrieved as an array. To retrieve them as a single string instead, add the following property under the <AuthorizationContextTokenGeneration> tag in the identity.xml file.

    <UseMultiValueSeparator>false</UseMultiValueSeparator>
The following elements are optional and can be configured as needed. See the Extension Points for OAuth topic for more details about the usage of the TokenGeneratorImplClass and ClaimsRetrieverImplClass elements.
ConsumerDialectURI: Defines the URI of the claim dialect under which the user attributes are retrieved.
SignatureAlgorithm: Defines the algorithm used to sign the payload that carries the user claims. To disable signing of the JWT, set this element to NONE:

    <SignatureAlgorithm>NONE</SignatureAlgorithm>

An unsigned JWT gives the receiving backend no way to tell whether the claims were issued by the Identity Server or altered on the way, so keep signing enabled unless the token never leaves a trusted channel.
AuthorizationContextTTL: Defines the expiry time of the JWT, in minutes.
Retrieving user claims with the JWT
User claims can be retrieved using the ID token or the userinfo endpoint. For more information, see Basic Client Profile with Playground.
You can access the userinfo endpoint with the received access token using the following curl command. As per the specification, the bearer token is sent in the HTTP Authorization header. The -k flag disables TLS certificate verification and is only appropriate for the default self-signed certificate in a test setup.
curl -k -H "Authorization: Bearer 4164157d677a6cd3a22e26e24c30135d" https://localhost:9443/oauth2/userinfo?schema=openid
As the response, WSO2 Identity Server returns a JSON with user claims.
{"sub":"PRIMARY\/alex","email":"alex@mymail.com","name":"Alex Anderson","family_name":"Anderson","preferred_username":"alexanders","given_name":"Alex"}
Signature verification
The signature of the JWT is verified in the same way as the ID token signature.
WSO2 Identity Server issues signed ID tokens by default, so that a relying party in a production environment can check that a token was issued by the server and has not been altered. This topic describes how to verify that signature.
The segments of a token are separated by full stops. To see the exact JSON values, Base64url-decode the <header> and <body> segments. JWT segments use the URL-safe Base64 alphabet without padding, so a plain Base64 decoder may need the trailing "=" padding restored first.
An unsigned ID token contains only two segments:

    <header>.<body>

Sample unsigned ID token:

    eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0

A signed ID token contains three segments:

    <header>.<body>.<signature>

Sample signed ID token:

    eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0dHBzOlwvXC9jMmlkLmNvbSIsImlhdCI6MTQxNjE1ODU0MX0.iTf0eDBF-6-OlJwBNxCK3nqTUjwC71-KpqXVr21tlIQq4_ncoPODQxuxfzIEwl3Ko_Mkt030zJs-d36J4UCxVSU21hlMOscNbuVIgdnyWhVYzh_-v2SZGfye9GxAhKOWL-_xoZQCRF9fZ1j3dWleRqIcPBFHVeFseD_64PNemyg

Decoding the header of either sample gives {"alg":"RS256"}. A token whose header names a signature algorithm but that arrives without a signature segment must be rejected by the verifier rather than treated as unsigned; the decision to accept an unsigned token belongs to the verifier, never to the token's own header.
Validating the ID token signature
The following Java program validates an ID token signature against the public key in the default wso2carbon.jks keystore shipped with WSO2 products. It uses the Nimbus JOSE+JWT library and expects wso2carbon.jks on the classpath.

    package org.sample;

    import java.io.InputStream;
    import java.security.KeyStore;
    import java.security.cert.Certificate;
    import java.security.interfaces.RSAPublicKey;

    import com.nimbusds.jose.JWSVerifier;
    import com.nimbusds.jose.crypto.RSASSAVerifier;
    import com.nimbusds.jwt.SignedJWT;

    public class ValidateRSASignature {

        public static void main(String[] args) throws Exception {
            RSAPublicKey publicKey = null;

            // wso2carbon.jks is a JKS keystore; "wso2carbon" is both the default
            // keystore password and the default key alias in WSO2 products.
            InputStream file = ClassLoader.getSystemResourceAsStream("wso2carbon.jks");
            KeyStore keystore = KeyStore.getInstance("JKS");
            keystore.load(file, "wso2carbon".toCharArray());
            String alias = "wso2carbon";

            // Get certificate of public key
            Certificate cert = keystore.getCertificate(alias);

            // Get public key
            publicKey = (RSAPublicKey) cert.getPublicKey();

            // Enter the full three-segment JWT string here. The value below is a
            // truncated placeholder and will not parse until it is replaced.
            String signedJWTAsString = "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJhbGljZSIsImlzcyI6Imh0d";

            SignedJWT signedJWT = SignedJWT.parse(signedJWTAsString);

            // RSASSAVerifier only accepts RSA-based JWS algorithms (RS256 and so on);
            // a header that names "none" or an HMAC algorithm is rejected with a
            // JOSEException rather than verified. The exp, iss and aud claims still
            // have to be checked separately after the signature passes.
            JWSVerifier verifier = new RSASSAVerifier(publicKey);

            if (signedJWT.verify(verifier)) {
                System.out.println("Signature is Valid");
            } else {
                System.out.println("Signature is NOT Valid");
            }
        }
    }
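The segment checks described above (two segments versus three) and the signature verification the Java program performs, reworked as an added example that is not WSO2 or Nimbus code. It splits the compact serialization, fixes the expected algorithm at RS256 instead of reading it from the header, verifies an RSASSA-PKCS1-v1_5 / SHA-256 signature and checks exp. The RSA key generation and signing are a self-contained toy, assumed here only so the demo runs offline without wso2carbon.jks; in practice load the public key from the keystore as the Java program does and verify with a vetted JOSE library. The sample claims are constructed to mirror the page's sample token.

```python
"""JWT segment checks and RS256 (RSASSA-PKCS1-v1_5 / SHA-256) verification, stdlib only.
Added example, not WSO2 or Nimbus code; the toy RSA keygen/signing exists only so the
demo runs offline. Load the real public key from wso2carbon.jks and use a JOSE library."""
import base64, hashlib, json, secrets

SHA256_DIGEST_INFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 8017 9.2

def b64url_decode(s: str) -> bytes:
    # JWS segments are unpadded base64url (RFC 7515 section 2): restore padding first
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Decode <header>.<body>[.<signature>] WITHOUT trusting it -> (header, claims, signed)."""
    parts = token.split(".")
    if len(parts) not in (2, 3):
        raise ValueError("JWS compact serialization has 2 or 3 segments")
    # a 2-segment token has no signature to check, whatever algorithm its header names
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1])), len(parts) == 3

def _is_probable_prime(n: int, rounds: int = 20) -> bool:
    # trial division by small primes, then Miller-Rabin; used only for the toy demo key
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)  # witness in [2, n-2]
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def generate_keypair(bits: int = 1024):
    """Toy RSA keypair ((n, e), (n, d)); 1024 bits keeps the demo fast, not secure."""
    def random_prime(k):
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1  # odd and full length
            if _is_probable_prime(c):
                return c
    e = 65537
    while True:
        p, q = random_prime(bits // 2), random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))

def _emsa_pkcs1_v15(message: bytes, k: int) -> bytes:
    # EMSA-PKCS1-v1_5 (RFC 8017 section 9.2): 00 01 FF..FF 00 DigestInfo||hash, k bytes
    t = SHA256_DIGEST_INFO + hashlib.sha256(message).digest()
    if k < len(t) + 11:
        raise ValueError("RSA modulus too short for SHA-256")
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def rsa_sign(priv, message: bytes) -> bytes:
    n, d = priv
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(_emsa_pkcs1_v15(message, k), "big"), d, n).to_bytes(k, "big")

def rsa_verify(pub, message: bytes, signature: bytes) -> bool:
    # RFC 8017 section 8.2.2: recover EM and compare it with a fresh encoding; never parse it
    n, e = pub
    k = (n.bit_length() + 7) // 8
    s = int.from_bytes(signature, "big")
    return len(signature) == k and s < n and pow(s, e, n).to_bytes(k, "big") == _emsa_pkcs1_v15(message, k)

def jwt_sign_rs256(priv, claims: dict) -> str:
    seg = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header, payload = seg({"alg": "RS256", "typ": "JWT"}), seg(claims)
    return f"{header}.{payload}." + b64url_encode(rsa_sign(priv, f"{header}.{payload}".encode("ascii")))

def jwt_verify_rs256(token: str, pub, now: int):
    """Returns (True, claims) only for a 3-segment RS256 token whose signature verifies under
    pub and whose exp (if any) is still ahead of now; otherwise (False, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return False, "unsigned or malformed token: expected header.body.signature"
    try:
        alg = json.loads(b64url_decode(parts[0])).get("alg")
        if alg != "RS256":  # fixed by the verifier, never chosen by the token's header
            return False, f"unexpected alg {alg!r}"
        if not rsa_verify(pub, f"{parts[0]}.{parts[1]}".encode("ascii"), b64url_decode(parts[2])):
            return False, "signature is NOT valid"
        claims = json.loads(b64url_decode(parts[1]))  # parsed only after the signature passes
    except ValueError:  # bad base64url (binascii.Error) or malformed JSON
        return False, "undecodable segment"
    if "exp" in claims and now >= int(claims["exp"]):
        return False, "token expired"
    return True, claims

if __name__ == "__main__":
    pub, priv = generate_keypair()
    # constructed claims mirroring the page's sample token, plus the page's 15-minute TTL
    token = jwt_sign_rs256(priv, {"sub": "alice", "iss": "https://c2id.com", "iat": 1416158541, "exp": 1416159441})
    head, body, _ = token.split(".")
    print("intact:", jwt_verify_rs256(token, pub, 1416158600))
    print("signature stripped:", jwt_verify_rs256(head + "." + body, pub, 1416158600))
    print("alg none:", jwt_verify_rs256(b64url_encode(b'{"alg":"none"}') + "." + body + ".", pub, 1416158600))
```

The verifier fixes the algorithm, checks the segment count before touching any content, and only parses the claims after the signature has passed, which is the order that keeps stripped-signature and alg-confusion tokens out regardless of what their headers say.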