This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Configuring OAuth2-OpenID Connect
OAuth 2.0 is an authorization framework that lets clients access a restricted resource on behalf of the resource owner. It defines authorization flows for web applications, desktop applications and mobile applications, among others.
OpenID Connect is an authentication protocol built on top of OAuth 2.0. It lets clients verify the end user's identity based on the authentication performed by an authorization server, and it provides methods to transfer end-user information through claims.
With OAuth as its base, OpenID Connect allows many types of clients, such as web-based clients, mobile clients and JavaScript clients, to verify users through authentication performed by an authorization server.
Before you begin
- Sign in to the WSO2 Identity Server Management Console at https://<Server Host>:9443/carbon using your username and password.
- Configure an application for WSO2 Identity Server in the federated authorization server and obtain the application information such as client key ID and secret.
- Navigate to the Identity Provider section under Main > Identity menu-item.
- Click Add.
- Provide values for the following fields under the Basic Information section:

| Field | Description | Sample Value |
|---|---|---|
| Identity Provider Name | The Identity Provider Name must be unique as it is used as the primary identifier of the identity provider. | FacebookIdP, Twitter |
| Display Name | The Display Name is used to identify the identity provider. If this is left blank, the Identity Provider Name is used. This is used in the login page when selecting the identity provider that you wish to use to log in to the service provider. | Facebook, Twitter |
| Description | The Description is added in the list of identity providers to provide more information on what the identity provider is. This is particularly useful in situations where there are many identity providers configured and a description is required to differentiate and identify them. | This is the identity provider configuration. |
| Federation Hub Identity Provider | Select the Federation Hub Identity Provider check-box to indicate if this points to an identity provider that acts as a federation hub. A federation hub is an identity provider that has multiple identity providers configured to it and can redirect users to the correct identity provider depending on their Home Realm identifier or their Identity Provider Name. When this check-box is selected, an additional window pops up in the multi-option page in the first identity server to get the home realm identifier for the desired identity provider in the identity provider hub. | Selected |
| Home Realm Identifier | The Home Realm Identifier value can be specified in each federated IDP, and the service provider can send it as the “fidp” query parameter (e.g., fidp=googleIdp) in the authentication request. The WSO2 Identity Server finds the IDP related to the “fidp” value and redirects the end user to the IDP directly rather than showing the SSO login page. This lets you skip the multi-option page in a multi-option scenario. | FB, TW |
| Identity Provider Public Certificate | The Identity Provider Public Certificate is the public certificate belonging to the identity provider. Uploading this is necessary to authenticate the response from the identity provider. See Using Asymmetric Encryption in the WSO2 Product Administration Guide for more information on how public keys work and how to sign these keys by a certification authority. | This can be any certificate. If the identity provider is another Identity Server, this can be a wso2.crt file. |
| Alias | The Alias is a value that has an equivalent value specified in the identity provider that we are configuring. This is required for authentication in some scenarios. | http://localhost:9443/oauth2/token |
- Expand the Federated Authenticators section and then the OAuth2/OpenID Connect Configuration form.
Fill in the following fields where relevant.
Prior to this, you need to configure an application for Identity server in the federated authorization server and get the application information such as client ID and secret. For more information, see configuring OAuth2-OpenID Connect single sign-on.

| Field | Description | Sample value |
|---|---|---|
| Enable OAuth2/OpenIDConnect | Selecting this option enables OAuth2/OpenID Connect to be used as an authenticator for users provisioned to the Identity Server. | Selected |
| Default | Selecting the Default checkbox signifies that the OAuth2/OpenID Connect credentials are the main/default form of authentication. This removes the selection made for any other Default checkboxes for other authenticators. | Selected |
| Authorization Endpoint URL | This is a standard OAuth Authorization Endpoint URL of the federated IDP | https://localhost:9443/oauth2/authorize/ |
| Token Endpoint URL | This is a standard OAuth Token Endpoint URL of the federated IDP | https://localhost:9443/oauth2/token/ |
| Client Id | Client ID of the application you registered in the IDP for Identity server | 1421263438188909 |
| Client Secret | Client Secret of the application you registered in the IDP for Identity server | 12ffb4dfb2fed67a00846b42126991f8 |
| Callback URL | This is the URL to which the browser should be redirected after the authentication is successful. It should be the commonauth endpoint of Identity server | https://localhost:9443/commonauth |
| OpenID Connect User ID Location | Select whether the User ID is found in the 'sub' attribute that is sent with the OpenID Connect request or if it is found among claims. | User ID found in 'sub' attribute |
| Additional Query Parameters | This is necessary if you are connecting to another Identity Server or application. Sometimes extra parameters are required by this IS or application so these can be specified here. | paramName1=value1 |
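
A pre-flight check for the values entered in this form, and the authorization request they produce, as an added example that is not WSO2 code. The dictionary keys and function names are hypothetical; the authorization code flow parameters (response_type=code, scope=openid) and the rule that Additional Query Parameters must not override them are assumptions, not documented WSO2 behaviour.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit

# Parameters the authenticator sets itself; extra parameters must not override them.
RESERVED = {"client_id", "redirect_uri", "response_type", "scope", "state"}

def check_config(cfg):
    """Return findings for a federated OAuth2/OpenID Connect authenticator config."""
    findings = []
    for field in ("authorization_endpoint", "token_endpoint", "callback_url"):
        if urlsplit(cfg[field]).scheme != "https":
            findings.append(f"{field}: not HTTPS")
    # The page says the callback should be the commonauth endpoint.
    if urlsplit(cfg["callback_url"]).path.rstrip("/") != "/commonauth":
        findings.append("callback_url: not the commonauth endpoint")
    extra = parse_qsl(cfg.get("additional_query_parameters", ""), keep_blank_values=True)
    for name, _ in extra:
        if name.lower() in RESERVED:
            findings.append(f"additional_query_parameters: overrides '{name}'")
    return findings

def authorization_url(cfg, state):
    """Build the front-channel authorization request (assumed authorization code flow)."""
    findings = check_config(cfg)
    if findings:
        raise ValueError("; ".join(findings))
    params = [
        ("response_type", "code"),
        ("client_id", cfg["client_id"]),
        ("redirect_uri", cfg["callback_url"]),
        ("scope", "openid"),
        ("state", state),
    ]
    # The client secret is never placed here; it is only sent to the token endpoint.
    params += parse_qsl(cfg.get("additional_query_parameters", ""), keep_blank_values=True)
    return cfg["authorization_endpoint"] + "?" + urlencode(params)

# Constructed config: hypothetical key names, sample values from the table above.
SAMPLE = {
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize/",
    "token_endpoint": "https://localhost:9443/oauth2/token/",
    "client_id": "1421263438188909",
    "client_secret": "12ffb4dfb2fed67a00846b42126991f8",
    "callback_url": "https://localhost:9443/commonauth",
    "additional_query_parameters": "paramName1=value1",
}

if __name__ == "__main__":
    print(check_config(dict(SAMPLE, token_endpoint="http://localhost:9443/oauth2/token/")))
    print(authorization_url(SAMPLE, state="constructed-state"))
```
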
- Identity Federation is part of the process of configuring an identity provider. For more information on how to configure an identity provider, see Configuring an Identity Provider.
- See Login to Identity Server using another Identity Server - OAuth2 for a sample of using OAuth2/OpenIDConnect for federated authentication.