This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, go to https://wso2.com/documentation/.

Setting Up OAuth Token Encryption

This page provides information and instructions on how to enable OAuth2 token encryption in order to protect the OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes. Follow the instructions given below to set this up. 

  • This functionality is available with the WSO2 WUM Update released on 15/02/2018. For more information on how to update your pack using WUM, see Updating WSO2 Products.
  • Note that you can only deploy a WUM update into production if you have a paid subscription.
  • This update has been tested internally. However, we recommend that you test it in your own development/test environment as well before applying it to the production setup.
  1. Change the TokenPersistenceProcessor as shown below in the <IS_HOME>/repository/conf/identity/identity.xml file under the <OAuth> tag to enable token encryption. 

    <TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.EncryptionDecryptionPersistenceProcessor</TokenPersistenceProcessor>
  2. Add a carbon.properties file (if it does not already exist) to the <IS_HOME>/repository/conf folder, and add the following property to it to configure the RSA algorithm with OAEP padding as the custom cipher transformation.

    org.wso2.CipherTransformation=RSA/ECB/OAEPwithSHA1andMGF1Padding
  3. Run the following commands against the database to enable OAuth token hashing and encryption.

    1. Add hash columns.

      H2 / MySQL / Oracle / PostgreSQL / DB2 / MSSQL
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ADD ACCESS_TOKEN_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN ADD REFRESH_TOKEN_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH2_AUTHORIZATION_CODE ADD AUTHORIZATION_CODE_HASH VARCHAR(255);
      ALTER TABLE IDN_OAUTH_CONSUMER_APPS ADD CONSUMER_SECRET_HASH VARCHAR(255);
    2. Create indexes.

      H2 / MySQL / DB2 / PostgreSQL / MSSQL / Oracle
      CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH);
      CREATE INDEX IDX_AUTHORIZATION_CODE_HASH ON IDN_OAUTH2_AUTHORIZATION_CODE (AUTHORIZATION_CODE_HASH,CONSUMER_KEY_ID);
    3. Increase the column size.

      Note: If you have already configured the column size to a value greater than the one configured below, skip this step.

Note: With this WUM update, WSO2 Identity Server also hashes access tokens, refresh tokens, authorization codes, and client secrets. By default, it uses the SHA-256 algorithm for hashing. To use a different hashing algorithm, do the following:

Enable the following configuration within the <OAuth> root tag in the <IS_HOME>/repository/conf/identity/identity.xml file and set it to the algorithm you want. WSO2 Identity Server supports the hashing algorithms that Java's MessageDigest supports. For more information about supported hashing algorithms, see MessageDigest Algorithms.

<HashAlgorithm>SHA-256</HashAlgorithm>
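The following added example (not WSO2's own code) models why the hash columns and IDX_ATH index from step 3 exist alongside the encrypted token column, and what the <HashAlgorithm> setting changes. Because OAEP encryption is randomised, the ciphertext in ACCESS_TOKEN cannot be used as a lookup key, so the server stores a digest of the token in ACCESS_TOKEN_HASH and resolves presented tokens through the index. The example uses an in-memory SQLite table with only the columns it needs, a constructed sample token, and a labelled placeholder in place of the server's RSA-OAEP ciphertext; the hex encoding of the stored digest is an assumption, since the page does not document the server's stored format.

```python
import hashlib
import sqlite3
from typing import Optional

# Mirrors the <HashAlgorithm> element; MessageDigest names such as
# "SHA-256" or "SHA-512" are mapped onto hashlib names in hash_token().
HASH_ALGORITHM = "SHA-256"


def hash_token(token: str, algorithm: str = HASH_ALGORITHM) -> str:
    """Hex digest of a token under the configured algorithm.

    Hex output is an assumption of this example, not the server's format.
    """
    digest = hashlib.new(algorithm.replace("-", "").lower())
    digest.update(token.encode("utf-8"))
    return digest.hexdigest()


def create_schema(conn: sqlite3.Connection) -> None:
    """Constructed minimal table; the hash column and index keep the
    names used in the page's ALTER TABLE / CREATE INDEX statements."""
    conn.executescript(
        """
        CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (
            TOKEN_ID          VARCHAR(255) PRIMARY KEY,
            ACCESS_TOKEN      BLOB NOT NULL,
            ACCESS_TOKEN_HASH VARCHAR(255)
        );
        CREATE INDEX IDX_ATH ON IDN_OAUTH2_ACCESS_TOKEN(ACCESS_TOKEN_HASH);
        """
    )


def store_token(conn: sqlite3.Connection, token_id: str, token: str,
                ciphertext: bytes, algorithm: str = HASH_ALGORITHM) -> None:
    """Persist the encrypted token plus its hash.

    `ciphertext` stands for whatever the EncryptionDecryptionPersistenceProcessor
    produced; that step is not reproduced here. The plaintext is only used
    to compute the hash and is never written to the table.
    """
    conn.execute(
        "INSERT INTO IDN_OAUTH2_ACCESS_TOKEN "
        "(TOKEN_ID, ACCESS_TOKEN, ACCESS_TOKEN_HASH) VALUES (?, ?, ?)",
        (token_id, ciphertext, hash_token(token, algorithm)),
    )


def find_token_id(conn: sqlite3.Connection, presented: str,
                  algorithm: str = HASH_ALGORITHM) -> Optional[str]:
    """Resolve a token presented by a client to its TOKEN_ID via the hash."""
    row = conn.execute(
        "SELECT TOKEN_ID FROM IDN_OAUTH2_ACCESS_TOKEN WHERE ACCESS_TOKEN_HASH = ?",
        (hash_token(presented, algorithm),),
    ).fetchone()
    return row[0] if row else None


def lookup_uses_index(conn: sqlite3.Connection) -> bool:
    """True if SQLite's planner serves the hash lookup from IDX_ATH."""
    plan = conn.execute(
        "EXPLAIN QUERY PLAN SELECT TOKEN_ID FROM IDN_OAUTH2_ACCESS_TOKEN "
        "WHERE ACCESS_TOKEN_HASH = ?",
        ("0" * 64,),
    ).fetchall()
    return any("IDX_ATH" in " ".join(str(col) for col in row) for row in plan)


def plaintext_in_table(conn: sqlite3.Connection, token: str) -> bool:
    """Check that the raw token string does not appear in any stored value."""
    rows = conn.execute(
        "SELECT ACCESS_TOKEN, ACCESS_TOKEN_HASH FROM IDN_OAUTH2_ACCESS_TOKEN"
    ).fetchall()
    return any(token in str(value) for row in rows for value in row)


def demo() -> dict:
    conn = sqlite3.connect(":memory:")
    create_schema(conn)
    # Constructed sample token; the bytes below are a labelled placeholder
    # for the server's RSA/ECB/OAEPwithSHA1andMGF1Padding output.
    token = "constructed-access-token-3f9a1c"
    store_token(conn, "token-id-1", token, b"<placeholder RSA-OAEP ciphertext>")
    return {
        "found": find_token_id(conn, token),
        "wrong_token": find_token_id(conn, token + "x"),
        # Switching <HashAlgorithm> after issue time: the digest of the same
        # token under SHA-512 no longer matches the stored SHA-256 value.
        "after_algorithm_change": find_token_id(conn, token, "SHA-512"),
        "indexed": lookup_uses_index(conn),
        "plaintext_leaked": plaintext_in_table(conn, token),
    }


if __name__ == "__main__":
    print(demo())
```

The `after_algorithm_change` entry is the practical caveat: in this model, rows hashed under one <HashAlgorithm> value cannot be found once the setting changes, so the value should be chosen before tokens are issued rather than changed on a live deployment.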