/
Extension Points for OAuth

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Extension Points for OAuth

Nov 27, 2019

This topic includes a list of all the WSO2 Identity Server extension points related to OAuth and OpenID Connect (OIDC).

Implementing an OAuth Extension

Any OAuth extension listed below can be implemented, by implementing an interface or extending an abstract class as defined under each extension point.
When the implementation is done, package your classes as a .jar file and place it in the <IS_HOME>/repository/component/lib directory.
Then configure your extension in <IS_HOME>/repository/conf/identity/identity.xml file under the <OAuth> element referring to the 'Configuration' section of the respective extension point below.
Restart the server to effect changes.

The following are the available OAuth/OIDC extension points.

OAuth Grant Handler 

Usage

This extension point is useful when you want to support an OAuth flow that is different from standard grant types. This extension point validates the grant, scopes, and access delegation.

Interface

org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler

Abstract Class

org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler

Configuration

<SupportedGrantTypes> ... <SupportedGrantType> <GrantTypeName>grant type identifier </GrantTypeName> <GrantTypeHandlerImplClass>full qualified class name of grant handler</GrantTypeHandlerImplClass> </SupportedGrantType> </SupportedGrantTypes>

Sample

See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point.

OAuth Grant Validator

Usage

This extension point can be used to implement a grant validator that validates the grant request sent to the '/oauth2/token' endpoint. Request parameters and headers can be validated by implementing this extension point.
If a new grant type is being implemented and defined with a new grant type identifier with the OAuth Grant Handler extension, you must also implement a grant validator and register that against the same grant type identifier from the identity.xml.
If a supported grant type is to be modified you may implement a grant validator if needed, otherwise supported grant type validators can be reused.

Abstract Class

org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractValidator

Configuration

<SupportedGrantTypes> ... <SupportedGrantType> <GrantTypeName>grant type identifier </GrantTypeName> <GrantTypeHandlerImplClass>full qualified class name of grant handler</GrantTypeHandlerImplClass> <GrantTypeValidatorImplClass>full qualified class name of grant validator</GrantTypeValidatorImplClass> </SupportedGrantType> </SupportedGrantTypes>

Client Authentication Handler

Usage

This extension point can be used when the client credential authentication needs to be customized when issuing tokens. By default the Identity Server validates the client id and secret.

Interface

org.wso2.carbon.identity.core.handler.AbstractIdentityHandler

Abstract Class

org.wso2.carbon.identity.oauth2.client.authentication.AbstractOAuthClientAuthenticator

Default Implementation

org.wso2.carbon.identity.oauth2.token.handlers.clientauth.BasicAuthClientAuthHandler

Configuration

<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="full qualified name of client authentication handler" orderId="order Id" enable="true"> <Property name="name">property value</Property> </EventListener>

OAuth Token Generator

Usage

This extension point can be used to change the access token, refresh token, authorization code generation logic as preferred. By default a UUID will be generated as the token value.

Interface

org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer

Default Implementation

org.wso2.carbon.identity.oauth2.token.OauthTokenIssuerImpl

Other Available Implementations

org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer

Configuration

<IdentityOAuthTokenGenerator>full qualified class name of oauth token generator</IdentityOAuthTokenGenerator>

OAuth Callback Handler

Usage

This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time. These are registered through the identity.xml file. In run-time, each and every authorization callback handler is invoked to see whether it can handle the given callback. Then the callback with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not.

Interface

org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler

Abstract Class

org.wso2.carbon.identity.oauth.callback.AbstractOAuthCallbackHandler

Default Implementation

org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler

Configuration

<OAuthCallbackHandlers> ... <OAuthCallbackHandler class="full qualified class name of the oauth call back handler"> <Priority>an integer value defining priority</Priority> <Properties> ... <Property Name="property name">property value</Property> ... </Properties> </<OAuthCallbackHandler> </OAuthCallbackHandlers>

Token Persistence Processor