Setting Up OAuth Token Hashing

WSO2 Identity Server (WSO2 IS) allows you to enable OAuth2 token hashing to protect OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes.

Notes:

  • Token hashing is only required if there are long-lived tokens.

  • If you want to enable this feature, WSO2 recommends using a fresh WSO2 Identity Server distribution.
    To use this feature with an existing database, you may need to perform data migration before you enable the feature. If you need to perform data migration before enabling this feature, contact us.

Follow the instructions below to set up OAuth token hashing:

  1. Edit the <IS_HOME>/repository/conf/identity/identity.xml file, and make the following configuration changes under the <OAuth> section:

    • Change the value of the <TokenPersistenceProcessor> element as follows to enable token hashing:

      <TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.HashingPersistenceProcessor</TokenPersistenceProcessor>
    • Change the value of the <EnableClientSecretHash> element to true as follows:

      <EnableClientSecretHash>true</EnableClientSecretHash>
    • Add the following configuration to specify the algorithm to use for hashing:

      <HashAlgorithm>SHA-256</HashAlgorithm>
  2. Run the appropriate database command to remove the CON_APP_KEY constraint from the IDN_OAUTH2_ACCESS_TOKEN table. For example, if you are using an H2 database, you need to run the following command:

    ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN DROP CONSTRAINT IF EXISTS CON_APP_KEY
  3. Follow the steps below to configure OAuth/OpenID Connect support for your client application:

    1. Start WSO2 IS and log on to the Management Console with your user name and password. For detailed instructions on how to start WSO2 IS, see Running the Product.

    2. Navigate to Service Providers > Add, enter a name for the new service provider, and then click Register.

    3. Expand the Inbound Authentication Configuration section, then expand the OAuth2/OpenID Connect Configuration, and click Configure.

    4. Specify appropriate values for the required fields. 

    5. Click Add. This displays values of the Consumer Key and the Consumer Secret for your service provider.

  4. Click Show to view the exact Consumer Key and Consumer Secret.
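
The following script is an added example, not part of the WSO2 documentation or product code. It checks that an identity.xml file carries the three <OAuth> settings from step 1. It assumes the three elements are direct children of <OAuth>; the function names and both sample documents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Values that step 1 of the procedure sets under <OAuth> in identity.xml.
EXPECTED = {
    "TokenPersistenceProcessor":
        "org.wso2.carbon.identity.oauth.tokenprocessor.HashingPersistenceProcessor",
    "EnableClientSecretHash": "true",
    "HashAlgorithm": "SHA-256",
}

# Constructed sample inputs (not copied from a real deployment).
NS = 'xmlns="http://wso2.org/projects/carbon/carbon.xml"'
SAMPLE_BEFORE = f"""<Server {NS}><OAuth>
  <TokenPersistenceProcessor>org.wso2.carbon.identity.oauth.tokenprocessor.PlainTextPersistenceProcessor</TokenPersistenceProcessor>
  <EnableClientSecretHash>false</EnableClientSecretHash>
  <!-- <HashAlgorithm>SHA-256</HashAlgorithm> -->
</OAuth></Server>"""
SAMPLE_AFTER = f"""<Server {NS}><OAuth>
  <TokenPersistenceProcessor>{EXPECTED['TokenPersistenceProcessor']}</TokenPersistenceProcessor>
  <EnableClientSecretHash>true</EnableClientSecretHash>
  <HashAlgorithm>SHA-256</HashAlgorithm>
</OAuth></Server>"""

def local(tag):
    """Strip an XML namespace: '{uri}OAuth' -> 'OAuth'."""
    return tag.rsplit("}", 1)[-1]

def audit_oauth_hashing(xml_text):
    """Return a list of findings; an empty list means all three settings match."""
    root = ET.fromstring(xml_text)  # the default parser discards XML comments
    oauth = next((e for e in root.iter() if local(e.tag) == "OAuth"), None)
    if oauth is None:
        return ["<OAuth> section not found"]
    findings = []
    for name, want in EXPECTED.items():
        # Assumption: each setting is a direct child of <OAuth>.
        values = [(e.text or "").strip() for e in oauth if local(e.tag) == name]
        if not values:
            findings.append(f"<{name}> is missing (expected {want})")
        elif len(values) > 1:
            findings.append(f"<{name}> appears {len(values)} times: {values}")
        elif values[0] != want:
            findings.append(f"<{name}> is {values[0]!r} (expected {want})")
    return findings

if __name__ == "__main__":
    for label, doc in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        print(label, audit_oauth_hashing(doc) or "OK")
```

A commented-out element, such as the <HashAlgorithm> line in the first sample, is reported as missing because the XML parser ignores comments.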
