/
JWT Token Generation

This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

JWT Token Generation

Jul 21, 2020

This section provides instructions on how to get the user claims of the authorized user as a JWT token with the validation response. 

Configurations

  1. Open the <IS_HOME>/repository/conf/identity/identity.xml file and set the <Enabled> element (found under the <OAuth>,<AuthorizationContextTokenGeneration> elements) to true as shown in the code block below. 

    <AuthorizationContextTokenGeneration> <Enabled>true</Enabled> <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass> <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass> <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI> <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm> <AuthorizationContextTTL>15</AuthorizationContextTTL> </AuthorizationContextTokenGeneration> 

  2. Add the following property under <OAUTH> section to use the JWT Token Builder instead of the default Token Builder.

    <IdentityOAuthTokenGenerator>org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer</IdentityOAuthTokenGenerator>

  3. The following configurations are optional and can be configured as needed.

    1. See the Extension Points for OAuth topic for more details about the usage of the 'TokenGeneratorImplClass' and 'ClaimsRetrieverImplClass'. 

    2. ConsumerDialectURI: Defines the URI for the claim dialect under which the user attributes need to be retrieved. 

    3. SignatureAlgorithm: Defines the algorithm to be used in signing the payload that carries user claims. If you want to disable signing of the JWT token, set this element to "NONE". 

      <SignatureAlgorithm>NONE</SignatureAlgorithm>

    4. AuthorizationContextTTL: Defines the expiry time for JWT token in minutes.

Instead of configuring the JWT token in the identity.xml file, you can also choose to configure it using the management console while configuring the OAuth application.

Select JWT as the Token Issuer for a new or existing OAuth/OpenID connect consumer application. See Configuring inbound authentication with OAuth/OpenID Connect  for more information.

Retrieving user claims with the JWT 

User claims can be retrieved using the ID token or the userinfo endpoint. For more information, see Basic Client Profile with Playground.

You can access the userinfo endpoint with the received access token using the following curl command. As per the specification, the received bearer token is sent using the HTTP Authorization header.

curl -k -H "Authorization: Bearer 4164157d677a6cd3a22e26e24c30135d" https://localhost:9443/oauth2/userinfo?schema=openid

As the response, WSO2 Identity Server returns a JSON with user claims.

{"sub":"PRIMARY\/alex","email":"alex@mymail.com","name":"Alex Anderson","family_name":"Anderson","preferred_username":"alexanders","given_name":"Alex"}

Signature verification

The signature verification can be done similar to the ID token signature verification.