This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Identity Related Tables

This section lists out all the identity related tables and their attributes in the WSO2 Identity Server database. 

IDN_BASE_TABLE

This table is used to check if the database structure has been created already when starting the server with -Dsetup option. It has only one column (PRODUCT_NAME), which contains a row with the value “WSO2 Identity Server”.
 

IDN_OAUTH_CONSUMER_APPS

This table is used when adding OAuth/OpenID Connect Configuration as Inbound Authentication Configuration for a Service Provider. The following table lists out the columns and the values they contain. 

 

ColumnDescription
CONSUMER_KEYThe OAuth client key
CONSUMER_SECRETThe OAuth client secret
USERNAMEThe username of the user who created the application
TENANT_IDThe tenant ID
APP_NAMEThe name of the service provider
OAUTH_VERSIONThe supported OAuth version of the application
CALLBACK URLThe URL to be redirected to when authorization is complete
GRANT_TYPESAll the grant types for the application

 

IDN_OAUTH1A_REQUEST_TOKEN

When using OAuth 1.0a, OAuth clients need to send the consumer key, consumer secret and scope to the OAuth service and obtain a request token. When the Identity Server returns a request token to such a client, it adds a record to this table. The client will then receive the request token and the OAuth verifier. The client can send these values back to the service and obtain the OAuth access token. Then the record in this table will be deleted and a new row will be added to the IDN_OAUTH1A_ACCESS_TOKEN table. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription

REQUEST_TOKEN  

The generated request token value
REQUEST_TOKEN_SECRETThe generated request token secret
CONSUMER_KEY    The consumer key of the OAuth application in the service provider
CALLBACK_URL  The redirect URL specified for the client in the OAuth application in the service provider
SCOPE  The provided scope in the recieved request
AUTHORIZED True/False (indicates whether the resource owner authorized the request). Initially this column will be marked as false.
OAUTH_VERIFIER Initially this column will be NULL. The client application then receives the request token and the request token secret after which it can authorize the request token where the user enters the credentials and authorizes the request.
AUTHZ_USERThe username of the user that authorized the request token. Once the value of this column is added, the AUTHORIZED column will be marked as true and a random number will be inserted into the OAUTH_VERIFIER column for verification purposes.

 

IDN_OAUTH1A_ACCESS_TOKEN

When using OAuth 1.0a and receiving a OAuth 1.0a request token, the client application can obtain the access token by authorizing the request token. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
ACCESS_TOKEN Randomly generated access token value

ACCESS_TOKEN_SECRET

Randomly generated access token secret
CONSUMER_KEY   The consumer key of the OAuth application created in the Service Provider
SCOPE    The authorized scope
AUTHZ_USER     The username of the user who authorized the request token for obtaining the access token

 

IDN_OAUTH2_AUTHORIZATION_CODE

When a client application is used with OAuth 2 authorization code grant type, after the authentication, the Identity Server returns the authorization code to the client. When this occurs, a record is added to this table. The client application can then request the OAuth access token using the authorized code. When the access token is returned, the record with that authorization code is deleted from this table.The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription

AUTHORIZATION_CODE

The generated authorization code value
CONSUMER_KEYThe particular consumer key for which the authorization code was generated. It is used to identify the OAuth application.
CALLBACK_URL  The redirect URL of the client for returning the authorization code
SCOPE    The approved OAuth scope
AUTHZ_USER  The fully qualified username (with the tenant domain) of the user who authorized the application
TIME_CREATED  The date and time when the authorization code was generated

VALIDITY_PERIOD

The validity time period for the authorization code (default value is 300000 ms)

 

IDN_OAUTH2_ACCESS_TOKEN

When an OAuth2 access token is returned to a client, a record will be added to this table. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
ACCESS_TOKENThe access token
REFRESH_TOKENThe refresh token
CONSUMER_KEYThe consumer key of the OAuth application
AUTHZ_USERThe fully qualified username (with the tenant domain) of the user who authorized the application
USER_TYPEThe type of user
TIME_CREATEDThe date time value when the access token was generated
VALIDITY_PERIODThe validity period of the token (default is 3600000 ms)
TOKEN_SCOPEThe scope of the access token
TOKEN_STATEThe state of the access token (ACTIVE)
TOKEN_STATE_ID 

 

IDN_OAUTH2_SCOPE

When the Identity Server is used with a product such as the WSO2 API Manager, custom OAuth scopes can be defined. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
SCOPE_IDThe unique ID of the scope
SCOPE_KEYA scope key
NAMEName for the scope
DESCRIPTIONDescription of the scope
TENANT_IDTenant ID
ROLESList of roles given

 In a standalone Identity Server instance, this table will not get populated with data. 

 

IDN_OAUTH2_RESOURCE_SCOPE

When the Identity Server is used with a product such as WSO2 API Manager, the custom scopes defined for the APIs will be stored in the IDN_OAUTH2_SCOPE table. These scopes can be mapped with the resources in the API and these resources and scopes mapping are stored in this table. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
RESOURCE_PATHThe path to the resource
SCOPE_IDThe ID of the scope that points to the SCOPE_ID column of the IDN_OAUTH2_SCOPE table

 In a standalone Identity Server instance, this table will not get populated with data. 


IDN_SCIM_GROUP

When creating a new role in the user store,  if the SCIMEnabled property in the user store configuration is set to true, the SCIM attributes for the created role are stored in this table.  For each role that is created, there are multiple rows stored since multiple SCIM attributes are associated with a role (GROUP). The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
ID 
TENANT_IDTenant ID
ROLE_NAMEThe name of the role
ATTR_NAMEThe name of the SCIM attribute
ATTR_VALUEThe value of the SCIM attribute

 

IDN_SCIM_PROVIDER

This table is not used in the latest version of the Identity Server.
  • CONSUMER_ID   
  • PROVIDER_ID  
  • USER_NAME    
  • USER_PASSWORD
  • USER_URL    
  • GROUP_URL    
  • BULK_URL

 

IDN_OPENID_REMEMBER_ME

This table is not being used in the latest version of Identity Server because the 'Remember Me' feature is handled from the authentication framework.
  • USER_NAME  
  • TENANT_ID    
  • COOKIE_VALUE
  • CREATED_TIME

 

IDN_OPENID_USER_RPS

When users login to OpenID relying party applications where the OpenID authentication is provided by the Identity Server, the login details are stored in this table. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
USER__NAMEThe username of the logged in user
TENANT_IDTenant ID of the tenant that the user belongs to
RP_URLThe URL of the relying party to which it should be redirected upon successful login
TRUSTED_ALWAYSTrue/False (indicates whether the user has given the  “Approve Always” or “Approve” options of the application for authentication)
LAST_VISITDate of the last login of the user
VISIT_COUNTThe number of successful login attempts for the user
DEFAULT_PROFILE_NAMEThe default profile name

 

IDN_OPENID_ASSOCIATIONS

The OpenID associations are stored in this table. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
HANDLEThe association handle
ASSOC_TYPEThe OpenID association type
EXPIRE_INThe datetime value of the expiry of the association
MAC_KEYThe Message Authentication Code of the association
ASSOC_STORE 

 

IDN_STS_STORE

When the Identity Server is used as a Security Token Service which issues access tokens, such records are stored in following table. Following are the columns of the table.
  • ID           
  • TOKEN_ID     
  • TOKEN_CONTENT
  • CREATE_DATE  
  • EXPIRE_DATE   
  • STATE

 

IDN_IDENTITY_USER_DATA

When using a JDBC user store, the user attributes of a user are stored in the UM_USER_ATTRIBUTE table for the supported claims. There are some claims used for Identity Management features that should be handled specifically. Claims used for Identity Management feature will be stored in the userstore which is specified in the <IS_HOME>/repository/conf/security/identity-mgt.properties file. In that property file, the property Identity.Mgt.User.Data.Store is used to define what kind of store it uses to store those reserved claims. Upon updating the user profile, these claims and their mapped attribute values will be inserted to this table.
 
  • If you specify org.wso2.carbon.identity.mgt.store.UserStoreBasedIdentityDataStore for the Identity.Mgt.User.Data.Store property which is the default store, it will use the same user store where the user resides for storing these special attributes.
  • If you specify org.wso2.carbon.identity.mgt.store.JDBCIdentityDataStore for the Identity.Mgt.User.Data.Store property, it will not use the user's user store and will instead use Identity Server's internal JDBC database to store those claims.


The reserved claims are as follows:
The following table lists out the columns and a description of the values it contains. 
ColumnDescription
TENANT_IDThe ID of the tenant to which the user belongs to
USER_NAMEThe username of the user
DATA_KEYThe Claim URI of the supported claim
DATA_VALUEThe user attribute value of the particular claim

 

IDN_IDENTITY_META_DATA

  • USER_NAME    
  • TENANT_ID    
  • METADATA_TYPE
  • METADATA    
  • VALID
     

IDN_THRIFT_SESSION

This table is used to store the authenticated Thrift session. Once the user is authenticated to the thrift authenticator, it creates a thrift session. This is mainly used in the XACML feature in WSO2 Identity Server. The Entitlement Service of the Identity Server is exposed via Thrift transport and in order to access this admin service, it must be authenticated. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
SESSION_IDThe unique idea of the created session
USER_NAMEThe username of the user
CREATED_TIMEThe time that the session was created
LAST_MODIFIED_TIMEThe time that the session was last modified

 

IDN_ASSOCIATED_ID

In the Identity Server Dashboard, users can associate their social identity (i.e. Facebook, Yahoo, Google, Microsoft ) with the user account created in the Identity Server. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
ID 
IDP_USER_IDThe user's username in the social account (i.e., Facebook username)
TENANT_IDThe ID of the tenant in which the user is created
IDP_IDThe ID of the identity provider which contains the federated authenticator
USER_NAMEThe username of the user in Identity Server that this social identity is associated with

 

IDN_AUTH_SESSION_STORE

When the remember me option is selected when logging into the either a service provider or the Identity Server, session data is persisted provided that the session data persistence is enabled from configuration. The following table lists out the columns and a description of the values it contains. 

 

ColumnDescription
SESSION_IDThe unique ID of the session
SESSION_TYPEThe type of session created
SESSION_OBJECTThe session object
TIME_CREATEDThe time of the session creation