Integrating a Third-Party Identity Provider for Access Token Management
WSO2 IoT Server is prepackaged with a default key manager to handle clients, security and access token-related operations. The following section provides an alternative to using the default key manager and guides you through using WSO2 Identity Server (WSO2 IS) as the key manager in WSO2 IoT Server. This is useful in a production environment where a WSO2 IS node is already in use and you want to use WSO2 IoT Server with it.
Before you begin
- Download WSO2 API Manager and unzip it if you have not done so already. The unzipped directory is referred to as `<APIM_HOME>` throughout this documentation.
- Download WSO2 Identity Server and unzip it. The unzipped directory is referred to as `<IS_HOME>` throughout this documentation.
- Follow the steps listed in the Configuring WSO2 Identity Server as a Key Manager topic in the WSO2 API-M documentation to configure WSO2 IS as the key manager.
1. Download the following feature installation pom file and place it inside the `<APIM_HOME>` directory.
2. Navigate to `<APIM_HOME>` on the terminal and execute the following command. This installs the required features to the WSO2 IoT Server pack.

   ```shell
   mvn clean install -f apim-feature-installation.xml
   ```
3. Open the `identity.xml` file found in the `<APIM_HOME>/repository/conf/identity` directory and add the following grant type under the `<SupportedGrantTypes>` element.

   ```xml
   <SupportedGrantType>
       <GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
       <GrantTypeHandlerImplClass>org.wso2.carbon.device.mgt.oauth.extensions.handlers.grant.ExtendedJWTGrantHandler</GrantTypeHandlerImplClass>
       <GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
   </SupportedGrantType>
   ```
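To make concrete what the JWT bearer grant registered above involves, here is an added Python example (it is not WSO2 code and not part of this page) that mints a JWT assertion, builds the token request for the `urn:ietf:params:oauth:grant-type:jwt-bearer` grant type, and performs the server-side checks a grant validator applies before issuing an access token: pinned algorithm, signature, trusted issuer, audience, validity window and single-use `jti`. The issuer name, token endpoint URL and the HS256 key are constructed assumptions so the code runs offline; in the deployment described on this page the signature is checked against the IoT Server certificate that you register as a file-based identity provider, not against a shared secret.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"  # grant type from the page

# Deployment values assumed for this example (not from the page): the issuer name
# given to the file-based identity provider and the audience the token endpoint expects.
TRUSTED_ISSUER = "wso2-iot-server"
TOKEN_ENDPOINT = "https://apim.example.com:9443/oauth2/token"

# Constructed HS256 key so the example runs offline. A real deployment verifies an
# RS256 signature against the identity provider's X.509 certificate instead.
DEMO_KEY = b"constructed-demo-key-not-for-production"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_assertion(subject: str, now: Optional[int] = None, ttl: int = 300,
                   jti: str = "jti-1", key: bytes = DEMO_KEY) -> str:
    """Client side: a short-lived, single-use assertion bound to one audience."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"iss": TRUSTED_ISSUER, "sub": subject, "aud": TOKEN_ENDPOINT,
              "iat": now, "nbf": now, "exp": now + ttl, "jti": jti}
    signing_input = _b64url(json.dumps(header).encode()) + "." + _b64url(json.dumps(claims).encode())
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def build_token_request(assertion: str, scope: str) -> dict:
    """Form body a client posts to the token endpoint for this grant type."""
    return {"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope}


class AssertionValidator:
    """Server side: the checks a JWT grant validator runs before a token is issued."""

    def __init__(self, key: bytes, issuer: str, audience: str, leeway: int = 30):
        self.key, self.issuer, self.audience, self.leeway = key, issuer, audience, leeway
        self.seen_jti: set = set()  # replay cache; a real server prunes it by exp

    def validate(self, assertion: str, now: Optional[int] = None) -> dict:
        now = int(time.time()) if now is None else now
        parts = assertion.split(".")
        if len(parts) != 3:
            raise ValueError("malformed assertion")
        header = json.loads(_b64url_decode(parts[0]))
        # Pin the algorithm; never let the token choose how it is verified.
        if header.get("alg") != "HS256":
            raise ValueError("unexpected alg")
        expected = hmac.new(self.key, f"{parts[0]}.{parts[1]}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(parts[2])):
            raise ValueError("bad signature")
        claims = json.loads(_b64url_decode(parts[1]))
        if claims.get("iss") != self.issuer:
            raise ValueError("untrusted issuer")
        aud = claims.get("aud")
        if self.audience not in (aud if isinstance(aud, list) else [aud]):
            raise ValueError("audience mismatch")
        if claims.get("exp", 0) + self.leeway <= now:
            raise ValueError("expired")
        if claims.get("nbf", 0) - self.leeway > now:
            raise ValueError("not yet valid")
        jti = claims.get("jti")
        if not jti or jti in self.seen_jti:
            raise ValueError("replayed or missing jti")
        self.seen_jti.add(jti)
        return claims

    def rejection_reason(self, assertion: str, now: Optional[int] = None) -> Optional[str]:
        """None when the assertion is accepted, otherwise why it was refused."""
        try:
            self.validate(assertion, now)
            return None
        except ValueError as exc:
            return str(exc)
```

Two of the checks matter most in practice: the `jti` cache turns a captured assertion into a one-shot credential, and pinning the algorithm (rather than reading it from the header) is what keeps a signature check from being downgraded by the token itself.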
4. Update the `OAuthScopeValidator` class as follows.

   ```xml
   <OAuthScopeValidator class="org.wso2.carbon.device.mgt.oauth.extensions.handlers.ScopeValidationHandler"/>
   ```
5. The default keystore used in WSO2 IoT Server has been updated from version 3.1.0 onwards. Since all servers must use the same certificate, do the following to update the keystore in WSO2 API-M:
   - Navigate to the `<IOTS_HOME>/repository/resources/security` folder and copy the `wso2carbon.jks` file.
   - Paste a copy of the file in the `<APIM_HOME>/repository/resources/security` folder, replacing the existing `wso2carbon.jks` file.
   - Paste a copy of the file in the `<IS_HOME>/repository/resources/security` folder as well, replacing the existing `wso2carbon.jks` file.
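After copying the keystore by hand, it is worth confirming that all three packs really hold the same file, since a stale copy in one of them is the usual reason token validation later fails between the servers. The following added Python script (not part of this page or of WSO2) copies `wso2carbon.jks` from `<IOTS_HOME>` into the API-M and IS packs, keeps a `.bak` of each replaced file, compares SHA-256 digests of the three keystores, and optionally runs the JDK's `keytool` to show the certificate fingerprint. The alias and store password `wso2carbon` are assumed defaults; `run_demo` builds three throwaway packs with constructed placeholder bytes standing in for a real JKS file.

```python
import hashlib
import shutil
import subprocess
import tempfile
from pathlib import Path
from typing import Dict, List, Optional, Tuple

# Keystore location inside every WSO2 pack, as given on the page.
KEYSTORE_REL = Path("repository/resources/security/wso2carbon.jks")


def sha256_of(path: Path) -> str:
    """Hex SHA-256 of a file; byte-identical keystores hash identically."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def keystore_digests(homes: Dict[str, Path]) -> Dict[str, str]:
    """SHA-256 of wso2carbon.jks in each pack ('absent' when the file is missing)."""
    return {name: sha256_of(home / KEYSTORE_REL) if (home / KEYSTORE_REL).is_file() else "absent"
            for name, home in homes.items()}


def keystores_match(digests: Dict[str, str]) -> bool:
    """True only when every pack carries the same keystore bytes."""
    return "absent" not in digests.values() and len(set(digests.values())) == 1


def sync_keystore(iots_home: Path, targets: List[Path]) -> None:
    """Copy <IOTS_HOME>'s wso2carbon.jks over each target's copy, keeping a .bak of the old one."""
    source = iots_home / KEYSTORE_REL
    if not source.is_file():
        raise FileNotFoundError(f"source keystore missing: {source}")
    for home in targets:
        dest = home / KEYSTORE_REL
        dest.parent.mkdir(parents=True, exist_ok=True)
        if dest.exists():
            shutil.copy2(dest, dest.with_name(dest.name + ".bak"))
        shutil.copy2(source, dest)


def cert_fingerprint(jks: Path, alias: str = "wso2carbon",
                     storepass: str = "wso2carbon") -> Optional[str]:
    """Deeper check with keytool: the SHA-256 fingerprint of the server certificate.

    Returns None when keytool is not installed. Alias and store password are the
    assumed WSO2 defaults; adjust them for a customised pack.
    """
    if shutil.which("keytool") is None:
        return None
    output = subprocess.run(
        ["keytool", "-list", "-keystore", str(jks), "-alias", alias, "-storepass", storepass],
        capture_output=True, text=True, check=True).stdout
    for line in output.splitlines():
        if "SHA256" in line or "SHA-256" in line:
            return line.split(":", 1)[1].strip()
    return None


def run_demo() -> Tuple[bool, bool]:
    """Constructed scenario: three packs with differing keystores, before and after syncing."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        homes = {"IOTS_HOME": root / "iots", "APIM_HOME": root / "apim", "IS_HOME": root / "is"}
        for name, home in homes.items():
            (home / KEYSTORE_REL).parent.mkdir(parents=True)
            # Constructed placeholder bytes standing in for a real JKS file.
            (home / KEYSTORE_REL).write_bytes(f"fake-jks-from-{name}".encode())
        before = keystores_match(keystore_digests(homes))
        sync_keystore(homes["IOTS_HOME"], [homes["APIM_HOME"], homes["IS_HOME"]])
        after = keystores_match(keystore_digests(homes))
        return before, after


if __name__ == "__main__":
    print(run_demo())
```

On a real installation, call `sync_keystore(Path(IOTS_HOME), [Path(APIM_HOME), Path(IS_HOME)])` with the servers stopped, then compare `keystore_digests` (and `cert_fingerprint` where keytool is available) across the three packs before starting them again.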
6. Create a file-based identity provider using the WSO2 IoT Server certificate and save it inside the `<APIM_HOME>/repository/conf/identity/identity-providers` directory. A sample of a file-based identity provider configuration file can be seen below. The default IoT Server certificate can be found under the `<Certificate>` tag of the `iot-default.xml` file found in the `<IOTS_HOME>/repository/conf/identity/identity-providers` folder.