This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.
Authentication Data API
- Gomathy Kumarakuruparan (Unlicensed)
- Former user (Deleted)
Authentication Data API provides REST services that are used to retrieve endpoint parameters provided by the authentication framework or related services.
These parameters may not be passed in the redirect URL due to one or many of the following reasons.
- Sensitivity of the values passed.
- Complexity of the values passed.
- Length of the parameters exceeding, or has the possibility of exceeding the allowed limits.
- Compliance to certain business policies.
To use this feature, apply the 3524 WUM update for WSO2 IS 5.7.0 using the WSO2 Update Manager (WUM).
To deploy a WUM update into production, you need to have a paid subscription. If you do not have a paid subscription, you can use this feature with the next version of WSO2 Identity Server when it is released. For more information on updating WSO2 Identity Server using WUM, see Getting Started with WUM in the WSO2 Administration Guide.
Configuring Authentication Data API
To make these parameters available via the Authentication Data API, we need to configure the Identity Server as follows.
Configure the following parameters in the
application-authentication.xmlfile in<IS_HOME>/repository/conf/identityas per the descriptions provided below.<AuthenticationEndpointRedirectParams action="include" removeOnConsumeFromAPI="true"> <AuthenticationEndpointRedirectParam name="sessionDataKey"/> </AuthenticationEndpointRedirectParams>
Field Name Description action Value is either include or exclude. An include indicates a allowlist, whereas an exclude indicates a denylist. removeOnConsumeFromAPI The decides whether to remove the parameters on a read. If set to true, parameters are deleted upon read and won’t be available for subsequent API requests, unless they are repopulated at the backend. AuthenticationEndpointRedirectParam The list of parameters to be allowlisted/denylisted. The name attribute is used to specify the parameter name. sessionDataKey This is an identifier used by the Identity Server to maintain state information related to this particular request by the service provider.
Note: The 'sessionDataKey' query parameter is used to coordinate the request state across components participating in the request flow. It does not correlate with the user session. Furthermore, the request state maintained against the 'sessionDataKey' parameter value is cleared by each participating component at the end of request flow. This means that even if an external party grabs the 'sessionDataKey' they will not be able to get into the authentication sequence, as the user session is not associated with that key.
- Restart the server.
Using the API
The data can be accessible at https://<IS_HOST>:<PORT>/api/identity/auth/v1.1/data/<Type>/<Key>.
- <Type> - This refers to the key type that should be used. The value is AuthRequestKey for pages which directly communicate with the authentication framework using
sessionDataKey,and OauthConsentKey for the Oauth consent page which usessessionDataKeyConsentas the correlation key. - <Key> - The correlation key whose value is either sessionDataKey or sessionDataKeyConsent.
Authenticating the API
This API can be authenticated by following the steps given here.
Following are the sample requests and responses using cURL.
curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/AuthRequestKey/7a6886ab -b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"
{"paramKey1": "paramValue1","paramKey2": "paramValue2"}
curl -k -X GET "https://localhost:9443/api/identity/auth/v1.1/data/OauthConsentKey/7a6886a b-b02f-424f-9cd4-adf5e92f0798" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "accept: application/json"
{"paramKey1":"paramValue1","paramKey2":"paramValue2"}