Thursday, July 18, 2013

How to get a user profile for an OAuth token using JWT headers


In this blog post let's discuss how you can retrieve the user profile (the user's claims) using only the OAuth access token in WSO2 Identity Server. I assume that the reader is familiar with WSO2 Identity Server; if you need more help you can follow the documentation at http://docs.wso2.org/wiki/display/IS400/WSO2+Identity+Server+Documentation

1) Edit CARBON_HOME/repository/conf/identity.xml and set Enabled to true inside the AuthorizationContextTokenGeneration element, as shown below. Then start the WSO2 Identity Server.

   <AuthorizationContextTokenGeneration>
       <!-- generate a signed JWT carrying the user's claims when an access token is validated -->
       <Enabled>true</Enabled>
       <TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator</TokenGeneratorImplClass>
       <!-- reads the user's claims from the user store -->
       <ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
       <!-- claim dialect whose claims are embedded in the JWT -->
       <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
       <!-- the JWT is signed with the server's private key (RSA with SHA-256, i.e. RS256) -->
       <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
       <!-- lifetime of the generated authorization context token -->
       <AuthorizationContextTTL>15</AuthorizationContextTTL>
   </AuthorizationContextTokenGeneration>

2) Get the OAuth access token. The token endpoint authenticates the client with HTTP Basic authentication, so the Authorization header carries the base64 encoding of client_id:client_secret.

The original post suggests an online encoder such as http://www.base64encode.org/ for this; do not paste a client secret into a third-party site. Encode it locally (for example with the base64 command-line tool), or let curl build the header for you with -u client_id:client_secret. Then issue the following curl command to obtain the access token. Make sure you have the correct port in the server URL; -k skips certificate verification and is only acceptable against a test server with a self-signed certificate.

curl -v -X POST -H "Authorization: Basic VE01enNFem9FZG9NRERjVEJjbXRBcWJGdTBFYTpYUU9URExINlBBOHJvUHJfSktrTHhUSTNseGNh" -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=admin&password=admin" https://localhost:9443/oauth2endpoints/token



3) Now you need to invoke an admin service in the Identity Server. Please follow

http://charithaka.blogspot.com/2013/06/invoking-wso2-carbon-admin-services.html on how to invoke admin services using SOAP UI (admin services require authentication as an admin user, which that post covers).

We shall now invoke the following service, passing the access token obtained in step 2:
https://localhost:9443/services/OAuth2TokenValidationService

Request



Response



The response now carries the authorization context token. It is a JWT: three base64-encoded segments delimited with ".". The first is the header (here it decodes to typ JWT, alg SHA256withRSA, which is the Java name for what JOSE calls RS256, and an x5t thumbprint identifying the signing certificate), the middle one is the claim set containing the user profile, and the last is the RSA signature over the first two. To read the profile, decode the middle segment. The original post points to http://www.base64decode.org/ for this; prefer a local tool (base64 -d), since the token carries user data. Two caveats: the segments are padded standard base64 (note the trailing "=" characters), not the unpadded base64url that RFC 7515 JWS uses, so some JWT libraries will reject the token as-is; and an unverified JWT is just text, so anything that acts on these claims must first verify the signature against the Identity Server's public certificate.

<ax2303:tokenString>eyJ0eXAiOiJKV1QiLCJhbGciOiJTSEEyNTZ3aXRoUlNBIiwieDV0IjoiTm1KbU9HVXhNelpsWWpNMlpEUmhOVFpsWVRBMVl6ZGhaVFJpT1dFME5XSTJNMkptT1RjMVpBPT0ifQ==.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.IUpGsH149iJDcn/UWYdGBrAoTNOZiUdI3X7QMXqVt+ss5rOOlDeB5bgz0Q3Y4SKh+H4PBkvlLd0/WAlbuvTi9Zj/G/QupenQpqYKulOFihUMNHiWRUgFT5BvfATVMsvqO/023BFprhdDShuPlpI9pJAEeuvmUiRIBPVVeoj09Ec=</ax2303:tokenString>
               <ax2303:tokenType>JWT</ax2303:tokenType>

Following is the decoded middle segment, which carries the profile claims (from the http://wso2.org/claims dialect configured above) of the user who obtained the OAuth access token.




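As an added example (written for this edit, not code from the post or from WSO2), the following Python script does the last step programmatically instead of through a decoding website: it pulls tokenString out of the validate response, splits the JWT, decodes the header and the claims (accepting both the padded base64 the Identity Server emits and RFC base64url), runs the sanity checks a consumer should make before using the profile (typ, alg, exp, presence of x5t), picks out the profile claims of the configured dialect, and, when x5t is a SHA-1 thumbprint, renders it as the hex fingerprint that keytool -list -v prints for a certificate, so you can tell which key to verify with. The header segment is the real one from the response above; the claim set, the placeholder signature, and the SOAP envelope around tokenString (every element and namespace name other than tokenString and tokenType) are constructed for the example. It does not verify the RSA signature, which needs the Identity Server's public certificate; that step is mandatory before any decoded claim is trusted.

```python
"""Added example (not WSO2 code): inspect the authorization-context JWT returned by
OAuth2TokenValidationService. See the lead-in above for what is assumed."""
import base64
import json
import time
import xml.etree.ElementTree as ET

# Header segment copied from the response in the post. It decodes to typ=JWT, alg=SHA256withRSA
# (the Java name for JOSE's RS256, which off-the-shelf JWT libraries will not recognise) and x5t.
HEADER_B64 = ("eyJ0eXAiOiJKV1QiLCJhbGciOiJTSEEyNTZ3aXRoUlNBIiwieDV0IjoiTm1KbU9HVXhNelpsWWpNMlpE"
              "UmhOVFpsWVRBMVl6ZGhaVFJpT1dFME5XSTJNMkptT1RjMVpBPT0ifQ==")
CLAIM_DIALECT = "http://wso2.org/claims"    # ConsumerDialectURI from identity.xml
ACCEPTED_ALGS = {"SHA256withRSA", "RS256"}  # never "none", never an HMAC alg

def decode_segment(segment):
    # IS 4.x emits padded standard base64 (note the '==' above); RFC 7515 uses unpadded
    # base64url. Accept both; validate=True rejects anything outside the alphabet.
    s = segment.strip().replace("-", "+").replace("_", "/")
    return base64.b64decode(s + "=" * (-len(s) % 4), validate=True)

def extract_token(soap_xml):
    """Return (tokenString, tokenType) from the validate response, whatever prefix Axis2 used."""
    found = {}
    for el in ET.fromstring(soap_xml).iter():
        local = el.tag.rsplit("}", 1)[-1]       # drop the {namespace} part
        if local in ("tokenString", "tokenType"):
            found[local] = (el.text or "").strip()
    if "tokenString" not in found:
        raise ValueError("no tokenString in response")
    return found["tokenString"], found.get("tokenType", "")

def decode_jwt(token):
    """Split header.claims.signature and decode; the signature comes back raw and UNVERIFIED."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected 3 segments, got %d" % len(parts))
    header, claims = (json.loads(decode_segment(p)) for p in parts[:2])
    return header, claims, decode_segment(parts[2])

def cert_thumbprint_hex(x5t):
    """SHA-1 fingerprint of the signing certificate as 40 hex chars (what 'keytool -list -v'
    prints), or None if x5t is not one. Handles RFC 7515's base64url(raw digest) and WSO2's
    base64(hex digest as text)."""
    try:
        raw = decode_segment(x5t)
    except ValueError:
        return None
    if len(raw) == 20:                          # RFC form: raw digest bytes
        return raw.hex()
    txt = raw.decode("ascii", "replace")        # WSO2 form: the hex digest as text
    if len(txt) == 40 and all(c in "0123456789abcdefABCDEF" for c in txt):
        return txt.lower()
    return None

def check(header, claims, now=None):
    """Checks to make before using the profile; returns the problems found (empty = OK).
    Signature verification is NOT here: it needs the IS public certificate named by x5t."""
    now = time.time() if now is None else now
    problems = []
    if header.get("typ") != "JWT":
        problems.append("typ is %r, expected JWT" % (header.get("typ"),))
    if header.get("alg") not in ACCEPTED_ALGS:
        problems.append("alg %r not accepted" % (header.get("alg"),))
    if "x5t" not in header:
        problems.append("no x5t: cannot tell which certificate to verify against")
    exp = claims.get("exp")
    if exp is None:
        problems.append("no exp claim")
    else:
        exp = float(exp) / (1000.0 if float(exp) > 1e11 else 1.0)  # tolerate ms timestamps
        if exp <= now:
            problems.append("token expired at %d" % exp)
    return problems

def profile(claims, dialect=CLAIM_DIALECT):
    """The user-profile claims: those whose URI is in the configured dialect, by short name."""
    prefix = dialect.rstrip("/") + "/"
    return {k[len(prefix):]: v for k, v in claims.items() if k.startswith(prefix)}

def inspect_response(soap_xml, now=None):
    """End to end: SOAP response -> token -> decoded parts -> what a consumer needs to decide."""
    token, token_type = extract_token(soap_xml)
    header, claims, _unverified_sig = decode_jwt(token)
    return {"token_type": token_type, "alg": header.get("alg"),
            "thumbprint_sha1": cert_thumbprint_hex(header.get("x5t", "")),
            "problems": check(header, claims, now), "profile": profile(claims)}

def build_sample_token(exp):
    # Constructed claim set: the post does not reproduce its own claims segment.
    claims = {"iss": "wso2.org/products/is", "exp": int(exp),
              CLAIM_DIALECT + "/emailaddress": "admin@example.com",
              CLAIM_DIALECT + "/role": "admin,Internal/everyone"}
    body = base64.b64encode(json.dumps(claims).encode()).decode()  # padded, as IS 4.x emits
    sig = base64.b64encode(b"\x00" * 128).decode()                # placeholder, not a real signature
    return HEADER_B64 + "." + body + "." + sig

def sample_response(token):
    # Only tokenString/tokenType come from the post; the enclosing element names and the
    # placeholder namespace URIs are assumed for this example.
    return ('<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">'
            '<soapenv:Body><ns:validateResponse xmlns:ns="urn:example:assumed" '
            'xmlns:ax2303="urn:example:assumed-dto"><ns:return>'
            '<ax2303:tokenString>%s</ax2303:tokenString><ax2303:tokenType>JWT</ax2303:tokenType>'
            '</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>' % token)
```

Call inspect_response(xml) on the raw validate response body (inspect_response(sample_response(build_sample_token(time.time() + 900))) exercises it on the constructed sample). Treat a non-empty problems list as a hard failure, and before acting on profile verify the signature with an RSA-SHA256 (RS256) verifier and the public certificate whose SHA-1 fingerprint matches thumbprint_sha1; keytool -list -v against the server's keystore shows that fingerprint. The alg check matters: a consumer that simply trusts whatever alg the header names can be talked into accepting "none" or an HMAC over the public key, so the accepted set is fixed to the RSA algorithm configured in identity.xml.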
6 comments:

  1. Is it possible for WSO2 IS to generate the JWT as the access token? Because then we can avoid another round trip to the WSO2 IS for token validation...

  2. As asked by squanderer, I would be interested in getting back directly the JWT.
    Did anyone manage to do it?

  3. Thanks for this article.
    As asked by squanderer, and another reader, is it possible to get back directly the JWT? (in a bearer mode)

  4. hi, we provide online training & video tutorial for soapui
    for free videos refer
    http://soapui-tutorial.com/soapui-tutorial/introduction-to-webservices/