Skip to main content

Generate JWT access tokens from WSO2 Identity Server

In Identity Server 5.2.0 we have created an interface to generate access tokens. Using that we have developed a sample to generate JWT tokens. You can find that sample under msf4j samples[1][2]. If you are build it as it is you will need to use Java 8 to build since msf4j is developed on Java 8. So you will need to run Identity Server on Java 8 as well. After building the project[2] please copy the jar inside target directory to $IS_HOME/repository/components/dropins/ directory. And then please add the following configuration to Identity.xml which is placed under $IS_HOME/repository/conf/identity/ folder inside tag OAuth.

 <IdentityOAuthTokenGenerator>com.wso2.jwt.token.builder.JWTAccessTokenBuilder</IdentityOAuthTokenGenerator>


Then go to the database you used to store oauth tokens (This is the database pointed from the datasource you mentioned in the $IS_HOME/repository/conf/identity/identity.xml) and then alter the size of the column ACCESS_TOKEN of the table IDN_OAUTH2_ACCESS_TOKEN to the maximum value provided by your database provider.


Labels:

Comments

  1. UnknownDecember 10, 2016 at 9:02 PM

    hello, danushka,
    I am following your instruction of confgiuring the WSO2 IS to output Access Token of JWT format.

    I am just using the default embedded H2 database shipped together with WSO2 IS 5.2.0.
    I changed the maximum length of "ACCESS_TOKEN" to 65536 in /dbscripts/identity/h2.sql.

    and restart the IS.

    yet when I called the IS with Oathu2 resource owner password grant type. I still got the following error

    org.h2.jdbc.JdbcSQLException: Value too long for column "ACCESS_TOKEN VARCHAR(255)": "'eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDNcL29hdXRoMlwvdG9rZW4iLCJzdWIiOiJ3ZW5AY2FyYm9uLnN1cGVyIiwiYXVkIj... (439)"; SQL statement:
    INSERT INTO IDN_OAUTH2_ACCESS_TOKEN (ACCESS_TOKEN, REFRESH_TOKEN, CONSUMER_KEY_ID, AUTHZ_USER, TENANT_ID, USER_DOMAIN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, TOKEN_SCOPE_HASH, TOKEN_STATE, USER_TYPE, TOKEN_ID, GRANT_TYPE, SUBJECT_IDENTIFIER) SELECT ?,?,ID,?,?,?,?,?,?,?,?,?,?,?,?,? FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY=? [22001-175]


    it seems that the field length of ACCESS_TOKEN is still 255 instead of 65536.

    so, how do you make the change on H2 database data schema to take effect.


    ReplyDelete
    Replies
    1. AnonymousMay 10, 2017 at 6:22 AM

      Hi George
      You can change h2.sql files in dbscripts folder and then restart the server with -Dsetup.

      Delete
  2. UnknownDecember 13, 2016 at 1:08 AM

    hello, danushka:

    One more question: how do you configure the claims in the JWT Access Token?

    I am using the SCIM interface for provisioning, I intent to have the scimId (urn:scim:schemas:core:1.0:id; UUID generated automatically upon user-generation) to replace userId(userName) in JWT Access Token so that no user privacy is ever compromised. can you please provide a detailed instruction?

    thanks

    ReplyDelete
    Replies
    1. AnonymousMay 10, 2017 at 10:51 PM

      In custom code provided, you can change following line
      https://github.com/wso2/msf4j/blob/master/samples/jwt-claims/JWTAccessTokenBuilder/src/main/java/com/wso2/jwt/token/builder/JWTAccessTokenBuilder.java#L146

      Delete
  3. UnknownApril 12, 2018 at 5:15 AM

    Has your bundle ever been tested in WSO2 IS 5.3.0 ?

    ReplyDelete
    Replies
    1. Danushka FernandoMay 4, 2018 at 12:12 AM

      This is created for IS 5.2.0. Not sure whether it is tested for 5.3.0. Are you having any issues with 5.3.0?

      Delete

Post a Comment

Popular posts from this blog

Oauth custom basic authenticator with WSO2 IS 5.1.0

WSO2 Identity Server supports Oauth2 authorization code grant type with basic authentication OOTB. But basic authentication is done only with WSO2 user store. So there could be use cases that basic authentication has to be done against some other system. In this case you follow below steps to achieve your requirement. First you need to create an class which extends AbstractApplicationAuthenticator and implements LocalApplicationAuthenticator. Because this class is going to act as your application authenticator so it needs to be an implementation of application authenticator interface and to achieve this it needs to be a local authenticator as well. [2] public class CustomBasicAuthenticator extends AbstractApplicationAuthenticator implements LocalApplicationAuthenticator {   Then you need to override the initiateAuthenticationRequest method so you can redirect to the page to enter user and password. In my sample I redirected to the page that is used by our default basic au
Post a Comment
Read more

Integrate New Relic with WSO2 API Manager

In WSO2 API Manager, we have two transports. HTTP servlet transport and Passthru / NIO transport. All the web application requests are handled through HTTP servlet transport which is on 9763 port and 9443 port with ssl and here we are using tomcat inside WSO2 products. All the service requests are served via Passthru / NIO transport which is on 8082 and 8243 with ssl. When we integrate API Manager with new relic in the way discussed in blog posts [5],[6], new relic only detects the calls made to tomcat transports. So we couldn’t get the API calls related data OOTB. But by further analyzing new relic APIs I managed to find a workaround for this problem. New relic supports publishing custom events via their insights api[1]. So what we can do is publish these data via custom API handler[2]. Following is a sample implementation of a handler that I used to test the scenario. I will attach the full project herewith[7]. I have created an osgi bundle with this implementation so after building
Post a Comment
Read more