WSO2 API JWT roles missing - wso2

We are using WSO2 API Manager version 2.5 and Identity Server 5.6, where the IS is the key manager for the API Manager.
I enabled JWT in the IS config.
Added a custom claim dialect with userid and roles (as we do not need everything the local claim dialect includes, and it leads to errors in the backend because the header is too big).
When I call an API, the JWT is generated and passed on. However, the roles claim is not working in my custom dialect.
When I use the local claim dialect for JWT, the roles are included in the token.
My Config:
<JWTConfiguration>
    <JWTHeader>X-JWT-Assertion</JWTHeader>
    <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
    <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
    <ConsumerDialectURI>http://ourdomain.com/jwt</ConsumerDialectURI>
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
    <EnableJWTGeneration>true</EnableJWTGeneration>
</JWTConfiguration>
The http://ourdomain.com/jwt dialect looks like this (Claim URI -> Mapped Local Claim):
http://ourdomain.com/jwt/uid -> http://wso2.org/claims/our/uid
http://ourdomain.com/jwt/fullname -> http://wso2.org/claims/fullname
http://ourdomain.com/jwt/accountNr -> http://wso2.org/claims/accountNr
http://ourdomain.com/jwt/role -> http://wso2.org/claims/role
This is the resulting JWT content:
{
"http://ourdomain.com/jwt/version": "1.0.0",
"http://ourdomain.com/jwt/applicationid": "90",
"http://ourdomain.com/jwt/keytype": "SANDBOX",
"http://ourdomain.com/jwt/uid": "123",
"http://ourdomain.com/jwt/enduser": "mail.address#ourdomain.com#carbon.super",
"http://ourdomain.com/jwt/subscriber": "EXTERNAL/subscriber#ourdomain.com",
"iss": "wso2.org/products/am",
"http://ourdomain.com/jwt/fullname": "Mail Address",
"http://ourdomain.com/jwt/applicationtier": "Unlimited",
"http://ourdomain.com/jwt/applicationname": "application",
"http://ourdomain.com/jwt/enduserTenantId": "-1234",
"http://ourdomain.com/jwt/tier": "Unlimited",
"http://ourdomain.com/jwt/usertype": "APPLICATION_USER",
"http://ourdomain.com/jwt/accountNr": [
"123451",
"123452",
"123453"
],
"http://ourdomain.com/jwt/apicontext": "/heimdall/1.0.0",
"exp": 1541605849
}
Any leads where I'm mistaken? Do I have to write a custom token generator?
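A backend-side check that would have flagged the token above, where the role claim never arrived, written here as an added example that is not part of the original question or of WSO2's code. The dialect prefix comes from the config above; the required-claim list, the RS256 expectation and the sample token are assumptions or constructed, and signature verification with the gateway's public certificate is assumed to happen separately before any of these claims is trusted.

```python
import base64
import json
import time

# Dialect prefix taken from the question's <ConsumerDialectURI>.
DIALECT = "http://ourdomain.com/jwt"
# Claims the backend must see before it authorises anything (assumed policy).
REQUIRED = ("uid", "role")

def _b64url_decode(segment):
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def parse_jwt(token):
    """Split the compact JWS and decode header and payload (no verification)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS")
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))

def check_claims(token, now=None):
    """Return a list of problems; empty means every claim we rely on arrived.
    Signature verification must already have passed; only claim presence is checked."""
    problems = []
    header, payload = parse_jwt(token)
    # The gateway signs with SHA256withRSA; refuse any other alg, 'none' included.
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    now = int(time.time()) if now is None else now
    if not isinstance(payload.get("exp"), int) or payload["exp"] <= now:
        problems.append("token expired or exp missing")
    for name in REQUIRED:
        uri = "%s/%s" % (DIALECT, name)
        if not payload.get(uri):  # None, "" and [] all count as absent
            problems.append("missing claim " + uri)
    return problems

def make_sample_token(payload):
    """Demo-only: compact token with a constructed placeholder signature."""
    header = _b64url_encode(b'{"alg":"RS256","typ":"JWT"}')
    body = _b64url_encode(json.dumps(payload).encode())
    return "%s.%s.%s" % (header, body, _b64url_encode(b"placeholder-signature"))

# Constructed sample mirroring the question's token: uid present, role absent.
SAMPLE_PAYLOAD = {"iss": "wso2.org/products/am", "exp": 1541605849,
                  DIALECT + "/uid": "123", DIALECT + "/accountNr": ["123451"]}
```

Running check_claims on the sample returns a single "missing claim http://ourdomain.com/jwt/role" entry, which is the failure the backend should refuse on rather than falling back to an empty role list.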

Related

What Provider should use for the SuperSet which is integrated with Keycloak as an authentication provider?

I have set up SuperSet with Keycloak integrated as an authentication provider. In the official API documentation, we can get the access token by calling the /security/login API with the corresponding credential data. The example in the document uses "db" as the provider. In my case, I believe I should change this option. However, I have tried to search for the suitable provider name for my scenario with no luck (e.g. ido, idoc; none of them works)...
Does anyone know which provider name I should put in this case?
POST /security/login
Request body:
{
"password": "complex-password",
"provider": "db",
"refresh": true,
"username": "admin"
}

How to pass token from openID connect provider to AppSync api

I have set up AppSync to use OIDC / OpenID Connect as the authoriser and have successfully gotten a token on the client. I am not using Cognito. I am now trying to figure out the following:
I am using the Apollo SDK to interact with my AppSync GraphQL API; how do I pass this OpenID token from the client to it? I assume it has to be some sort of header, but I am unable to find any docs on what AppSync expects it to be.
Once I pass the token, how do I access its claims in AppSync / an AppSync resolver, after it has been verified and the token data extracted?
Pass the Firebase token when you create the client:
const client = new AWSAppSyncClient({
url: ...,
region: ...,
auth: {
type: 'OPENID_CONNECT',
jwtToken: async() => token // Token from Firebase
}
})
The claims from the token are available in $context.identity. Some of these claims are standard claims (specified by OpenID Connect) and others are custom claims (unique to your project). The shape of $context.identity will be similar to the one emitted had you used AWS Cognito instead of Firebase:
{
"sub" : "...", // standard claim - straight from the token
"issuer" : "...", // standard claim - straight from the token
"username" : "...",
"claims" : { ... }, // custom claims from the token
"sourceIp" : ["x.x.x.x"],
"defaultAuthStrategy" : "..."
}
As you can see above, sub and iss are two standard claims that are mapped directly from the token. All other claims from the token are surfaced as custom claims. They can be retrieved via $context.identity.claims.get().
You could then use these claims in a resolver and act on them in a standard fashion.

how to export the wso2 user's UUID as part of JWT token?

I'm trying to configure a service provider in WSO2 Identity Server v5.7.0 in order to export the UUID & roles of a user as part of the JWT token. I've done it like this, but only the roles are exported. The UUID is not shown.
local claim: http://wso2.org/claims/userid, mandatory claim: yes
local claim: http://wso2.org/claims/role, mandatory claim: yes
Steps:
1. In the WSO2 IS admin console -> main tab -> locate the service provider I've created.
2. In "claim configuration", I choose "use local claim dialect".
3. In "Requested Claims" I add the Claim URIs.
4. I've added "wso2.org/claims/userid" & "wso2.org/claims/role" and both of them are marked "mandatory claim".
5. After saving it, I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token.
Only the roles are in the token. The user UUID is not found.
In WSO2 Identity Server, the password grant type issues the id_token (JWT) adhering to the OIDC core specification. In order to get a user claim in the JWT you should have a mapping between WSO2 claims (http://wso2.org/claims) and OIDC claims (http://wso2.org/oidc/claim). For the role claim this mapping is already there, where http://wso2.org/role maps to the groups claim in the OIDC dialect.
Please follow the steps below, in addition to what you did, to get the userid claim in the id_token (JWT):
1. Add userid to the OIDC claim dialect:
   Dialect URI: http://wso2.org/oidc/claim
   Claim URI: userid
   Mapped Local Claim: http://wso2.org/claim/userid
2. From the management console UI, "OIDC Scopes", add the userid claim to the openid scope.
You need to map WSO2 claims to OIDC claims in order to achieve this. This blog (section 6, claim configuration) will help you to understand how to add WSO2 claim mappings.

Retrieve all user attributes and user Roles into JWT self-contained

Which configuration needs to be put in place to retrieve all user attributes (claims) and the associated user roles into a self-contained JWT access_token in OAuth 2 authentication patterns?
Please note that I am in a multi-tenant configuration, with only one Service Provider, where we have configured Inbound Authentication Configuration to OAuth/OpenID Connect Configuration, with OAuth 2.0.
Actions that have been taken:
1. Specify Requested Claims in the Service Provider (use Local Claim Dialect), see below
[Screenshot: Service Provider Claim Configuration]
2. Verify that the default information is present in the Registry, section /_system/config/oidc, in the openid property:
openid=sub,email,email_verified,name,family_name,given_name,middle_name,nickname,preferred_username,profile,picture, website,gender,birthdate,zoneinfo,locale,updated_at,phone_number,phone_number_verified,address,street_address,country,formatted,postal_code,locality,region
3. Retrieve an access_token from https://{{auth0_domain}}/oauth2/token
Each time we get only:
{
"sub": "SANDBOX-TEST.COM/usertest#sandbox-test.com",
"aud": [
"Y058MDvS1NSe_NrqSV84vDJ6JHga"
],
"azp": "V0458MDvS3NSe_NrqSE84vDJ8JHga",
"iss": "https://localhost:9443/oauth2/token",
"exp": 1519148273,
"iat": 1519144673,
"jti": "4366e42c-48b1-42c6-bf52-a084f1521851"
}
Any help/ideas is much appreciated.
I hope this is the latest IS version. I will give you a few tips to troubleshoot this issue.
Make sure the user that you are trying to authenticate does have values for the given claims. You can do this by logging in to the admin portal of Identity Server and viewing the user profile of the specified user.
In "/_system/config/oidc" claims are given in the OIDC dialect. Make sure you have the correct mapping from the local claim dialect to the respective OIDC claim in the claim configuration section.
Since this is OIDC, make sure you pass the "openid" scope.

WSO2 JWT claims returns wrong user

Environment
Clustered API Manager 2.1.0 (two workers, one manager) and Identity Server 5.3.0 (two workers).
Issue
When logging into a webpage, I log in as the application creator, which causes the JWT claims to be the application creator's instead of the user's who logged in.
Idea of issue
My idea of the problem is that since the application was created by one user, it uses the application's client_id as authorization. Since the application is linked to the user who created it, it logs others in as that user. So when we get the JWT claims back, they contain the information of the user who created the application instead of the user who logged in.
What types of things should I be looking at as a possible fix for this problem? I believe the JWT configurations can fix the problem, and I know either api-manager.xml or identity.xml could have the answer.
How do I get the correct JWT claims back from the access token?
JWT Sample
{
"sub": "12345678",
"http://wso2.org/claims/applicationtier": "Unlimited",
"http://wso2.org/claims/client_id": "bzuM29gewg5gxazegXiNfkwsgz",
"http://wso2.org/claims/keytype": "SANDBOX",
"http://wso2.org/claims/version": "1.0.1",
"iss": "wso2.org/products/am",
"http://wso2.org/claims/applicationname": "CellPhones",
"http://wso2.org/claims/enduser": "null",
"http://wso2.org/claims/enduserTenantId": "null",
"http://ourdomain.com/claims/client_rest_of_name": "Ben",
"http://ourdomain.com/claims/client_surname": "Kenobi",
"http://wso2.org/claims/subscriber": "DOMAIN/benk",
"http://wso2.org/claims/tier": "Bronze",
"http://ourdomain.com/claims/client_claim_source": "CLIENT_SUBSCRIBER",
"http://ourdomain.com/claims/client_roles": [
"Full-Time Employee",
"Employee",
"Technology Engineer"
],
"http://wso2.org/claims/applicationid": "8",
"http://wso2.org/claims/usertype": "APPLICATION_USER", <- Client app
"exp": 1493232200,
"email": "user#gmail.com",
"http://wso2.org/claims/apicontext": "/jwt/1.0.1"
}
This was an issue with custom claims. Just had to alter code.