Retrieve all user attributes and user Roles into JWT self-contained - wso2-identity-server

Which configuration needs to be put in place to retrieve all user attributes (claims) and the associated user roles into a self-contained JWT access_token with the OAuth 2 authentication patterns?
Please note that I am in a multi-tenant configuration, with only one Service Provider, where we have configured Inbound Authentication Configuration to OAuth/OpenID Connect Configuration, with OAuth 2.0.
Actions that have been performed:
1. Specify Requested Claims in the Service Provider (use Local Claim Dialect), see below
Service Provider Claim Configuration
2. Verify that the default information is present in the Registry, section /_system/config/oidc, in the openid property:
openid=sub,email,email_verified,name,family_name,given_name,middle_name,nickname,preferred_username,profile,picture, website,gender,birthdate,zoneinfo,locale,updated_at,phone_number,phone_number_verified,address,street_address,country,formatted,postal_code,locality,region
3. Retrieve an access_token from https://{{auth0_domain}}/oauth2/token
Each time we only get:
{
"sub": "SANDBOX-TEST.COM/usertest@sandbox-test.com",
"aud": [
"Y058MDvS1NSe_NrqSV84vDJ6JHga"
],
"azp": "V0458MDvS3NSe_NrqSE84vDJ8JHga",
"iss": "https://localhost:9443/oauth2/token",
"exp": 1519148273,
"iat": 1519144673,
"jti": "4366e42c-48b1-42c6-bf52-a084f1521851"
}
Any help/ideas are much appreciated.

I hope this is the latest IS version. I will give you a few tips to troubleshoot this issue.
Make sure the user you are trying to authenticate has values for the given claims. You can do this by logging in to the admin portal of Identity Server and viewing the user profile of the specified user.
In "/_system/config/oidc" the claims are given in the OIDC dialect. Make sure you have a correct mapping from the local claim dialect to the respective OIDC claim in the claim configuration section.
Since this is OIDC make sure you pass the "openid" scope.

Related

What Provider should use for the SuperSet which is integrated with Keycloak as an authentication provider?

I have set up a SuperSet with Keycloak integrated as an authentication provider. In the official API documentation, we can get the access token by calling the /security/login API with the corresponding credential data provided. The example in the document is using "db" as provider. In my case, I believe I should change this option. However, I have tried to search for the suitable provider name in my scenario but no luck (e.g. ido, idoc; none of them works)...
Does anyone know what provider name should I put in this case?
POST /security/login
Request body
{
"password": "complex-password",
"provider": "db",
"refresh": true,
"username": "admin"
}

how to export the wso2 user's UUID as part of JWT token?

I'm trying to configure a service provider of WSO2 Identity Server v5.7.0 in order to export the UUID & roles of a user as part of the JWT token. I've done it like this, but only roles are exported. The UUID is not shown.
local claim:http://wso2.org/claims/userid. mandatory claim: yes
local claim:http://wso2.org/claims/role. mandatory claim: yes
Steps:
1. In the WSO2 IS admin console -> Main tab, locate the service provider I've created.
2. In "Claim Configuration", I choose "Use Local Claim Dialect".
3. In "Requested Claims" I add the Claim URIs: I've added "wso2.org/claims/userid" & "wso2.org/claims/role", and both of them are marked "Mandatory Claim".
After saving it, I use curl -u kbxx:Vyy -k -d "grant_type=password&username=youfa.mao&password=x&scope=openid" -H "Content-Type:application/x-www-form-urlencoded" xxx:yyy/oauth2/token to get the JWT token.
Only roles are in the token. The user UUID is not found
In WSO2 Identity Server, the password grant type issues an id_token (JWT) adhering to the OIDC core specification. In order to get a user claim in the JWT you should have a mapping between WSO2 claims (http://wso2.org/claims) and OIDC claims (http://wso2.org/oidc/claim). For the role claim this mapping is already there, where http://wso2.org/claims/role maps to the groups claim in the OIDC dialect.
Please follow below steps in addition to what you did to get userid claim in id_token(JWT)
Add userid to OIDC claim dialect
Dialect URI: http://wso2.org/oidc/claim
Claim URI: userid
Mapped Local Claim: http://wso2.org/claims/userid
From the management console UI "OIDC Scopes", add the userid claim to the openid scope.
You need to map WSO2 claims to OIDC claims in order to achieve this. Section 6 of the blog, on claim configuration, will help you understand how to add WSO2 claim mappings.
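Both answers above (the troubleshooting tips for the self-contained access_token and the userid steps for the id_token) boil down to the same three conditions for a claim to appear in an IS-issued JWT: the user has a value for the local claim, the local claim is mapped into the OIDC dialect, and the OIDC claim belongs to a scope the client requested. The following is an added example and not WSO2 code: a small model of those checks that reports which condition a missing claim fails. The scope table, the dialect mapping, the user profile and the UUID value are constructed for the example.

```python
# Added example, not WSO2 code: a simplified model of the three checks the
# answers above describe for a claim to land in an IS-issued JWT:
#   1. the user has a value for the local claim (http://wso2.org/claims/...),
#   2. the local claim is mapped into the OIDC dialect (http://wso2.org/oidc/claim),
#   3. the OIDC claim belongs to a scope the client actually requested (e.g. openid).
# The scope table, dialect mapping and user profile below are constructed samples.
import copy

# OIDC scope -> OIDC claims, in the spirit of the 'openid' line in /_system/config/oidc
SCOPE_CLAIMS = {
    "openid": ["sub", "email", "given_name", "family_name", "groups"],
    "profile": ["name", "nickname", "picture"],
}

# OIDC dialect: OIDC claim -> mapped local claim. 'groups' <- role ships with IS;
# 'userid' is deliberately absent, which is the situation in the question.
OIDC_TO_LOCAL = {
    "email": "http://wso2.org/claims/emailaddress",
    "given_name": "http://wso2.org/claims/givenname",
    "family_name": "http://wso2.org/claims/lastname",
    "groups": "http://wso2.org/claims/role",
}

# Constructed user profile (what the admin portal would show for this user).
USER = {
    "http://wso2.org/claims/emailaddress": "usertest@sandbox-test.com",
    "http://wso2.org/claims/givenname": "Test",
    "http://wso2.org/claims/role": ["Internal/everyone"],
    "http://wso2.org/claims/userid": "8a1f0c3e-sample-uuid",
    # no lastname value on purpose
}


def explain_claim(local_claim, user_claims, requested_scopes,
                  scope_claims=SCOPE_CLAIMS, oidc_to_local=OIDC_TO_LOCAL):
    """Return (emitted, reason) for one local claim, in the order the answers check them."""
    if not user_claims.get(local_claim):
        return False, "user has no value for %s (check the user profile)" % local_claim
    oidc_names = [o for o, l in oidc_to_local.items() if l == local_claim]
    if not oidc_names:
        return False, ("no OIDC dialect mapping for %s "
                       "(add a claim under http://wso2.org/oidc/claim)" % local_claim)
    for oidc in oidc_names:
        for scope in requested_scopes:
            if oidc in scope_claims.get(scope, []):
                return True, "%s -> %s via scope '%s'" % (local_claim, oidc, scope)
    return False, ("%s is mapped to %s but no requested scope carries it "
                   "(requested: %s)" % (local_claim, oidc_names, sorted(requested_scopes)))


def build_claims(user_claims, requested_scopes,
                 scope_claims=SCOPE_CLAIMS, oidc_to_local=OIDC_TO_LOCAL):
    """Claims this model would emit into the JWT for the user and scope set.
    'sub' has no entry in the mapping table; IS derives it from the authenticated user."""
    out = {}
    for scope in requested_scopes:
        for oidc in scope_claims.get(scope, []):
            local = oidc_to_local.get(oidc)
            if local and user_claims.get(local):
                out[oidc] = user_claims[local]
    return out


def with_userid_mapping(scope_claims=SCOPE_CLAIMS, oidc_to_local=OIDC_TO_LOCAL):
    """The fix from the second answer: add 'userid' to the OIDC dialect and to the openid scope.
    Returns modified copies; the module-level tables stay untouched."""
    scopes = copy.deepcopy(scope_claims)
    mapping = dict(oidc_to_local)
    mapping["userid"] = "http://wso2.org/claims/userid"
    scopes["openid"].append("userid")
    return scopes, mapping


if __name__ == "__main__":
    for claim in ("http://wso2.org/claims/userid", "http://wso2.org/claims/lastname"):
        print(explain_claim(claim, USER, ["openid"]))
    print(explain_claim("http://wso2.org/claims/emailaddress", USER, []))  # openid not requested
    scopes, mapping = with_userid_mapping()
    print(build_claims(USER, ["openid"], scopes, mapping))
```

Running it shows userid rejected for the missing dialect mapping, lastname rejected because the user has no value, and email rejected when the openid scope is left out of the token request; after with_userid_mapping() the userid claim is emitted alongside groups.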

Custom attribute not passed into ID_TOKEN created by AWS Cognito

I am not able to get a custom attribute in the ID_TOKEN returned from AWS Cognito after a successful user login.
Steps I tried:
1.Created user pool
2.Created app client and checked the custom attribute(customattrib1,customattrib2)
User Pool screen :
Check custom attribute in app client config
3.Created user using admin-create-user api
Below image shows the value for user attributes:
4. Signed in the user using aws-cognito-auth.js in the client app. The ID token returned does not contain the custom attributes.
ID_TOKEN
{
"at_hash": "PKfjYDaiEty5mUOyJZlPQA",
"sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
"email_verified": true,
"iss": "https://cognito-idp.ap-south-1.amazonaws.com/ap-south-1_XXXXXXX",
"phone_number_verified": true,
"cognito:username": "testuser",
"aud": "XYXYXYXYX",
"token_use": "id",
"auth_time": 1549349674,
"phone_number": "##########",
"exp": 1549353274,
"iat": 1549349674,
"email": "testuser@somedomain.com"
}
I have already checked the links below, which had some info regarding this issue, but nothing has helped so far.
Adding Cognito custom attributes post pool creation?
Cognito User Pool custom attributes do not show up in the ID token if user pool is configured with a SAML identity provider
https://www.reddit.com/r/aws/comments/a07dwg/cognito_add_custom_attribute_to_jwt_token/
Please help me figure out if I am missing something.
In your Cognito user pool go to General Settings -> App Clients, then for each app client click on Show Details, then Set attribute read and write permissions. Check the checkbox next to your attribute name under Readable Attributes.
In your Cognito user pool go to App client settings -> Allowed OAuth Scopes and enable profile scope.
I had the same trouble and your question came up when I was searching for a solution.
My custom attributes started to appear in ID token when I enabled profile scope in 'App client settings'. (available at: AWS console-> 'User pools'-> click your pool -> 'App client settings' -> 'Allowed OAuth Scopes')
(BTW: I was misled by this sentence from the documentation: "The openid scope returns all user attributes in the ID token that are readable by the client". In my case openid scope was not enough.)
For me the problem was that I was getting my token (after authenticating with the Amplify js library) from:
Auth.currentSession().then(u => u.getAccessToken().getJwtToken())
Instead of:
Auth.currentSession().then(u => u.getIdToken().getJwtToken());
After changing it worked fine! Hope it helps!
For anyone coming here who is using the Amplify SDK like the OP: Copy and Paste calls out an important point, that your client ALSO needs to explicitly ask for the scope.
In my case I am using Angular. After adding "profile" to the User Pool "Allowed OAuth Scopes", you also need to specify it in your client configuration:
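The third answer in this thread (getAccessToken() versus getIdToken()) is the failure mode that is easiest to confirm from the token itself: Cognito marks every JWT with a token_use claim, and custom:* attributes are only ever carried by the ID token. The following is an added example and not code from the thread, from AWS, or the Amplify client configuration the last answer refers to. It decodes a token without verifying it and reports where the custom attributes are or which of the fixes above still applies; the three tokens are constructed with a dummy signature segment.

```python
# Added example, not from the thread and not AWS code: decode a Cognito JWT
# without verifying it and tell the ID token (which carries user attributes,
# including custom:* ones) apart from the access token (which never does).
# The tokens are constructed and carry a dummy signature; an unverified decode
# is for inspection only, never for an authorization decision.
import base64
import json


def _b64url_decode(segment):
    # JWT segments are unpadded base64url; restore the padding first.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token):
    """Return (header, payload); raises ValueError on a malformed token."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    return json.loads(_b64url_decode(parts[0])), json.loads(_b64url_decode(parts[1]))


def custom_attributes(token):
    """Where the custom:* attributes are in this token, or why they are not."""
    _, payload = decode_unverified(token)
    token_use = payload.get("token_use")
    if token_use != "id":
        return {"token_use": token_use, "custom": None,
                "hint": "custom attributes live only in the ID token; "
                        "use getIdToken(), not getAccessToken()"}
    custom = {k: v for k, v in payload.items() if k.startswith("custom:")}
    hint = None if custom else ("no custom:* claims: make the attribute readable for this "
                                "app client and request the profile scope")
    return {"token_use": "id", "custom": custom, "hint": hint}


def make_sample_token(payload):
    """Constructed token for offline use; the signature verifies against no key."""
    def enc(obj):
        return _b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    header = {"alg": "RS256", "kid": "sample-kid"}
    return ".".join([enc(header), enc(payload), _b64url_encode(b"\x00" * 32)])


# Constructed samples; 'sub' is a made-up pool user id.
SAMPLE_ID_TOKEN = make_sample_token({
    "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
    "token_use": "id",
    "cognito:username": "testuser",
    "email": "testuser@example.com",
    "custom:customattrib1": "value-1",
    "custom:customattrib2": "value-2",
    "iat": 1549349674, "exp": 1549353274,
})
SAMPLE_ACCESS_TOKEN = make_sample_token({
    "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
    "token_use": "access",
    "scope": "openid profile",
    "username": "testuser",
    "iat": 1549349674, "exp": 1549353274,
})
SAMPLE_ID_TOKEN_NO_CUSTOM = make_sample_token({
    "sub": "639d5016-2bd3-4c6f-b82d-21ae38071b09",
    "token_use": "id",
    "cognito:username": "testuser",
})

if __name__ == "__main__":
    for name, tok in (("id", SAMPLE_ID_TOKEN), ("access", SAMPLE_ACCESS_TOKEN),
                      ("id without custom", SAMPLE_ID_TOKEN_NO_CUSTOM)):
        print(name, custom_attributes(tok))
```

Paste the real JWT string from Auth.currentSession() into custom_attributes() to see which case you are in; if token_use is "access" the client is reading the wrong token, and if it is "id" with no custom:* keys the app client's readable attributes or the requested scopes are what to check next.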

WSO2 API JWT roles missing

We are using WSO2 API Manager version 2.5 and Identity Server 5.6, where the IS is the key manager for the API Manager.
I enabled JWT in the IS config.
Added a custom claim dialect with userid and roles (as we do not need everything the local claim dialect includes, and it leads to errors in the backend because the header is too big).
When I call an API the JWT is generated and passed on. However, the roles claim is not working in my custom dialect.
When I use the local claim dialect for JWT the roles are included in the token.
My Config:
<JWTConfiguration>
    <JWTHeader>X-JWT-Assertion</JWTHeader>
    <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
    <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
    <ConsumerDialectURI>http://ourdomain.com/jwt</ConsumerDialectURI>
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
    <EnableJWTGeneration>true</EnableJWTGeneration>
</JWTConfiguration>
The http://ourdomain.com/jwt dialect looks like this:
Claim URI: http://ourdomain.com/jwt/uid
Mapped Local Claim: http://wso2.org/claims/our/uid
Claim URI: http://ourdomain.com/jwt/fullname
Mapped Local Claim: http://wso2.org/claims/fullname
Claim URI: http://ourdomain.com/jwt/accountNr
Mapped Local Claim: http://wso2.org/claims/accountNr
Claim URI: http://ourdomain.com/jwt/role
Mapped Local Claim: http://wso2.org/claims/role
This is the resulting JWT content:
{
"http://ourdomain.com/jwt/version": "1.0.0",
"http://ourdomain.com/jwt/applicationid": "90",
"http://ourdomain.com/jwt/keytype": "SANDBOX",
"http://ourdomain.com/jwt/uid": "123",
"http://ourdomain.com/jwt/enduser": "mail.address@ourdomain.com@carbon.super",
"http://ourdomain.com/jwt/subscriber": "EXTERNAL/subscriber@ourdomain.com",
"iss": "wso2.org/products/am",
"http://ourdomain.com/jwt/fullname": "Mail Address",
"http://ourdomain.com/jwt/applicationtier": "Unlimited",
"http://ourdomain.com/jwt/applicationname": "application",
"http://ourdomain.com/jwt/enduserTenantId": "-1234",
"http://ourdomain.com/jwt/tier": "Unlimited",
"http://ourdomain.com/jwt/usertype": "APPLICATION_USER",
"http://ourdomain.com/jwt/accountNr": [
"123451",
"123452",
"123453"
],
"http://ourdomain.com/jwt/apicontext": "/heimdall/1.0.0",
"exp": 1541605849
}
Any leads where I'm mistaken? Do I have to write a custom token generator?

WSO2 JWT claims returns wrong user

Environment
Clustered API Manager 2.1.0 (two workers, one manager) and Identity Server 5.3.0 (two workers)
Issue
When logging into a webpage, I log in as the application creator, which causes the JWT claims to be those of the application creator instead of the user who logged in.
Idea of issue
My idea of the problem is that since the application was created by one user, it uses the application's client_id as authorization. Since the application is linked to the user who created it, it logs others in as that user. So when we get the JWT claims back, it has the information for the user who created the application instead of the user who logged in.
What types of things should I be looking at as a possible fix for this problem? I believe the JWT configuration can fix the problem, and I know either api-manager.xml or identity.xml could have the answer.
How do I get the correct JWT claims back from the access token?
JWT Sample
{
"sub": "12345678",
"http://wso2.org/claims/applicationtier": "Unlimited",
"http://wso2.org/claims/client_id": "bzuM29gewg5gxazegXiNfkwsgz",
"http://wso2.org/claims/keytype": "SANDBOX",
"http://wso2.org/claims/version": "1.0.1",
"iss": "wso2.org/products/am",
"http://wso2.org/claims/applicationname": "CellPhones",
"http://wso2.org/claims/enduser": "null",
"http://wso2.org/claims/enduserTenantId": "null",
"http://ourdomain.com/claims/client_rest_of_name": "Ben",
"http://ourdomain.com/claims/client_surname": "Kenobi",
"http://wso2.org/claims/subscriber": "DOMAIN/benk",
"http://wso2.org/claims/tier": "Bronze",
"http://ourdomain.com/claims/client_claim_source": "CLIENT_SUBSCRIBER",
"http://ourdomain.com/claims/client_roles": [
"Full-Time Employee",
"Employee",
"Technology Engineer"
],
"http://wso2.org/claims/applicationid": "8",
"http://wso2.org/claims/usertype": "APPLICATION_USER", <- Client app
"exp": 1493232200,
"email": "user@gmail.com",
"http://wso2.org/claims/apicontext": "/jwt/1.0.1"
}
This was an issue with custom claims. Just had to alter code.