I am implementing an OAuth 2 token flow using the password grant_type as per the WSO2 docs here
I have this working for logging in users in the web application I am working on currently, and am storing the retrieved access token in local storage.
If I wanted to check the token is still valid (say the user refreshes the browser), is there a request I can make to check access token is still valid and hasn't expired? I assume it would be some form of POST request to the token end point URL?
Thanks
To validate the token, there is an admin service which you can use. It's a SOAP service, and calling the "validate" method in the admin service can be used to validate the token.
Validation Endpoint
https://localhost:9443/services/OAuth2TokenValidationService/
The validate method will respond back to you with the validity period. This service is an admin service which you can invoke through basic authentication and other authentication mechanisms such as mutual authentication.
I believe another approach is to call the token endpoint for a new token. AFAIR, if a valid token exists, it returns it with the expiry time, from which you can calculate the validity period.
Another way is that, if possible, you can store the token request time and have a separate timer to check whether the validity time has expired. At the very first time the token generation request is made, it returns the token with its validity period.
As harsha89 mentioned, you can use the OAuth2TokenValidationService to validate. A sample SOAP request is as follows:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:xsd="http://org.apache.axis2/xsd" xmlns:xsd1="http://dto.oauth2.identity.carbon.wso2.org/xsd">
    <soapenv:Header/>
    <soapenv:Body>
        <xsd:validate>
            <xsd:validationReqDTO>
                <xsd1:accessToken>
                    <xsd1:identifier>b443652fdc3642bb1b3ba8ebae99068</xsd1:identifier><!--access token received-->
                    <xsd1:tokenType>bearer</xsd1:tokenType>
                </xsd1:accessToken>
                <xsd1:context>
                    <xsd1:key></xsd1:key>
                    <xsd1:value></xsd1:value>
                </xsd1:context>
            </xsd:validationReqDTO>
        </xsd:validate>
    </soapenv:Body>
</soapenv:Envelope>
Sample response
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
    <soapenv:Body>
        <ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
            <ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO" xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
                <ax2369:authorizationContextToken xsi:type="ax2369:OAuth2TokenValidationResponseDTO_AuthorizationContextToken">
                    <ax2369:tokenString>eyJhbGciOiJSUzI1NiIsIng1dCI6Ik5tSm1PR1V4TXpabFlqTTJaRFJoTlRabFlUQTFZemRoWlRSaU9XRTBOV0kyTTJKbU9UYzFaQSJ9.eyJodHRwOlwvXC93c28yLm9yZ1wvZ2F0ZXdheVwvYXBwbGljYXRpb25uYW1lIjoiRGVmYXVsdEFwcGxpY2F0aW9uIiwiZXhwIjoxNDQ2Nzg1NjczLCJzdWIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL3N1YnNjcmliZXIiOiJhZG1pbiIsImlzcyI6Imh0dHA6XC9cL3dzbzIub3JnXC9nYXRld2F5IiwiaHR0cDpcL1wvd3NvMi5vcmdcL2dhdGV3YXlcL2VuZHVzZXIiOiJhZG1pbjJAY2FyYm9uLnN1cGVyIiwiaHR0cDpcL1wvd3NvMi5vcmdcL2NsYWltc1wvcm9sZSI6WyJJbnRlcm5hbFwvZXZlcnlvbmUiXSwiaWF0IjoxNDQ2NzgzMjExfQ.VY2J_stNVvCwdGdOn71yw96z0EnbtRabQBt8fDFO5LM4TyNmF56T4uXLGjPW-BaHFKEa21ao0s8zW3UVp3yh2Va5pJhJdEcNeSMHObVvDJBdrDbOqrFZnVG7hxV4n4yIJfWt3jciRQz-SdqVYKJuRF-Tn8qfX30m1s0cMeqEZ2A</ax2369:tokenString>
                    <ax2369:tokenType>JWT</ax2369:tokenType>
                </ax2369:authorizationContextToken>
                <ax2369:authorizedUser>admin2@carbon.super</ax2369:authorizedUser>
                <ax2369:errorMsg xsi:nil="true"/>
                <ax2369:expiryTime>1737</ax2369:expiryTime>
                <ax2369:scope/>
                <ax2369:valid>true</ax2369:valid>
            </ns:return>
        </ns:validateResponse>
    </soapenv:Body>
</soapenv:Envelope>
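Worked example (added here; not code from the answers above or from WSO2): a Python client for the validate operation that builds the envelope shown above, posts it with HTTP basic auth and reads the result back. Because the admin service is authenticated with administrator credentials, the call belongs in a back-end component, not in the browser where the access token sits in local storage. The SOAPAction value and the credentials are assumptions, and the two sample responses are constructed, shaped after the response above with the JWT omitted.

```python
# Added example (not code from the answers above): validating a bearer token
# from a back-end component by calling the OAuth2TokenValidationService.
# Assumptions are marked inline; the sample responses are constructed.
import base64
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from dataclasses import dataclass
from typing import Optional
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
AXIS_NS = "http://org.apache.axis2/xsd"
DTO_NS = "http://dto.oauth2.identity.carbon.wso2.org/xsd"
XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
VALIDATION_URL = "https://localhost:9443/services/OAuth2TokenValidationService/"  # from the answer


def build_validate_request(access_token: str, token_type: str = "bearer") -> bytes:
    """Build the <xsd:validate> envelope shown in the answer; the token is XML-escaped
    because it is opaque client-supplied data and must not be spliced in as markup."""
    return (
        f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:xsd="{AXIS_NS}" xmlns:xsd1="{DTO_NS}">'
        "<soapenv:Header/><soapenv:Body><xsd:validate><xsd:validationReqDTO><xsd1:accessToken>"
        f"<xsd1:identifier>{escape(access_token)}</xsd1:identifier>"
        f"<xsd1:tokenType>{escape(token_type)}</xsd1:tokenType>"
        "</xsd1:accessToken><xsd1:context><xsd1:key></xsd1:key><xsd1:value></xsd1:value></xsd1:context>"
        "</xsd:validationReqDTO></xsd:validate></soapenv:Body></soapenv:Envelope>"
    ).encode("utf-8")


@dataclass
class ValidationResult:
    valid: bool
    authorized_user: Optional[str]
    expiry_time: Optional[int]   # remaining validity period as reported by the server
    error_msg: Optional[str]


def parse_validation_response(xml_bytes: bytes) -> ValidationResult:
    """Read the OAuth2TokenValidationResponseDTO out of the SOAP response."""
    root = ET.fromstring(xml_bytes)
    ret = root.find(f".//{{{AXIS_NS}}}validateResponse/{{{AXIS_NS}}}return")
    if ret is None:
        raise ValueError("SOAP body has no validateResponse/return element")

    def field(local_name: str) -> Optional[str]:
        el = ret.find(f"{{{DTO_NS}}}{local_name}")
        if el is None or el.get(f"{{{XSI_NS}}}nil") == "true":  # xsi:nil="true" means absent
            return None
        return (el.text or "").strip()

    expiry = field("expiryTime")
    return ValidationResult(
        valid=(field("valid") == "true"),  # anything else, including a missing element, is not valid
        authorized_user=field("authorizedUser"),
        expiry_time=int(expiry) if expiry else None,
        error_msg=field("errorMsg"),
    )


def validate_token(access_token: str, admin_user: str, admin_password: str,
                   url: str = VALIDATION_URL,
                   ssl_context: Optional[ssl.SSLContext] = None) -> ValidationResult:
    """POST the request with HTTP basic auth, which the answer says the admin service accepts.
    Pass an ssl_context from ssl.create_default_context(cafile=...) that trusts the Identity
    Server certificate instead of disabling verification."""
    creds = base64.b64encode(f"{admin_user}:{admin_password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        url, data=build_validate_request(access_token), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:validate",  # assumption: Axis2's usual urn:<operation> form
                 "Authorization": f"Basic {creds}"})
    with urllib.request.urlopen(req, context=ssl_context, timeout=10) as resp:
        return parse_validation_response(resp.read())


# Constructed samples, shaped after the response in the answer (JWT omitted).
SAMPLE_VALID_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xsi:type="ax2369:OAuth2TokenValidationResponseDTO"
 xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2369:authorizedUser>admin2@carbon.super</ax2369:authorizedUser><ax2369:errorMsg xsi:nil="true"/>
<ax2369:expiryTime>1737</ax2369:expiryTime><ax2369:scope/><ax2369:valid>true</ax2369:valid>
</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_INVALID_RESPONSE = b"""<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:validateResponse xmlns:ns="http://org.apache.axis2/xsd">
<ns:return xmlns:ax2369="http://dto.oauth2.identity.carbon.wso2.org/xsd" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2369:authorizedUser xsi:nil="true"/>
<ax2369:errorMsg>Invalid or expired access token (constructed message)</ax2369:errorMsg>
<ax2369:expiryTime>0</ax2369:expiryTime><ax2369:valid>false</ax2369:valid>
</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"""
```

On a browser refresh the web application asks its own back end, which calls validate_token and tells the client only whether the session is still good; the admin credentials never leave the server. A missing or non-"true" valid element is treated as invalid rather than as an error, so a malformed reply cannot be mistaken for success.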
I need to find the REST/SOAP API for Password Policies (Password History and Password Pattern) and Login Policies (Account Locking and Account Disabling).
I am using WSO2 IS 5.9.0.
I am creating a Multi-tenant environment from WSO2. I am able to perform all the steps from code but not able to find API for these two settings.
I have to manually do this but this is just a workaround and need to figure out the WSO2 APIs for these.
Need curl request or documentation for these 2 settings API.
From WSO2 IS 5.10.0 onwards there is a REST API to update these configurations.
However, in 5.9.0 and before, only SOAP APIs are available. You can use the https://localhost:9443/services/IdentityGovernanceAdminService SOAP service for this purpose. There are 2 operations available in this service: getConnectorList and updateConfigurations.
You can use getConnectorList to find the available connectors and their property names. Then you can use the updateConfigurations operation to update a property value. The message body would look like the following to update the Password History validation count configuration:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:gov="http://governance.identity.carbon.wso2.org" xmlns:xsd="http://model.common.application.identity.carbon.wso2.org/xsd">
    <soapenv:Header/>
    <soapenv:Body>
        <gov:updateConfigurations>
            <gov:configurations>
                <xsd:name>passwordHistory.count</xsd:name>
                <xsd:value>6</xsd:value>
            </gov:configurations>
        </gov:updateConfigurations>
    </soapenv:Body>
</soapenv:Envelope>
We have a logout request object from the Java side, and we don't have the cookie session index value, but we have the session index coming from the SAML2 assertion XML coming from WSO2 IS. So, using the session index and the logout request, how can I POST it using an AJAX call or any REST client?
Can anyone provide me the URL of the logout request, and what it will look like?
Check out this blog post. It provides the steps you should follow.
Basically you need to create the SAML LogoutRequest as below:
<saml2p:LogoutRequest xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol" ID="flkjhgfehcfjkjjmabgkcmlcnalbcillibfeeeag" IssueInstant="2013-06-28T11:51:06.024Z" NotOnOrAfter="2013-06-28T11:56:06.024Z" Reason="urn:oasis:names:tc:SAML:2.0:logout:user" Version="2.0">
    <saml2:NameID xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">admin</saml2:NameID>
    <saml2p:SessionIndex>26C0530CBEA1DCF404C95B029D6A64AF</saml2p:SessionIndex>
</saml2p:LogoutRequest>
and send a POST to https://localhost:9443/samlsso (which is the SAML SSO logout endpoint by default).
You could use https://localhost:9443/samlsso?slo=true&spEntityID=travelocity.com&returnTo=https://localhost:8080/avs.com/slo as a GET request for logout.
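Worked example (added; not code from either answer above or from WSO2): a Python helper that builds the LogoutRequest shown above with a fresh ID and timestamps, encodes it for the SAML 2.0 HTTP-POST binding (base64 in the SAMLRequest form field) and composes the GET URL form of the second answer. The optional Issuer element is standard SAML 2.0 but is not part of the sample above; the entity IDs, return URL and session index are placeholders. The request is not signed, so deployments that require signature validation on logout requests need that added.

```python
# Added example (not code from the answers above): building the SAML 2.0
# LogoutRequest shown in the first answer, encoding it for an HTTP-POST to
# /samlsso, and composing the GET form from the second answer.
# Placeholders: SP entity ID, return URL, session index. Issuer is optional
# and is not in the answer's sample.
import base64
import secrets
import ssl
import urllib.request
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone
from typing import Optional
from urllib.parse import urlencode
from xml.sax.saxutils import escape

SAMLP_NS = "urn:oasis:names:tc:SAML:2.0:protocol"
SAML_NS = "urn:oasis:names:tc:SAML:2.0:assertion"
NAMEID_FORMAT_ENTITY = "urn:oasis:names:tc:SAML:2.0:nameid-format:entity"  # as in the sample above
REASON_USER = "urn:oasis:names:tc:SAML:2.0:logout:user"
SLO_ENDPOINT = "https://localhost:9443/samlsso"  # default SAML SSO/SLO endpoint, per the answers


def saml_instant(dt: datetime) -> str:
    """xs:dateTime in UTC with millisecond precision, e.g. 2013-06-28T11:51:06.024Z."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def parse_saml_instant(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def build_logout_request(name_id: str, session_index: str, issuer: Optional[str] = None,
                         validity_seconds: int = 300, now: Optional[datetime] = None) -> str:
    """Return the LogoutRequest XML; NotOnOrAfter bounds how long the request stays usable."""
    now = now or datetime.now(timezone.utc)
    request_id = "_" + secrets.token_hex(16)  # xs:ID must not begin with a digit
    issuer_xml = (f'<saml2:Issuer xmlns:saml2="{SAML_NS}">{escape(issuer)}</saml2:Issuer>'
                  if issuer else "")
    return (
        f'<saml2p:LogoutRequest xmlns:saml2p="{SAMLP_NS}" ID="{request_id}" Version="2.0" '
        f'IssueInstant="{saml_instant(now)}" '
        f'NotOnOrAfter="{saml_instant(now + timedelta(seconds=validity_seconds))}" '
        f'Reason="{REASON_USER}">'
        f"{issuer_xml}"
        f'<saml2:NameID xmlns:saml2="{SAML_NS}" Format="{NAMEID_FORMAT_ENTITY}">{escape(name_id)}</saml2:NameID>'
        f"<saml2p:SessionIndex>{escape(session_index)}</saml2p:SessionIndex>"
        "</saml2p:LogoutRequest>"
    )


def parse_logout_request(xml_text) -> dict:
    """Pull the fields back out of a LogoutRequest (used here to check what will be sent)."""
    root = ET.fromstring(xml_text)
    if root.tag != f"{{{SAMLP_NS}}}LogoutRequest":
        raise ValueError(f"not a LogoutRequest: {root.tag}")
    return {
        "id": root.get("ID"),
        "issue_instant": root.get("IssueInstant"),
        "not_on_or_after": root.get("NotOnOrAfter"),
        "issuer": root.findtext(f"{{{SAML_NS}}}Issuer"),
        "name_id": root.findtext(f"{{{SAML_NS}}}NameID"),
        "session_index": root.findtext(f"{{{SAMLP_NS}}}SessionIndex"),
    }


def encode_for_post(logout_request_xml: str, relay_state: Optional[str] = None) -> dict:
    """HTTP-POST binding: the request travels base64-encoded in the SAMLRequest form field."""
    form = {"SAMLRequest": base64.b64encode(logout_request_xml.encode("utf-8")).decode("ascii")}
    if relay_state:
        form["RelayState"] = relay_state
    return form


def decode_from_post(form: dict) -> dict:
    return parse_logout_request(base64.b64decode(form["SAMLRequest"]))


def post_logout(form: dict, url: str = SLO_ENDPOINT,
                ssl_context: Optional[ssl.SSLContext] = None) -> bytes:
    """Send the form to the IdP over HTTPS; the reply is the IdP's logout response page."""
    req = urllib.request.Request(url, data=urlencode(form).encode("ascii"), method="POST",
                                 headers={"Content-Type": "application/x-www-form-urlencoded"})
    with urllib.request.urlopen(req, context=ssl_context, timeout=10) as resp:
        return resp.read()


def build_slo_get_url(sp_entity_id: str, return_to: str, endpoint: str = SLO_ENDPOINT) -> str:
    """The GET form from the second answer, with the query parameters URL-encoded."""
    return endpoint + "?" + urlencode({"slo": "true", "spEntityID": sp_entity_id, "returnTo": return_to})
```

Every value that comes from the session (NameID, SessionIndex, Issuer) is XML-escaped before it is placed in the request, and the short NotOnOrAfter window limits how long a captured request remains usable.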
The SAML2 request is sent to WSO2 Identity Server with the HTTP-GET binding, but it still POSTs the response. Any idea how to make WSO2 IS respect the request?
[2014-03-06 17:52:25,961] DEBUG {org.wso2.carbon.identity.sso.saml.util.SAMLSSOUtil} - Request message <samlp:AuthnRequest xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_73d5b9c1-d448-4076-9e9d-98767f1e2a2d" Version="2.0" IssueInstant="2014-03-06T17:52:21" ProtocolBinding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-GET" AssertionConsumerServiceURL="http://host.tld/java-saml/consume.jsp"><saml:Issuer xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">http://host.tld/java-saml/</saml:Issuer><samlp:NameIDPolicy Format="urn:oasis:names:tc:SAML:2.0:nameid-format:unspecified" AllowCreate="true"></samlp:NameIDPolicy><samlp:RequestedAuthnContext Comparison="exact"></samlp:RequestedAuthnContext><saml:AuthnContextClassRef xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion">urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport</saml:AuthnContextClassRef></samlp:AuthnRequest>
results in Firefox:
You are now redirected back to http://host.tld/java-saml/consume.jsp If the redirection fails, please click the post button.
Any idea how to fix it? Do I need to configure something in the request or in WSO2 IS?
Yes. It must be the expected behavior: the SAML response must be sent as POST from the IdP to the SP (it cannot use HTTP Redirect). It is defined in the specification. Please check the SAML profile spec. WSO2 Identity Server may not support the Artifact binding, therefore it does HTTP POST.
The identity provider issues a <Response> message to be delivered by the user agent to the service provider. Either the HTTP POST, or HTTP Artifact binding can be used to transfer the message to the service provider through the user agent. The message may indicate an error, or will include (at least) an authentication assertion. The HTTP Redirect binding MUST NOT be used, as the response will typically exceed the URL length permitted by most user agents.
I guess the POST button and the page that you showed can be changed and modified.
I'd like to know if it is possible to retrieve the user claims via the UserAdmin SOAP interface. I have found that when adding a user it is possible to specify user claims. Also I have noticed that getting a list of users by claims is possible, but I have not found how to retrieve all the claims of a user.
Any hint?
Thanks in advance.
You can try "RemoteUserStoreManagerService" for your purpose.
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
    <soapenv:Header/>
    <soapenv:Body>
        <ser:getUserClaimValues>
            <ser:userName>admin</ser:userName>
        </ser:getUserClaimValues>
    </soapenv:Body>
</soapenv:Envelope>
The above request will return the claims of the admin user from its default profile.
EDIT
As per the comment, you need the WSDL of the new admin service.
By default, WSDLs of admin services are hidden. To change that behavior, open <IS_HOME>/repository/conf/carbon.xml, then locate the HideAdminServiceWSDLs tag and set it to false.
Then you can view the WSDL of any admin service from the URL
https://localhost:9443/services/<SERVICE_NAME>?wsdl
In this case
https://localhost:9443/services/RemoteUserStoreManagerService?wsdl
HTH,
DarRay,
I need to know how to get WSO2 users by claim value, to perform some kind of search.
example:
getUsersByClaimValue(String claimUri, String claimValue);
Yes. This API method has been introduced to the user store API to get the user names associated with a particular user attribute. Say you want to get users whose "country" attribute value is "USA". Then you can use this method as follows.
getUserList("http://wso2.org/claims/country", "USA", null);
You can find this method as a web service API in the RemoteUserStoreManagerService of WSO2 IS. Your SOAP message would look like this:
<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://service.ws.um.carbon.wso2.org">
    <soapenv:Header/>
    <soapenv:Body>
        <ser:getUserList>
            <ser:claimUri>http://wso2.org/claims/country</ser:claimUri>
            <ser:claimValue>USA</ser:claimValue>
            <ser:profile></ser:profile>
        </ser:getUserList>
    </soapenv:Body>
</soapenv:Envelope>
Here, this claim URI is a generic one which is independent of the user store. With WSO2 Identity Server you can map these claim URIs to any attribute in your user store. More details from here
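Worked example (added; not code from either answer on this page or from WSO2), covering both the getUserClaimValues request earlier on this page and the getUserList request above, in Python: request builders that XML-escape the user-supplied values, and namespace-agnostic readers for the responses. The response layouts (one return element per array item, with claimURI and value children for claim values) are assumptions based on how Axis2 serialises arrays, and the sample responses are constructed. HTTPS transport with basic auth is the same as for any admin service and is left out here.

```python
# Added example (not code from the answers above): building the two
# RemoteUserStoreManagerService requests shown on this page and reading the
# responses back. Response layouts are assumptions (Axis2 emits one <return>
# per array item); the sample responses below are constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional
from xml.sax.saxutils import escape

SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"
UM_NS = "http://service.ws.um.carbon.wso2.org"   # namespace used in the answers' requests


def _envelope(body: str) -> str:
    return (f'<soapenv:Envelope xmlns:soapenv="{SOAP_NS}" xmlns:ser="{UM_NS}">'
            f"<soapenv:Header/><soapenv:Body>{body}</soapenv:Body></soapenv:Envelope>")


def build_get_user_claim_values(user_name: str) -> str:
    """getUserClaimValues request from the earlier answer (default profile)."""
    return _envelope(f"<ser:getUserClaimValues><ser:userName>{escape(user_name)}</ser:userName>"
                     "</ser:getUserClaimValues>")


def build_get_user_list(claim_uri: str, claim_value: str, profile: Optional[str] = None) -> str:
    """getUserList request from the answer above; an empty profile element selects the default.
    Escaping matters here: the claim value typically comes straight from a search box."""
    return _envelope(
        "<ser:getUserList>"
        f"<ser:claimUri>{escape(claim_uri)}</ser:claimUri>"
        f"<ser:claimValue>{escape(claim_value)}</ser:claimValue>"
        f"<ser:profile>{escape(profile or '')}</ser:profile>"
        "</ser:getUserList>")


def _local(tag: str) -> str:
    """Drop the namespace: Axis2 generates prefixes (ax2369, ...) and DTO namespaces
    that differ from service to service, so matching on local names is more robust."""
    return tag.rsplit("}", 1)[-1]


def _returns(xml_text) -> List[ET.Element]:
    root = ET.fromstring(xml_text)
    body = next((el for el in root if _local(el.tag) == "Body"), None)
    if body is None:
        raise ValueError("no SOAP Body")
    fault = next((el for el in body.iter() if _local(el.tag) == "Fault"), None)
    if fault is not None:  # surface SOAP faults instead of silently returning nothing
        raise RuntimeError("SOAP fault: " + " ".join("".join(fault.itertext()).split()))
    return [el for el in body.iter() if _local(el.tag) == "return"]


def parse_user_list(xml_text) -> List[str]:
    """getUserListResponse: one <return> string per matching user name."""
    return [(el.text or "").strip() for el in _returns(xml_text)]


def parse_claim_values(xml_text) -> Dict[str, str]:
    """getUserClaimValuesResponse: assumed <return> items with <claimURI> and <value> children."""
    claims: Dict[str, str] = {}
    for item in _returns(xml_text):
        uri = value = None
        for child in item:
            if _local(child.tag) == "claimURI":
                uri = (child.text or "").strip()
            elif _local(child.tag) == "value":
                value = (child.text or "").strip()
        if uri:
            claims[uri] = value or ""
    return claims


# Constructed sample responses (shape assumed; the DTO namespace is a placeholder).
SAMPLE_USER_LIST = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:getUserListResponse xmlns:ns="http://service.ws.um.carbon.wso2.org">
<ns:return>alice</ns:return><ns:return>bob</ns:return>
</ns:getUserListResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_CLAIMS = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><ns:getUserClaimValuesResponse xmlns:ns="http://service.ws.um.carbon.wso2.org"
 xmlns:ax="http://example.invalid/claim-dto-placeholder">
<ns:return><ax:claimURI>http://wso2.org/claims/country</ax:claimURI><ax:value>USA</ax:value></ns:return>
<ns:return><ax:claimURI>http://wso2.org/claims/emailaddress</ax:claimURI><ax:value>admin@example.test</ax:value></ns:return>
</ns:getUserClaimValuesResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_FAULT = """<soapenv:Envelope xmlns:soapenv="http://schemas.xmlsoap.org/soap/envelope/">
<soapenv:Body><soapenv:Fault><faultcode>soapenv:Server</faultcode>
<faultstring>constructed fault text</faultstring></soapenv:Fault></soapenv:Body></soapenv:Envelope>"""
```

The reader raises on a SOAP fault rather than returning an empty list, so a search that fails (for example because the caller's account lacks the permission) is not confused with a search that found nobody.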