This blog will explain, how to retrieve user profile and view user's attributes using OAuth access token in WSO2 IS. I assume that reader is familiar with WSO2 identity server
and if you need more help you can follow the documentation at
http://docs.wso2.org/wiki/display/IS400/WSO2+Identity+Server+Documentation
1.
First we need to enable JWT token generation in Identity Server. Goto IS_Home/repository/conf/identity.xml and make
following attribute true.
<AuthorizationContextTokenGeneration>
<Enabled>true</Enabled>
<TokenGeneratorImplClass>org.wso2.carbon.identity.oauth2.authcontext.
JWTTokenGenerator</TokenGeneratorImplClass>
<ClaimsRetrieverImplClass>org.wso2.carbon.identity.oauth2.authcontext.
DefaultClaimsRetriever</ClaimsRetrieverImplClass>
<ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>
<SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
<AuthorizationContextTTL>15</AuthorizationContextTTL>
</AuthorizationContextTokenGeneration>
2. Enable Admin services in Identity Server. Open
IS_HOME/repository/conf/carbon.xml
and set
HideAdminServiceWSDLs
property
to false.
<HideAdminServiceWSDLs>false</HideAdminServiceWSDLs>
3. Then start the WSO2 Identity server.
4. Create
a service provider with OAuth2. To
create a sample SP, Login to the Identity Server management console. Goto Main >
select Add under Service provider. Give
a name for a SP and select
register.
Goto
Inbound
Authentication Configuration > OAuth/OpenID
Connect Configuration and select Configure.
Put a call back url and select add.
5. Then we can get the Client key and Client secret as show below.
6. Get
the base64 encoded value for (client id:client secret) value. we
can use an online tool like http://www.base64encode.org/
7. Use
following CURL command to obtain the access token from the Identity
Server.
curl
-v -X POST -H "Authorization: Basic
RnpVMXc0TXpUZE5ZaWd3d0VyajhYbHk1REdFYToxUm9mbzlHNDdSTkUyQ2ppakk3Zldubkw4RDRh"
-H "Content-Type:
application/x-www-form-urlencoded;charset=UTF-8" -k -d
"grant_type=password&username=admin&password=admin"
https://localhost:9443/oauth2/token
8. Create
a SOAP web service project in soapUI using the following WSDL.
9. Then
send the request and get the authorization
context token which is encoded in base64 and delimited with "." character as
shown below.
10. The
Middle part will contain the user profile value and we can get it
decoded using http://www.base64decode.org/
<ax2337:authorizationContextToken
xsi:type="ax2337:OAuth2TokenValidationResponseDTO_AuthorizationContextTok
en">
<ax2337:tokenString>eyJ0eXAiOiJKV1QiLCJhbGciOiJTSEEyNTZ3aXRoUlNBIiwie
DV0IjoiTm1KbU9HVXhNelpsWWpNMlpEUmhOVFpsWVRBMVl6ZGhaVFJpT1dFM
E5XSTJNMkptT1RjMVpBIn0.eyJpc3MiOiJodHRwOi8vd3NvMi5vcmcvZ2F0ZXdheS
IsImV4cCI6MTQ1MTk3ODM2OTAzNiwiaHR0cDovL3dzbzIub3JnL2dhdGV3YXkvc
3Vic2NyaWJlciI6ImFkbWluIiwiaHR0cDovL3dzbzIub3JnL2dhdGV3YXkvYXBwbGlj
YXRpb25uYW1lIjoiU2FtcGxlIiwiaHR0cDovL3dzbzIub3JnL2dhdGV3YXkvZW5kdXN
lciI6ImFkbWluQGNhcmJvbi5zdXBlciIsICJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2
NvdW50cnkiOiJTcmlsYW5rYSIsICJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2VtYWls
YWRkcmVzcyI6ImFkbWluQHdzbzIuY29tIiwgImh0dHA6Ly93c28yLm9yZy9jbGFpb
XMvZnVsbG5hbWUiOiJhZG1pbiIsICJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2dpdm
VubmFtZSI6ImFkbWluIiwgImh0dHA6Ly93c28yLm9yZy9jbGFpbXMvaW0iOiIxcWF
6MndzeCIsICJodHRwOi8vd3NvMi5vcmcvY2xhaW1zL2xhc3RuYW1lIjoiYWRtaW4iL
CAiaHR0cDovL3dzbzIub3JnL2NsYWltcy9tb2JpbGUiOiIwNzc3Nzc4ODg4IiwgImh0
dHA6Ly93c28yLm9yZy9jbGFpbXMvb3JnYW5pemF0aW9uIjoiV1NPMiIsICJodHRw
Oi8vd3NvMi5vcmcvY2xhaW1zL3JvbGUiOiJhZG1pbixJbnRlcm5hbC9TYW1wbGUsS
W50ZXJuYWwvVHJhdmVsb2NpdHksSW50ZXJuYWwvZXZlcnlvbmUiLCAiaHR0cDo
vL3dzbzIub3JnL2NsYWltcy9zdHJlZXRhZGRyZXNzIjoiS29scGl0eSIsICJodHRwOi8v
d3NvMi5vcmcvY2xhaW1zL3RlbGVwaG9uZSI6IjA3MTIzNDU2NzgiLCAiaHR0cDov
L3dzbzIub3JnL2NsYWltcy91cmwiOiIyd3MxcWEifQ.jKYijQhFrWZRq9ddpxQ2dTGYj
VpCwOd8BOIpItW7v1pg-rbMdDGa14KcrWddL0nKUn1Wl3chUQsqtxaippUAPiSO0N7qqLbG1Qoe48COsAW
tFa_T7QBlzilwAffC3XAgdnqH20FcxK1_K3ttrvyfGR-Lhl7oyQsv8UcGsOSI6x0</ax2337:tokenString>
<ax2337:tokenType>JWT</ax2337:tokenType>
</ax2337:authorizationContextToken>
Hope this will helpful. Thank you.
