Coder Social home page Coder Social logo

identity-oauth2-grant-token-exchange's Introduction

Welcome to the WSO2 Identity Server Token Exchange Grant Type for OAuth2.

This repository contains implementation for the OAuth 2.0 Token Exchange Grant, described in spec. You can exchange external Identity Provider's token for the token issued by Identity Server. The initial implementation supports exchanging JWT type tokens.

How to test Token Exchange Grant Type:

  • Download and build the project by executing maven clean install
  • Copy the grant.token.exchange-1.0.0.jar into /repository/components/dropins directory
  • Add the following configurations to deployment.toml to enable this grant type:
[oauth.grant_type.token_exchange]
enable = true
allow_refresh_tokens = true
iat_validity_period = "1h"

NOTE: If you are adding it as a custom grant type, add the following configuration to deployment.toml to enable this grant type:

[[oauth.custom_grant_type]]
name="urn:ietf:params:oauth:grant-type:token-exchange"
grant_handler="org.wso2.carbon.identity.oauth2.grant.token.exchange.TokenExchangeGrantHandler"
grant_validator="org.wso2.carbon.identity.oauth2.grant.token.exchange.TokenExchangeGrantValidator"
[oauth.custom_grant_type.properties]
IdTokenAllowed=true
IATValidityPeriod="1h"
  • Start the WSO2 server
  • Register an Identity Provider in WSO2 Identity Server with the configurations of the external Identity Provider.
  • Obtain an access token from external Identity Provider
  • Execute the following curl command:
curl --location --request POST 'https://localhost:9443/oauth2/token?scope=openid' \
--header 'Content-Type: application/x-www-form-urlencoded' \
--header 'Authorization: Basic ${base64(clientId:clientSecret)}' \
--data-urlencode 'grant_type=urn:ietf:params:oauth:grant-type:token-exchange' \
--data-urlencode 'subject_token=${externalIdPToken}' \
--data-urlencode 'subject_token_type=urn:ietf:params:oauth:token-type:jwt' \
--data-urlencode 'requested_token_type=urn:ietf:params:oauth:token-type:jwt'
  • You will get JWT type access token in the response. Sample response:
{
    "access_token": "eyJ4NXQiOiJPVGt3TnpSa01tTmxZekZoWWpFeU56VTNOemN3TjJZNU9EQmpNV1kzTTJJMk1EZGhabUU1TmpCbE1qRmtaR0kxTkdFNU9XVTRPREU0TlRCaE1EWXhZUSIsImtpZCI6Ik9Ua3dOelJrTW1ObFl6RmhZakV5TnpVM056Y3dOMlk1T0RCak1XWTNNMkkyTURkaFptRTVOakJsTWpGa1pHSTFOR0U1T1dVNE9ERTROVEJoTURZeFlRX1JTMjU2IiwiYWxnIjoiUlMyNTYifQ.eyJzdWIiOiJ0ZXN0QGdtYWlsLmNvbSIsImF1dCI6IkFQUExJQ0FUSU9OX1VTRVIiLCJhdWQiOiJYdllmNDI5M2FLX19PNkdXUXV4MDMxZ0VxRUVhIiwibmJmIjoxNjIzMTUyNDQ0LCJhenAiOiJYdllmNDI5M2FLX19PNkdXUXV4MDMxZ0VxRUVhIiwic2NvcGUiOiJkZWZhdWx0IiwiaXNzIjoiaHR0cHM6XC9cL2xvY2FsaG9zdDo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNjIzMTU2MDQ0LCJpYXQiOjE2MjMxNTI0NDQsImp0aSI6IjZmZjJjY2FmLWEzNGMtNDYzZi04MTUxLTUxMDNlNzNkNTljMSJ9.BOxQeP3ZZgckIHazM79AFRdy1-S2ntaCzEDQLQwSQjswuaXHesNARVKrwuyw8v7IJXF_7zFglpF2d9PfoTNwjgpJStW_d-n_1NOUr5eyMU0Y5zHDwOFFKrV51WpV99L1KWZbLwiN_kvUbpVDvTijyNDK29cHxQHak6TqUeqDJfVW92bOAqrp88Rn3h19YRlEttjpPrepKDFJ1lse7gO1NO--87pJpwjWEaniQrNNuB1GDbVXYOLWp5ql-X5w9PrJtnrtbska6sAuURScNL0MpLdB4QiO1cMLVyIedwPotv04qeX80ATv9KOlEkoG2ycNHCmW0iHHspn5HtPyTZxxYg",
    "refresh_token": "7f3bf5df-feb2-356b-a3fb-0a3fc499bf1e",
    "issued_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "scope": "default",
    "token_type": "Bearer",
    "expires_in": 3600
}

identity-oauth2-grant-token-exchange's People

Contributors

dhaura avatar hwupathum avatar janakamarasena avatar madurangasiriwardena avatar maheshika avatar ruks avatar senthalan avatar sujansanjula96 avatar sumedhe avatar thamindur avatar thumimku avatar udeshathukorala avatar vithu30 avatar wso2-jenkins-bot avatar yasasr1 avatar

Watchers

avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar avatar

Forkers

vithu30 chathuranga95 darshanasbg nirothipan wasuradananjith ruks erandiganepola vlgunarathne irham0019 sthenusan mefarazath hwupathum bhagyasakalanka thamindur ravinduramesh shashimalcse renuka-fernando teslahub yasasr1 indeewari sachin-mamoru lakshan-banneheke amshikah sandushi shanchathusanda93 janakamarasena ziyamsanthosh rakhitharr dhaura thumimku afrahussaindeen

identity-oauth2-grant-token-exchange's Issues

How to fix "No Registered IDP found for the JWT with issuer name"

Hi,

I have the token exchange plugin running, but... when I request a delegation token I get this error, e.g.: No Registered IDP found for the JWT with issuer name

The thing is that the issuer of the subject token is the same WSO2 IS instance as the issuer for the delegation token. I guess I have to add "myself" as an OAuth identity provider, but that seems a little strange to me.

Any thoughts?

Using:

  • WSO2 IS 6.0.0
  • Token exchange plugin 1.0.2

TIA

Bert

The authenticated client is not authorized to use this authorization grant type

Hi,

I have enabled the token_exchange grant on my WSO2 IS instance, but I get the following error message when I try to use it from a client application: "The authenticated client is not authorized to use this authorization grant type"

I have checked the settings through the console and there is no method to add the token_exchange grant to the client's registration. I can edit the SQL table directly, but I don't think this is the way to do it.

My question is: is there a accepted method to accomplish this?

I'm using WSO2 IS 6.0.0 and the token_exchange plugin version 1.0.2

TIA

Bert

Query : Is this grant type usable with APIM 4.0.0 keyManager ?

Description:
As people are asking if WSO2 APIM 4.0.0 is supportting OAUTH2 token exchange I am wondering if I can use this grant type ootb with the API Manager Key Manager

Suggested Labels:
APIM, grant-type

Affected Product Version:
WO2 API Manager 4.0.0

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.