Posts

Showing posts from 2017

Request Object Support for WSO2 Identity Server

Purpose of Request Object in OIDC

Usually in OIDC the returned claims are filtered by the requested scopes, which are passed to the server as a query parameter with the authorization request. WSO2 Identity Server filters the requested claims both from the scopes sent with the authorization request and from the requested claims configured in the service provider configuration. But if a Request Object is associated with the authorization request, then the server will return the essential request object claims if those claims are requested from the scope. This request object can be passed either as

1. the request parameter (passed by value)
2. the request_uri parameter (passed by reference)

'request' parameter

As discussed above, the main purpose of this parameter is to support requesting claims other than the default UserInfo and ID Token claim set associated with the requested scope. This parameter value can be a pure j...

JWKS endpoint of wso2 IS

What is the JWKS endpoint?

The JSON Web Key Set (JWKS) endpoint is a read-only endpoint. This URL returns the Identity Server's public key set in JSON Web Key Set format. It contains the signing key(s) the RP uses to validate signatures from the Identity Server. This endpoint is defined loosely by the OpenID Connect Discovery specification.

Try the JWKS endpoint with Identity Server

The endpoint URL for the super tenant: https://localhost:9443/oauth2/jwks

The JWKS for the super tenant will be as follows:

{ "keys" : [ { "alg" : "RS256", "kty" : "RSA", "use" : "sig", "n" : "AJSn-hXW9Zzz9ORBKIC9Oi6wzM4zhqwHaKW2vZAqjOeLlpUW7zXwyk4tkivwsydPNaWUm-9oDlEAB2lsQJv7jwWNsF7SGx5R03kenC-cf8Nbxlxwa-Tncjo6uruEsK_Vke244KiSCHP8BOuHI-r5CS0x9edFLgesoYlPPFoJxTs5", "e" : "AQAB", "kid" : "d0ec514a32b6f88c0abd12a2840699bdd3deba9d"...

Maintain the history of the user’s passwords in Wso2 Identity Server 5.3.0

With this feature the server keeps a history of a user's past passwords according to a pre-configured count. This enables you to prevent a user from reusing a password he/she has used in the recent past.

Detailed Instructions

Log in to the management console.
1. Click Resident under Identity Providers in the Main tab of the management console.
2. Expand the Password Policies tab.
3. Expand the Password History tab and select Enable Password History Feature.
4. Specify the Password History Validation Count and click Update.

Expected Outcome

If the user tries to reuse a recently changed password (within the configured count) as the new password, the following error is shown.

Forced Password Reset Via Email by Admin users In Wso2 IS 5.3.0

Why is a forced password reset important?

If a user forgets his credentials and requests the admin to reset his password, or if the credentials get exposed to outsiders, in both cases the admin can forcefully reset the password.

High Level Steps

Configuring Identity Server
Password reset via recovery email

Detailed Instructions

Enable account recovery functionality

Open the output-event-adapters.xml file found in the <IS_HOME>/repository/conf directory. Configure the relevant property values for the email server you need for this service under the <adapterConfig type="email"> tag.

<adapterConfig type="email">
<!-- Comment out the mail.smtp.user and mail.smtp.password properties to support connecting to SMTP servers that use trust-based authentication rather than username/password authentication -->
<property key="mail.smtp.from">abcd@gmail.com</property>
<proper...

OIDC Discovery in wso2 Identity Server 5.3.0

Why is OIDC Discovery important?

Identity Server offers a JSON document under the /.well-known/openid-configuration URL. This document has information about the issuer name, endpoint URLs, key material and capabilities of the provider, e.g. which scopes or response types it supports.

High Level Steps

Start Identity Server.
Use curl commands to discover the end user's OpenID Provider and the other information.

Detailed Instructions

Start Identity Server, open a terminal and run the curl command below to obtain the 'href' value, which is the OpenID Connect discovery endpoint of the Identity Server.

curl -v -k --user admin:admin https://localhost:9443/.well-known/webfinger?resource='acct:admin@localhost&rel=http://openid.net/specs/connect/1.0/issuer'

(Here resource is the identifier for the target end user that is the subject of the discovery request, and rel is the URI identifying the type of service whose location is being requested.)

...