I have a backend which gives a response based on the role of the end user, and these are managed using WSO2 API Manager v2. I want to pass the user role based on its access token, which is already generated. I have already read the topic "Add header with username in WSO2 API Manager" but I can't find a topic on passing the user role. I know that it is possible to get the user role by querying LDAP/Active Directory, but if there is a simple way using a mediator, it would be great. Thanks.
2 Answers
0
You can't retrieve roles like that. The standard way to achieve your requirement is JWT tokens. When you enable JWT token generation, at the time of OAuth2 token validation the key manager generates a JWT token with user claims, which include roles too. Then that JWT token is sent to the backend service. You can find the docs here.

Bee
- But I read another article and it said that the role is retrievable using get-property http://sanjeewamalalgoda.blogspot.co.id/2014/08/how-to-retrive-property-and.html, is it impossible? I don't mind downgrading my WSO2 version anyway. Anyway, I will try using JWT too – adwisatya Oct 25 '16 at 23:40
0
In the end, I was able to get the user role using JWT, although it needed some steps, which are:
- Enable JWT
- Generate the JWT token
- Decode the JWT token, which is base64 encoded
- Parse the decoded JWT token

adwisatya
- adwisatya: Is the custom JWTGenerator required (as described in https://docs.wso2.com/display/AM180/Passing+Enduser+Attributes+to+the+Backend+Using+JWT) or can you achieve it just by configuration? – sax May 07 '18 at 17:46
- @sax I don't use a custom JWT and it worked. Btw, WSO2 gives default claims if you don't use a custom JWT, such as role, username, email, etc. Enough for my case – adwisatya May 07 '18 at 22:50
- I am using just Identity Server (not API Manager) and although it should be similar, I am struggling to populate claims into the JWT. What needs to be configured to have the list of roles populated in the token? Do I need to add the role claim to the Service Provider Claim Configuration? Or where? Thank you! – sax May 09 '18 at 04:24
- Found a way to configure it in WSO2 IS 5.5 - the SP needs to have the role claim, but you also need to add an external claim to the claims (dialect http://wso2.org/oidc/claim, external claim URI "roles", mapped local claim http://wso2.org/claims/role) and finally update the registry /_system/config/oidc, property openid - add "roles" to the list. – sax May 10 '18 at 03:28