
I am trying to get a JWT access token from WSO2 IS. I followed the instructions from the msf4j OAuth2 Security Sample and managed to get a JWT access token with the resource owner password grant type, but I have a problem authenticating the token externally.

It seems that the token had not been signed by the default "wso2carbon.jks".

Also, my claim configurations in the "service providers" were not reflected in the JWT content.

So my questions: how to configure the JWT signing certificate in WSO2 IS?

And also: how to manipulate the claims in the JWT?

I do not want to turn to the "introspect" endpoint out of performance concerns, and my strategy is to just trust the IS, only making sure (locally) of the authenticity of the JWT token.

Please advise.

Thanks.

George Wang
  • I think you can take a look at this thread: http://stackoverflow.com/questions/42626010/mandatory-service-provider-claims-always-asked-and-not-returned-in-openid-profil – Giovanni Mar 08 '17 at 08:59

2 Answers


You can follow [1] to get JWT access tokens (self-contained access tokens) using WSO2 Identity Server.

[1] https://medium.com/@hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6

farasath

Well, it seems to be my own fault.

I had been using the jose4j JWT package, and kept getting a verification failed message.

After further checking into the msf4j implementation, I switched over to the nimbus-jose-jwt JWT package, and got it done.

Below is my implementation.

import com.nimbusds.jose.JWSVerifier;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;

import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Enumeration;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;

public class JwtParser {

     // Trust store holding the IS signing certificate, taken from the JVM system properties
     private static final String KEYSTORE = System.getProperty("javax.net.ssl.trustStore");
     private static final String KEYSTORE_PASSWORD = System.getProperty("javax.net.ssl.trustStorePassword");

     // One verifier per trusted certificate, keyed by keystore alias
     private static Map<String, JWSVerifier> verifiers = getVerifiers();

     public static JWTClaimsSet verify(String jwt) throws Exception {

                SignedJWT signedJWT = SignedJWT.parse(jwt);
                // Reject tokens without an exp claim as well as expired ones
                Date expiration = signedJWT.getJWTClaimsSet().getExpirationTime();
                if (expiration == null || !new Date().before(expiration)) {
                    throw new Exception("token has expired");
                }

                // Try each trusted certificate until one verifies the signature
                boolean notYet = true;
                for (Iterator<JWSVerifier> it = verifiers.values().iterator(); notYet && it.hasNext();) {
                    JWSVerifier verifier = it.next();
                    notYet = !signedJWT.verify(verifier);
                }

                if (notYet) {
                    throw new Exception("token verification failed");
                }
                JWTClaimsSet claims = signedJWT.getJWTClaimsSet();
                if (claims == null) {
                    throw new Exception("non valid payload in token, failed");
                }

                return claims;
     }

     private static Map<String, JWSVerifier> getVerifiers() {

         Map<String, JWSVerifier> verifiers = new HashMap<>();

        try (InputStream inputStream = new FileInputStream(KEYSTORE)) {
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(inputStream, KEYSTORE_PASSWORD.toCharArray());
            Enumeration<String> aliases = keystore.aliases();

            while (aliases.hasMoreElements()) {
                String alias = aliases.nextElement();

                // Only trusted-certificate entries carry the signer's public key
                if (!keystore.isCertificateEntry(alias)) {
                    continue;
                }
                Certificate cert = keystore.getCertificate(alias);
                if (cert == null) {
                    continue;
                }
                PublicKey key = cert.getPublicKey();
                // RSASSAVerifier only accepts RSA keys; skip other key types instead of failing on the cast
                if (key instanceof RSAPublicKey) {
                    verifiers.put(alias, new RSASSAVerifier((RSAPublicKey) key));
                }
            }

        } catch (KeyStoreException | CertificateException | NoSuchAlgorithmException | IOException e) {
            // TODO: report the exception
        }
        return verifiers;
     }

}
George Wang
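Since the question's strategy is to trust the IS locally without calling the introspect endpoint, the signature check is the only thing standing between the service and a forged token, so the local check has to be strict. The class below is an added example, not the answer's code and not part of WSO2 or nimbus-jose-jwt: it pins the algorithm to RS256 before touching any key, prefers the key named by the `kid` header (assumed to match a keystore alias; WSO2 tokens without a `kid` fall back to trying every trusted key, as the answer's loop does), and validates `exp`, `nbf`, `iss` and `aud` with a tolerance for clock skew. The issuer and audience strings are whatever the caller configures for its own IS deployment.

```java
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSAVerifier;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.security.interfaces.RSAPublicKey;
import java.util.Date;
import java.util.Map;

// Hypothetical class (not from the question or WSO2): the caller passes the RSA public
// keys it trusts, keyed by keystore alias, plus the issuer and audience it expects.
public final class StrictJwtVerifier {
    private static final long SKEW_MS = 60_000L;   // tolerated clock skew
    private final Map<String, RSAPublicKey> keys;
    private final String issuer;
    private final String audience;
    public StrictJwtVerifier(Map<String, RSAPublicKey> keys, String issuer, String audience) {
        this.keys = keys; this.issuer = issuer; this.audience = audience;
    }
    public JWTClaimsSet verify(String token) throws Exception {
        SignedJWT jwt = SignedJWT.parse(token);
        JWSHeader header = jwt.getHeader();
        // Pin the algorithm first: "none" or an HMAC alg is rejected before any key is used,
        // so the token's own header cannot steer which verifier runs.
        if (!JWSAlgorithm.RS256.equals(header.getAlgorithm())) {
            throw new Exception("unexpected alg " + header.getAlgorithm());
        }
        // Prefer the key named by "kid" (assumed to match a keystore alias); without a
        // kid, fall back to trying every trusted key, as the answer's code does.
        boolean verified = false;
        if (header.getKeyID() != null) {
            RSAPublicKey k = keys.get(header.getKeyID());
            verified = k != null && jwt.verify(new RSASSAVerifier(k));
        } else {
            for (RSAPublicKey k : keys.values()) {
                if (jwt.verify(new RSASSAVerifier(k))) { verified = true; break; }
            }
        }
        if (!verified) throw new Exception("signature verification failed");
        JWTClaimsSet c = jwt.getJWTClaimsSet();
        long now = System.currentTimeMillis();
        Date exp = c.getExpirationTime(), nbf = c.getNotBeforeTime();
        if (exp == null || exp.getTime() + SKEW_MS < now) throw new Exception("expired or no exp");
        if (nbf != null && nbf.getTime() - SKEW_MS > now) throw new Exception("not yet valid");
        if (!issuer.equals(c.getIssuer())) throw new Exception("unexpected iss");
        if (c.getAudience() == null || !c.getAudience().contains(audience))
            throw new Exception("aud does not name this service");
        return c;
    }
}
```

The `keys` map can be built from the same trust store the answer reads, keeping only entries whose public key is an `RSAPublicKey`.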