
I am implementing a basic NodeJS app that connects to WSO2 Identity Server for authentication.

I configured it to use SSO with OpenID Connect. When I receive the callback, the JWT (the id_token) is returned in the URL's fragment identifier, since I think it comes back as a GET request. How do I retrieve this JWT on the server side?

This is what the URL looks like when I try to log in: https://localhost:9443/oauth2/authorize?response_type=id_token&client_id={CLIENT_ID}&scope=openid%20profile%20email&nonce=aaa&redirect_uri=http://localhost:3001/auth/callback (I replaced the client_id with the actual client_id that the Service Provider configuration gave me).

this is a sample of how WSO2 returns the callback. http://localhost:3001/auth/callback#id_token={TOKEN}

  • I believe you're using the OIDC implicit grant type to get the id token. As a response, the WSO2 Identity Server sends a 302 redirect to the application and the id token is attached as a URI fragment. What do you mean by "retrieve this JWT from the server side itself"? – Vihanga Liyanage Nov 15 '18 at 05:32
  • @VihangaLiyanage Oh, I'll try reconfiguring it to another grant type. Is it possible to have WSO2 redirect the token back as a POST request instead? By "retrieve the JWT on the server side", I mean that currently it is redirected back as a GET request, and since the token is attached as a fragment, it won't be passed to the server: https://stackoverflow.com/questions/14462218/is-the-url-fragment-identifier-sent-to-the-server. Thanks – cjBucketHead Nov 15 '18 at 23:10



If you are using Java for your back-end development, you can use a servlet filter to intercept this JWT and process it. The following sample filter reads the token from the X-JWT-Assertion request header (not from the URL fragment, which the browser never sends to the server), verifies its signature against a certificate held in a keystore, and stores the user's claims in the HTTP session. You can deploy your application on WSO2 Application Server.

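/**
 * Servlet filter that gates requests on a signed JWT carried in the {@code X-JWT-Assertion} header.
 *
 * <p>Requests without the header, or whose token fails any check, are redirected to the configured
 * SSO URL. A token is accepted only when its RSA signature verifies against the certificate in the
 * SSO keystore AND it lies within its {@code nbf}/{@code exp} window (with a small clock-skew
 * allowance). The email-address and role claims are then copied into the HTTP session under
 * {@code "user"} and {@code "roles"}.
 *
 * <p>NOTE(review): nothing here shows who sets the header. If the application is reachable by
 * clients directly (not only through a gateway that injects the header), the signature and
 * time-window checks are the only thing between an attacker-supplied header and a session — which
 * is why this filter fails closed on every validation error instead of letting unparseable
 * tokens fall through to the application.
 *
 * <p>TODO(review): the {@code iss} and {@code aud} claims are not checked because
 * {@code PropertyReader} exposes no expected issuer/audience here; add those settings and reject
 * tokens minted by another issuer or for another application.
 */
public class JWTAction implements Filter {

    private static final Logger logger = Logger.getLogger(JWTAction.class);
    private static final PropertyReader propertyReader = new PropertyReader();

    /** Request header the signed JWT is expected in. */
    private static final String JWT_HEADER = "X-JWT-Assertion";
    /** Claim names the session attributes are populated from. */
    private static final String EMAIL_CLAIM = "http://wso2.org/claims/emailaddress";
    private static final String ROLE_CLAIM = "http://wso2.org/claims/role";
    /** Leeway applied to exp/nbf so small clock differences between IdP and app do not reject fresh tokens. */
    private static final long CLOCK_SKEW_MILLIS = 60_000L;

    /** Verification key, loaded once; read and written only under the class lock in getPublicKey(). */
    private static PublicKey cachedPublicKey;

    /**
     * Loads the certificate stored under the configured alias in the SSO keystore (a classpath
     * resource) and returns its public key. The key is cached after the first successful load,
     * since a classpath resource cannot change while the application runs, so the keystore is no
     * longer re-read (and the stream no longer leaked) on every request.
     *
     * @return the public key used to verify the JWT signature
     * @throws IOException              if the keystore resource is missing or cannot be read
     * @throws KeyStoreException        if no keystore of the default type is available, or the alias is absent
     * @throws CertificateException     if a certificate in the keystore cannot be loaded
     * @throws NoSuchAlgorithmException if the keystore integrity-check algorithm is unavailable
     */
    private static synchronized PublicKey getPublicKey()
            throws IOException, KeyStoreException, CertificateException, NoSuchAlgorithmException {
        if (cachedPublicKey != null) {
            return cachedPublicKey;
        }
        String keyStoreName = propertyReader.getSsoKeyStoreName();
        try (InputStream keyStoreStream = Thread.currentThread().getContextClassLoader()
                .getResourceAsStream(keyStoreName)) {
            if (keyStoreStream == null) {
                // KeyStore.load(null, pw) silently creates an EMPTY keystore; fail loudly instead.
                throw new IOException("SSO keystore not found on classpath: " + keyStoreName);
            }
            KeyStore keystore = KeyStore.getInstance(KeyStore.getDefaultType());
            keystore.load(keyStoreStream, propertyReader.getSsoKeyStorePassword().toCharArray());
            String alias = propertyReader.getSsoCertAlias();
            Certificate cert = keystore.getCertificate(alias);
            if (cert == null) {
                throw new KeyStoreException("No certificate found under alias: " + alias);
            }
            cachedPublicKey = cert.getPublicKey();
            return cachedPublicKey;
        }
    }

    @Override
    public void init(FilterConfig filterConfig) {
        // Nothing to initialise; configuration comes from PropertyReader.
    }

    /**
     * Authenticates the request from its JWT header. Without a header, or when the token fails
     * validation, the client is redirected to the SSO URL and the chain is NOT invoked.
     *
     * @throws IOException      if the redirect or the downstream chain fails on I/O
     * @throws ServletException propagated from the downstream chain (the original swallowed it,
     *                          which hid application errors from the container)
     */
    @Override
    public void doFilter(ServletRequest servletRequest, ServletResponse servletResponse,
                         FilterChain filterChain) throws IOException, ServletException {

        HttpServletRequest request = (HttpServletRequest) servletRequest;
        HttpServletResponse response = (HttpServletResponse) servletResponse;

        String jwt = request.getHeader(JWT_HEADER);
        String ssoRedirectUrl = propertyReader.getSsoRedirectUrl();

        if (jwt == null || jwt.isEmpty()) {
            if (logger.isDebugEnabled()) {
                // log4j 1.x has no "{}" placeholders; the original logged the literal text "Redirecting to {}".
                logger.debug("No " + JWT_HEADER + " header, redirecting to " + ssoRedirectUrl);
            }
            response.sendRedirect(ssoRedirectUrl);
            return;
        }

        if (!authenticate(request, jwt)) {
            response.sendRedirect(ssoRedirectUrl);
            return;
        }

        filterChain.doFilter(servletRequest, servletResponse);
    }

    /**
     * Verifies the token and, on success, stores the user's email address and roles in the session.
     *
     * <p>Returns {@code false} on ANY failure — malformed token, bad signature, outside the
     * nbf/exp window, missing claims, keystore trouble — so the caller can fail closed. The token
     * itself is deliberately never written to the log.
     *
     * @param request the current request; its session receives the "user" and "roles" attributes
     * @param jwt     the compact-serialised signed JWT from the request header
     * @return whether the token was accepted and the session populated
     */
    private static boolean authenticate(HttpServletRequest request, String jwt) {
        try {
            SignedJWT signedJWT = SignedJWT.parse(jwt);

            PublicKey publicKey = getPublicKey();
            if (!(publicKey instanceof RSAPublicKey)) {
                logger.error("Configured SSO certificate does not hold an RSA public key");
                return false;
            }
            // RSASSAVerifier only accepts RSA-based JWS algorithms, so an attacker cannot downgrade
            // the "alg" header to a scheme this key was not meant for.
            JWSVerifier verifier = new RSASSAVerifier((RSAPublicKey) publicKey);
            if (!signedJWT.verify(verifier)) {
                logger.error("JWT signature verification failed");
                return false;
            }
            if (!isWithinValidity(signedJWT)) {
                logger.error("JWT rejected: expired, not yet valid, or missing the exp claim");
                return false;
            }

            String username = claimAsString(signedJWT, EMAIL_CLAIM);
            String roles = claimAsString(signedJWT, ROLE_CLAIM);
            if (username == null || roles == null) {
                logger.error("JWT is missing the email address or role claim");
                return false;
            }
            if (logger.isDebugEnabled()) {
                logger.debug("JWT validation success. User = {" + username + "} | Roles = " + roles);
            }

            // TODO(review): consider request.changeSessionId() (Servlet 3.1+) before populating the
            // session, to defeat session fixation — confirm the container's servlet version.
            request.getSession().setAttribute("user", username);
            request.getSession().setAttribute("roles", roles);
            return true;
        } catch (ParseException e) {
            logger.error("Parsing JWT token failed", e);
        } catch (JOSEException e) {
            logger.error("Verification of jwt failed", e);
        } catch (Exception e) {
            // e.g. keystore problems from getPublicKey(); still fail closed.
            logger.error("Failed to validate the jwt", e);
        }
        return false;
    }

    /**
     * Checks the token's time window. A signature alone proves who minted the token, not that it
     * is still current; without this check any previously issued token replays forever.
     *
     * @return true when exp is present and not yet passed, and nbf (if present) has been reached,
     *         each allowing {@link #CLOCK_SKEW_MILLIS} of leeway
     * @throws ParseException if the claims set cannot be parsed
     */
    private static boolean isWithinValidity(SignedJWT signedJWT) throws ParseException {
        long now = System.currentTimeMillis();
        java.util.Date exp = signedJWT.getJWTClaimsSet().getExpirationTime();
        if (exp == null || exp.getTime() + CLOCK_SKEW_MILLIS < now) {
            return false;
        }
        java.util.Date nbf = signedJWT.getJWTClaimsSet().getNotBeforeTime();
        return nbf == null || nbf.getTime() - CLOCK_SKEW_MILLIS <= now;
    }

    /**
     * Returns the named claim rendered with {@code toString()}, or {@code null} when the token does
     * not carry it (the original dereferenced a missing claim and threw NullPointerException).
     *
     * @throws ParseException if the claims set cannot be parsed
     */
    private static String claimAsString(SignedJWT signedJWT, String claimName) throws ParseException {
        Object value = signedJWT.getJWTClaimsSet().getClaim(claimName);
        return value == null ? null : value.toString();
    }

    @Override
    public void destroy() {
        // Nothing to release.
    }

}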
