
How do I add user roles to a JWT generated through the OAuth2 Password Grant as described here:

I tried this approach, but it adds custom claims only to the JWT passed to the backend; there is nothing in the JWT used to authenticate clients.

What I'm trying to do is add a login page to an Angular application and call https://[APIM]/token to get a token when authentication succeeds. Roles are important for rendering the correct menus based on user roles.

Thanks in advance,

Emilio Numazaki

1 Answer


You need to request the token with the openid scope to retrieve the additional user information as claims of the JWT token. You can refer to https://apim.docs.wso2.com/en/latest/learn/api-security/openid-connect/obtaining-user-profile-information-with-openid-connect/ for more details.

For instance, if you want to get the user roles in the generated JWT, you can add the http://wso2.org/claims/role claim as a requested claim under Claim Configuration for the service provider you are using, from the Carbon console. Refer to https://is.docs.wso2.com/en/5.10.0/learn/configuring-claims-for-a-service-provider/#claim-mapping for more details.

Then, when you invoke the token endpoint, you need to add the openid scope. Note that the Authorization and Content-Type headers are two separate -H options:

```bash
curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" \
  -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  https://<GATEWAY_HOSTNAME>:<PORT>/token
```

The generated JWT token payload will look something like this:

```json
{
  "sub": "admin",
  "aut": "APPLICATION_USER",
  "aud": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
  "nbf": 1610395871,
  "azp": "5af6EfSzqxS_dfmUnQ28sHdpZzYa",
  "scope": "openid",
  "iss": "https://localhost:9443/oauth2/token",
  "groups": [
    "Internal/subscriber",
    "Internal/creator",
    "Application/admin_DefaultApplication_PRODUCTION",
    "Application/apim_devportal",
    "Internal/publisher",
    "Internal/everyone",
    "Internal/devops",
    "Application/apim_admin_portal",
    "admin",
    "Internal/analytics",
    "Application/apim_publisher"
  ],
  "exp": 1610399471,
  "iat": 1610395871,
  "jti": "75ddfca2-5088-435d-825a-3320efc10036"
}
```

Hope this helped!

  • Yes, you're right, I made another question and got the answer for this as well: https://stackoverflow.com/questions/63792575/wso2-apim-add-user-roles-in-jwt-payload. But your answer is right, I'll mark it as correct to help others. Thank you! – Emilio Numazaki Jan 12 '21 at 10:48
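As an added example (not from the answer above or from WSO2), here is the client side of what the answer describes: building the password-grant request with `scope=openid`, then reading the `groups` claim from the returned JWT so an Angular/JavaScript front end can decide which menus to show. The gateway host, consumer key and secret, the role-to-menu mapping and the sample token are constructed placeholders.

```javascript
// Base64url-decode one JWT segment (atob/TextDecoder exist in browsers and Node 16+).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return new TextDecoder().decode(Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)));
}

// Password-grant request to <gateway>/token. scope=openid is what makes the
// gateway include the requested user claims (here: groups) in the JWT.
function buildTokenRequest(gateway, consumerKey, consumerSecret, username, password) {
  const body = new URLSearchParams({ grant_type: 'password', username, password, scope: 'openid' });
  return {
    url: `https://${gateway}/token`,
    options: {
      method: 'POST',
      headers: {
        Authorization: 'Basic ' + btoa(`${consumerKey}:${consumerSecret}`),
        'Content-Type': 'application/x-www-form-urlencoded',
      },
      body: body.toString(),
    },
  };
}

// The front end only DECODES the payload to choose what to render; it cannot
// verify the signature, so every API call is still authorised by the gateway.
function rolesFromToken(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('not a compact JWS (expected 3 segments)');
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  return Array.isArray(payload.groups) ? payload.groups : [];
}

// Hypothetical role-to-menu mapping; roles without an entry add nothing.
const MENU_BY_ROLE = { 'Internal/publisher': 'Publish APIs', 'Internal/subscriber': 'Subscriptions' };
function visibleMenus(groups) {
  return [...new Set(groups.map((g) => MENU_BY_ROLE[g]).filter(Boolean))];
}

// Constructed sample token: header and payload encoded here, signature is a dummy.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
const SAMPLE_JWT = [
  b64url({ alg: 'RS256', typ: 'JWT' }),
  b64url({ sub: 'admin', scope: 'openid', groups: ['Internal/subscriber', 'Internal/publisher', 'Internal/everyone'] }),
  'dummy-signature',
].join('.');

console.log(visibleMenus(rolesFromToken(SAMPLE_JWT)));
```

In the real application, `fetch(req.url, req.options)` returns JSON whose `access_token` field is the JWT to pass to `rolesFromToken`.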