WSO2 JWT Exchange with OAuth2 Access Token - oauth-2.0

I have questions.
Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Is it possible to achieve it using Facebook/Google as a federated identity provider?
And another one:
Can we use JWT token instead of OAuth2 Access Token in WSO2 Api Manager to authorize incoming requests?
Thanks

Does WSO2 support something similar to:
https://docs.wso2.com/display/AM190/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type
using JWT instead of SAML?
Yes, it does. We have the JWT Bearer Grant implementation for this. The idea behind JWT Grant is that a signed JWT valid according to [1] issued by a trusted IDP can be exchanged for an access_token. Follow [2] to try out the JWT Bearer Grant.
Facebook and Google do issue JWTs in the form of an id_token. But there's a problem with using those id_tokens as a JWT Bearer Grant at the moment. According to the spec [1], the JWT Bearer Grant must contain some value in the 'aud' claim to let the entity that validates the bearer grant know that it was intended for them. At present we cannot do this with any OpenID Connect provider, i.e. there is no standard way to request an OIDC provider to give us a token that we can use at identity provider 'X'.
Can we use JWT token instead of OAuth2 Access Token in WSO2 Api Manager to authorize incoming requests?
AFAIK, this is not possible out of the box. One solution would be to use the JWT to get an access token using the JWT Bearer grant type, and then use that access_token with APIM.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-3
[2] https://docs.wso2.com/display/ISCONNECTORS/JWT+Grant+Type+for+OAuth2

Related

Difference between jwt-bearer and token-exchange grant types

What are the main differences between grant types "urn:ietf:params:oauth:grant-type:jwt-bearer (https://www.rfc-editor.org/rfc/rfc7523) and "urn:ietf:params:oauth:grant-type:token-exchange" (https://www.rfc-editor.org/rfc/rfc8693).
"urn:ietf:params:oauth:grant-type:jwt-bearer" is a URN defined as a JWT Bearer Token by OAuth 2.0 Authorization server (uses OAuth2.0 Authorization grant type ).
"urn:ietf:params:oauth:grant-type:token-exchange" is a URN defined as a JWT Bearer Token by OAuth 2.0 Authorization server (uses OAuth2.0 Token Exchange grant type).
Notes:
jwt-bearer means whoever is bearing the JWT token shall be given access to the requested resource.
token-exchange is basically used for user impersonation and delegation purposes. Typically used by a support person who exchanges his/her JWT bearer token to impersonate an end-user and request the end-user's resources to help with live-debugging of an issue, or to exchange one JWT bearer token for another token for downstream systems.
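As an added example (not from the thread), here are the two token-endpoint request bodies and a minimal handler that makes the difference the answer describes concrete: the jwt-bearer grant simply trusts the assertion's subject, while token exchange yields an impersonation token when only subject_token is sent and a delegation token carrying RFC 8693's `act` claim when actor_token is sent too, honouring a `may_act` restriction on the subject token. Token verification is delegated to a `decode` callback (assumed to have checked signature, issuer and expiry); the issuer URL and token strings are made up.

```python
from urllib.parse import parse_qs, urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_EXCHANGE = "urn:ietf:params:oauth:grant-type:token-exchange"
ACCESS_TOKEN = "urn:ietf:params:oauth:token-type:access_token"
ISSUER = "https://as.example.com"  # hypothetical authorization server


def jwt_bearer_body(assertion, scope="read"):
    """RFC 7523: the JWT itself is the grant; whoever holds it can trade it for a token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


def token_exchange_body(subject_token, actor_token=None, audience=None):
    """RFC 8693: subject_token is the party being acted for; actor_token (optional) is the
    party doing the acting. Without actor_token the exchange is impersonation."""
    params = {
        "grant_type": TOKEN_EXCHANGE,
        "subject_token": subject_token,
        "subject_token_type": ACCESS_TOKEN,
        "requested_token_type": ACCESS_TOKEN,
    }
    if actor_token:
        params["actor_token"] = actor_token
        params["actor_token_type"] = ACCESS_TOKEN
    if audience:
        params["audience"] = audience
    return urlencode(params)


def handle_token_request(body, decode):
    """Token-endpoint dispatch. `decode` maps a token string to its already-verified claims
    dict. Returns the claims the authorization server would sign into the new token, or an
    OAuth error dict (signing is outside this example)."""
    form = {k: v[0] for k, v in parse_qs(body).items()}
    grant = form.get("grant_type")
    if grant == JWT_BEARER:
        if "assertion" not in form:
            return {"error": "invalid_request", "error_description": "assertion missing"}
        assertion = decode(form["assertion"])
        # Bearer semantics: the assertion's subject becomes the token's subject, nothing more.
        return {"iss": ISSUER, "sub": assertion["sub"], "scope": form.get("scope", "")}
    if grant == TOKEN_EXCHANGE:
        if "subject_token" not in form:
            return {"error": "invalid_request", "error_description": "subject_token missing"}
        subject = decode(form["subject_token"])
        claims = {"iss": ISSUER, "sub": subject["sub"]}
        if "audience" in form:
            claims["aud"] = form["audience"]
        actor_token = form.get("actor_token")
        if actor_token is None:
            # Impersonation: the new token is indistinguishable from the end-user's own.
            return claims
        actor = decode(actor_token)
        # Delegation: honour may_act if the subject token restricted who may act for them...
        allowed = subject.get("may_act")
        if allowed and allowed.get("sub") != actor["sub"]:
            return {"error": "invalid_request", "error_description": "actor not permitted by may_act"}
        # ...and record the actor in 'act'; earlier actors in a chain nest inside (RFC 8693 4.1).
        act = {"sub": actor["sub"]}
        if "act" in subject:
            act["act"] = subject["act"]
        claims["act"] = act
        return claims
    return {"error": "unsupported_grant_type"}
```

The `act` claim is what lets a downstream API tell "bob acting for alice" apart from "alice", which is the audit trail the impersonation form of the exchange deliberately does not leave.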

How to get DocuSign Bearer Token

I want to use these APIs from the backend:
https://apiexplorer.docusign.com/#/esign/restapi?categories=Authentication&tags=Authentication&operations=login&mode=basic
The problem is where I can get the bearer token from in the backend?
The DocuSign /RESTAPI/v{2, 2.1}/ login, updatePassword, revokeOAuthToken, getOAuthToken API methods are obsolete and should not be used for any application.
Instead, use the DocuSign OAuth2 flows to obtain Bearer tokens:
Authorization Code Grant
JWT Grant
Implicit Grant
Recommendation: use libraries for the OAuth flows. See the eg-01-*-jwt example repos for the JWT Grant flow and the eg-03-*-auth-code-grant example repos for Authorization Code Grant. The example repos are on https://github.com/docusign
The examples are also discussed on developers.docusign.com

How JWT is different from OAuth 2.0?

I have done a sample application using Spring Boot, Spring Security and JWT and defined my custom authentication & authorization filters. While performing basic authentication (passing username & password) I get a JWT token in the format xxxx.yyyy.zzzz where xxxx is the header, yyyy is the payload and zzzz is the signature, and each part is encoded using a Base64URL encoder. What I do not understand is how JWT is different from OAuth 2.0. In OAuth 2.0, we can pass 2 types of grant_type, either 'username' or 'client credentials', & also need to pass client id and client secret to get access & refresh tokens.
Please assist to clarify my following doubts:-
1) Is JWT lighter than OAuth 2.0 as it does not contain the refresh token but just the access token?
2) Can JWT not be used to make a standalone authorization server, like we can make a standalone authorization server using the @EnableAuthorizationServer annotation when it comes to OAuth 2.0? Is my assumption correct?
3) Does JWT not accept client id/client secret but just use basic authentication to get bearer tokens?
4) Is the format of the access token (or bearer token) different for OAuth 2.0 and JWT?
I have seen an example where both OAuth 2.0 and JWT were used. OAuth 2.0 was to make authorization server which returns JWT token only in the end but did not understand why JWT was used if OAuth2.0 can return a token by itself.
Thank you
JWT is a JSON-based token defined in RFC 7519. OAuth 2.0 is an authorization framework defined in RFC 6749. Comparing both is like asking "How Glucose is different from Apple Pie?".
However, it is possible to bring OAuth 2.0 and JWTs together as defined in RFC 7523 – The JSON Web Token (JWT) Profile for OAuth 2.0 Client Authentication and Authorization Grants. It standardizes how to use JWTs as bearer tokens within the OAuth 2.0 framework, which enables what I call stateless authentication.
Regarding your questions:
1) Whether or not you use JWTs as bearer tokens does not influence whether or not you want to hand out refresh tokens.
2) Not sure whether I get your question. However, using JWT allows you to make decentralized, stateless auth decisions as there is no need to store token state centrally. However, nobody prevents you from having a standalone authorization server.
3) How you want to do authentication has nothing to do with JWT. It is still OAuth 2.0.
4) In OAuth 2.0 bearer tokens are considered to be opaque tokens – the format does not matter. If you use JWTs as bearer tokens, you need to follow the corresponding RFC.

Is it possible to access the wso2is SCIM interface by using OAuth client id and client secret

I am using wso2is 5.4 and want to access the scim2 rest API. I am able to do so by using basic authorization and bearer token, but I would prefer to do it by using client id and client secret. Is there a way to do this?
Thanks
Clemens
You can use Client Credentials Grant [1] to get a bearer token and use that to access the SCIM2 endpoint.
[1] https://docs.wso2.com/display/IS540/Client+Credentials+Grant
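An added example, not from the answer or from WSO2's documentation, of the two HTTP calls the answer describes, written with Python's urllib: first the client-credentials POST to /oauth2/token, authenticated with HTTP Basic (client_id:client_secret, RFC 6749 section 2.3.1), then the SCIM2 /Users call with the resulting bearer token. The host, client id/secret, user filter and scope value are placeholders; which scope (if any) WSO2 IS expects for SCIM2 depends on the IS version, so check the docs for yours.

```python
import base64
import json
from urllib.parse import urlencode
from urllib.request import Request, urlopen

# Placeholder deployment values; replace with your own IS host and service provider keys.
IS_BASE = "https://localhost:9443"
CLIENT_ID = "my-scim-client"
CLIENT_SECRET = "my-scim-secret"


def client_credentials_request(base, client_id, client_secret, scope=None):
    """POST /oauth2/token with grant_type=client_credentials.
    The client authenticates with HTTP Basic, so the secret never travels in the body."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    params = {"grant_type": "client_credentials"}
    if scope:  # e.g. an internal_user_mgt_* scope on IS versions that enforce scopes
        params["scope"] = scope
    return Request(
        f"{base}/oauth2/token",
        data=urlencode(params).encode(),
        method="POST",
        headers={"Authorization": f"Basic {basic}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def scim2_users_request(base, access_token, filter_expr=None):
    """GET /scim2/Users, optionally with a SCIM filter, using the bearer token."""
    url = f"{base}/scim2/Users"
    if filter_expr:
        url += "?" + urlencode({"filter": filter_expr})
    return Request(url, headers={"Authorization": f"Bearer {access_token}",
                                 "Accept": "application/scim+json"})


def list_users(base, client_id, client_secret, filter_expr=None, opener=urlopen):
    """Run both calls. `opener` is injectable so the flow can be exercised offline."""
    with opener(client_credentials_request(base, client_id, client_secret)) as resp:
        access_token = json.load(resp)["access_token"]
    with opener(scim2_users_request(base, access_token, filter_expr)) as resp:
        return json.load(resp)


if __name__ == "__main__":
    print(json.dumps(list_users(IS_BASE, CLIENT_ID, CLIENT_SECRET, 'userName eq "admin"'), indent=2))
```

A default IS install serves a self-signed certificate, so in practice pass `urlopen` an `ssl` context that trusts the IS CA certificate rather than disabling verification. Note that with this grant the token carries the service provider's identity, not a user's, so what the SCIM2 endpoint lets it do is governed by the permissions of the application owner.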

How do I use an id_token issued by Google as a JWT Bearer Grant

I want to use the id_token issued by Google OAuth2/OIDC provider as a JWT Bearer grant[1] at some other Identity Provider(say X) to obtain an access_token.
Everything is fine except for the 'aud' claim of the id_token. According to the JWT bearer spec [1], the 'aud' claim should contain some identifier of IDP X (the token endpoint alias is the commonly used value). AFAIK the only value we get there in the id_token at the moment is the OAuth2 client_id.
Is there a standard way to configure some identifier of X to be included in the id_token so that it becomes a valid jwt bearer grant to be used at X?
I think this problem is not specific to id_tokens coming from Google but rather for any OIDC provider.
[1] https://datatracker.ietf.org/doc/html/draft-ietf-oauth-jwt-bearer-12#section-3
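An added example, not WSO2 code and not from either post, that works through both the JWT Bearer Grant exchange described in the first answer on this page and the 'aud' problem raised in this question. A client mints an assertion addressed to IDP X, a server-side validator applies the checks the spec's section 3 calls for (trusted iss, signature, aud containing the token endpoint alias, exp, sub, and jti replay protection), and a constructed id_token whose aud is the relying party's OAuth2 client_id is rejected on exactly the aud check. HS256 with a per-issuer shared key stands in for the RS256/public-key verification a real IDP performs; every issuer, key, URL and subject value is made up.

```python
import base64
import hashlib
import hmac
import json
import time
import uuid
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

# Constructed demo values: the token endpoint alias of "IDP X" that a valid assertion
# must name in 'aud', and one shared HS256 key per trusted issuer (a real deployment
# verifies RS256/ES256 against the issuer's public key instead).
TOKEN_ENDPOINT_ALIAS = "https://idp-x.example.com/oauth2/token"
TRUSTED_ISSUERS = {
    "https://trusted-idp.example.com": b"trusted-idp-shared-secret",
    "https://accounts.google.com": b"hypothetical-key-for-the-aud-demo",
}


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_jwt(claims, key):
    """Minimal HS256 JWS compact serialization: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims))
    tag = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url(tag)


def build_assertion(issuer, subject, key, now=None, ttl=300):
    """Client side: mint a JWT bearer assertion addressed to IDP X."""
    now = int(time.time()) if now is None else now
    claims = {
        "iss": issuer,
        "sub": subject,
        "aud": TOKEN_ENDPOINT_ALIAS,  # must identify the server that will consume it
        "exp": now + ttl,
        "iat": now,
        "jti": str(uuid.uuid4()),     # unique id so the server can refuse replays
    }
    return sign_jwt(claims, key)


def token_request_body(assertion, scope="openid"):
    """Form body POSTed to IDP X's /oauth2/token endpoint for this grant type."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


def validate_assertion(jwt, seen_jti, now=None):
    """Server side: (True, claims) if the assertion may be exchanged, else (False, reason)."""
    now = int(time.time()) if now is None else now
    parts = jwt.split(".")
    if len(parts) != 3:
        return False, "malformed"
    try:
        header = json.loads(b64url_decode(parts[0]))
        claims = json.loads(b64url_decode(parts[1]))
        signature = b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return False, "malformed"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return False, "malformed"
    # Pin the algorithm server-side; never let the token's own 'alg' (e.g. "none") choose it.
    if header.get("alg") != "HS256":
        return False, "alg not allowed"
    iss = claims.get("iss")
    key = TRUSTED_ISSUERS.get(iss) if isinstance(iss, str) else None
    if key is None:
        return False, "untrusted issuer"
    expected = hmac.new(key, (parts[0] + "." + parts[1]).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if TOKEN_ENDPOINT_ALIAS not in audiences:
        return False, "aud mismatch"  # this is what happens to an OIDC id_token
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return False, "expired"
    if not claims.get("sub"):
        return False, "missing sub"
    jti = claims.get("jti")
    if jti is not None:
        if jti in seen_jti:
            return False, "replayed"
        seen_jti.add(jti)
    return True, claims


def google_style_id_token(now=None):
    """Constructed id_token shaped like an OIDC provider's: 'aud' is the relying party's
    client_id, so IDP X's alias is absent and the aud check above rejects it."""
    now = int(time.time()) if now is None else now
    claims = {"iss": "https://accounts.google.com", "sub": "110248495921238986420",
              "aud": "my-app.apps.example", "exp": now + 3600, "iat": now}
    return sign_jwt(claims, TRUSTED_ISSUERS["https://accounts.google.com"])
```

The aud check is not pedantry: without it, any JWT the trusted issuer ever signed for any other audience (an id_token for a mobile app, say) could be replayed at IDP X as a grant for the same subject. Accepting the id_token anyway, or a proxy that re-signs it with the right audience, both amount to trusting it for a purpose its issuer never stated.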
