The main objective of this blog is to give an overview of OIDC RP-initiated logout and how the WSO2 Identity Server handles it.

What is OpenID Connect (OIDC)?

OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server.

WSO2 Identity Server supports different user session management capabilities.

Imagine you have logged into two applications, AppA and AppB. As an end user you may want to manage your sessions: terminate one session, terminate all sessions, or list all your active sessions. To support these use cases, WSO2 IS provides user session management REST APIs.

WSO2 IS User Session management REST API

WSO2 IS supports session management through REST APIs. There are two of them:

  1. Me API (used by a user to manage their own sessions)
  2. Admin API (used by an administrator to manage users' sessions)

Both Me and Admin APIs…

This blog shows how you can add SAML authentication to a Spring Boot application with the WSO2 Identity Server in a few minutes.

The sample application uses Spring Boot and the spring-security-saml2-service-provider module, which is new in Spring Security 5.2 [1]. It shows how to integrate your Spring Boot SAML application with WSO2 Identity Server.

If spring-security-saml2-service-provider is on your classpath, Spring Boot auto-configuration makes it easy to set up a SAML 2.0 relying party. That configuration is driven by the properties under Saml2RelyingPartyProperties.

This blog covers the following topics.

1. Register a SAML service…

You may run into SSL issues when integrating your Android application with a WSO2 Identity Server running on your local machine.

This typically happens when the Android emulator calls the local server through the IP address 10.0.2.2 (the emulator's alias for the host's loopback interface).

Fix the SSLHandshakeException

  • Sometimes you get an SSLHandshakeException in the Android application because WSO2 IS ships with a self-signed certificate by default:
javax.net.ssl.SSLHandshakeException: java.security.cert.CertPathValidatorException: Trust anchor for certification path not found.
  • Follow this Android documentation to get rid of the SSLHandshakeException.
  • To fix the exception, add the public certificate of IS to the res/raw folder and
  • Then add the following config…

Pin that certificate as an additional trust anchor scoped to 10.0.2.2 rather than installing a TrustManager that accepts every certificate, and make sure the certificate's subject alternative names include 10.0.2.2 (or whatever host name you use); otherwise hostname verification still fails once the trust-anchor error is gone.

Spring Security is a powerful and highly customizable authentication and access-control framework. It is the de facto standard for securing Spring-based applications [1].

“Spring Boot is basically an extension of the Spring framework which eliminated the boilerplate configurations required for setting up a Spring application.” [2]

It takes only five minutes to create a simple Spring Boot web application in IntelliJ IDEA and secure it with the OIDC protocol for user authentication. WSO2 Identity Server supports several authentication and authorization mechanisms based on different standards.

This blog will guide you through creating a simple Spring Boot web application and make…

What is Private Key JWT Client Authentication?

All confidential clients must authenticate to the Token API to obtain an access token. The platform's OAuth 2.0 Token API supports the following client authentication methods:

  • Basic Authentication (client_secret_basic)
  • Client Secret JWT Authentication (client_secret_jwt)
  • Private Key JWT Client Authentication (private_key_jwt)
  • Mutual TLS Authentication (tls_client_auth)

Let's see how OAuth clients can authenticate to the Token API using private_key_jwt.

For this method the client holds an asymmetric key pair (not necessarily the one used for its TLS certificate), and the private key never leaves the client. We can consider private_key_jwt authentication in two steps:

  1. OAuth2 Client shares its public key with the Authorization Server.
  2. OAuth2 client sends the JWT data signed with its private…
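The two steps above, carried through end to end as an added example (this is not code from the original post or from WSO2): the client builds the assertion it sends in place of a client secret, and the server side shows the checks the token endpoint must make before accepting it. The client id my_client, the token endpoint https://localhost:9443/oauth2/token, the 300-second lifetime and the injected signer/verify callables are assumptions for illustration; rs256_signer uses the cryptography package, which is assumed to be installed.

```python
import base64
import json
import secrets
import time

# Assertion type registered for JWT client authentication (RFC 7523).
CLIENT_ASSERTION_TYPE = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def b64url(data: bytes) -> str:
    """Base64url without padding, as JWS requires."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_segment(segment: str) -> dict:
    return json.loads(b64url_decode(segment))


def rs256_signer(private_key_pem: bytes):
    """Real signer for production use; needs the `cryptography` package (assumed installed)."""
    from cryptography.hazmat.primitives import hashes, serialization
    from cryptography.hazmat.primitives.asymmetric import padding

    key = serialization.load_pem_private_key(private_key_pem, password=None)
    return lambda data: key.sign(data, padding.PKCS1v15(), hashes.SHA256())


def build_client_assertion(client_id, token_endpoint, signer, now=None, lifetime=300):
    """Step 2 on the client: a short-lived JWT signed with the client's private key.

    `signer` maps the JWS signing input (bytes) to the raw signature bytes.
    """
    now = int(time.time()) if now is None else now
    header = {"alg": "RS256", "typ": "JWT"}
    claims = {
        "iss": client_id,                  # issuer and subject are both the client
        "sub": client_id,
        "aud": token_endpoint,             # the endpoint this assertion is meant for
        "jti": secrets.token_urlsafe(16),  # unique id so the server can reject replays
        "iat": now,
        "exp": now + lifetime,
    }
    signing_input = ".".join(
        b64url(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    return signing_input + "." + b64url(signer(signing_input.encode("ascii")))


def token_request_form(assertion, scope="openid"):
    """Form body for the token endpoint; no client_secret is sent at all."""
    return {
        "grant_type": "client_credentials",
        "scope": scope,
        "client_assertion_type": CLIENT_ASSERTION_TYPE,
        "client_assertion": assertion,
    }


def validate_client_assertion(assertion, expected_client_id, expected_aud, verify,
                              seen_jti, now=None, max_lifetime=600):
    """Server-side checks. `verify(signing_input, signature)` returns True when the
    signature matches the public key registered for expected_client_id (step 1).
    `seen_jti` is a set shared across requests and acts as the replay cache."""
    now = int(time.time()) if now is None else now
    parts = assertion.split(".")
    if len(parts) != 3:
        raise ValueError("assertion must have three segments")
    head, body, sig = parts
    if decode_segment(head).get("alg") != "RS256":  # never trust the alg the sender picked
        raise ValueError("unexpected alg")
    if not verify((head + "." + body).encode("ascii"), b64url_decode(sig)):
        raise ValueError("bad signature")
    claims = decode_segment(body)
    if claims.get("iss") != expected_client_id or claims.get("sub") != expected_client_id:
        raise ValueError("iss/sub do not match the authenticating client")
    aud = claims.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("aud does not name this token endpoint")
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        raise ValueError("assertion expired or exp missing")
    if exp - claims.get("iat", exp) > max_lifetime:
        raise ValueError("assertion lifetime too long")
    jti = claims.get("jti")
    if not jti or jti in seen_jti:
        raise ValueError("missing or replayed jti")
    seen_jti.add(jti)
    return claims
```

The client posts token_request_form(...) as an application/x-www-form-urlencoded body to the token endpoint (for example with requests.post(token_endpoint, data=...)). On the server side the order matters: pin the algorithm and verify the signature before reading any claim, bind aud to this endpoint so an assertion captured elsewhere cannot be redirected here, and keep jti in a replay cache for at least as long as you allow an assertion to live.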

There are a few sample applications that demonstrate SAML2 SSO with WSO2 Identity Server (IS):

  1. saml2-web-app-pickup-dispatch.com
  2. saml2-web-app-pickup-manager.com
  3. travelocity

saml2-web-app-pickup-dispatch.com and saml2-web-app-pickup-manager.com are the more recent samples, and we recommend using them with the latest IS versions.

Let's see how to configure the saml2-web-app-pickup-dispatch.com app in a tenant.

1. Building from source

  1. Clone or download the source of the WSO2 sample-is repository.
  2. We will refer to this directory as <IS_SAMPLE_REPO> from here onwards.
  3. Run the Maven command mvn clean install from the <IS_SAMPLE_REPO>/saml2-sso-sample directory.
  4. You can find the SSO sample applications in the target directories of <IS_SAMPLE_REPO>/saml2-sso-sample/saml2-web-app-pickup-dispatch and <IS_SAMPLE_REPO>/saml2-sso-sample/saml2-web-app-pickup-manager. The application distributions are named saml2-web-app-pickup-dispatch.com.war and…

WSO2 IS sends Account recovery confirmation mails for the following scenarios:

If the user did not receive the recovery mail for some reason, or the confirmation code has expired, the account recovery confirmation email has to be resent.

Resending account recovery confirmation mails

This feature is available as a WUM update for 5.3.0 and 5.7.0, and in the latest IS versions.

To configure this feature, first set up the email templates via the management console.

1. Configure Email Templates

Refer to this document for resending account…

A JSON Web Token (JWT) is a compact, URL-safe string made of a JSON header and a JSON payload of claims, followed by a signature over both. To learn more about JWT, please read my previous blog. A JWT looks like

header.payload.signature.

Eg:

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA

When we decode the JWT, the header and payload read as follows (the signature segment is raw bytes and is shown only as a placeholder):

{
"alg": "RS256",
"typ": "JWT"
}
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022
}
<RS256 signature over header.payload, base64url-encoded>

Note that the header and payload are only base64url-encoded, not encrypted: anyone holding the token can read these claims. Decoding is not verification; before trusting any claim, verify the signature with the issuer's public key for the alg your application expects (never the alg announced in the header alone), and check exp and the intended audience.
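The decoding described above, as an added example that is not part of the original post: it splits the page's sample token into its three segments, decodes the header and payload, and refuses tokens whose alg is not on an allowlist, while making explicit that nothing it returns has been verified. The ALLOWED_ALGS set is an assumption standing in for whatever your relying party is configured to accept.

```python
import base64
import json
from datetime import datetime, timezone

# The RS256 token from the page, used here as sample input.
PAGE_JWT = (
    "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0."
    "POstGetfAytaZS82wHcjoTyoqhMyxXiWdR7Nn7A29DNSl0EiXLdwJ6xC6AfgZWF1bOsS_TuYI3OG85AmiExREkrS6tDfTQ2B3WXlrr-wp5AokiRbz3_oB4OxG-W9KcEEbDRcZc0nH3L7LzYptiy1PtAylQGxHTWZXtGz4ht0bAecBgmpdgXMguEIcoqPJ1n3pIWk_dUZegpqx0Lka21H6XxUTxiy8OcaarA8zdnPUnV6AmNP3ecFawIFYdvJB_cm-GvpCSbr8G8y_Mllj8f4x9nBH8pQux89_6gUY618iYv7tuPWBFfEbLxtF2pZS6YC1aSfLQxeNe8djT9YjpvRZA"
)

# Assumption: the algorithms this deployment is willing to accept. "none" and the
# HMAC family are deliberately absent so a sender cannot downgrade the check.
ALLOWED_ALGS = {"RS256", "PS256", "ES256"}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def inspect_jwt(token: str) -> dict:
    """Split a compact JWS into header, payload and signature.

    This only decodes. It does NOT verify the signature, so nothing returned
    here may be trusted until the signature has been checked against the
    issuer's public key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segment(s)")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    if alg not in ALLOWED_ALGS:
        raise ValueError(f"refusing token with alg={alg!r}")
    payload = json.loads(b64url_decode(parts[1]))
    signature = b64url_decode(parts[2])
    if not signature:
        raise ValueError("empty signature")
    return {"header": header, "payload": payload,
            "signature_bytes": len(signature), "verified": False}


def claim_times(payload: dict) -> dict:
    """Render the numeric-date claims as UTC timestamps for inspection."""
    return {k: datetime.fromtimestamp(payload[k], tz=timezone.utc).isoformat()
            for k in ("iat", "nbf", "exp") if k in payload}


if __name__ == "__main__":
    info = inspect_jwt(PAGE_JWT)
    print(json.dumps(info["header"], indent=2))
    print(json.dumps(info["payload"], indent=2))
    print(claim_times(info["payload"]))
```

The page's token carries only iat and no exp, so even a correctly signed copy would never expire on its own; a relying party should treat a missing exp as a rejection, not as "valid forever".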

With the SAML2 bearer grant, an SP can exchange a SAML assertion obtained from an identity provider trusted by the Identity Server for an access token. …

Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2
