Request Object Support in WSO2 Identity Server

What is Request Object?

Piraveena Paralogarajah
5 min read · Mar 24, 2019

In simple terms, a request object is a JWT that requests a set of claims from the identity provider during the authorization process. It is a JWT (JSON Web Token) that carries a set of request parameters as its claims. WSO2 Identity Server has supported this feature since version 5.5.0.

If a request object is associated with the authorization request, the server returns the claims marked essential in the request object, provided those claims are also requested through the scope.

According to the OIDC spec, the request object can be passed in either of two ways:

1. the request parameter (passed by value)

2. the request_uri parameter (passed by reference)

WSO2 Identity Server supports the request parameter (passed by value).

The main purpose of this parameter is to request claims beyond the default userinfo and id_token claim set that is associated with the requested scope. The parameter value can be a plain JSON object or an encoded JSON object (a JWT).

Let's look at the outline of this flow.

  1. Configuring claims
  2. Creating self-signed certificate for service provider
  3. Configuring a service provider through management console
  4. Creating a user
  5. Creating a jwt object
  6. Testing the flow using the service provider

Now let's go through each step.

1. Configure claims.

  • Add two new external claims. Here we create two claims under the OIDC dialect and map them to local claims.
  • Navigate to Main -> Claims -> Add -> Add External Claim
  Dialect URI: http://wso2.org/oidc/claim
  External Claim URI: customClaim1
  Mapped Local Claim: http://wso2.org/claims/challengeQuestion1
[Image: Mapping to external claim]
  • Similarly, add customClaim2 as another claim, mapped to challengeQuestion2.
  Dialect URI: http://wso2.org/oidc/claim
  External Claim URI: customClaim2
  Mapped Local Claim: http://wso2.org/claims/challengeQuestion2
[Image: Mapping to external claim]

Here, customClaim1 and customClaim2 are chosen as claim URIs because they are not configured as requested claims in the OIDC scope. For testing purposes these claims are mapped to the existing local claims http://wso2.org/claims/challengeQuestion1 and http://wso2.org/claims/challengeQuestion2. If necessary, you can create two new local claims for this purpose instead.

  • Then we have to make those local claims supported by default.
  • Navigate to Main -> Claims -> List.
  • Select http://wso2.org/claims, then select Challenge Question1 as shown in the image below.
[Image: Setting Challenge Questions as default claim]
  • Click the Edit button and tick the Supported by Default option.
  • Do the same for Challenge Question2.

2. Create a self-signed certificate for the service provider.

openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  • This generates a private key (key.pem) and a self-signed certificate (certificate.pem) that carries the public key.
  • You can view both files with any text editor.
  • The certificate is in PEM format:
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----

3. Configuring a service provider (SP)

  • Navigate to Main -> Service Providers -> Add and create a service provider.
  • In the Basic Information section, choose Upload SP certificate as the Application Certificate option.
  • Paste the public certificate (certificate.pem) you generated for the service provider into the text box.
[Image: Uploading public certificate of the SP]
  • Navigate to Inbound Authentication Configuration.
  • Select OAuth/OpenID Connect Configuration.
  • Click Configure, add the callback URL, and update the SP (http://localhost:8080/playground2).
[Image: Inbound Authentication Configuration of the SP]
  • Edit the service provider you created above, expand Claim Configuration, and select Define Custom Claim Dialect.

Add the following as Requested Claims:

  • http://wso2.org/claims/challengeQuestion1
  • http://wso2.org/claims/challengeQuestion2
  • http://wso2.org/claims/country
  • http://wso2.org/claims/emailaddress

4. Creating a user

  • Navigate to Main -> Users and Roles -> Add New User.
  • Create a new user named Tom.
  • Then update his profile.
  • In the user profile you will be asked to enter an email address, challenge question 1, challenge question 2, and country.
[Image: Updating user profile]

5. Creating the JWT request object

{
  "client_id": "<client-id>",
  "sub": "<client-id>",
  "aud": [
    "https://localhost:9443/oauth2/token"
  ],
  "claims": {
    "userinfo": {
      "given_name": {
        "essential": true
      },
      "nickname": null,
      "email": {
        "essential": true
      },
      "customClaim2": {
        "essential": true
      }
    },
    "id_token": {
      "gender": null,
      "birthdate": {
        "essential": true
      },
      "customClaim1": {
        "essential": true
      }
    }
  },
  "iss": "<client-id>",
  "exp": 1516786878,
  "iat": 1516783278,
  "jti": "1003"
}
The payload I created.
  • Modify client_id and the claims as needed.
  • Open https://jwt.io and select RS256 as the algorithm.
  • Paste the payload into the PAYLOAD section.
  • In the VERIFY SIGNATURE section, delete everything inside the text boxes and paste the public certificate and private key of the service provider.
[Image: Verify signature section]

jwt.io now shows the signed, encoded JWT; copy it for the next step.
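As an added example that is not part of the original post, the same request object can be built, signed and verified from the command line with openssl instead of jwt.io, using the key.pem and certificate.pem created in step 2. A throwaway key pair is generated so the script runs stand-alone; "placeholder-client-id" and /CN=playground2 are assumed values, and the exp is set an hour ahead because an expired request object is rejected by the authorization server.

```shell
#!/bin/sh
# Added example (not from the original post): build, sign and verify an OIDC
# request object with openssl. "placeholder-client-id" and /CN=playground2 are
# assumptions; key.pem and certificate.pem follow the post's naming.
set -eu

b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_decode() {   # restore the standard alphabet and padding so openssl can decode
  tr '_-' '/+' | awk '{ n = length($0) % 4; if (n) $0 = $0 substr("==", 1, 4 - n); printf "%s", $0 }' | openssl base64 -d -A
}

gen_sp_keys() {   # the post's openssl command, made non-interactive with -subj
  openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" -x509 -days 365 \
    -subj "/CN=playground2" -out "$1/certificate.pem" 2>/dev/null
}

make_request_object() {   # $1 = SP private key, $2 = client_id; prints compact JWT
  now=$(date +%s)
  header=$(printf '{"typ":"JWT","alg":"RS256"}' | b64url)
  # exp must still be in the future when the authorize request is sent; the post's
  # sample payload carries an exp from 2018, which the server would treat as expired.
  payload=$(printf '{"client_id":"%s","sub":"%s","aud":["https://localhost:9443/oauth2/token"],"claims":{"userinfo":{"email":{"essential":true},"customClaim2":{"essential":true}},"id_token":{"customClaim1":{"essential":true}}},"iss":"%s","exp":%d,"iat":%d,"jti":"%d"}' \
    "$2" "$2" "$2" $((now + 3600)) "$now" "$now" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

payload_of() { rest=${1#*.}; printf '%s' "${rest%%.*}" | b64url_decode; }

verify_request_object() {   # $1 = SP certificate, $2 = compact JWT; returns 0 if valid
  tmp=$(mktemp -d)
  header=${2%%.*}; rest=${2#*.}; payload=${rest%%.*}; sig=${rest#*.}
  openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem"   # what the IdP checks against
  printf '%s' "$sig" | b64url_decode > "$tmp/sig.bin"
  printf '%s.%s' "$header" "$payload" \
    | openssl dgst -sha256 -verify "$tmp/pub.pem" -signature "$tmp/sig.bin" > /dev/null
  rc=$?
  rm -rf "$tmp"
  return $rc
}

# Demo: throwaway SP key pair, signed request object, round-trip verification.
work=$(mktemp -d)
gen_sp_keys "$work"
jwt=$(make_request_object "$work/key.pem" "placeholder-client-id")
echo "request=$jwt"
verify_request_object "$work/certificate.pem" "$jwt" && echo "signature OK"
rm -rf "$work"
```

The printed value is what goes into the request parameter of the authorize URL in step 6; payload_of lets you inspect the claims of any compact JWT (the request object or the returned id_token) without a browser tool.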

6. Testing the flow.

  • Send an authorization request from a browser and obtain an authorization code, since we set response_type=code.
https://localhost:9443/oauth2/authorize?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=e_govr0VxJqqiNLAY4LQijXbkOQa &request=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJjbGllbnRfaWQiOiJlX2dvdnIwVnhKcXFpTkxBWTRMUWlqWGJrT1FhICIsInN1YiI6ImVfZ292cjBWeEpxcWlOTEFZNExRaWpYYmtPUWEgIiwiYXVkIjpbImh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIl0sImNsYWltcyI6eyJ1c2VyaW5mbyI6eyJnaXZlbl9uYW1lIjp7ImVzc2VudGlhbCI6dHJ1ZX0sIm5pY2tuYW1lIjpudWxsLCJlbWFpbCI6eyJlc3NlbnRpYWwiOnRydWV9LCJjdXN0b21jbGFpbTIiOnsiZXNzZW50aWFsIjp0cnVlfX0sImlkX3Rva2VuIjp7ImdlbmRlciI6bnVsbCwiYmlydGhkYXRlIjp7ImVzc2VudGlhbCI6dHJ1ZX0sImN1c3RvbWNsYWltMSI6eyJlc3NlbnRpYWwiOnRydWV9fX0sImlzcyI6ImVfZ292cjBWeEpxcWlOTEFZNExRaWpYYmtPUWEgIiwiZXhwIjoxNTUzNDIyNTM3LCJpYXQiOjE1MTY3ODMyNzgsImp0aSI6IjEwMDMifQ.YputORL4oMi6Va8moERGUXL4VedC1ttr8RHZLeKR6eea61T2sqlnziPF6zBJQON9o6j6t1nDNYzrxkNbzbv6oGbz3KT8opbwuQBcMwTIzBv92uaR97c6Gdzwkd9odRsqadHfPV_RrN5dLNR8NMoQiJ-nMfQ_eZtfWqJva8IPO0j93wSce6-JFpe9cQA_k2izZ-BBMN7Ju52QfobvR_npqb-UjWj3r3yKOtnZXJvsn2xNAWiZ5LpsT19aWXmB8iHnEOELYKbAXSJUZGJY-tNMdhw2JzTPtnkxVuFoCjnqZCDArgv11a4_eOVv6FBL0qjD5V3imS_TjN8sWRv6_hvAYA
  • Using the code we obtained, we can get an access token and an id_token with the following curl command.
curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<code>&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=" https://localhost:9443/oauth2/token

When you decode the id_token obtained:

[Image: id_token obtained]
  • Since we requested customClaim1 in the id_token section of the request object, it is returned in the id_token.
  • Using the curl command below, obtain user information from the userinfo endpoint.
curl -k -H "Authorization: Bearer <access_token>" https://localhost:9443/oauth2/userinfo
{"country":"Sri Lanka", "sub":"tom", "email":"piraveena@wso2.com", "customclaim2":"What is your father's name?"}

Now you have obtained customClaim2 from the userinfo endpoint.

Written by Piraveena Paralogarajah

Software Engineer @WSO2, CSE Undergraduate @ University of Moratuwa, Former Software Engineering Intern @ WSO2

No responses yet