2
votes

We are building our API with WSO2 API Manager + a separate Identity Server.

For the implementation of the resource server we need to

  1. validate the token (that it's valid)
  2. get information about the user (roles, username, full name etc.)
  3. details of authentication through OAuth (scope)

User roles and auth scope are necessary to determine user capabilities and apply security settings (as an intersection of user roles and granted scopes).

Currently it seems that I can get all necessary information with 2 requests:

  1. call the "validate" method at the SOAP web service located at /services/OAuth2TokenValidationService/ (IS or API Manager in case of no dedicated IS)

    The response contains information about token validity, expiration data and user scopes.

  2. do a GET on /oauth2/userinfo?schema=openid

    The response contains JSON with information about the user (roles, username etc.)

The first request requires basic auth with the credentials of a user registered at the WSO2 IS server. The second one requires only the OAuth token that the resource server obtained from a client.

So the question is: are these 2 requests with different technologies necessary for this use case (to get scopes and user info at the resource server), or maybe I'm missing something?

The second request is almost good, but it does not contain information about the token scope, thus the server can't restrict access to a resource if a user, in general, has access to it (according to his roles).

If 2 requests are necessary, what are the minimum system roles the user should have at the WSO2 app to access the SOAP service? Using admin credentials (like the default admin/admin) seems too insecure to me and I'd like to create a user for token validation with minimum permissions.

1
I need to implement the same resource server, did you manage to solve it? – Lesther Vega
Our company had commercial support from WSO2 and they provided us a patch for the key manager part of Identity Server that let us include scopes in the generated JWT token. So our app relies only on the received JWT and extracts all necessary info from the contained claims. For that we had to implement a custom JWT generator and included scope information along with the claims of the client owners (we need them to check what the client is allowed to do). Not sure if this patch is available now for open access with the latest release of IS or API Manager. – zeldigas

1 Answer

0
votes
  1. do a GET on /oauth2/userinfo?schema=openid: This is a REST endpoint which is secured with OAuth; you need to use an access token to authenticate and get user info.

  2. call the "validate" method at the SOAP web service located at /services/OAuth2TokenValidationService/: This service is an admin service which you can invoke using any authentication mechanism allowed for invoking admin services, like Basic-Auth, mutual SSL, etc.

In your scenario you can use the mutual SSL authenticator to authenticate with Identity Server; [1] here you can find more information on that.

Apart from that, without calling the userinfo endpoint, you can configure Identity Server to send a JWT token with the token validation response. Then you can get user information from the JWT token; [2] here you will find more information on this.

[1] http://isharaaruna.blogspot.com/2014/01/oauth-20-playground-sample-with-mutual.html

[2] http://blog.shelan.org/2013/07/how-to-get-user-profile-for-oauth-token.html