I have been using WSO2 IS as an OIDC provider. I have implemented a custom claim handler which is working fine and is invoked when WSO2 receives grant_type "authorization_code". The problem started when a Service Provider sent a request with grant_type=password. In this case, WSO2 successfully authenticated the user and returned the JWT but... without the custom claim, as WSO2 did not invoke the custom claim handler.
This is the configuration I did in the file <IS_HOME>/repository/conf/identity/application-authentication.xml for the custom claim handler, which is being invoked for grant_type=authorization_code:
<ClaimHandler>com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler</ClaimHandler>
This is the debug log from WSO2:
TID: [-1234] [] [2018-04-06 11:34:38,199] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID EjQvbCf0pclp6eVO5lxTq23_lxQa, User ID userldap, Scope : [ openid, email] and Grant Type : password
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : password Strict client validation set to : null
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,207] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Oauth App validation success for consumer key: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,209] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - Pre authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : ref from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountDisabled in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - Handling event : PRE_AUTHENTICATION
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - PreAuthenticate - AdminForcedPasswordResetHandler for user : [email protected]
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.recovery.handler.AccountConfirmationValidationHandler} - PreAuthenticate
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,217] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : accountLock from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountLocked in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : [email protected] : email openid , Authentication State : true
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - SP wise token expiry time feature is applied for tenant id : -1234and consumer key : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Service Provider specific expiry time enabled for application : EjQvbCf0pclp6eVO5lxTq23_lxQa. Application access token expiry time : null, User access token expiry time : null, Refresh token expiry time : null
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - OAuth application id : EjQvbCf0pclp6eVO5lxTq23_lxQa, access token validity time in milliseconds : 3600000
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token e88de89f-70d4-33d5-b447-5cd0135fd682 found in cache
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: EjQvbCf0pclp6eVO5lxTq23_lxQa username: [email protected] and scopes: email openid
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Issuing ID token for client: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,233] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,236] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,237] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Retrieve access token for tokenId: e88de89f-70d4-33d5-b447-5cd0135fd682 with flag includeExpired: false
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder} - Using issuer https://localhost:9445/oauth2/token Subject userldap ID Token life time 3600 Current time 1523032478 Nonce Value null Signature Algorithm RS256
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - Adding claims for user [email protected] to id token.
TID: [-1234] [] [2018-04-06 11:34:38,247] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - User attributes not found in cache. Trying to retrieve attribute for user [email protected]
TID: [-1234] [] [2018-04-06 11:34:38,249] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,255] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,256] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21
If someone can point out what I missed, or what else I can try, it would be a great help.
Thanks.
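The post reports that the ID token returned for grant_type=password lacks the custom claim. The script below is an added diagnostic, not part of the original post or of WSO2 IS: it decodes the payload of a compact JWT and lists the claim names that are actually present, so the token from the password grant can be compared with the one from the authorization code grant. The sample token is constructed here (its issuer, subject, client id and RS256 header mirror values visible in the debug log above, the signature segment is a placeholder, and the email and expiry values are invented); the commented curl call assumes the token endpoint is the issuer URL shown in the log and uses placeholder credentials. The script does not verify the signature, so it is only for inspecting what a token contains, never for trusting it.

```shell
#!/bin/sh
# Decode the payload of a compact JWT (header.payload.signature) and report which
# claims it carries. Diagnostic only: the signature is NOT verified, so never use
# this to make a trust decision about a token.

b64url_decode() {
  # base64url -> standard base64 (restore '+' '/' and the stripped '=' padding), then decode.
  s=$(printf '%s' "$1" | tr '_-' '/+')
  case $(( ${#s} % 4 )) in
    2) s="${s}==" ;;
    3) s="${s}=" ;;
  esac
  printf '%s' "$s" | base64 -d
}

b64url_encode() {
  # Used only to build the constructed sample token below.
  printf '%s' "$1" | base64 | tr -d '\n=' | tr '/+' '_-'
}

jwt_payload() {
  # The claims set is the second dot-separated segment of the token.
  b64url_decode "$(printf '%s' "$1" | cut -d. -f2)"
}

jwt_claim_names() {
  # Top-level claim names present in the (flat) payload, one per line.
  jwt_payload "$1" | grep -o '"[^"]*"[[:space:]]*:' | sed 's/^"\([^"]*\)".*/\1/'
}

jwt_has_claim() {
  # Exit status 0 when claim "$2" is present in token "$1", 1 otherwise.
  jwt_payload "$1" | grep -q "\"$2\"[[:space:]]*:"
}

# Constructed sample ID token (NOT a real token from the post). Issuer, subject,
# client id and RS256 mirror the debug log; email and exp are invented; the third
# segment is a placeholder, not a valid signature.
SAMPLE_JWT="$(b64url_encode '{"alg":"RS256","typ":"JWT"}').$(b64url_encode '{"iss":"https://localhost:9445/oauth2/token","sub":"userldap","aud":"EjQvbCf0pclp6eVO5lxTq23_lxQa","email":"userldap@example.com","exp":1523036078}').placeholder-signature"

# Against a live server (assumed endpoint = issuer from the log; <client_secret>
# and <password> are placeholders), take id_token from the JSON response and pass
# it to jwt_has_claim / jwt_claim_names to see whether the custom claim arrived:
#   curl -sk -u 'EjQvbCf0pclp6eVO5lxTq23_lxQa:<client_secret>' \
#        -d 'grant_type=password&username=userldap&password=<password>&scope=openid email' \
#        https://localhost:9445/oauth2/token

if jwt_has_claim "$SAMPLE_JWT" email; then
  echo "email claim present"
fi
if ! jwt_has_claim "$SAMPLE_JWT" my_custom_claim; then
  echo "my_custom_claim missing; claims present:"
  jwt_claim_names "$SAMPLE_JWT"
fi
```

Run the same check on the ID token from an authorization_code exchange and on the one from the password grant; if the custom claim name appears in the first list and not in the second, the difference is in how the server builds the token for each grant, not in the client.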