I have the following setup on the same machine:
- WSO2-AM
- WSO2-IM-KM (Identity manager as key manager)
The identity manager federates authentication to an external OpenID identity provider.
What I've done so far:
- Share the databases between the two components
- Make WSO2-AM delegate the authentication to WSO2-IM-KM
- Configure the external provider to the generated service provider (generated in WSO2-IM-KM when creating an application in WSO2-AM store)
The current behavior:
- I can obtain an authorization code by calling the following URL: https://my.site:9444/oauth2/authorize?response_type=code&client_id=pkYcC4xFQ1jt6dQbdZAe6savv4oa&scope=phone+email+address+openid+profile&redirect_uri=https://my.site:9443/store/jagg/jaggery_oidc_acs.jag&nonce=3734e7d4c22f1&state=128d20e14c884. The authentication succeeds, then the `jaggery_oidc_acs.jag` endpoint fails.
- Since the `jaggery_oidc_acs.jag` endpoint fails, I manually retrieve the `code`, then POST it to https://my.site:8243/token, which returns me an `access_token`, a `refresh_token`, and an `id_token`.
My problems:
- How am I supposed to automate the manual step I described before? Am I in charge of creating a dedicated endpoint to do it, in order to keep the `authorization_code` obfuscated from the client, or is there a built-in endpoint in WSO2? If appropriate, what is this endpoint?
- Is there an endpoint that generates the `oauth2/authorize` URL?
After further research:
I have found the following document https://docs.wso2.com/display/IS540/Authorization+Code+Grant that seems to indicate that I need a "client", but I don't have one, I just need my API to be authenticated with the external identity provider.
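As an added example (not code from the original post or from WSO2), here is a minimal server-side handler for the manual steps described above: it builds the oauth2/authorize URL with a fresh state and nonce, checks the state on the redirect back, and exchanges the code at the token endpoint so that the code and the client secret stay off the browser client. The hostnames and endpoints are those in the question; `client_id`, `client_secret` and the injectable `opener` parameter are assumptions for illustration.

```python
import base64
import json
import secrets
import urllib.request
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoints taken from the question; client id and secret are placeholders.
AUTHORIZE_URL = "https://my.site:9444/oauth2/authorize"
TOKEN_URL = "https://my.site:8243/token"
REDIRECT_URI = "https://my.site:9443/store/jagg/jaggery_oidc_acs.jag"


def build_authorize_url(client_id, scope="openid profile email phone address"):
    """Return (url, state, nonce); store state and nonce in the user's session."""
    state, nonce = secrets.token_hex(16), secrets.token_hex(16)
    params = {"response_type": "code", "client_id": client_id, "scope": scope,
              "redirect_uri": REDIRECT_URI, "state": state, "nonce": nonce}
    return f"{AUTHORIZE_URL}?{urlencode(params)}", state, nonce


def parse_callback(callback_url, expected_state):
    """Pull the code out of the redirect to REDIRECT_URI; refuse a state mismatch."""
    qs = parse_qs(urlparse(callback_url).query)
    if qs.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: reject the callback (CSRF / stale login)")
    if "error" in qs:
        raise ValueError("authorization failed: " + qs["error"][0])
    return qs["code"][0]


def token_request(code, client_id, client_secret):
    """Build the POST for the code-for-token exchange; the secret never leaves the server."""
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": "authorization_code", "code": code,
                      "redirect_uri": REDIRECT_URI}).encode()
    return TOKEN_URL, headers, body


def exchange_code(code, client_id, client_secret, opener=urllib.request.urlopen):
    """POST the code to the token endpoint and return the parsed JSON token set.
    `opener` is injectable (assumed) so the exchange can run without a live server."""
    url, headers, body = token_request(code, client_id, client_secret)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with opener(req) as resp:
        tokens = json.loads(resp.read())
    if "access_token" not in tokens or "id_token" not in tokens:
        raise ValueError("token endpoint returned no access_token/id_token")
    return tokens
```

In a real deployment the callback handler keeps `state` and `nonce` in the user's session, and the returned `id_token` must still be signature-checked and its nonce compared before it is trusted.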