0
votes

I have the below use case to be implemented:

A user should be able to log in through an external IdP's authorization_code grant flow into a service provider configured in WSO2 Identity Server -> This requirement has been achieved by adding the external IdP and configuring it as a federated authenticator in the service provider.

Post login, we also want to persist the external IdP's user access_token so that we can invoke the external user-specific APIs. Tried the below approaches:

  1. Tried to publish the external APIs in WSO2 API Manager, but in order to access the external API/resource we need the current user's access token. We can only configure the Client Credentials / Resource Owner Password grant types, which will authorize either an application or a specific user, but our use case is not limited to a specific user.

WSO2 APIM Endpoint Security Configurations

Would like to know how I can achieve my requirement by leveraging WSO2 IS and WSO2 API Manager (only if required).

Any possible solutions around this requirement are highly appreciated. Thanks in advance.

Environment: WSO2 IS -> v5.10.0, WSO2 API Manager -> v3.2.0

1
Where do you want to save the user access token? Is it expected to be kept under the user space? And from where do you invoke the APIs published in APIM? - anuu_online

@anuu_online Initially I planned to do it as one of the claims in the WSO2-generated access token, but that would have a security issue, right? So I'm looking at what the possible options could be. Currently the APIs are not published in APIM. - Abhishek Kandi

I am not clear on the complete workflow. Is your application a browser SPA or a native app / web service? If the APIs are exposed via APIM, then you must use a corresponding key manager to validate the access token. For example, if the access token is generated by IS, then use the IS key manager. What is the external IdP you are using? If it is Okta, APIM provides a key manager out of the box. - anuu_online

@anuu_online Our application is a browser SPA (ASP.NET MVC) which has been added as a service provider. We have integrations with ADP, and so we're providing a login-with-ADP (external IdP) option. Currently we're migrating to WSO2 IS from ASP.NET Identity Server. Earlier we used to persist both tokens (the ASP.NET IdP and ADP access tokens) so that the respective ADP APIs could be invoked with the ADP access token. If required, I was planning to publish the ADP APIs in API Manager, which could be invoked with the IS token and which could internally obtain the current user's ADP access token and invoke the ADP APIs. - Abhishek Kandi

1 Answer

1
votes

This access token obtained by WSO2 IS on behalf of the user is persisted to the AuthenticationContext in the OIDC outbound connector: https://github.com/wso2-extensions/identity-outbound-auth-oidc/blob/master/components/org.wso2.carbon.identity.application.authenticator.oidc/src/main/java/org/wso2/carbon/identity/application/authenticator/oidc/OpenIDConnectAuthenticator.java#L486. After federated authentication is successful, a SESSION_CREATE event will be published by Identity Server. So you can write an event handler and listen to this SESSION_CREATE event. Then you can get the access token from the authentication context in your EventHandler.

Docs on Event Handlers

https://is.docs.wso2.com/en/5.12.0/develop/writing-a-custom-event-handler/ https://medium.com/@isurakarunaratne/wso2-identity-server-eventing-framework-32505bcc1600

Refer to this implementation for writing a custom event handler that listens to the SESSION_CREATE event: https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/bindings/handlers/TokenBindingExpiryEventHandler.java#L65
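The handler shape the answer describes, written out as an added example (this is not code from the answerer, WSO2, or the linked repositories). It subscribes to SESSION_CREATE, pulls the AuthenticationContext from the event properties the same way TokenBindingExpiryEventHandler does, reads the token the OIDC outbound authenticator stored there, and hands it to a server-side store keyed by the IS session rather than embedding it as a claim in the IS-issued token (the concern raised in the comments). Assumptions are marked: the package name and the `FederatedTokenStore` interface are hypothetical, and the context property name `"access_token"` is assumed to match `OIDCAuthenticatorConstants.ACCESS_TOKEN` in the linked OpenIDConnectAuthenticator, so check it against the version you deploy. Registration (OSGi service export plus the `[[event_handler]]` subscription entry in deployment.toml) follows the event handler docs linked above.

```java
package com.example.wso2.handler; // hypothetical package name (assumption)

import java.util.Map;

import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.wso2.carbon.identity.application.authentication.framework.context.AuthenticationContext;
import org.wso2.carbon.identity.application.authentication.framework.model.AuthenticatedUser;
import org.wso2.carbon.identity.event.IdentityEventConstants;
import org.wso2.carbon.identity.event.IdentityEventException;
import org.wso2.carbon.identity.event.event.Event;
import org.wso2.carbon.identity.event.handler.AbstractEventHandler;

/**
 * Captures the external IdP access token that the OIDC outbound authenticator
 * placed in the AuthenticationContext, at the moment IS publishes SESSION_CREATE.
 */
public class FederatedTokenCaptureHandler extends AbstractEventHandler {

    private static final Log log = LogFactory.getLog(FederatedTokenCaptureHandler.class);

    // Property key the OIDC outbound authenticator uses for the IdP token in the context.
    // Assumption: equals OIDCAuthenticatorConstants.ACCESS_TOKEN ("access_token"); verify per version.
    private static final String OIDC_ACCESS_TOKEN_PROPERTY = "access_token";

    /** Hypothetical server-side store (assumption); back it with an encrypted table or secret store. */
    public interface FederatedTokenStore {
        void save(String tenantDomain, String sessionId, String subjectIdentifier, String idpAccessToken);
    }

    private final FederatedTokenStore tokenStore;

    public FederatedTokenCaptureHandler(FederatedTokenStore tokenStore) {
        this.tokenStore = tokenStore;
    }

    @Override
    public String getName() {
        return "federatedTokenCaptureHandler"; // must match the name in the deployment.toml subscription
    }

    @Override
    public void handleEvent(Event event) throws IdentityEventException {
        // Only act on session creation; the framework may deliver other subscribed events here.
        if (!IdentityEventConstants.Event.SESSION_CREATE.equals(event.getEventName())) {
            return;
        }

        Map<String, Object> props = event.getEventProperties();
        Object ctxObj = props.get(IdentityEventConstants.EventProperty.CONTEXT);
        if (!(ctxObj instanceof AuthenticationContext)) {
            log.debug("SESSION_CREATE without an AuthenticationContext; nothing to capture.");
            return;
        }
        AuthenticationContext context = (AuthenticationContext) ctxObj;

        // Local (non-federated) logins never set this property, so treat absence as normal.
        Object token = context.getProperty(OIDC_ACCESS_TOKEN_PROPERTY);
        if (!(token instanceof String) || ((String) token).isEmpty()) {
            return;
        }

        AuthenticatedUser subject = context.getSubject();
        String subjectId = subject != null ? subject.getAuthenticatedSubjectIdentifier() : null;
        if (subjectId == null) {
            throw new IdentityEventException("SESSION_CREATE with federated token but no authenticated subject");
        }

        // Persist server-side, keyed by the IS session, so the token is never exposed in
        // the IS-issued token or in logs; look it up by session id when calling the IdP's APIs.
        tokenStore.save(context.getTenantDomain(), context.getSessionIdentifier(), subjectId, (String) token);

        if (log.isDebugEnabled()) {
            // Log the fact, never the token value.
            log.debug("Stored federated access token for subject " + subjectId
                    + " in session " + context.getSessionIdentifier());
        }
    }
}
```

The store lookup side (for example, the backend that calls the external IdP's APIs on the user's behalf) then resolves the token from the IS session id or subject identifier rather than from anything the browser holds, which keeps the external token out of the SPA entirely.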