Saturday, May 7, 2016

JWT Grant type for Native mobile application Authentication and Authorization with WSO2 Identity Server and WSO2 API manager

Background

At the beginning you might start with WSO2 Identity Server using the SAML2 protocol for authentication, authorization and Single Sign-On in a web application context. Once WSO2 API Manager comes into the picture, you need to invoke secured APIs without re-authenticating, since you have already authenticated with SAML2 and hold a SAML assertion. To solve this problem you can use the SAML2 Bearer grant type [1].

After some time, with the rapid adoption of mobile applications, you might have to implement your web application's functionality as a native mobile application. For native mobile applications, manipulating XML-based SAML requests and responses is not very efficient, since mobile devices have limited processing power. To address this new requirement, the JWT grant type is an ideal solution. A JWT represents a set of claims as a JSON object that is encoded in a JWS and/or JWE structure.

Solution in a nutshell

The mobile application obtains a JWT (ID token) generated by WSO2 Identity Server through the password grant type, then exchanges that JWT for an access token at WSO2 API Manager.

The above solution applies to WSO2 Identity Server 5.0.0 or higher and WSO2 API Manager 1.10.0.

WSO2 Identity Server Configuration



2. Use this cURL command to obtain an ID token from the password grant type

curl -v -X POST --basic -u 4ukcHRoYnNmWDO15tLDfvcoz7BIa:FEUMUvhe0iTCpOMa8wyMKYqWBCYa -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=admin&password=admin&scope=openid" https://localhost:9444/oauth2/token

Response

{"scope":"openid","token_type":"Bearer","expires_in":3600,"refresh_token":"59542c6864fcf4505a09981607f9d7d2","id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjI2MTM4NDEsImV4cCI6MTQ2MjYxNzQ0MSwic3ViIjoiYWRtaW4iLCJhenAiOiI0dWtjSFJvWW5ObVdETzE1dExEZnZjb3o3QklhIiwiYXRfaGFzaCI6Ikd4UFltYV94SkhoSTVhZHBnZWJNTXciLCJhdWQiOlsiNHVrY0hSb1luTm1XRE8xNXRMRGZ2Y296N0JJYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDRcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjI2MTM4NDF9.J3cgYKWKfCpxZKZD4uMUfSFl4Sd_Lo1qnSSlqnTYcynPs9bo5M3ErCmhObUuWleFr5Bnyg8cyeu8BokNr9vNqc_AnBG2KIPaWAA-BeRXl8ggxoWROP9U4Bs5aTsL2r1Z-Lf27cKTaLf4F6odincX8evnlL5fsqcYCws2T2DuU5E","access_token":"edc6193573e1a30318626c5161962808"}

Signed JWT

Format (compact serialization, dot-separated): <header>.<body>.<signature>

eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjI2MTM4NDEsImV4cCI6MTQ2MjYxNzQ0MSwic3ViIjoiYWRtaW4iLCJhenAiOiI0dWtjSFJvWW5ObVdETzE1dExEZnZjb3o3QklhIiwiYXRfaGFzaCI6Ikd4UFltYV94SkhoSTVhZHBnZWJNTXciLCJhdWQiOlsiNHVrY0hSb1luTm1XRE8xNXRMRGZ2Y296N0JJYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDRcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjI2MTM4NDF9.J3cgYKWKfCpxZKZD4uMUfSFl4Sd_Lo1qnSSlqnTYcynPs9bo5M3ErCmhObUuWleFr5Bnyg8cyeu8BokNr9vNqc_AnBG2KIPaWAA-BeRXl8ggxoWROP9U4Bs5aTsL2r1Z-Lf27cKTaLf4F6odincX8evnlL5fsqcYCws2T2DuU5E

Base64url decode of <header> and <body>

{"alg":"RS256"}
{"auth_time":1462613841,"exp":1462617441,"sub":"admin","azp":"4ukcHRoYnNmWDO15tLDfvcoz7BIa","at_hash":"GxPYma_xJHhI5adpgebMMw","aud":["4ukcHRoYnNmWDO15tLDfvcoz7BIa"],"iss":"https:\/\/localhost:9444\/oauth2\/token","iat":1462613841}

Note: If you don't see the "sub" attribute, set the subject claim URI in the service provider's claim configuration.



WSO2 API manager Configuration

  1. Install the JWT grant type as a connector to API Manager according to the instructions provided in [2].
Important: When you register the Identity Provider in API Manager, the Identity Provider name must be equal to the value of the issuer (iss) claim and the Identity Provider alias must be equal to the audience (aud) value.

In this Sample

Identity provider name: https://localhost:9444/oauth2/token
Alias: 4ukcHRoYnNmWDO15tLDfvcoz7BIa

  2. After installing the JWT grant type for WSO2 API Manager, publish and subscribe to an API to get an OAuth application.


  3. Now you can use this cURL command to get an access token from the JWT grant type. The assertion is the signed JWT obtained from Identity Server.

curl -i -X POST -u FIUK0c8VVJRIh_k3j3YPfXN6QnYa:VZXv9rCbZy89HHIkdC8Wb1SEQesa -k -d 'grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0NjI2MTM4NDEsImV4cCI6MTQ2MjYxOTI5Niwic3ViIjoiYWRtaW4iLCJhenAiOiI0dWtjSFJvWW5ObVdETzE1dExEZnZjb3o3QklhIiwiYXRfaGFzaCI6Ikd4UFltYV94SkhoSTVhZHBnZWJNTXciLCJhdWQiOlsiNHVrY0hSb1luTm1XRE8xNXRMRGZ2Y296N0JJYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDRcL29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjI2MTU2OTZ9.O3A7o_8BX7rURBMI_2b62RMUs1x7gyOBKn5tW981AJrFMRPdtx9q4lnKkAFUEIr21H59GJv_3TOF-FfqNCIqdFPB97cmPN4wZsJwOumybv56tNil-fMNFGwcsMoaNxeP3Z4BahcQQ5g8WxzH0oPQZ5O-aNWx-62qNYblsENBiWw' -H 'Content-Type: application/x-www-form-urlencoded' https://localhost:9443/oauth2/token

Response

{"scope":"default","token_type":"Bearer","expires_in":3600,"refresh_token":"0ebd12b29b11e00555f68133f5bb1f48","access_token":"518bcb2fa8d83097622b89133066148b"}
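As an added example (not code from the post or from WSO2), the following Python decodes the ID token shown above and checks, before it is sent, the two mappings the Important note requires: iss must equal the registered Identity Provider name and aud must contain the alias, plus the sub and exp claims. It then builds the form body for the jwt-bearer request. The token and the Identity Provider name/alias are the values from this post; the helper names are this example's own.

```python
import base64
import json
from urllib.parse import urlencode

# ID token issued by the Identity Server in the post (copied verbatim). This example does not
# verify the RS256 signature; API Manager does that against the Identity Provider's certificate.
ID_TOKEN = (
    "eyJhbGciOiJSUzI1NiJ9."
    "eyJhdXRoX3RpbWUiOjE0NjI2MTM4NDEsImV4cCI6MTQ2MjYxNzQ0MSwic3ViIjoiYWRtaW4iLCJhenAiOiI0dWtj"
    "SFJvWW5ObVdETzE1dExEZnZjb3o3QklhIiwiYXRfaGFzaCI6Ikd4UFltYV94SkhoSTVhZHBnZWJNTXciLCJhdWQi"
    "OlsiNHVrY0hSb1luTm1XRE8xNXRMRGZ2Y296N0JJYSJdLCJpc3MiOiJodHRwczpcL1wvbG9jYWxob3N0Ojk0NDRc"
    "L29hdXRoMlwvdG9rZW4iLCJpYXQiOjE0NjI2MTM4NDF9."
    "J3cgYKWKfCpxZKZD4uMUfSFl4Sd_Lo1qnSSlqnTYcynPs9bo5M3ErCmhObUuWleFr5Bnyg8cyeu8BokNr9vNqc_"
    "AnBG2KIPaWAA-BeRXl8ggxoWROP9U4Bs5aTsL2r1Z-Lf27cKTaLf4F6odincX8evnlL5fsqcYCws2T2DuU5E"
)

# Identity Provider as registered in API Manager in this sample (name = iss, alias = aud).
IDP_NAME = "https://localhost:9444/oauth2/token"
IDP_ALIAS = "4ukcHRoYnNmWDO15tLDfvcoz7BIa"
JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"

def b64url_decode(segment):
    """Decode one base64url segment; JWTs strip the '=' padding, so restore it first."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_jwt(token):
    """Split the compact serialization <header>.<payload>.<signature> into its parts."""
    header, payload, signature = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload)), signature

def assertion_problems(claims, idp_name, idp_alias, now):
    """Reasons API Manager would reject this assertion under the post's IdP mapping rules."""
    problems = []
    if claims.get("iss") != idp_name:
        problems.append("iss does not equal the identity provider name")
    aud = claims.get("aud", [])
    if idp_alias not in ([aud] if isinstance(aud, str) else aud):
        problems.append("identity provider alias is not in aud")
    if "sub" not in claims:
        problems.append("no sub claim: set the subject claim URI on the service provider")
    if now >= claims.get("exp", 0):
        problems.append("assertion has expired")
    return problems

def jwt_bearer_body(token):
    """Form body of the token request sent to https://localhost:9443/oauth2/token."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": token})

if __name__ == "__main__":
    print(assertion_problems(decode_jwt(ID_TOKEN)[1], IDP_NAME, IDP_ALIAS, 1462613841) or "assertion accepted")
```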


[1] https://docs.wso2.com/display/AM1100/Exchanging+SAML2+Bearer+Tokens+with+OAuth2+-+SAML+Extension+Grant+Type

[2] https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type



1 comment:

  1. You mention mobile application but your curls include both client key and client secret. We probably can't deliver mobile applications with both of those. Is there a way to achieve what you said without having to use your "secret" on the mobile application?
