Wednesday, May 6, 2015

Use OpenID Connect with OAuth 2.0 in WSO2 API Manager to retrieve user information

When calling an API, we first request an OAuth access token and then send it with each API call.

The reason for introducing OpenID Connect on top of OAuth 2.0 is that the OAuth 2.0 token request does not return any information about the user for whom the access token was issued. OAuth 2.0 is only an authorization mechanism: the access token is an opaque string, and the client cannot derive anything about the user from it.
So, to get information about the user, we request the token with the openid scope.

In that case we pass scope=openid with the token request. The API Manager then returns an id_token, a JWT carrying claims about the authenticated user (subject, issuer, audience, issue and expiry times), alongside the access token and refresh token. So we have the required user information as soon as the token is issued and can use it in later steps if we need to do anything user-specific. The id_token is meant for the client to consume; the access token is still what is sent to the API.
Issue the following command to request an OAuth token with the openid scope. The Basic credential is the application's client_id:client_secret pair, base64-encoded (the value below is the sample from this post, with Content-Type sent as its own header):

Request
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://apiw.test.com/token

Response

{"scope":"openid","token_type":"Bearer","expires_in":3600,
"refresh_token":"65af3dbea3294b1524832d3869361e3e",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA",
"access_token":"1c0c92c4e98e4371c91463ee3f2284c"}

This response contains the id_token JWT as well. Then, using the access token (not the id_token), we can invoke the user info endpoint as follows. Note the two hosts: the token request goes through the API gateway, while /oauth2/userinfo is served by the key manager's OAuth endpoints (the Carbon server on port 9443 in a default setup) and is not exposed on the gateway port.
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" "https://km.test.com/oauth2/userinfo?schema=openid"

HTTP/1.1 200 OK
{"email":"sanjeewa@wso2.com","family_name":"malalgoda"}

As you can see, we get the user's details. This only works when the granted scope in the token response actually contains openid; if the response shows "scope":"default", the userinfo call is rejected with insufficient_scope. Which claims are returned depends on the claims mapped for the service provider and populated in the user's profile.
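The checks a relying party should run on the token response above before trusting the id_token claims, as an added example (this is not code from the original post or from WSO2). It embeds a copy of the sample response from this post and the client_id decoded from the Basic credential in the curl command; the issuer value is the iss claim found in the sample id_token. The RS256 signature is deliberately not verified here because the key manager's public key is not on the page; a real client must verify it against the issuer's signing certificate first. The granted-scope check covers the "scope":"default" case discussed in the comments.

```python
"""Inspect and sanity-check the openid-scoped token response shown above.

Added example for this post, not code from the post or from WSO2. Checks:
granted scope, alg, iss, aud/azp, exp and the at_hash binding to the access
token. The RS256 signature is NOT verified (no public key available offline).
"""
import base64
import hashlib
import hmac
import json
import time

# Constructed copy of the sample token response from the post. CLIENT_ID is
# the client_id half of the Basic credential in the post's curl command.
CLIENT_ID = "3RzDSkDR9fd9s4jcozGl_V8tANIa"
EXPECTED_ISSUER = "https://localhost:9443/oauth2endpoints/token"
SAMPLE_TOKEN_RESPONSE = {
    "scope": "openid",
    "token_type": "Bearer",
    "expires_in": 3600,
    "refresh_token": "65af3dbea3294b1524832d3869361e3e",
    "access_token": "1c0c92c4e98e4371c91463ee3f2284c",
    "id_token": (
        "eyJhbGciOiJSUzI1NiJ9."
        "eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwi"
        "c3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRq"
        "Y296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01X"
        "TTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpj"
        "b3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wv"
        "b2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0."
        "Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlG"
        "DUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSs"
        "Giy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs"
        "34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcD"
        "r7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZp"
        "c-sR07DS7KkHoV6Fp3l0oA"
    ),
}


def openid_granted(token_response):
    """True only if the server actually granted the openid scope. A response
    with "scope":"default" carries no id_token, and /oauth2/userinfo will
    answer insufficient_scope for that access token."""
    return "openid" in token_response.get("scope", "").split()


def b64url_decode(segment):
    """Decode a base64url segment, restoring the '=' padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_unverified(token):
    """Split a compact JWS into (header, claims). The signature is NOT checked."""
    header_b64, payload_b64, _signature_b64 = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))


def spec_at_hash(access_token):
    """at_hash as OpenID Connect Core 1.0 defines it for RS256:
    base64url(left-most 128 bits of SHA-256(access_token)), no padding."""
    digest = hashlib.sha256(access_token.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest[:16]).rstrip(b"=").decode("ascii")


def at_hash_is_plain_base64(at_hash, access_token):
    """What the sample id_token actually carries: at_hash is plain base64 of
    the raw access token, not the SHA-256-derived value the spec defines."""
    try:
        return base64.b64decode(at_hash, validate=True) == access_token.encode("ascii")
    except (ValueError, UnicodeEncodeError):
        return False


def to_seconds(ts):
    """The sample's exp/iat are milliseconds (1430460434014); NumericDate is
    seconds, so normalise before comparing with time.time()."""
    return ts / 1000 if ts > 10**11 else ts


def validate_id_token(token_response, client_id, issuer, now):
    """Return (claims, problems). Empty problems means the claim checks pass;
    signature verification is still required separately."""
    if not openid_granted(token_response):
        return {}, ["openid scope not granted; no id_token to validate"]
    header, claims = decode_jwt_unverified(token_response["id_token"])
    problems = []
    if header.get("alg") != "RS256":
        problems.append("unexpected alg %r" % header.get("alg"))
    if claims.get("iss") != issuer:
        problems.append("iss mismatch")
    aud = claims.get("aud", [])
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("client_id not in aud")
    if claims.get("azp") != client_id:
        problems.append("azp mismatch")
    if now >= to_seconds(claims.get("exp", 0)):
        problems.append("id_token expired")
    if not hmac.compare_digest(claims.get("at_hash", ""), spec_at_hash(token_response["access_token"])):
        problems.append("at_hash does not match access_token (spec computation)")
    return claims, problems


if __name__ == "__main__":
    claims, problems = validate_id_token(SAMPLE_TOKEN_RESPONSE, CLIENT_ID, EXPECTED_ISSUER, now=time.time())
    print(json.dumps(claims, indent=2))
    print("problems:", problems)
```

Run against the sample at its own issue time, the only finding is the at_hash one: the sample's at_hash base64-decodes to the access token itself rather than to the truncated SHA-256 the specification prescribes, and its exp/iat are in milliseconds. A strict OIDC library would reject both, so if you validate these tokens with one, expect to account for that behaviour of this API Manager version rather than loosen the check.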

9 comments:

  1. Hi,
    I use AM 1.8.0.
    I'm trying to do what is written here:

    curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token

    But I keep getting scope: "default"

    like this:

    {
    "scope": "default",
    "token_type": "bearer",
    "expires_in": 2377,
    "refresh_token": "5ed24fcf5dd1ccda497487ee8f51c",
    "access_token": "e585676ad7561b8f50d7e5b5d70b6"
    }

    And the following request with that access_token:

    https://localhost:9443/oauth2/userinfo?schema=openid

    It returns to me:

    {
    "error": "insufficient_scope",
    "error_description": "Access token does not have the openid scope"
    }

    Please tell me what the problem could be.

    Thanx!

    1. Hi Dmytro,

      I am also facing the same issue, but with the WSO2 API Manager 1.9.1 release. How did you fix this issue? Could you please provide the steps?

  2. There was an issue in the Scope issuer class and we fixed it after the API Manager 1.8.0 release.
    The issue was that the scope validation logic was unable to validate the openid scope and set the default scope on the request. That is why you get the scope as default in your response.
    This issue is fixed in API Manager 1.9.0 and you may use that version.

    Thanks,
    sanjeewa.

  3. Thanks for the answer,

    but I understand that AM 1.9.0 has not been released yet.

    I tried 1.9.0-alpha (https://github.com/wso2/product-apim/releases/download/v1.9.0-Alpha/wso2am-1.9.0-SNAPSHOT.zip)

    and I got the same result :(

  4. I think the fix went in after that. I will check this and get back to you.

    Thanks,
    sanjeewa.

  5. Hi Sanjeewa,

    We're using the WSO2 API Manager 1.9.1 release. We're getting the following details / information correctly:

    curl -k -d "grant_type=password&username=john&password=test00" -H "Authorization: Basic UGFwc25sMXM3eTViazlmb3huOW56cFF0Zm9rYTpFc0VFWFBvU1FLZlVuQzNiajlMZ2lVRXdiUXNh" -H "Content-Type: application/x-www-form-urlencoded" https://192.168.0.114:8243/token

    {"scope":"default","token_type":"bearer","expires_in":291,"refresh_token":"99f66b978b67ffb937e037b4693fbb5","access_token":"673388870cdc4aef1abf36446b4d"}

    When I use curl -k -H "Authorization: Bearer 673388870cdc4aef1abf36446b4d" "https://192.168.0.114:8243/oauth2/userinfo?schema=openid"

    404 Status report: Not Found. The requested resource (/oauth2/userinfo?schema=openid) is not available.

    Could you please help me solve this issue? Could you please update your blog with screenshots?

  6. Hello Sanjeewa,

    I was able to implement your suggested steps easily with WSO2 API Manager (APIM). But when I simply execute the command below

    curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" "https://km.test.com/oauth2/userinfo?schema=openid"

    I only see the following details coming back:
    {"email":"sayali@yahoo.com","family_name":"sayali shinde"}

    But I was expecting other details to come with the user schema, like subscriber, applicationid, applicationname, applicationtier etc., because I did configure all these dialects (list of claims) in the SP (Service Provider). Please guide.

  7. I am able to run this project successfully, but I need all my custom claims to appear in the OpenID user schema.

    https://localhost:9443/oauth2/userinfo?schema=openid - For this URL I only see the following information:
    {
    "phone_number":"3123213123",
    "email":"mkyong@test.com",
    "family_name":"Yong",
    "country":"Japan"
    }

  8. Hi,
    All those claims are defined under the same base claim URI.
    Can you please check the claim configurations and the user profile?

    Thanks,
    sanjeewa.
