When we call an API, we first request an OAuth access token, which we then send with each API call.
The reason for introducing OpenID Connect on top of OAuth 2.0 is that the OAuth 2.0 access-token retrieval process does not provide any additional information about the user who is generating the access token. OAuth is only an authorization mechanism, and we cannot derive more information about the user from it.
So, to get more information about the user, we request the access token with the openid scope.
In that case we pass the openid scope with the token request. We then receive a JWT (the ID token) as part of the response from API Manager, which carries user information in addition to the access token and refresh token. So we have all the required user information after the token generation process and can use it in later steps if we need to do anything user-specific.
Issue the following command to request an OpenID Connect based OAuth token.
Request
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://apiw.test.com/token
Response
{"scope":"openid","token_type":"Bearer","expires_in":3600,
"refresh_token":"65af3dbea3294b1524832d3869361e3e",
"id_token":"eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA",
"access_token":"1c0c92c4e98e4371c91463ee3f2284c"}
This response contains the JWT (id_token) as well. We can then invoke the user info API with the access token as follows.
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" https://km.test.com/oauth2/userinfo?schema=openid
HTTP/1.1 200 OK
{"email":"sanjeewa@wso2.com","family_name":"malalgoda"}
As you can see, we get the user's details back.
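As an added example (not part of the original post and not WSO2's code), the following Python script performs the client-side checks a practitioner wants around this flow: it confirms that the /token response actually granted the openid scope and carries an id_token, and it decodes and validates the ID token from the response above (issuer, audience and azp, expiry, and the at_hash binding to the access token) before the access token is sent to /userinfo. The client_id and issuer values are taken from the sample ID token's own claims; the CLOCK_SKEW leeway is an assumption. Signature verification is deliberately left out because it needs the key manager's public key, which the page does not show.

```python
import base64
import hashlib
import json

# Sample values copied from the token response shown above; the client_id is the
# azp/aud value inside that ID token and the issuer is its iss claim.
CLIENT_ID = "3RzDSkDR9fd9s4jcozGl_V8tANIa"
EXPECTED_ISSUER = "https://localhost:9443/oauth2endpoints/token"
ACCESS_TOKEN = "1c0c92c4e98e4371c91463ee3f2284c"
ID_TOKEN = "eyJhbGciOiJSUzI1NiJ9.eyJhdXRoX3RpbWUiOjE0MzA0NTY4MzM5OTgsImV4cCI6MTQzMDQ2MDQzNDAxNCwic3ViIjoiYWRtaW5AY2FyYm9uLnN1cGVyIiwiYXpwIjoiM1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYSIsImF0X2hhc2giOiJNV013WXpreVl6UmxPVGhsTkRNM01XTTVNVFEyTTJWbE0yWXlNamcwWXc9PSIsImF1ZCI6WyIzUnpEU2tEUjlmZDlzNGpjb3pHbF9WOHRBTklhIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyZW5kcG9pbnRzXC90b2tlbiIsImlhdCI6MTQzMDQ1NjgzNDAxNH0.Fc4DO8A22euo04vnBoE87RVBtDQ-73Z2hNZ8_WpeKslkumhEuUVcf6y03D5HZBlGDUi8zC1SUHewg4WEE8HvI6wA59wp8BErK6pY3Zb02pWbJsPh7VBHwky2g5PtvKSsGiy0rd2tuehY-_dAy7LBKNSUOhkmGdLXkSSThuIQxKOHDAJKHCY4I_36B9OH1scs34EG9MKG4vSNdfdcf4mSg0KUD98Jdw_NS-T4pRZK_sCeT-1BBodYEabEVREHxfcDr7BGYugMiiWThVUzd4WIHD83bVwxXP17POzuo6dS_l78pBWZtBBMPKXqhd9VMNZpc-sR07DS7KkHoV6Fp3l0oA"
CLOCK_SKEW = 300  # seconds of leeway for iat (assumption; tune to your deployment)


def check_token_response(body: str) -> list:
    """Problems with a /token response that would make the /userinfo call fail.
    The failure mode reported in the comments, scope coming back as 'default'
    with no id_token, is caught here before any further request is made."""
    resp = json.loads(body)
    problems = []
    scopes = resp.get("scope", "").split()
    if "openid" not in scopes:
        problems.append(f"openid scope not granted (got {resp.get('scope')!r})")
    if "id_token" not in resp:
        problems.append("no id_token in response")
    if resp.get("token_type", "").lower() != "bearer":
        problems.append(f"unexpected token_type {resp.get('token_type')!r}")
    return problems


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def split_jwt(token: str):
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    claims = json.loads(b64url_decode(parts[1]))
    return header, claims, b64url_decode(parts[2])


def expected_at_hash(access_token: str, alg: str) -> str:
    """OpenID Connect Core 3.1.3.6: hash the access token with the digest behind
    alg (SHA-256 for RS256), keep the left-most half, base64url-encode unpadded."""
    digest = hashlib.new("sha" + alg[2:], access_token.encode("ascii")).digest()
    half = digest[: len(digest) // 2]
    return base64.urlsafe_b64encode(half).rstrip(b"=").decode("ascii")


def _to_seconds(value):
    if not isinstance(value, (int, float)):
        return None
    # the sample token carries 13-digit millisecond timestamps; the spec says seconds
    return value / 1000 if value > 10**11 else value


def validate_id_token(token, access_token, client_id, issuer, now):
    """Decode the ID token and return (claims, problems). An empty problems list
    means the claim checks passed. The signature is NOT verified here because
    that needs the key manager's public key."""
    header, claims, _signature = split_jwt(token)
    problems = []
    alg = header.get("alg", "")
    if alg not in ("RS256", "RS384", "RS512"):
        problems.append(f"unexpected alg {alg!r}")
    if claims.get("iss") != issuer:
        problems.append(f"iss mismatch: {claims.get('iss')!r}")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        problems.append("client_id not in aud")
    if len(aud_list) > 1 and "azp" not in claims:
        problems.append("multiple audiences but no azp claim")
    if "azp" in claims and claims["azp"] != client_id:
        problems.append("azp does not match client_id")
    exp = _to_seconds(claims.get("exp"))
    if exp is None or now >= exp:
        problems.append("ID token expired or exp missing")
    iat = _to_seconds(claims.get("iat"))
    if iat is not None and iat > now + CLOCK_SKEW:
        problems.append("iat is in the future")
    if "at_hash" in claims and alg[2:].isdigit():
        if claims["at_hash"] != expected_at_hash(access_token, alg):
            problems.append("at_hash does not match access_token")
    return claims, problems


if __name__ == "__main__":
    sample_response = json.dumps({"scope": "openid", "token_type": "Bearer",
                                  "id_token": ID_TOKEN, "access_token": ACCESS_TOKEN})
    print("token response problems:", check_token_response(sample_response))
    # 1430456900 is a moment inside the sample token's one-hour validity window
    claims, problems = validate_id_token(ID_TOKEN, ACCESS_TOKEN, CLIENT_ID,
                                         EXPECTED_ISSUER, now=1430456900)
    print("sub:", claims["sub"], "problems:", problems)
```

Two things the sample token itself shows are worth knowing when you run this. Its exp and iat are 13-digit millisecond values rather than the seconds the spec requires, which the helper normalizes. Its at_hash is the plain base64 of the access-token string (44 characters) rather than the unpadded base64url of the left half of its SHA-256 (22 characters) that OpenID Connect Core specifies, so the spec-conformant check reports an at_hash mismatch for it; a client that relies on at_hash to bind the access token to the ID token should know which form its key manager emits.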
Hi,
I use AM 1.8.0.
I'm trying to do what is written here:
curl -k -d "grant_type=password&username=admin&password=admin&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token
But I keep getting scope: "default"
like this:
{
"scope": "default",
"token_type": "bearer",
"expires_in": 2377,
"refresh_token": "5ed24fcf5dd1ccda497487ee8f51c",
"access_token": "e585676ad7561b8f50d7e5b5d70b6"
}
And the following request with that access_token:
https://localhost:9443/oauth2/userinfo?schema=openid
It returns to me:
{
"error": "insufficient_scope",
"error_description": "Access token does not have the openid scope"
}
Please tell me what could be the problem.
Thanks!
Hi Dmytro,
I am also facing the same issue, but with the WSO2 API Manager 1.9.1 release. How did you fix this issue? Could you please provide the steps?
There was an issue in the Scope issuer class, and we fixed it after the API Manager 1.8.0 release.
The issue was that the scope validation logic was unable to validate the openid scope and set the default scope on the request. That is why you get scope "default" in your response.
This issue is fixed in API Manager 1.9.0, and you may use that version.
Thanks,
sanjeewa.
Thanks for the answer,
but I understand that AM 1.9.0 has not yet been released.
I tried 1.9.0-alpha (https://github.com/wso2/product-apim/releases/download/v1.9.0-Alpha/wso2am-1.9.0-SNAPSHOT.zip)
and I got the same result :(
I think the fix went in after that. I will check this and get back to you.
Thanks,
sanjeewa.
Hi Sanjeewa,
We're using the WSO2 API Manager 1.9.1 release. We're getting the following details/information correctly:
curl -k -d "grant_type=password&username=john&password=test00" -H "Authorization: Basic UGFwc25sMXM3eTViazlmb3huOW56cFF0Zm9rYTpFc0VFWFBvU1FLZlVuQzNiajlMZ2lVRXdiUXNh" -H "Content-Type: application/x-www-form-urlencoded" https://192.168.0.114:8243/token
{"scope":"default","token_type":"bearer","expires_in":291,"refresh_token":"99f66b978b67ffb937e037b4693fbb5","access_token":"673388870cdc4aef1abf36446b4d"}
When I used curl -k -H "Authorization: Bearer 673388870cdc4aef1abf36446b4d" https://192.168.0.114:8243/oauth2/userinfo?schema=openid
I got:
404 Status report: Not Found. The requested resource (/oauth2/userinfo?schema=openid) is not available.
Could you please help me with how to solve this issue? Could you please update your blog with screenshots?
Hello Sanjeewa,
I was able to implement your suggested steps easily with WSO2 API Manager (APIM). But when I simply execute the command below
curl -k -v -H "Authorization: Bearer 1c0c92c4e98e4371c91463ee3f2284c" https://km.test.com/oauth2/userinfo?schema=openid
I only see the following details coming back:
{"email":"sayali@yahoo.com","family_name":"sayali shinde"}
But I was expecting other details to come with the user schema, like subscriber, applicationid, applicationname, applicationtier, etc., because I did configure all these dialects (list of claims) in the SP (Service Provider). Please guide.
I am able to run this project successfully, but I need all my custom claims to appear in the OpenID user schema.
https://localhost:9443/oauth2/userinfo?schema=openid - For this URL I only see the following information:
{
"phone_number":"3123213123",
"email":"mkyong@test.com",
"family_name":"Yong",
"country":"Japan"
}
Hi,
All those claims are defined under the same base claim URI.
Can you please check the claim configurations and the user profile?
Thanks,
sanjeewa.