Wednesday, February 15, 2017

How to get all the default claims when using JWT - WSO2 API Manager

There are situations where we need to pass the end user's attributes to the backend services when using WSO2 API Manager. We can use JSON Web Tokens (JWT) for that.

You can find the documentation for this on the WSO2 documentation site [1].

Here I am going to discuss how we can get all the default claims into the JWT token, since just enabling the EnableJWTGeneration configuration will not give you all the claims.

If you just enable the above, the configuration will look as follows.

   <JWTConfiguration>
     <!-- Enable/Disable JWT generation. Default is false. -->
     <EnableJWTGeneration>true</EnableJWTGeneration>
     <!-- Name of the security context header to be added to the validated requests. -->
     <JWTHeader>X-JWT-Assertion</JWTHeader>
     <!-- Fully qualified name of the class that will retrieve additional user claims
        to be appended to the JWT. If not specified no claims will be appended. If the user wants to add all user claims in the
        JWT token, this parameter needs to be enabled.
        The DefaultClaimsRetriever class adds user claims from the default carbon user store. -->
     <!--ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass-->
     <!-- The dialectURI under which the claimURIs that need to be appended to the
        JWT are defined. Not used with custom ClaimsRetriever implementations. The
        same value is used in the keys for appending the default properties to the
        JWT. -->
     <!--ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI-->
     <!-- Signature algorithm. Accepts "SHA256withRSA" or "NONE". To disable signing explicitly specify "NONE". -->
     <!--SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm-->
     <!-- This parameter specifies which implementation should be used for generating the Token. JWTGenerator is the
         default implementation provided. -->
     <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
     <!-- This parameter specifies which implementation should be used for generating the Token. For URL safe JWT
        Token generation the implementation is provided in URLSafeJWTGenerator -->
     <!--<JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.URLSafeJWTGenerator</JWTGeneratorImpl>-->
     <!-- Remove UserName from JWT Token -->
     <!-- <RemoveUserNameFromJWTForApplicationToken>true</RemoveUserNameFromJWTForApplicationToken>-->
   </JWTConfiguration>


Then, by enabling wire logs [2], we can see the encoded JWT token as below when an API is invoked.


When we decode it, it will look as follows.



You can notice that it is not showing the role claim. If you need all the default claims passed in this JWT token, you need to enable the following two configurations in api-manager.xml:



   <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
   <ConsumerDialectURI>http://wso2.org/claims</ConsumerDialectURI>

Once you enable them and restart the server, you will get all the default claims in the token, as below.
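To confirm the change took effect without reading the wire log by eye, the X-JWT-Assertion value can be decoded and checked for the claim URIs under the ConsumerDialectURI. The following is an added example, not code from the post or from WSO2; the two sample payloads are constructed to mimic the "before" and "after" tokens, and the helper only decodes the token (it does not verify the SHA256withRSA signature, so it is an inspection aid, not something a backend should base trust on).

```python
from __future__ import annotations

import base64
import json

# Dialect under which WSO2 API Manager appends user claims (ConsumerDialectURI).
WSO2_DIALECT = "http://wso2.org/claims"


def b64url_decode(segment: str) -> bytes:
    """Base64url-decode one JWT segment, restoring the padding JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def decode_jwt(token: str):
    """Split a compact JWT (header.payload.signature) into header and payload dicts.

    Decodes only; the signature is NOT verified here.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def missing_user_claims(payload: dict, expected: list, dialect: str = WSO2_DIALECT) -> list:
    """Return the claim URIs <dialect>/<name> that are absent from the payload."""
    return [f"{dialect}/{n}" for n in expected if f"{dialect}/{n}" not in payload]


def build_unsigned_jwt(payload: dict) -> str:
    """Construct a sample token with alg NONE and an empty signature (test data only)."""
    enc = lambda obj: base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return f'{enc({"typ": "JWT", "alg": "NONE"})}.{enc(payload)}.'


# Constructed sample payloads (not real tokens): before and after enabling
# ClaimsRetrieverImplClass and ConsumerDialectURI. Claim values are made up.
BEFORE = build_unsigned_jwt({"iss": "wso2.org/products/am",
                             f"{WSO2_DIALECT}/enduser": "admin@carbon.super"})
AFTER = build_unsigned_jwt({"iss": "wso2.org/products/am",
                            f"{WSO2_DIALECT}/enduser": "admin@carbon.super",
                            f"{WSO2_DIALECT}/role": "Internal/everyone,admin"})

if __name__ == "__main__":
    for label, token in (("before", BEFORE), ("after", AFTER)):
        _, claims = decode_jwt(token)
        print(label, "missing:", missing_user_claims(claims, ["role"]))
```

Paste the real header value from the wire log in place of the constructed tokens; an empty result for the claims you expect means the retriever and dialect settings are active.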



[1] https://docs.wso2.com/display/AM210/Passing+Enduser+Attributes+to+the+Backend+Using+JWT

[2] http://mytecheye.blogspot.com/2013/09/wso2-esb-all-about-wire-logs.html