Reputation: 69
I am using the IS_BASE_URL/oauth2/token endpoint to get a JWT token, but it returns only an access token. Is there any workaround to get a JWT token for grant_type client_credentials and to set a configurable expiry time for the JWT token based on the client and secret key credentials (on a per service provider basis)?
Upvotes: 1
Views: 973
Reputation: 414
In later IS versions (IS-5.4.0 onwards) we have a configuration in the identity.xml file as below.
<SupportedGrantType>
    <GrantTypeName>client_credentials</GrantTypeName>
    <GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.token.handlers.grant.ClientCredentialsGrantHandler</GrantTypeHandlerImplClass>
    <IsRefreshTokenAllowed>false</IsRefreshTokenAllowed>
    <IdTokenAllowed>false</IdTokenAllowed>
</SupportedGrantType>
Here you have to set IdTokenAllowed to true. Then you will get an ID token along with the access token for the client_credentials grant type.
At the moment we don't have a way to configure the ID token or JWT token expiry time per application; only a global configuration is available. You could set the ID token expiry time globally in the identity.xml file inside the IDTokenExpiration tag (identity.xml contains the IDTokenExpiration tag by default).
<IDTokenExpiration>3600</IDTokenExpiration>
Update: From the latest Identity Server (IS-5.6.0) onwards you can configure the ID token expiry time per application. You can refer to https://docs.wso2.com/display/IS560/Configuring+OAuth2-OpenID+Connect+Single-Sign-On for more information.
Upvotes: 3
Reputation: 4001
You need to provide the scope as openid.
A sample curl request is as follows.
curl -k -d "grant_type=client_credentials&scope=openid" -H "Authorization: Basic ZjdJbk9mQ2dxRUZyckVna1hQa2dFU1BwUDk0YTpJZkhSZ0dsOHVzOXI4TlkybkxPN0tiQXQxQTRh" TOKEN_ENDPOINT
Upvotes: 0
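One way to confirm that the settings discussed in the answers above took effect, as an added example that is not part of either answer or of WSO2's code: it reads a token endpoint response, reports when id_token is absent (IdTokenAllowed still false, or scope=openid not sent), and returns exp - iat for comparison with IDTokenExpiration. The function names, sample responses and claim values are constructed for illustration, and the token signature is not verified here.

```python
import base64
import json


def b64url_decode(segment: str) -> bytes:
    # JWT segments are base64url without padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def id_token_lifetime(token_response: str) -> int:
    """Return exp - iat (seconds) of the id_token in a token endpoint response.

    Inspection only: the signature is NOT verified, so do not trust the claims.
    """
    body = json.loads(token_response)
    id_token = body.get("id_token")
    if id_token is None:
        # Seen when IdTokenAllowed is false or scope=openid was not requested.
        raise ValueError("response has no id_token, only: " + ", ".join(sorted(body)))
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("id_token is not a three-part compact JWT")
    claims = json.loads(b64url_decode(parts[1]))
    return int(claims["exp"]) - int(claims["iat"])


def _make_sample_jwt(claims: dict) -> str:
    # Constructed sample with a dummy signature so the example runs offline.
    def enc(obj: dict) -> str:
        raw = json.dumps(obj).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return ".".join([enc({"alg": "RS256", "typ": "JWT"}), enc(claims), "c2lnbmF0dXJl"])


# Constructed responses (not real server output); all values are placeholders.
SAMPLE_WITH_ID_TOKEN = json.dumps({
    "access_token": "constructed-access-token", "token_type": "Bearer",
    "expires_in": 3600, "scope": "openid",
    "id_token": _make_sample_jwt({"aud": "constructed-client-id",
                                  "iat": 1700000000, "exp": 1700003600}),
})
SAMPLE_WITHOUT_ID_TOKEN = json.dumps({
    "access_token": "constructed-access-token", "token_type": "Bearer",
    "expires_in": 3600,
})

if __name__ == "__main__":
    print("id_token lifetime:", id_token_lifetime(SAMPLE_WITH_ID_TOKEN), "seconds")
    try:
        id_token_lifetime(SAMPLE_WITHOUT_ID_TOKEN)
    except ValueError as err:
        print("check failed:", err)
```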