David Maedche

Reputation: 11

Wso2 apim 3.2 with Wso2 km 5.10

I have a wso2 apim 3.2 set up with wso2km 5.10. I have configured the Apim to pass Enduser attributes to the backend but cannot get the role claim returned. apim and the km manager are on separate machines. I seem to get just the standard claims returned. I have enabled the required sections of the deployment.toml and I'm not seeing what I have wrong; any help would be appreciated.

    [apim.jwt]
    enable = true
    claim_dialect = "http://wso2.org/claims"
    claims_extractor_impl = "org.wso2.carbon.apimgt.impl.token.ExtendedDefaultClaimsRetriever"

Here is what is returned.

    {
      "http://wso2.org/claims/apiname": "xxxxxxxx",
      "http://wso2.org/claims/applicationtier": "Unlimited",
      "http://wso2.org/claims/version": "1.0.0",
      "http://wso2.org/claims/keytype": "PRODUCTION",
      "iss": "wso2.org/products/am",
      "http://wso2.org/claims/applicationname": "xxxxxx",
      "http://wso2.org/claims/enduser": "xxxxxx",
      "http://wso2.org/claims/enduserTenantId": "-1234",
      "http://wso2.org/claims/applicationUUId": "348d1ff9-06f5-4f3f-aa94-83f32f4a1f2a",
      "http://wso2.org/claims/subscriber": "xxxxxxx",
      "azp": "NjYtixQB4VbFLeunCrj1U1ZYcfga",
      "http://wso2.org/claims/tier": "Unlimited",
      "scope": "openid",
      "exp": 1601500346,
      "http://wso2.org/claims/applicationid": "8",
      "http://wso2.org/claims/usertype": "Application_User",
      "http://wso2.org/claims/apicontext": "/xxxxxxxxxxx"
    }

    {
      "sub": "[email protected]",
      "aud": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
      "nbf": 1602022037,
      "azp": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
      "scope": "am_application_scope default",
      "iss": "https://xxxxxxxxxxxxxxxx",
      "exp": 1602025637,
      "iat": 1602022037,
      "jti": "7845227d-6800-4ff2-9982-3d338e45abb6"
    }

Upvotes: 0

Views: 285

Answers (1)

ruks

Reputation: 376

There are two ways to include user claims in the backend JWT:

  1. Implement a custom token generator
  2. Add the required claims to the JWT access token

Adding required claims to the JWT access token

APIM 3.2.0 supports only JWT access tokens for the new applications it registers. To include any user claims in the backend JWT, the required claims should be in the JWT access token, since the GW is responsible for generating the backend JWT.

To include user claims in the JWT access token, follow the steps below.

  1. Identify the service provider for the application from the management console
  2. Edit the service provider and configure requested claims under the Claim Configuration menu
  3. Generate an access token with openid scope
    curl -k -X POST https://localhost:8243/token \
      -d "grant_type=client_credentials&scope=openid" \
      -H "Authorization: Basic VEJEMXJZazZpSWVlaTlnVzRNTENBYXNEQW9JYTpkRnJ0bVJjaklqUUtkSVVYeVY4aWxlZjBQNWdh"
  4. An access token will be issued with the requested claims
    {
      "sub": "[email protected]",
      "aud": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
      "nbf": 1602047260,
      "azp": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
      "scope": "am_application_scope openid",
      "iss": "https://localhost:9443/oauth2/token",
      "groups": [
        "Internal/subscriber",
        "Internal/creator",
        "Application/apim_devportal",
        "Application/admin_sample_PRODUCTION",
        "Internal/publisher",
        "Internal/everyone",
        "Internal/devops",
        "Application/apim_admin_portal",
        "Application/admin_key1_PRODUCTION",
        "admin",
        "Internal/analytics",
        "Application/apim_publisher"
      ],
      "exp": 1602050860,
      "iat": 1602047260,
      "jti": "d74a617e-e976-42f4-8323-c1c2271d046e"
    }
  5. Access an API with the above access token; the backend JWT then contains the required claims.

Upvotes: 2
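The question's two tokens and the answer's access token differ only in which claims they carry, so the quickest way to see where the role claim goes missing is to decode both ends of the flow and compare. The script below is an added example, not code from the answer above or from WSO2: it builds constructed sample JWTs shaped like the ones quoted in this thread (placeholder signature, shortened values, a made-up subject), decodes the payload without verifying the signature, lists the claims under the `http://wso2.org/claims` dialect, and reports whether the role claim was never in the access token or was dropped by the gateway. The `"groups"` claim name comes from the answer; `http://wso2.org/claims/role` is assumed as the dialect form of the same claim.

```python
import base64
import json

# Constructed sample payloads modelled on the tokens quoted in this thread
# (values shortened; the subject is a made-up placeholder).
ACCESS_TOKEN_WITH_GROUPS = {
    "sub": "user@example.com",
    "aud": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
    "azp": "TBD1rYk6iIeei9gW4MLCAasDAoIa",
    "scope": "am_application_scope openid",
    "iss": "https://localhost:9443/oauth2/token",
    "groups": ["Internal/subscriber", "Internal/publisher", "admin"],
    "exp": 1602050860,
    "iat": 1602047260,
}
ACCESS_TOKEN_WITHOUT_GROUPS = {
    "sub": "user@example.com",
    "aud": "eZi3HFaydfnHtlZRZDpzuz6N5pMa",
    "scope": "am_application_scope default",
    "iss": "https://km.example.invalid/oauth2/token",
    "exp": 1602025637,
    "iat": 1602022037,
}
BACKEND_JWT_WITHOUT_ROLES = {
    "iss": "wso2.org/products/am",
    "http://wso2.org/claims/enduser": "user@example.com",
    "http://wso2.org/claims/applicationname": "DefaultApplication",
    "http://wso2.org/claims/tier": "Unlimited",
    "http://wso2.org/claims/usertype": "Application_User",
    "scope": "openid",
    "exp": 1601500346,
}

# Claim names under which the user's roles may travel. "groups" is the one
# shown in the answer; the dialect URI form is an assumption for this example.
ROLE_CLAIMS = ("groups", "http://wso2.org/claims/role")


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_sample_jwt(payload: dict) -> str:
    """Build a compact JWS with a placeholder signature (for inspection only)."""
    header = {"alg": "RS256", "typ": "JWT"}
    return ".".join([
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        "placeholder-signature",
    ])


def decode_payload(token: str) -> dict:
    """Return the claims of a compact JWT without verifying its signature.

    This only shows what the issuer put in the token; a backend that acts on
    the claims must still validate the signature against the gateway's key.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature, got %d segments" % len(parts))
    return json.loads(_b64url_decode(parts[1]))


def user_claims(payload: dict, dialect: str = "http://wso2.org/claims") -> dict:
    """Strip the claim dialect prefix so the WSO2-specific claims are easy to read."""
    prefix = dialect.rstrip("/") + "/"
    return {k[len(prefix):]: v for k, v in payload.items() if k.startswith(prefix)}


def role_claims_present(payload: dict) -> list:
    return [c for c in ROLE_CLAIMS if c in payload]


def diagnose(access_token: str, backend_jwt: str) -> str:
    """Report which side of the flow dropped the role claim."""
    if role_claims_present(decode_payload(backend_jwt)):
        return "ok: backend JWT carries a role claim"
    if not role_claims_present(decode_payload(access_token)):
        return ("access token lacks a role claim: add it to the service provider's "
                "requested claims and re-issue the token with the openid scope")
    return ("access token carries a role claim but the backend JWT does not: "
            "check the [apim.jwt] claim_dialect and claims_extractor_impl settings")


if __name__ == "__main__":
    at_ok = make_sample_jwt(ACCESS_TOKEN_WITH_GROUPS)
    at_bad = make_sample_jwt(ACCESS_TOKEN_WITHOUT_GROUPS)
    bj = make_sample_jwt(BACKEND_JWT_WITHOUT_ROLES)
    print(user_claims(decode_payload(bj)))
    print(diagnose(at_bad, bj))
    print(diagnose(at_ok, bj))
```

To use it against a real deployment, paste the access token returned by the `/token` call and the JWT the gateway forwards to the backend (the `X-JWT-Assertion` header value) into `diagnose`; the first message points at the service provider's claim configuration, the second at the gateway's `[apim.jwt]` settings.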
