A Custom Claim Provider for WSO2 Identity Server for populating ID token JWT claims from a Database
This extension populates OpenID connect ID token with additional claims from a RDBMS. This is useful when claims from none userstore source need to be inserted into the ID token.
Make sure followings are installed properly.
Clone this repository.
git clone https://github.com/ajanthan/wso2-is-custom-claim-provider.git
Go to wso2-is-custom-claim-provider directory and execute maven build command.
mvn clean install
The extension will be available in target directory on successful build. Copy the extension(custom-claim-provider-6.0.53.jar) to WSO2_IS_HOME/repository/components/dropins/.
In this guide we are going to use postgres database. Create a database user_role_db. Use dbscript/schema.sql to create table under the database. Execute dbscript/data.sql to populate with sample data.
Do the basic WSO2 identity server installation as mentioned in prerequisites. Download postgresql java driver and copy to WSO2_IS_HOME/repository/components/lib/.
Modify the host,port and database name in url,username and password in conf/roles-datasources.xml according to the postgres installation and Step 2. Copy the modified conf/roles-datasources.xml to WSO2_IS_HOME/repository/conf/datasources/. Finally restart the WSO2 Identity Server.
Create users alex and john from management console and assign default admin role. Create an OAuth/OpenID Connect service provider and get ClientID and ClientSecret for testing purpose.
Get ID token by invoking following command from a terminal after updating the parameters according to registered user alex and the service provider.
curl -k -d "grant_type=password&username=alex&password=Admin@123" -H "Authorization: Basic base64encode(clientID:ClientSecret)" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:8243/token
Response:
{"access_token":"5afaf543-f54f-3137-bc74-88acae182387","refresh_token":"5799f8c6-2470-3dbc-b3fa-506742aa876b","scope":"openid","id_token":"eyJ4NXQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJraWQiOiJOVEF4Wm1NeE5ETXlaRGczTVRVMVpHTTBNekV6T0RKaFpXSTRORE5sWkRVMU9HRmtOakZpTVEiLCJhbGciOiJSUzI1NiJ9.eyJhdF9oYXNoIjoiV2plRi1qb3d4UVR1ckJhZ3AwTVJyUSIsImF1ZCI6IkZGbFpnV3pwMGZQTUVfMjY5SldqZmZmcWZMa2EiLCJzdWIiOiJhbGV4IiwibmJmIjoxNTU1NTY1ODYxLCJhenAiOiJGRmxaZ1d6cDBmUE1FXzI2OUpXamZmZnFmTGthIiwiYW1yIjpbInBhc3N3b3JkIl0sImlzcyI6Imh0dHBzOlwvXC9sb2NhbGhvc3Q6OTQ0M1wvb2F1dGgyXC90b2tlbiIsInBlcm1pc3Npb24iOnsicmRiX3JvbGUiOnsiYWN0aW9uIjoicmVhZCJ9LCJzcGFya19yb2xlIjp7ImFjdGlvbiI6ImFkbWluLHJlYWQifX0sImV4cCI6MTU1NTU2OTQ2MSwiaWF0IjoxNTU1NTY1ODYxfQ.YoNyWOqr1rWHuBasNla4RAt7gJJbHU1Nv7RHg-XH9pmJ84fpY_7SxK86wpKvfD0z72GXjs9gz72rWVIyckcfvxrTVOeEKYTsr1ChX-LqRarsyRQwwoUy95VqxQae3ZCxkGQoPcF-Ai5YVgplagv_V7RrLKyIzCl4UPZXXoLURANG0DNnIYecg9zPAjxqB4pX6ZVJSlGl5jAdcQ208xUaKr_jg4Y1COhE_jJcqBLpFd-ezHKchbDd-8b-5vCAtX7mohXVlkXs65Y8VP9KGVyWcL7yWrLEojKgh9cclwxA9w25V8A_T1H7UvzfQK5gzNyttMLHoA8xAKUJVzGra7aDCg","token_type":"Bearer","expires_in":3600}
Followings will be the claim section of decoded ID token
{"at_hash": "WjeF-jowxQTurBagp0MRrQ","aud": "FFlZgWzp0fPME_269JWjfffqfLka","sub": "alex","nbf": 1555565861,"azp": "FFlZgWzp0fPME_269JWjfffqfLka","amr": ["password"],"iss": "https://localhost:9443/oauth2/token","permission": {"rdb_role": {"action": "read"},"spark_role": {"action": "admin,read"}},"exp": 1555569461,"iat": 1555565861}
Note that the permission claim is added by the custom claim provider.