
Authorize the Service Provider token using the username and password in WSO2IS?

Hi everyone, I was stuck while authorizing the service provider after its successful creation. Let me explain: I created the service provider using this API set (https://is.docs.wso2.com/en/latest/apis/application-rest-api/#/Applications/createApplication).

I added users to it. Once the service provider is successfully created I get the clientId and secret key. After that I use that clientId and secret key to get the access and refresh token (cool so far); to get the access token and refresh token I use this curl request:

curl -u <client_id>:<secret_id> -k -d "grant_type=password&username=admin@easybazaar.co&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://<ip>/oauth2/token

Once I have the access token I give it to the user (frontend team) to store in his/her session storage. Now when the user wants to access some resources, like the list of activities, he/she also sends that access token in the header of that request as a bearer token, like:

curl -k http://localhost:8080/activities -H "Authorization: Bearer <access-token>"

Now I want to authenticate that access token and check its validity and expiry. I explored the introspection API, which requires a username and password, but the client doesn't provide those in each request.

curl -k -u <USERNAME>@<TENANT_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect

So how can I achieve it? Is there any set of APIs available for this task? Any help will be appreciated.

I am not taking any username and password from the user to call the introspect APIs. Should I put the email in the token while creating the service provider, so that by using this email I can look up the user in my database, fetch the credentials and then hit the introspection APIs?

Seems like this is not there in older versions of IS and was introduced from IS 6.0.0 onwards. Found this migration issue.

If you are unable to migrate to IS 6.0.0, what I could recommend is to create a user with permissions to introspect tokens only (this user will only be used for token introspection) and use that username and password to authenticate the introspect request.

Edit: For IS 6.0.0 you can use the following basic config.

[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
allowed_auth_handlers="BasicClientAuthentication"

Or you can use the advanced configurations as follows.

[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
cross_access_allowed_tenants="carbon.super"
allowed_auth_handlers="BasicClientAuthentication"
permissions=["/permission/admin/manage/identity/applicationmgt/view"]
scopes=["internal_application_mgt_view"]
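As an added example (not code from the original question or answer) of what the resource server behind localhost:8080 can do once the IS 6.0.0 configuration above allows BasicClientAuthentication on the introspect endpoint: authenticate the introspection call with the application's own client_id:client_secret rather than any user's password, and accept the bearer token only if IS reports it active, unexpired and carrying the scope the endpoint needs. The IS URL, client credentials and scope name are assumed placeholders.

```python
import base64
import json
import time
import urllib.parse
import urllib.request
from typing import Optional

# Assumed value, not from the post: the IS introspection endpoint.
IS_INTROSPECT_URL = "https://localhost:9443/oauth2/introspect"


def introspect_request(token: str, client_id: str, client_secret: str,
                       url: str = IS_INTROSPECT_URL) -> urllib.request.Request:
    """Build the introspection call the resource server makes per request.

    Authenticates as the OAuth client (HTTP Basic, client_id:client_secret),
    which is what the BasicClientAuthentication handler permits, so no
    end-user or admin password has to be stored on the resource server.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    body = urllib.parse.urlencode({"token": token}).encode()
    return urllib.request.Request(
        url, data=body, method="POST",
        headers={"Authorization": f"Basic {creds}",
                 "Content-Type": "application/x-www-form-urlencoded"},
    )


def token_is_valid(introspection: dict, required_scope: Optional[str] = None,
                   now: Optional[float] = None) -> bool:
    """Apply the authorization server's verdict to the bearer token.

    Requires active == True, an 'exp' (seconds since epoch) in the future,
    and, when the endpoint needs one, the scope in the space-separated
    'scope' claim. Anything missing or malformed is treated as a rejection.
    """
    now = time.time() if now is None else now
    if introspection.get("active") is not True:
        return False
    exp = introspection.get("exp")
    if exp is None or float(exp) <= now:
        return False
    if required_scope:
        if required_scope not in str(introspection.get("scope", "")).split():
            return False
    return True


def check_bearer(token, client_id, client_secret, required_scope=None):
    """Round trip: send the introspection call to IS and evaluate the JSON."""
    req = introspect_request(token, client_id, client_secret)
    with urllib.request.urlopen(req, timeout=5) as resp:  # network call
        return token_is_valid(json.loads(resp.read()), required_scope)
```

A short-lived cache keyed on the token value keeps the per-request introspection cost down; the cache entry must expire no later than the token's exp.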
