Skip to main content

Getting Started with OAuth 2.0 using WSO2 Identity Server 5.3.0 and Playground2 Sample

This blog post provides step by step instructions for trying out OAuth 2.0 using WSO2 Identity Server. Here I use Identity Server 5.3.0 which is the latest released version by the time of this writing. The official documentation for this is available in https://docs.wso2.com/display/IS530/OAuth+2.0+with+WSO2+Playground , however for a beginner, it does not provide all the instructions such as creating a Service Provider with necessary configuration. However, by following the steps below, you can simply setup Identity Server and the playground2 sample webapp and test the entire OAuth 2.0 flow.


Creating the Service Provider


First step is to create a service provider in Identity Server. This is required because when a client application talks to Identity Server via OAuth 2.0, Identity Server has to identify the client and the incoming traffic. We set this configuration inside the service provider.


Login to the Management Console of Identity Server and create a service provider. Here I give the name for the service provider as ‘playground2’.




Then, expand the ‘Inbound Authentication Configuration’ section in the service provider’s configuration and click on ‘Configure’ link which is listed under ‘OAuth/OpenID Connect Configuration’.


Set the configuration as shown in following image. As the Callback URL, we need to provide the URL of the client where Identity Server can send the responses (authorization code and access token will be sent by Identity Server to this URL of the client).


In my setup, I have deployed the playground2 sample in tomcat which runs in the localhost at port 8080. Therefore I provide the Callback URL as http://localhost:8080/playground2/oauth2client .


Then I can see the OAuth client key and the client secret generated by Identity Server.




Next step is to set the claim configuration of the service provider. By setting this, the playground2 client app will receive the user’s claims defined here when it requests for user’s profile information.


Here I add the claims using the Local Claim Dialect where the claim names received by playground2 app would follow the pattern http://wso2.org/claims/<claim name>. If you need to receive the claim names differently, you can define a custom claim dialect here.


Here I have added some claims to be received by the client as user profile information and I have defined the email address claim as the subject identifier which can be used to uniquely identify users in the client app’s end.




Creating a User for Testing


When testing the OAuth 2.0 grant types (flows), we need to authenticate with a user account (in grant types like authorization code) and then the client app can receive user claims defined in the profile. For that I am creating a user account here and setting the claims in the profile.


In the Management Console, go to Main -> Identity -> Users and Roles and click on Add. Then click on Add New User.


Give a username and password for the user account.




Here I grant admin role to the user since this is just a demonstration.
After adding the user, go to the User Profile.




Fill the values in the profile of the user.




By following the steps above, we have successfully configured Identity Server for trying out the OAuth 2.0 grant types.


Setting Up the Playground2 Sample OAuth 2.0 Client


Next step is to setup the OAuth 2.0 client application. The playground2 sample which is released with Identity Server 5.3.0 can be found in https://github.com/wso2/product-is/tree/v5.3.0/modules/samples/oauth2/playground2 . You can build the sample and get the .war file and deploy it in an application server like Apache Tomcat. Here I have deployed the application in tomcat which runs on port 8080 of localhost.


So, I can access the Playground2 app in browser in http://localhost:8080/playground2 .




Here I try out the Authorization Code grant type. Following similar steps, other grant types also can be tested easily.


As the Client Id, I enter the OAuth Client Key which I got when I created the Service Provider.


As the scope, I provide ‘openid’ since I need to retrieve the user claims in the profile.


The Callback URLof Playground2 app is http://localhost:8080/playground2/oauth2client . The Authorize Endpoint of Identity Server is https://localhost:9443/oauth2/authorize since the Identity Server runs on localhost at port 9443 in my environment.




After filling the above data and sending the authorize request to Identity Server, it prompts to login as I have not yet logged into Identity Server.




After authentication, I see the following screen to provide mandatory claims. (I have already added values for these claims in the profile of the user I logged in, so I’m not sure why it’s asked again).


Then we can see the user consent page where it shows that the client app needs the user’s permission to access the profile information of the users. So I approve this.




Now, Identity Server sends the authorization code to the Playground2 client through browser redirection. Here we need to provide the Access Token Endpoint of Identity Server, which is https://localhost:9443/oauth2/token . In addition to that, we need to provide the Client Secret which we received after creating the service provider.




After that, we can request for the access token from Identity Server, providing the authorization code.


Then the Identity Server sends the OAuth 2.0 access token. In order to request user’s profile claims, we need to send the request to the UserInfo endpoint of Identity Server. The URL is




Now the client app receives the claims of the user profile.




Comments

Popular posts from this blog

Fixing 'java RMI - ConnectException: Operation timed out' in WSO2 Enterprise Integrator 6.4

If you ever come across the below exception when running WSO2 Enterprise Integrator 6.4, here is the fix. This error occurs when you have multiple IP addresses from different networks configured in your etc/hosts as below. 10.xxx.x.xxx localhost 192.xxx.x.xxx localhost So simply, removing the unnecessary one and leaving the one of the network that you are currently connected to should resolve this issue. 10.xxx.x.xxx localhost

Student Information System - Java (SLIIT - ST2 PROJECT)

Student Information System (Github Project) This system is developed in Java and mySQL as a group project by me and 3 other members during a period of 1 month. The system allows the administrator to,  enroll students to the system  update enroll information  add/update course and degree program details  generate reports  create exams and edit relevant information  calculate gpa of the relevant exam  assign lecturers to courses  add lecturers/update details Lecturers to,  assign course grades  view their feedback  generate reports  view student / course / degree program details Students to,  view their profile  view their grading information  give feedback to lecturers   view lecturer / course / degree program details and other features. Below are some interfaces of the project. (Splash Screen) (Login) (Admin View) (Student Re...

SIMPLE BLACKJACK GAME IN JAVA (CONSOLE)

import java.util.Scanner; class BlackJack{     public static void main(String[] args)      {         int player_random1 = 100;         int player_random2 = 100;         while(player_random1 >= 12 || player_random2 >= 12  || player_random1 < 3 || player_random2 <3)         {             player_random1 = (int)(Math.random()*100);             player_random2 = (int)(Math.random()*100);         }                  int player_total = player_random1 + player_random2;                  System.out.println("You get a "+player_random1+" and a "+player_random2);         System.out.println("Your total is "+player_total); if(player_total==21)  ...