Tuesday, June 16, 2015

Custom OAuth Grant-Type Support in APIManager

    According to OAuth 2.0 Spec , there are four main grant-types support is available in an OAuth 2.0 authorization server. It supports custom grant type also. WSO2 IS supports OAuth 2.0 spec and it can act as OAuth 2.0 authorization server.

    WSO2 APIManager uses OAuth tokens for API Security. (APIManager uses IS OAuth component to achieve OAuth support). User can write his own gran-type support for API security.

    For this, he has to write; 

  1. GrantTypeHandler : Write the grant type implementation in the handler class. For this implementation user can use AuthorizationGrantHandler  interface or by extending AbstractAuthorizationGrantHandler
  2. GrantTypeValidator: This implementation will validates all the request which are sent to token endpoint. For this implementation, use the "AbstractValidator" class which is available in Amber library from Apache.

Eg: For example, If i want to authorize the requests based on certificates (e.g.;. Grant-type is "cert-auth",) 

package org.test.oauth;

import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;

import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;

public class CertificateGrantHandler extends AbstractAuthorizationGrantHandler{
public static final String CERTIFICATE = "sslclientcertb64";

    public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx)
            throws IdentityOAuth2Exception {

        boolean authStatus = false;
    OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
    String clientCert = null;
    // extract request parameters
        RequestParameter[] parameters = oAuth2AccessTokenReqDTO.getRequestParameters();

        // find out client certificate
        for(RequestParameter parameter : parameters){
                if(parameter.getValue() != null && parameter.getValue().length > 0){
                clientCert = parameter.getValue()[0];
    return authStatus;


package org.test.oauth;

import org.apache.amber.oauth2.common.validators.AbstractValidator;
import javax.servlet.http.HttpServletRequest;

public class CertificateGrantValidator  extends AbstractValidator {

    public OauthCertificateGrantValidator() {

        // mobile number must be in the request parameter

Add the new grant-type in the identity.xml of the APIManager.



Generate token using;
curl -k -d "grant_type=cert_auth&sslclientcertb64=" -H "Authorization: Basic , Content-Type: application/x-www-form-urlencoded" http://localhost:8280/token

Friday, June 12, 2015

Register Axis2 MessageBuilder Programmatically

For each  Content-type, we define message builders and formatters in the axis2 configuration(axis2.xml). Those Builders and Formatters are global configuration. In some cases, we need to handle  certain messages belong to a certain content-type  in different manner.

For example, We configure text/xml content-type messages to be handled by a message builder implementaion in axis2 configuration. But, if same content-ype messages to be handled in different manner in a different message flow, we can register MessageBuilder/Formatter programmatically in that particular message flow. This will not affect the normal message building process for the same content -type messages in other flows.

Registering PlainTextBuilder implementation to handle SOAP messages.

Builder messagebuilder = null;
Class c = Class.forName("org.apache.axis2.format.PlainTextBuilder");

Object obj = c.newInstance();
if (obj instanceof Builder) {
messagebuilder = (Builder) obj;
org.apache.axis2.context.MessageContext axis2MsgContext;
axis2MsgContext.getConfigurationContext().getAxisConfiguration().addMessageBuilder("text/xml", messagebuilder);