According to OAuth 2.0 Spec , there are four main grant-types support is available in an OAuth 2.0 authorization server. It supports custom grant type also. WSO2 IS supports OAuth 2.0 spec and it can act as OAuth 2.0 authorization server.
WSO2 APIManager uses OAuth tokens for API Security. (APIManager uses IS OAuth component to achieve OAuth support). User can write his own gran-type support for API security.
For this, he has to write;
- GrantTypeHandler : Write the grant type implementation in the handler class. For this implementation user can use AuthorizationGrantHandler interface or by extending AbstractAuthorizationGrantHandler
- GrantTypeValidator: This implementation will validates all the request which are sent to token endpoint. For this implementation, use the "AbstractValidator" class which is available in Amber library from Apache.
Eg: For example, If i want to authorize the requests based on certificates (e.g.;. Grant-type is "cert-auth",)
OauthHandler:
package org.test.oauth;
import org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception;
import org.wso2.carbon.identity.oauth2.model.RequestParameter;
import org.wso2.carbon.identity.oauth2.token.OAuthTokenReqMessageContext;
import org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler;
import org.wso2.carbon.identity.oauth2.dto.OAuth2AccessTokenReqDTO;
public class CertificateGrantHandler extends AbstractAuthorizationGrantHandler{
public static final String CERTIFICATE = "sslclientcertb64";
@Override
public boolean validateGrant(OAuthTokenReqMessageContext tokReqMsgCtx)
throws IdentityOAuth2Exception {
boolean authStatus = false;
OAuth2AccessTokenReqDTO oAuth2AccessTokenReqDTO = tokReqMsgCtx.getOauth2AccessTokenReqDTO();
String clientCert = null;
// extract request parameters
RequestParameter[] parameters = oAuth2AccessTokenReqDTO.getRequestParameters();
// find out client certificate
for(RequestParameter parameter : parameters){
if(CERTIFICATE.equals(parameter.getKey())){
if(parameter.getValue() != null && parameter.getValue().length > 0){
clientCert = parameter.getValue()[0];
}
}
}
return authStatus;
}
}
Validator:
package org.test.oauth;
import org.apache.amber.oauth2.common.validators.AbstractValidator;
import javax.servlet.http.HttpServletRequest;
public class CertificateGrantValidator extends AbstractValidator {
public OauthCertificateGrantValidator() {
// mobile number must be in the request parameter
requiredParams.add(OauthCertificateGrantHandler.CERTIFICATE);
}
}
Validator:
package org.test.oauth;
import org.apache.amber.oauth2.common.validators.AbstractValidator;
import javax.servlet.http.HttpServletRequest;
public class CertificateGrantValidator extends AbstractValidator
public OauthCertificateGrantValidator() {
// mobile number must be in the request parameter
requiredParams.add(OauthCertificateGrantHandler.CERTIFICATE);
}
}
Add the new grant-type in the identity.xml of the APIManager.
eg:
curl -k -d "grant_type=cert_auth&sslclientcertb64=" -H "Authorization: Basic , Content-Type: application/x-www-form-urlencoded" http://localhost:8280/token
<SupportedGrantType>
<GrantTypeName>cert_auth</GrantTypeName>
<GrantTypeHandlerImplClass>org.test.oauth.CertificateGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.test.oauth.CertificateGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType>
Generate token using;<GrantTypeName>cert_auth</GrantTypeName>
<GrantTypeHandlerImplClass>org.test.oauth.CertificateGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.test.oauth.CertificateGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType>
curl -k -d "grant_type=cert_auth&sslclientcertb64=" -H "Authorization: Basic , Content-Type: application/x-www-form-urlencoded" http://localhost:8280/token