

Obtaining User Profile Information with OpenID Connect

OpenID Connect is an authentication protocol that is a simple identity layer on top of the OAuth 2.0 protocol. It allows clients to verify the identity of the end-user based on the authentication performed by an authorization server, as well as to obtain basic profile information about the end-user in an interoperable and REST-like manner.

You can use WSO2 API Manager to obtain information required to interact with the OpenID provider, including its OAuth 2.0 endpoint locations. The openid scope needs to be passed when generating the access token, in order to obtain the latter mentioned information. API Manager will send a JSON Web Token (JWT), which contains information about the user who generates the token, as part of the response to this request. You can configure the information that is returned with the JWT access token.

You can obtain the actual user information using any of the following options.

• Decoding the id_token
• Invoking the userinfo endpoint
• Invoking the openid-configuration endpoint

Decoding the id_token

Follow the instructions below to obtain user profile information with OpenID connect with WSO2 API Manager.

1. Obtain a token using password grant type and openid scope. For more information on token generation with password grant type, see Password Grant Type. The format of the curl command and a sample is given below :

   Format

   curl -k -d "grant_type=password&username=<USERNAME>&password=<PASSWORD>&scope=openid" -H "Authorization: Basic <BASE64 ENCODED CONSUMER_KEY:CONSUMER_SECRET>, Content-Type: application/x-www-form-urlencoded" https://<GATEWAY_HOSTNAME>:<PORT>/token

   Example

   curl -k -d "grant_type=password&username=testuser&password=testuserpassword&scope=openid" -H "Authorization: Basic M1J6RFNrRFI5ZmQ5czRqY296R2xfVjh0QU5JYTpXeElqSkFJd0dqRWVYOHdHZGFfcGM1Wl94RjRh, Content-Type: application/x-www-form-urlencoded" https://apim.wso2.com:8243/token
   

2. You will receive a response in the format shown below. Note that the id_token parameter contains the JWT related to user information.

   {
     "access_token": "83705add-d77e-3cc8-9b6a-53d210ed3fed",
     "refresh_token": "4b283fb8-942f-316d-ba90-44b4c76ae419",
     "scope": "openid",
     "id_token": "eyJ4NXQiOiJObUptT0dVeE16WmxZak0yWkRSaE5UWmxZVEExWXpkaFpUUmlPV0UwTldJMk0ySm1PVGMxWkEiLCJraWQiOiJkMGVjNTE0YTMyYjZmODhjMGFiZDEyYTI4NDA2OTliZGQzZGViYTlkIiwiYWxnIjoiUlMyNTYifQ.eyJhdF9oYXNoIjoiY1hoV0l2SXdSYlBnVDBBTG1hekpIUSIsImFjciI6InVybjptYWNlOmluY29tbW9uOmlhcDpzaWx2ZXIiLCJzdWIiOiJzdWJzY3JpYmVyQGNhcmJvbi5zdXBlciIsImF1ZCI6WyJLb05EbGVTckYzbmFYV3doYXZhbzRiQm9NWWNhIl0sImF6cCI6IktvTkRsZVNyRjNuYVhXd2hhdmFvNGJCb01ZY2EiLCJvcmdhbml6YXRpb24iOiJXU08yIiwiaXNzIjoiaHR0cHM6XC9cLzE3Mi4xNi4yLjExMTo5NDQzXC9vYXV0aDJcL3Rva2VuIiwiZXhwIjoxNTExOTUwNDEzLCJpYXQiOjE1MTE5NDY4MTMsImVtYWlsIjoic3ViMUBnbWFpbC5jb20ifQ.gdj0jn4PX5R4j5Y0ZNyEwi2G-NPq3_iW89NqkRxeszdcMLvDP-ncRWMaYyUYc-bQqADekTdQUC6ACSVUlJBKau3Oy8uu-AO8pajIm-hWEX_PBqoMRtFztxggmKFaL6G0rdRBIu8LzL5lbX2cTKss_zYwNmcPDsKDWdQDmL089Wg",
     "token_type": "Bearer",
     "expires_in": 3600
   }

3. By decoding the id_token , a payload similar to the following can be obtained, with user information such as email, organization, etc. For an online tool to decode the JWT, go to https://jwt.io/

   {
     "at_hash": "cXhWIvIwRbPgT0ALmazJHQ",
     "acr": "urn:mace:incommon:iap:silver",
     "sub": "[email protected]",
     "aud": [
        "KoNDleSrF3naXWwhavao4bBoMYca"
     ],
     "azp": "KoNDleSrF3naXWwhavao4bBoMYca",
     "organization": "WSO2",
     "iss": "https://172.16.2.111:9443/oauth2/token",
     "exp": 1511950413,
     "iat": 1511946813,
     "email": "[email protected]"
   }

Invoking the userinfo endpoint

You can obtain user information as a payload by invoking the userinfo endpoint with the access token obtained in step 1. The format of the curl command and a sample is given below

Format

curl -k -v -H "Authorization: Bearer <ACCESS_TOKEN>" https://<GATEWAY_HOSTNAME>:<PORT>/userinfo

Example

curl -k -v -H "Authorization: Bearer 83705add-d77e-3cc8-9b6a-53d210ed3fed" https://apim.wso2.com:8243/userinfo

The response will be a JSON payload as shown below:

{
  "sub": "[email protected]",
  "organization": "WSO2",
  "email": "[email protected]"
}

Securing JWT Validation in User Info and Token Introspection Endpoints

In order to enhance the security of your deployment and mitigate potential vulnerabilities like the "Broken JWT (None Algorithm attack)," it is crucial to enable JWT validation in both the user info and token introspection endpoints. This procedure ensures that JWT tokens are effectively identified and validated, bolstering the security of your API Manager deployment.

Note that from API Manager 4.0.0, this feature is enabled by default. However, if you are using APIM 3.2.0, you need to manually enable this feature following the steps outlined above.

To enable the server to identify JWT tokens and perform validation in the user info endpoint and token introspection endpoints, follow these steps:

1. Open the configuration file for OAuth settings.
2. Locate the section labeled [oauth].
3. Add the following configuration property to enable JWT token validation during introspection:

   enable_jwt_token_validation_during_introspection = true

   Once this feature is enabled, the server will validate the token using the available JWT token validator. By default, the Default JWT token validator is utilized. However, please be aware of the following considerations:
   • If your server issues custom JWT tokens that don't conform to the available JWT token validator's requirements (e.g., lacking mandatory claims), enabling this feature might disrupt the existing flow.
   • For instance, the default JWT token validator expects the "jti" claim to be present in the token. If your custom token issuer omits this claim, enabling this feature might result in introspection breaking.
   • To avoid such scenarios, ensure a compatible JWT token validator is deployed in your system before enabling this feature. Evaluate your JWT token issuance and validation setup before enabling this feature to prevent any disruptions in token introspection.

Invoking the openid-configuration endpoint

You need to invoke the openid-configuration endpoint as follows to obtain the openid-configuration information as a payload. The format of the cURL command and a sample is given below.

Format

curl -v -k https://<GATEWAY_HOSTNAME>:<PORT>/oidcdiscovery/.well-known/openid-configuration

Example

curl -v -k https://localhost:8243/oidcdiscovery/.well-known/openid-configuration

The response will be a JSON payload as shown below:

{
    "scopes_supported": [
        "address",
        "phone",
        "email",
        "profile",
        "openid"
    ],
    "check_session_iframe": "https://localhost:9443/oidc/checksession",
    "issuer": "https://localhost:9443/oauth2/token",
    "authorization_endpoint": "https://localhost:9443/oauth2/authorize",
    "claims_supported": [
        "formatted",
        "name",
        "phone_number",
        "given_name",
        "picture",
        "region",
        "street_address",
        "postal_code",
        "zoneinfo",
        "locale",
        "profile",
        "locality",
        "sub",
        "updated_at",
        "email_verified",
        "nickname",
        "middle_name",
        "email",
        "family_name",
        "website",
        "birthdate",
        "address",
        "preferred_username",
        "phone_number_verified",
        "country",
        "gender",
        "iss",
        "acr"
    ],
    "token_endpoint": "https://localhost:9443/oauth2/token",
    "response_types_supported": [
        "id_token token",
        "code",
        "id_token",
        "token"
    ],
    "end_session_endpoint": "https://localhost:9443/oidc/logout",
    "userinfo_endpoint": "https://localhost:9443/oauth2/userinfo",
    "jwks_uri": "https://localhost:9443/oauth2/jwks",
    "subject_types_supported": [
        "pairwise"
    ],
    "id_token_signing_alg_values_supported": [
        "RS256"
    ],
    "registration_endpoint": "https://localhost:9443/identity/connect/register"
}

Note

By default, only the username (sub claim) information will be available in the response. You can customize the user information returned in the id_token by configuring the user claims for the corresponding Service Provider generated for the Application created in API DevPortal.

In order to modify the service provider, you can login to APIM Management console(https://localhost:9443/carbon), locate the relevant service provider(The corresponding service provider generated for a given application created in API DevPortal will be in <username>_<application-name>_<environment> format. ie: john_pizzashackapp_PRODUCTION) and follow the steps given in Service Provider Claim Configuration to configure the required user claims.

Top