Scopes and Claim Management in WSO2 IS
🧬 Introduction
The /oauth2/authorize and /oauth2/token endpoints allow the client to specify the scope of the access request using the scope query parameter. In OIDC, you can pass space-delimited strings as scopes to retrieve a set of user claims. These user claims are pieces of information about users, like first name and last name. WSO2 IS supports the following OIDC scopes out of the box.
- openid
- profile
- email
- phone
- groups
- address
In the previous article, when we requested details from the /oauth2/userinfo endpoint with the Access Token, we were only able to get the sub value from the ID Token. Also, the ID Token did not carry any user claim values.
🫧 Getting User Claims with Scopes & Claims
To get the user claims, you first have to check whether they are included in the OIDC scopes. To do that, open the management console, find OIDC Scopes, and click on List.
There you will see the in-built OIDC scopes.
Click on the openid scope and you will see that no claims have been added to it yet. Add the following claims there.
- email
- given_name
- family_name
Now, go to the Service Provider (SP) created in the previous article and click on Claim Configuration (Service Providers → List → playground_2). Then add the following claims.
- http://wso2.org/claims/emailaddress
- http://wso2.org/claims/lastname
- http://wso2.org/claims/givenname
After that, add http://wso2.org/oidc/claim as the Service Provider Claim Dialect.
Go to the Users and Roles section in the Management Console and click on Add → Add New Users to create a new user with a username and password. Then click on List → Users and open User Profile → default. After that, provide values for First Name, Last Name, and Email.
Now follow the steps below to get the Access and ID Tokens.
- Get Authorization Code
↳ Type the following URL in the browser. On the authentication page, log in as the user you created and give consent to access the claims you configured in the SP configuration. Finally, take the Authorization Code from the code query parameter.
https://localhost:9443/oauth2/authorize?response_type=code&client_id=provided_client_id0001&redirect_uri=http://localhost:8080/playground2/oauth2client&scope=openid
- Get the Access and ID Tokens
↳ Execute the following cURL command. Make sure to replace the code value with the code you got in the previous step.
curl -v -X POST --basic -u provided_client_id0001:provided_client_secret0001 -H "Content-Type:application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=authorization_code&code=9c5ead5b-1ee5-34c9-98fe-f99a1490778f&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
Now that you have the Access and ID Tokens, you can inspect the claims in the ID Token or at the /oauth2/userinfo endpoint.
If you paste the ID Token into https://jwt.io/, you can decode it and see the claims it carries.
You can also send the following cURL request to the /oauth2/userinfo endpoint to get the user claims associated with the ID Token as well. Make sure to replace the Access Token (the random string after the word Bearer) with yours.
curl -k -v -H "Authorization: Bearer 1f0c6f59-ee78-3c7c-9d50-ab129dd5e25f" https://localhost:9443/oauth2/userinfo
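As an added example (not part of the original article or of WSO2 IS), the script below builds the token request body from the steps above, decodes an ID Token the way jwt.io does, and checks that the claims attached to the openid scope (email, given_name, family_name) actually arrived and that the issuer and audience match. The sample token, its issuer value https://localhost:9443/oauth2/token and the user values are constructed for the demo; decoding alone does not verify the signature, which a client must do against the identity server's signing key before trusting any claim.

```python
import base64
import json
import urllib.parse

# Claims this article attaches to the openid scope in the management console.
SCOPE_CLAIMS = {"openid": {"email", "given_name", "family_name"}}

def build_token_request(code, redirect_uri):
    """Form body for the /oauth2/token call above; client credentials stay in the Basic auth header."""
    return urllib.parse.urlencode({"grant_type": "authorization_code", "code": code, "redirect_uri": redirect_uri})

def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def decode_id_token(id_token):
    """Split a compact JWS into (header, payload) dicts. This does NOT verify the signature;
    verify it against the identity server's signing key before trusting any claim."""
    header_b64, payload_b64, _signature_b64 = id_token.split(".")
    return json.loads(_b64url_decode(header_b64)), json.loads(_b64url_decode(payload_b64))

def missing_claims(payload, scope):
    """Claims the configured scopes promise that the token payload does not carry."""
    expected = set().union(*(SCOPE_CLAIMS.get(s, set()) for s in scope.split()))
    return sorted(expected - set(payload))

def check_id_token(payload, expected_issuer, client_id):
    """Minimal OIDC checks: the token must come from our issuer and be meant for our client."""
    problems = []
    if payload.get("iss") != expected_issuer:
        problems.append("iss")
    aud = payload.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    return problems

def _b64url_encode(obj):
    return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")

# Constructed sample in the shape WSO2 IS returns (not a real token; the signature is a placeholder).
SAMPLE_ID_TOKEN = ".".join([
    _b64url_encode({"alg": "RS256", "typ": "JWT"}),
    _b64url_encode({"iss": "https://localhost:9443/oauth2/token", "aud": "provided_client_id0001",
                    "sub": "alice", "email": "alice@example.com",
                    "given_name": "Alice", "family_name": "Doe"}),
    "c2lnbmF0dXJl",
])
```

If a claim shows up in missing_claims, check the three places the article configures: the OIDC scope, the SP claim mapping, and the user's profile values.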
In the next article, we will check how you can create a custom OIDC scope and use it to get user claims. After that, we will continue looking at the other grant types.