
By default the ID Token carries the following claims.

{
  "exp": -677328449,
  "azp": "asdbUY31SEQtDpCi7aCsZSj96P0a",
  "sub": "admin@carbon.super",
  "aud": "asdbUY31SEQtDpCi7aCsZSj96P0a",
  "iss": "https:\/\/localhost:9443\/oauth2endpoints\/token",
  "iat": -680928449
}
The article in [1] explains how to retrieve the ID Token and decode it to get the encoded information.
Note: This customization source code is only applicable for WSO2 IS 5.0.0. There are library changes in WSO2 IS 5.1.0.
1. First, we have to write a custom handler which implements CustomClaimsCallbackHandler. SAMLAssertionClaimsCallback [2] is the default handler.
2. I have written a sample [3] which embeds the claims in the ID Token.

public void handleCustomClaims(IDTokenBuilder builder, OAuthTokenReqMessageContext requestMsgCtx) {
    // Resolve the tenant and the tenant-aware user name of the authorized user
    String userName = requestMsgCtx.getAuthorizedUser();
    String tenantDomain = MultitenantUtils.getTenantDomain(userName);
    userName = MultitenantUtils.getTenantAwareUsername(userName);
    RealmService realmService = OAuthComponentServiceHolder.getRealmService();
    UserStoreManager userStoreManager = null;
    String emailClaim = "http://wso2.org/claims/emailaddress";
    String roleClaim = "http://wso2.org/claims/role";
    String role = null;
    String email = null;
    try {
        int tenantId = realmService.getTenantManager().getTenantId(tenantDomain);
        userStoreManager = realmService.getTenantUserRealm(tenantId).getUserStoreManager();
        // Get relevant values for the claim from the user store
        email = userStoreManager.getUserClaimValue(userName, emailClaim, null);
        role = userStoreManager.getUserClaimValue(userName, roleClaim, null);
    } catch (UserStoreException e) {
        // On a user store failure the claims below are added with null values
        log.error(e);
    }
    log.info("Email - " + email);
    log.info("Username - " + userName);
    log.info("Tenant Domain - " + tenantDomain);
    log.info("Role - " + role);
    // Add claims to the ID token
    builder.setClaim(emailClaim, email);
    builder.setClaim(roleClaim, role);
}
3. Build the jar file of the custom handler with the “mvn clean install” command.
4. Copy the jar file to <WSO2_IS_HOME>/repository/components/lib directory.
5. Modify <WSO2_IS_HOME>/repository/conf/identity.xml as follows.
Set “IDTokenCustomClaimsCallBackHandler” under “OpenIDConnect” to the fully qualified class name of the custom handler. The default entry points at SAMLAssertionClaimsCallback:

<IDTokenCustomClaimsCallBackHandler>org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback</IDTokenCustomClaimsCallBackHandler>
6. Start the WSO2 IS Server.
7. Follow [1] to get the ID Token. Once you decode the ID Token, you get output like the following, with the two custom claims present.

{
  "exp": -576469630,
  "azp": "cXBqu0nmkTZnutzfA08AiwcPi20a",
  "sub": "admin@carbon.super",
  "aud": "cXBqu0nmkTZnutzfA08AiwcPi20a",
  "iss": "https:\/\/localhost:9443\/oauth2endpoints\/token",
  "http:\/\/wso2.org\/claims\/role": "admin,Internal\/test for testIS,Internal\/default,Internal\/defaultfortest,Internal\/everyone",
  "http:\/\/wso2.org\/claims\/emailaddress": "admin@wso2.com",
  "iat": -580069630
}
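As an added client-side check (not code from the original post or from WSO2), the following Python decodes the ID Token payload as step 7 describes, pulls out the two custom claims, and checks the iat/exp window; the token, client id and timestamps are constructed placeholders, and the signature is not verified here.

```python
import base64
import json

ROLE_CLAIM = "http://wso2.org/claims/role"
EMAIL_CLAIM = "http://wso2.org/claims/emailaddress"

# Constructed payload mirroring the claim layout of the decoded token above;
# client id and timestamps are placeholders, not values from a real server.
SAMPLE_PAYLOAD = {
    "exp": 1700003600, "azp": "client-id-placeholder", "sub": "admin@carbon.super",
    "aud": "client-id-placeholder", "iss": "https://localhost:9443/oauth2endpoints/token",
    ROLE_CLAIM: "admin,Internal/everyone", EMAIL_CLAIM: "admin@wso2.com",
    "iat": 1700000000,
}

def b64url_decode(segment: str) -> bytes:
    """Decode a base64url segment, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_token(payload: dict) -> str:
    """Build a compact JWS-shaped token for offline use; the signature is a placeholder."""
    header = b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(payload).encode())}.placeholder-signature"

def decode_id_token(id_token: str) -> dict:
    """Return the payload claims of a compact JWS ID Token (signature not checked here)."""
    parts = id_token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[1]))

def extract_custom_claims(claims: dict) -> dict:
    """Pull the two WSO2 claims the handler adds; roles arrive as one comma-separated string."""
    roles = claims.get(ROLE_CLAIM) or ""
    return {"email": claims.get(EMAIL_CLAIM),
            "roles": [r for r in roles.split(",") if r]}

def lifetime_ok(claims: dict, now: int) -> bool:
    """True only if iat <= now < exp; negative epoch values like those above fail this."""
    return claims.get("iat", -1) <= now < claims.get("exp", -1)

if __name__ == "__main__":
    claims = decode_id_token(make_sample_token(SAMPLE_PAYLOAD))
    print(extract_custom_claims(claims), lifetime_ok(claims, 1700001000))
```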
[1] – http://reddragonspace.blogspot.com/2016/04/id-token-in-openid-in-wso2-identity.html