This grant handler allows users to obtain OAuth tokens from WSO2 Identity by exchanging an SSH certificate of type ssh-ed25519-cert-v01@openssh.com.
- Clone the repository with `git clone https://github.com/gayashanbc/x509-ed25519-grant-handler.git`.
- Build using Maven with `mvn clean install`. You can find the `wso2is-identity-samples-oauth2-ssh-ed25519-cert-v01-grant-1.0.0.jar` inside the `target` folder of the project root directory.
- Copy `wso2is-identity-samples-oauth2-ssh-ed25519-cert-v01-grant-1.0.0.jar` to the `<IS_HOME>/repository/components/dropins` directory.
- Append the following configuration to the `deployment.toml` file located in `<IS_HOME>/repository/conf`.

  ```toml
  [[oauth.custom_grant_type]]
  name="x509"
  grant_handler="org.wso2.sample.identity.oauth2.grant.ed25519.X509GrantHandler"
  grant_validator="org.wso2.sample.identity.oauth2.grant.ed25519.X509GrantValidator"

  [oauth.custom_grant_type.properties]
  IdTokenAllowed=true
  ```
- Restart WSO2 IS.
- Configure a service provider to test the sample under the OpenID Connect configurations.
- You will be able to see "x509" as a grant type under the supported grant types; enable it.
- Click Update on the service provider configurations.
- Once the service provider is saved, you will be redirected to the Service Provider Details page. Here, expand the Inbound Authentication Configuration section and click the OAuth/OpenID Connect Configuration section. Copy the values of OAuth Client Key and OAuth Client Secret shown here.
Execute the following sample cURL request to try out the grant handler after replacing `<OAuth Client Key>` and `<OAuth Client Secret>` with the respective values.

Note: A user matching the principal in the presented certificate should exist in WSO2 Identity Server.

```bash
# -k skips TLS verification; only appropriate for the default self-signed certificate of a local test instance
curl -kv \
  --data-urlencode "grant_type=x509" \
  --data-urlencode "scope=openid" \
  --data-urlencode "x509=ssh-ed25519-cert-v01@openssh.com AAAA...aErf/+Dw== user@host" \
  https://localhost:9443/oauth2/token \
  -u <OAuth Client Key>:<OAuth Client Secret>
```
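As an added illustration (not code from this project), the following Python snippet shows what has to be read out of the `x509` parameter before a certificate principal can be matched to a WSO2 IS user: it decodes the `ssh-ed25519-cert-v01@openssh.com` wire format, extracts the principal list and validity window, and checks both against a username and a timestamp. It builds its own constructed, unsigned sample certificate; verifying the certificate signature against the trusted CA key is a separate step that is not shown here.

```python
import base64
import struct

CERT_TYPE = b"ssh-ed25519-cert-v01@openssh.com"
USER_CERT = 1  # OpenSSH user certificate; host certificates are type 2

def _s(data):  # SSH wire "string": 4-byte big-endian length prefix + bytes
    return struct.pack(">I", len(data)) + data

def _read(buf, off):  # inverse of _s; returns (value, offset after it)
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n

def build_sample_cert(principals, valid_after, valid_before):
    """Constructed test data: structurally valid but UNSIGNED cert (zero keys, dummy signature)."""
    body = _s(CERT_TYPE) + _s(b"\x00" * 32) + _s(b"\x00" * 32)  # type, nonce, ed25519 pk
    body += struct.pack(">QI", 1, USER_CERT) + _s(b"demo-key-id")  # serial, cert type, key id
    body += _s(b"".join(_s(p.encode()) for p in principals))  # valid principals
    body += struct.pack(">QQ", valid_after, valid_before)  # validity window (unix seconds)
    body += _s(b"") * 3  # critical options, extensions, reserved (all empty)
    body += _s(_s(b"ssh-ed25519") + _s(b"\x00" * 32))  # CA public key blob
    body += _s(_s(b"ssh-ed25519") + _s(b"\x00" * 64))  # signature blob (dummy)
    return "%s %s user@host" % (CERT_TYPE.decode(), base64.b64encode(body).decode())

def parse_cert(value):
    """Parse the x509= parameter value into (cert_type, principals, valid_after, valid_before)."""
    parts = value.split()
    if len(parts) < 2 or parts[0] != CERT_TYPE.decode():
        raise ValueError("not an ssh-ed25519-cert-v01@openssh.com certificate")
    buf = base64.b64decode(parts[1], validate=True)
    kind, off = _read(buf, 0)
    if kind != CERT_TYPE:  # key-type prefix must agree with the type inside the blob
        raise ValueError("certificate blob type mismatch")
    _, off = _read(buf, off)  # nonce
    _, off = _read(buf, off)  # public key
    _, cert_type = struct.unpack_from(">QI", buf, off)  # serial, cert type
    _, off = _read(buf, off + 12)  # key id
    plist, off = _read(buf, off)
    principals, p = [], 0
    while p < len(plist):  # nested sequence of strings
        name, p = _read(plist, p)
        principals.append(name.decode())
    valid_after, valid_before = struct.unpack_from(">QQ", buf, off)
    return cert_type, principals, valid_after, valid_before

def principal_accepted(value, username, now):
    """True if the cert is a user cert, valid at `now`, and lists `username` as a principal."""
    cert_type, principals, after, before = parse_cert(value)
    return cert_type == USER_CERT and after <= now < before and username in principals
```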
Modify the `log4j2.properties` file located in `<IS_HOME>/repository/conf` as follows.

- Append `, org-wso2-sample-identity-oauth2-grant-ed25519` to the value of the `loggers` property.
- Append the following configurations.

  ```properties
  logger.org-wso2-sample-identity-oauth2-grant-ed25519.name=org.wso2.sample.identity.oauth2.grant.ed25519
  logger.org-wso2-sample-identity-oauth2-grant-ed25519.level=DEBUG
  ```