WSO2 API JWT roles missing
We are using WSO2 API Manager version 2.5 and Identity Server 5.6, where the IS is the key manager for the API Manager.
I enabled JWT in the IS config.
Added a custom claim dialect with userid and roles (as we do not need everything the local claim includes, and it leads to errors in the backend because the header is too big).
When I call an API the JWT is generated and passed on. However, the roles claim is not working in my custom dialect.
When I use the local claim dialect for JWT, the roles are included in the token.
My Config:
<JWTConfiguration>
    <JWTHeader>X-JWT-Assertion</JWTHeader>
    <JWTGeneratorImpl>org.wso2.carbon.apimgt.keymgt.token.JWTGenerator</JWTGeneratorImpl>
    <ClaimsRetrieverImplClass>org.wso2.carbon.apimgt.impl.token.DefaultClaimsRetriever</ClaimsRetrieverImplClass>
    <ConsumerDialectURI>http://ourdomain.com/jwt</ConsumerDialectURI>
    <SignatureAlgorithm>SHA256withRSA</SignatureAlgorithm>
    <EnableJWTGeneration>true</EnableJWTGeneration>
</JWTConfiguration>
The http://ourdomain.com/jwt dialect looks like this (Claim URI -> Mapped Local Claim):
http://ourdomain.com/jwt/uid        -> http://wso2.org/claims/our/uid
http://ourdomain.com/jwt/fullname   -> http://wso2.org/claims/fullname
http://ourdomain.com/jwt/accountNr  -> http://wso2.org/claims/accountNr
http://ourdomain.com/jwt/role       -> http://wso2.org/claims/role
This is the resulting JWT content:
{
    "http://ourdomain.com/jwt/version": "1.0.0",
    "http://ourdomain.com/jwt/applicationid": "90",
    "http://ourdomain.com/jwt/keytype": "SANDBOX",
    "http://ourdomain.com/jwt/uid": "123",
    "http://ourdomain.com/jwt/enduser": "mail.address@ourdomain.com@carbon.super",
    "http://ourdomain.com/jwt/subscriber": "EXTERNAL/subscriber@ourdomain.com",
    "iss": "wso2.org/products/am",
    "http://ourdomain.com/jwt/fullname": "Mail Address",
    "http://ourdomain.com/jwt/applicationtier": "Unlimited",
    "http://ourdomain.com/jwt/applicationname": "application",
    "http://ourdomain.com/jwt/enduserTenantId": "-1234",
    "http://ourdomain.com/jwt/tier": "Unlimited",
    "http://ourdomain.com/jwt/usertype": "APPLICATION_USER",
    "http://ourdomain.com/jwt/accountNr": [
        "123451",
        "123452",
        "123453"
    ],
    "http://ourdomain.com/jwt/apicontext": "/heimdall/1.0.0",
    "exp": 1541605849
}
Any leads where I'm mistaken? Do I have to write a custom token generator?
wso2 jwt wso2is wso2-am
asked Nov 8 at 11:10
Mat
635
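A diagnostic for the situation in the question, added here as an example; it is not part of the post and not WSO2 code. It takes the claim dialect and the token body quoted above (both constructed inline from the question), assembles a JWT-shaped sample with a placeholder signature, and reports which dialect claims the token lacks, whether it has expired, and how large the X-JWT-Assertion header line is against an assumed 8 KiB server limit (the limit is an assumption, not a WSO2 setting). It deliberately does not verify the signature: the backend has to verify the RS256 signature with the key manager's public key before acting on any claim, and this check only inspects the claim set.

```python
import base64
import json

# Constructed from the claim dialect listed in the question: consumer claim URI -> mapped local claim.
DIALECT = {
    "http://ourdomain.com/jwt/uid": "http://wso2.org/claims/our/uid",
    "http://ourdomain.com/jwt/fullname": "http://wso2.org/claims/fullname",
    "http://ourdomain.com/jwt/accountNr": "http://wso2.org/claims/accountNr",
    "http://ourdomain.com/jwt/role": "http://wso2.org/claims/role",
}

# Constructed sample payload, copied from the token body shown in the question (no role claim).
SAMPLE_PAYLOAD = {
    "http://ourdomain.com/jwt/version": "1.0.0",
    "http://ourdomain.com/jwt/applicationid": "90",
    "http://ourdomain.com/jwt/keytype": "SANDBOX",
    "http://ourdomain.com/jwt/uid": "123",
    "http://ourdomain.com/jwt/enduser": "mail.address@ourdomain.com@carbon.super",
    "http://ourdomain.com/jwt/subscriber": "EXTERNAL/subscriber@ourdomain.com",
    "iss": "wso2.org/products/am",
    "http://ourdomain.com/jwt/fullname": "Mail Address",
    "http://ourdomain.com/jwt/applicationtier": "Unlimited",
    "http://ourdomain.com/jwt/applicationname": "application",
    "http://ourdomain.com/jwt/enduserTenantId": "-1234",
    "http://ourdomain.com/jwt/tier": "Unlimited",
    "http://ourdomain.com/jwt/usertype": "APPLICATION_USER",
    "http://ourdomain.com/jwt/accountNr": ["123451", "123452", "123453"],
    "http://ourdomain.com/jwt/apicontext": "/heimdall/1.0.0",
    "exp": 1541605849,
}

HEADER_NAME = "X-JWT-Assertion"
# Assumed limit: many HTTP servers reject a request header larger than 8 KiB by default.
MAX_HEADER_BYTES = 8192


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def build_sample_token(payload: dict) -> str:
    """Assemble a JWT-shaped string for offline testing. The signature segment is a
    constructed placeholder; real gateway tokens carry an RS256 signature."""
    header = {"typ": "JWT", "alg": "RS256"}
    segments = [
        _b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        _b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
        _b64url_encode(b"constructed-placeholder-signature"),
    ]
    return ".".join(segments)


def decode_claims(token: str) -> dict:
    """Return the payload claims. This does NOT verify the signature: the backend must
    verify it with the key manager's public key before trusting any claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed JWT: expected three dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def missing_dialect_claims(claims: dict, dialect: dict) -> list:
    """List consumer-dialect claim URIs that the token should carry but does not."""
    return [uri for uri in dialect if uri not in claims]


def header_bytes(token: str) -> int:
    """Size of the 'X-JWT-Assertion: <token>\\r\\n' header line on the wire."""
    return len(f"{HEADER_NAME}: {token}\r\n".encode("ascii"))


def check_token(token: str, dialect: dict, now: int,
                max_header_bytes: int = MAX_HEADER_BYTES) -> dict:
    """Summarise missing claims, expiry and header size for one token at time `now`."""
    claims = decode_claims(token)
    size = header_bytes(token)
    return {
        "missing": missing_dialect_claims(claims, dialect),
        "expired": int(claims.get("exp", 0)) <= now,
        "header_bytes": size,
        "oversized": size > max_header_bytes,
    }


if __name__ == "__main__":
    sample = build_sample_token(SAMPLE_PAYLOAD)
    print(json.dumps(check_token(sample, DIALECT, now=1541605000), indent=2))
```

Run against the sample, the report lists http://ourdomain.com/jwt/role as the only dialect claim absent from the token, which matches the symptom in the question; pointing the same check at a token generated with the local dialect shows whether the role values arrive at all before the dialect mapping is suspected.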