Monday, May 4, 2015

[WSO2 AM/IS] SAML2 bearer tokens with OAuth2



1. Download the latest version of WSO2 API Manager (AM), 1.8.0 (http://wso2.com/api-management/).

2. Download the latest version of WSO2 Identity Server (IS), 5.0.0, and apply the Service Pack (http://wso2.com/products/identity-server/).

3. I'm going to run AM with port offset 0 and IS with port offset 1 (change <Offset> in carbon.xml).

Change the HostName and MgtHostName in the carbon.xml file of IS:
<HostName>is.wso2.com</HostName>
<MgtHostName>is.wso2.com</MgtHostName>

4. Change the HostName and MgtHostName in the carbon.xml file of AM:
<HostName>am.wso2.com</HostName>
<MgtHostName>am.wso2.com</MgtHostName>


Share the user store and mount the registry spaces.


i) In the default products, AM has the JDBC user store manager and IS has the embedded read-write LDAP server (check the user-mgt.xml file under <HOME>/repository/conf).

ii) Open the user-mgt.xml file in IS and disable the default ReadWriteLDAPUserStoreManager.

iii) Enable the JDBCUserStoreManager:

<UserStoreManager class="org.wso2.carbon.user.core.jdbc.JDBCUserStoreManager">
    <Property name="TenantManager">org.wso2.carbon.user.core.tenant.JDBCTenantManager</Property>
    <Property name="ReadOnly">false</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="IsEmailUserName">false</Property>
    <Property name="DomainCalculation">default</Property>
    <Property name="PasswordDigest">SHA-256</Property>
    <Property name="StoreSaltedPassword">true</Property>
    <Property name="ReadGroups">true</Property>
    <Property name="WriteGroups">true</Property>
    <Property name="UserNameUniqueAcrossTenants">false</Property>
    <Property name="PasswordJavaRegEx">^[\S]{5,30}$</Property>
    <Property name="PasswordJavaScriptRegEx">^[\S]{5,30}$</Property>
    <Property name="UsernameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="UsernameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="RolenameJavaRegEx">^[^~!#$;%^*+={}\\|\\\\&lt;&gt;,\'\"]{3,30}$</Property>
    <Property name="RolenameJavaScriptRegEx">^[\S]{3,30}$</Property>
    <Property name="UserRolesCacheEnabled">true</Property>
    <Property name="MaxRoleNameListLength">100</Property>
    <Property name="MaxUserNameListLength">100</Property>
    <Property name="SharedGroupEnabled">false</Property>
    <Property name="SCIMEnabled">false</Property>
</UserStoreManager>
iv) Create a database (shareddb) for the shared user store and registry, and configure it as a datasource in the master-datasources.xml file:
<datasource>
    <name>WSO2_UM_DB</name>
    <description>The datasource used for registry and user manager</description>
    <jndiConfig>
        <name>jdbc/WSO2CarbonDB_SHARE</name>
    </jndiConfig>
    <definition type="RDBMS">
        <configuration>
            <url>jdbc:mysql://<host>:<port>/shareddb</url>
            <username>root</username>
            <password>root</password>
            <driverClassName>com.mysql.jdbc.Driver</driverClassName>
            <maxActive>50</maxActive>
            <maxWait>60000</maxWait>
            <testOnBorrow>true</testOnBorrow>
            <validationQuery>SELECT 1</validationQuery>
            <validationInterval>30000</validationInterval>
        </configuration>
    </definition>
</datasource>
v) Point the dataSource property in user-mgt.xml at the new JNDI name:

<Property name="dataSource">jdbc/WSO2CarbonDB_SHARE</Property>

vi) Repeat steps (iv) and (v) in AM.

vii) Open the registry.xml in IS and add the mount configurations:

<dbConfig name="wso2registry_shared">
        <dataSource>jdbc/WSO2CarbonDB_SHARE</dataSource>
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
        <id>instanceid</id>
        <dbConfig>wso2registry_shared</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
        <cacheId>root@jdbc:mysql://<host>:<port>/shareddb</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/isnodes</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/governance</targetPath>
</mount>
viii) Open the registry.xml of AM and add the mount configurations:

<dbConfig name="wso2registry_shared">
        <dataSource>jdbc/WSO2CarbonDB_SHARE</dataSource>
</dbConfig>

<remoteInstance url="https://localhost:9443/registry">
        <id>instanceid</id>
        <dbConfig>wso2registry_shared</dbConfig>
        <readOnly>false</readOnly>
        <enableCache>true</enableCache>
        <registryRoot>/</registryRoot>
        <cacheId>root@jdbc:mysql://<host>:<port>/shareddb</cacheId>
</remoteInstance>
<mount path="/_system/config" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/amnodes</targetPath>
</mount>
<mount path="/_system/governance" overwrite="true">
        <instanceId>instanceid</instanceId>
        <targetPath>/_system/governance</targetPath>
</mount>


(Start both servers once with the -Dsetup parameter so that the tables are created in shareddb.)

Configure Identity Provider 


1. Log in to the AM management console and add WSO2 IS as an Identity Provider.

i) You need the public certificate of the Identity Server. You can export it from the default wso2carbon.jks keystore with the following keytool command.

Go to wso2is-5.0.0/repository/resources/security in a command window and execute the command below:
keytool -export -alias wso2carbon -keystore wso2carbon.jks -storepass wso2carbon -file carbonjks.pem

Then register the Identity Provider with the following values:
Identity provider Name*               = WSO2_IS
Identity Provider Public Certificate* = Browse and select the carbonjks.pem file
Enable SAML2 with SSO                 = checked
Identity Provider Entity Id           = WSO2_IDP
Service Provider Entity Id            = WSO2_AM
SSO URL                               = https://is.wso2.com:9444/samlsso
Alias                                 = https://am.wso2.com:9443/oauth2/token


Configure Service Providers

 


1. Open the identity.xml in IS (wso2is-5.0.0/repository/conf) and change the following two parameters as below:
<EntityId>WSO2_IDP</EntityId>
<IdentityProviderURL>https://is.wso2.com:9444/samlsso</IdentityProviderURL>

2. Enable DEBUG logs in IS to capture the SAML response. Open the log4j.properties file in wso2is-5.0.0/repository/conf and add the following logger:
log4j.logger.org.wso2.carbon.identity=DEBUG
3. Restart the IS server.

4. Log in to the Identity Server and add the Store as a service provider.
Service Provider Name = AM_STORE


5. Configure its "SAML2 Web SSO Configuration" as follows:



Assertion Consumer URL                     = https://am.wso2.com:9443/store/jagg/jaggery_acs.jag
Use fully qualified username in the NameID = checked
Enable Response Signing                    = checked
Enable Assertion Signing                   = checked
Enable Single Logout                       = checked
Enable Audience Restriction                = checked 
Add the Audience                           = https://am.wso2.com:9443/oauth2/token
Enable Recipient Validation                = checked
Add the Recipient                          = https://am.wso2.com:9443/oauth2/token
6. Log in to the Identity Server and add the AM management console as a service provider, with the following SAML2 Web SSO configuration:

Assertion Consumer URL                     = https://am.wso2.com:9443/acs
Use fully qualified username in the NameID = checked
Enable Response Signing                    = checked
Enable Assertion Signing                   = checked
Enable Single Logout                       = checked
Enable Audience Restriction                = checked 
Add the Audience                           = https://am.wso2.com:9443/oauth2/token
Enable Recipient Validation                = checked
Add the Recipient                          = https://am.wso2.com:9443/oauth2/token




Configure SAML2SSOAuthenticator in AM

 

1. Open the authenticators.xml file under wso2am-1.8.0/repository/conf/security and configure SAML2SSOAuthenticator as below:
<Authenticator name="SAML2SSOAuthenticator" disabled="false">
        <Priority>0</Priority>
        <Config>
            <Parameter name="LoginPage">/carbon/admin/login.jsp</Parameter>
            <Parameter name="ServiceProviderID">WSO2_AM</Parameter>
            <Parameter name="IdentityProviderSSOServiceURL">https://is.wso2.com:9444/samlsso</Parameter>
            <Parameter name="NameIDPolicyFormat">urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified</Parameter>

            <!-- <Parameter name="IdPCertAlias">wso2carbon</Parameter> -->
            <!-- <Parameter name="ResponseSignatureValidationEnabled">false</Parameter> -->
            <!-- <Parameter name="LoginAttributeName"></Parameter> -->
            <!-- <Parameter name="RoleClaimAttribute"></Parameter> -->
            <!-- <Parameter name="AttributeValueSeparator">,</Parameter> -->

            <!-- <Parameter name="JITUserProvisioning">true</Parameter> -->
            <!-- <Parameter name="ProvisioningDefaultUserstore">PRIMARY</Parameter> -->
            <!-- <Parameter name="ProvisioningDefaultRole">admin</Parameter> -->
            <!-- <Parameter name="IsSuperAdminRoleRequired">true</Parameter> -->
        </Config>

        <!-- If this authenticator should skip any URI from authentication, specify it under "SkipAuthentication"
        <SkipAuthentication>
            <UrlContains></UrlContains>
        </SkipAuthentication> -->

        <!-- If this authenticator should skip any URI from session validation, specify it under "SkipAuthentication
        <SkipSessionValidation>
            <UrlContains></UrlContains>
        </SkipSessionValidation> -->
</Authenticator>

2. Open the site.json file under wso2am-1.8.0/repository/deployment/server/jaggeryapps/store/site/conf and configure the ssoConfiguration of the Store application as below:

"ssoConfiguration" : {
        "enabled" : "true",
        "issuer" : "API_STORE",
        "identityProviderURL" : "https://is.wso2.com:9444/samlsso",
        "keyStorePassword" : "wso2carbon",
        "identityAlias" : "wso2carbon",
        "responseSigningEnabled" : "true",
        "keyStoreName" : "/home/ajith/wso2am-1.8.0/repository/resources/security/wso2carbon.jks"
}

3. Restart the AM server.

Generate SAML Assertion

1. When you try to access the Store URL (https://am.wso2.com:9443/store), you are redirected to the Identity Server.

2. Once you have logged in to the Store, you should see the SAML response (Base64 encoded) printed as a DEBUG log on the Identity Server side (in the wso2carbon.log file).

3. Decode that Base64 text to get the SAML response (for example with https://www.base64decode.org/):

<?xml version="1.0" encoding="UTF-8"?>
<saml2p:Response Destination="https://am.wso2.com:9443/store/jagg/jaggery_acs.jag"
                 ID="kmiklfhjnmildgbdeaopcghdnkighhhplmlddffb"
                 InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc"
                 IssueInstant="2015-05-03T04:08:24.643Z" Version="2.0"
                 xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity"
                xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">WSO2_IDP</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#kmiklfhjnmildgbdeaopcghdnkighhhplmlddffb">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>faIOp/bxRf9Qe2GcT1cMIps77n0=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>Jac8fOJKdb4UOxvYd8McjidNGmTH2HKMUiaPWN0551xvIFCTLCoR4iD3tYxLpdHJJpJGznKOZFN5NwHYA9d7S1oH7L4HDfhf4LqBww+538glSwCxGTpIA07sOsozCGCgP41QXcMugqJanP252rTUQJD+fUnJHpuxaPMxEJ5hy0E=</ds:SignatureValue>
    <ds:KeyInfo><ds:X509Data><ds:X509Certificate>…</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
  </ds:Signature>
  <saml2p:Status><saml2p:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></saml2p:Status>
  <saml2:Assertion ID="fecbjhnbjladdihfokcopndojkpbaddhbofnmckd" IssueInstant="2015-05-03T04:08:24.643Z"
                   Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">
    <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">WSO2_IDP</saml2:Issuer>
    <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
      <ds:SignedInfo>
        <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
        <ds:Reference URI="#fecbjhnbjladdihfokcopndojkpbaddhbofnmckd">
          <ds:Transforms>
            <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
            <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
          </ds:Transforms>
          <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
          <ds:DigestValue>nFwyKCsaek+M2IgXv6cBKhKkxl0=</ds:DigestValue>
        </ds:Reference>
      </ds:SignedInfo>
      <ds:SignatureValue>QheQIxioLpDwMg5yQtjHT38eATc7ldte4vHCduNxw3fXNarRiaSAktZpRflPLbFYjaGt7wWu5LTypT54AsiKfGilbc25bkB6BKIBbxbfucpSIHKW1qYbUPmw4QYFccv4DCwj+PffbSR5MgqO94n/0LoF3ExqHa4+tb+kIO0sQb4=</ds:SignatureValue>
      <ds:KeyInfo><ds:X509Data><ds:X509Certificate>…</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
    </ds:Signature>
    <saml2:Subject>
      <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml2:NameID>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc"
                                       NotOnOrAfter="2015-05-03T04:13:24.643Z"
                                       Recipient="https://am.wso2.com:9443/store/jagg/jaggery_acs.jag"/>
      </saml2:SubjectConfirmation>
      <saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml2:SubjectConfirmationData InResponseTo="dnhgclfhfjjlllnmjfboklkkeeeijcdomhacjgfc"
                                       NotOnOrAfter="2015-05-03T04:13:24.643Z"
                                       Recipient="https://am.wso2.com:9443/oauth2/token"/>
      </saml2:SubjectConfirmation>
    </saml2:Subject>
    <saml2:Conditions NotBefore="2015-05-03T04:08:24.643Z" NotOnOrAfter="2015-05-03T04:13:24.643Z">
      <saml2:AudienceRestriction>
        <saml2:Audience>API_STORE</saml2:Audience>
        <saml2:Audience>https://am.wso2.com:9443/oauth2/token</saml2:Audience>
      </saml2:AudienceRestriction>
    </saml2:Conditions>
    <saml2:AuthnStatement AuthnInstant="2015-05-03T04:08:24.644Z" SessionIndex="79e867d8-0aee-488e-b3e1-6c2db01a256d">
      <saml2:AuthnContext>
        <saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef>
      </saml2:AuthnContext>
    </saml2:AuthnStatement>
  </saml2:Assertion>
</saml2p:Response>


 

Create Application and  Generate Consumer Key/Secret


1. Create a new application (e.g. TestApp) in the Store, subscribe to an API with it and generate its consumer key and secret.



 

Generate OAuth Token - Type 1



1. Now you can generate an OAuth token using the command below:

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Base 64 URL encoded SAML assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64Encode(consumer Key:consumer Secret)>" -H "Content-Type: application/x-www-form-urlencoded" https://am.wso2.com:9443/oauth2/token

<Base 64 URL encoded SAML assertion>

Take the SAML response obtained in the steps above, capture only the SAML assertion (the <saml2:Assertion> element) and Base64-URL-encode it, for example with http://kjur.github.io/jsjws/tool_b64uenc.html.

<base64Encode(consumer Key:consumer Secret)>

Base64-encode the string consumer Key:consumer Secret, for example with https://www.base64encode.org/.


The output would be:

{"scope":"PRODUCTION","token_type":"Bearer","expires_in":3299,"refresh_token":"9b1354db82ce8a2eaf2b66ff965a3da","access_token":"74cac5b8259d15f39c4be9352655a969"}
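The Type 1 steps above (cut the <saml2:Assertion> element out of the decoded response, Base64-URL-encode it, Base64-encode consumer Key:consumer Secret) carried out in Python, with a preflight of the Issuer, bearer Recipient, Audience and validity-window checks that the token endpoint enforces under the Identity Provider and Service Provider settings configured earlier. This is an added example, not code from the post or from WSO2: the sample Response is constructed, the function names are mine, and it only builds the request (it does not send it, and XML signature verification is left to the token endpoint).

```python
import base64
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone
from urllib.parse import urlencode

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
GRANT = "urn:ietf:params:oauth:grant-type:saml2-bearer"
_ASSERTION = re.compile(r"<saml2:Assertion\b.*?</saml2:Assertion>", re.S)

def extract_assertion(response_xml):
    """Cut the <saml2:Assertion> element out of the decoded Response as raw text."""
    # Kept byte-for-byte as issued: re-serialising or pretty-printing it would break the IdP's XML signature.
    m = _ASSERTION.search(response_xml)
    if not m:
        raise ValueError("response carries no saml2:Assertion element")
    return m.group(0)

def _utc(ts):
    # IS emits millisecond UTC timestamps such as 2015-05-03T04:08:24.643Z
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def check_assertion(assertion_xml, issuer, token_endpoint, now):
    """Reasons the token endpoint would reject this assertion (empty list = passes)."""
    # The XML signature is verified by the token endpoint with the IdP certificate registered in AM.
    a = ET.fromstring(assertion_xml)
    problems = []
    if a.findtext("saml2:Issuer", default="", namespaces=NS) != issuer:
        problems.append("Issuer does not match the Identity Provider Entity Id")
    recipients = {d.get("Recipient") for sc in a.findall("saml2:Subject/saml2:SubjectConfirmation", NS)
                  if sc.get("Method") == BEARER for d in sc.findall("saml2:SubjectConfirmationData", NS)}
    if token_endpoint not in recipients:
        problems.append("no bearer SubjectConfirmation with Recipient = token endpoint")
    audiences = {x.text for x in a.findall("saml2:Conditions/saml2:AudienceRestriction/saml2:Audience", NS)}
    if token_endpoint not in audiences:
        problems.append("token endpoint missing from AudienceRestriction")
    cond = a.find("saml2:Conditions", NS)
    if cond is None or not (_utc(cond.get("NotBefore")) <= now < _utc(cond.get("NotOnOrAfter"))):
        problems.append("assertion outside its NotBefore/NotOnOrAfter window")
    return problems

def build_token_request(assertion_xml, consumer_key, consumer_secret, scope="PRODUCTION"):
    """Headers and form body of the POST that the curl command above sends to /oauth2/token."""
    assertion_b64url = base64.urlsafe_b64encode(assertion_xml.encode("utf-8")).decode("ascii")
    basic = base64.b64encode(f"{consumer_key}:{consumer_secret}".encode("utf-8")).decode("ascii")
    headers = {"Authorization": f"Basic {basic}", "Content-Type": "application/x-www-form-urlencoded"}
    body = urlencode({"grant_type": GRANT, "assertion": assertion_b64url, "scope": scope})
    return headers, body

SAMPLE_RESPONSE = (  # constructed, modelled on the Response logged above; signature and certificate left out
    '<saml2p:Response ID="r1" Version="2.0" xmlns:saml2p="urn:oasis:names:tc:SAML:2.0:protocol">'
    '<saml2:Assertion ID="a1" Version="2.0" xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion">'
    '<saml2:Issuer>WSO2_IDP</saml2:Issuer><saml2:Subject><saml2:NameID>admin</saml2:NameID>'
    '<saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData '
    'NotOnOrAfter="2015-05-03T04:13:24.643Z" Recipient="https://am.wso2.com:9443/oauth2/token"/>'
    '</saml2:SubjectConfirmation></saml2:Subject>'
    '<saml2:Conditions NotBefore="2015-05-03T04:08:24.643Z" NotOnOrAfter="2015-05-03T04:13:24.643Z">'
    '<saml2:AudienceRestriction><saml2:Audience>API_STORE</saml2:Audience>'
    '<saml2:Audience>https://am.wso2.com:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction>'
    '</saml2:Conditions></saml2:Assertion></saml2p:Response>')
```

Because the token endpoint rejects any assertion whose Audience or bearer Recipient is not its own URL, running check_assertion on a captured Response before submitting it shows exactly which of the Service Provider settings above is missing.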




Generate OAuth Token - Type 2

 

1. Alternatively, you can use the SAML2AssertionCreator tool (developed by the WSO2 IS team) to create a signed, Base64-URL-encoded SAML assertion directly from the Identity Provider's keystore and then generate the OAuth token with it.

2. Unzip the SAML2AssertionCreator.zip file and execute the following command inside the SAML2AssertionCreator directory:
java -jar SAML2AssertionCreator.jar <Identity_Provider_Entity_Id> <user_name> <recipient> <requested_audience> <Identity_Provider_JKS_file> <Identity_Provider_JKS_password> <Identity_Provider_certificate_alias>  <private_key_password>

eg:

java -jar SAML2AssertionCreator.jar WSO2_IDP admin https://am.wso2.com:9443/oauth2/token https://am.wso2.com:9443/oauth2/token /home/ajith/wso2/blog/wso2is-5.0.0/repository/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon

3. The tool prints the Base64-URL-encoded SAML2 assertion.

4. Execute the following command to get the OAuth token:

curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Base 64 URL encoded SAML assertion>&scope=PRODUCTION" -H "Authorization: Basic <base64Encode(ConsumerKey:ConsumerSecret)>" -H "Content-Type: application/x-www-form-urlencoded" https://am.wso2.com:9443/oauth2/token