
We have a requirement to generate an access token without using the user's password. The user's email and the client's id and secret can be provided. This will be used internally within a specific client.

What is the best way of fulfilling this requirement? Should we change the implementation in the Password Grant Handler, or can we have some other implementation? If a custom grant type is implemented, we don't want it to be exposed in the OpenID configuration.

WSO2 IS v5.10.0


1 Answer


The main purpose of an access token is to provide authorization to a user's resources on behalf of the user. That is why WSO2 IS prompts the login page to authenticate the user and get the user's consent. When an application gets an access token on behalf of a user, the user should be authenticated using some mechanism and should be aware of it, the provided scopes, the requested claims, etc.

The Client Credentials grant is used when applications request an access token to access their own resources, not on behalf of a user. If you don't want to access the resources of users (APIs of users), then you can go with the client credentials grant type.

In case you want to access users' resources and don't want them to enter a password, or if you don't want the default authentication by IS, then you can use social logins (e.g. Google, Facebook) and log in using those federated authenticators. In that case, users will not be explicitly prompted to enter a password on the IS login page. They will be logged in via Google or Facebook instead. https://is.docs.wso2.com/en/5.10.0/learn/configuring-federated-authentication/
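The answer's distinction between the grant types is easiest to see in a toy token endpoint. The following is an added example written for this page, not WSO2 Identity Server code; the client, user, authorization code and the custom grant name `urn:example:params:oauth:grant-type:email` are constructed. It models three things the answer relies on: `client_credentials` produces a token for the client itself, `password` and `authorization_code` produce a user token only after something proved the user was present, and a grant that mints a user token from an e-mail alone turns the client secret into a key that impersonates every user.

```python
"""Toy OAuth2 token endpoint (example code, not WSO2 IS code).

Models the answer's point about grant choice: client_credentials speaks for
the client, user grants require proof the user was present, and an
e-mail-only custom grant gives that up.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data (hypothetical). The password store is a toy; real
# systems use salted, slow hashes.
CLIENTS = {"app-1": "s3cret-app-1"}
USERS = {"alice@example.com": hashlib.sha256(b"alice-pw").hexdigest()}
# Codes issued after the user logged in at the authorization endpoint
# (locally or via a federated IdP such as Google). One-time use.
CODES = {"code-xyz": "alice@example.com"}

# Hypothetical name for the custom grant the question proposes.
EMAIL_GRANT = "urn:example:params:oauth:grant-type:email"


class GrantError(Exception):
    """OAuth2 error code: invalid_client, invalid_grant, unsupported_grant_type."""


@dataclass(frozen=True)
class Token:
    sub: str                  # who the token speaks for
    client_id: str            # which client obtained it
    user_authenticated: bool  # did the flow itself prove the user was present?


def _authenticate_client(params):
    client_id = params.get("client_id", "")
    secret = CLIENTS.get(client_id)
    if secret is None or not hmac.compare_digest(secret, params.get("client_secret", "")):
        raise GrantError("invalid_client")
    return client_id


def issue_token(params):
    """Handle one token request; `params` is the form body of POST /oauth2/token."""
    client_id = _authenticate_client(params)
    grant = params.get("grant_type")

    if grant == "client_credentials":
        # The client acts for itself; there is no user in this token.
        return Token(sub=client_id, client_id=client_id, user_authenticated=False)

    if grant == "password":
        user = params.get("username", "")
        digest = hashlib.sha256(params.get("password", "").encode()).hexdigest()
        if user not in USERS or not hmac.compare_digest(USERS[user], digest):
            raise GrantError("invalid_grant")
        return Token(sub=user, client_id=client_id, user_authenticated=True)

    if grant == "authorization_code":
        # The code exists only because the user already authenticated (possibly
        # at a federated IdP) and consented; redeeming it proves that step happened.
        user = CODES.pop(params.get("code", ""), None)
        if user is None:
            raise GrantError("invalid_grant")
        return Token(sub=user, client_id=client_id, user_authenticated=True)

    if grant == EMAIL_GRANT:
        # Nothing here shows the user was present: only the client was checked.
        return Token(sub=params.get("email", ""), client_id=client_id, user_authenticated=False)

    raise GrantError("unsupported_grant_type")


def can_impersonate_any_user(client_id, client_secret, victim):
    """True if the client secret alone is enough to obtain a user token for `victim`."""
    try:
        tok = issue_token({"grant_type": EMAIL_GRANT, "client_id": client_id,
                           "client_secret": client_secret, "email": victim})
    except GrantError:
        return False
    return tok.sub == victim and not tok.user_authenticated
```

`can_impersonate_any_user("app-1", "s3cret-app-1", "bob@example.com")` returns `True` even though no `bob@example.com` exists in `USERS`: with the e-mail grant, the client secret is the only credential, which is the property the answer objects to. The same request under `client_credentials` yields a token whose `sub` is the client, not a user.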

  • I need to generate an access token for user authorization, so client credentials won't be useful for my use case. Will a custom OAuth2 grant type not work for this use case? – Abhishek Kandi Apr 20 '21 at 05:33
  • Just generating the access token based on the user name is not secure. Although it is achievable using custom grant types, this won't serve the purpose of authentication. – Inthirakumaaran Apr 21 '21 at 07:41
  • @Inthirakumaaran This user actually gets authenticated in an external IdP, which returns the authorization_code, using which we generate that external system's access token. We also want to generate a WSO2 IS token, but we don't have the user's password at this stage, so we planned to use this custom grant type. We could add one IdP in WSO2 IS which can be configured as a federated authenticator, which will authenticate the user and provide a WSO2 IS token, but we also want to retain the external system's access token. Also open to any other solution if you could suggest one. – Abhishek Kandi Apr 21 '21 at 11:51
  • An access token provided by IS cannot be used to access the resources protected by the federated IdP. – Piraveena Paralogarajah Apr 22 '21 at 03:08
  • Right @PiraveenaParalogarajah! We want to access two types of resources: ones which are protected by the federated IdP, and other resources (our own APIs) which are protected by the WSO2 IdP. – Abhishek Kandi Apr 22 '21 at 05:30
  • @PiraveenaParalogarajah Is there a way to send this federated IdP's access token as one of the custom claims in the WSO2 IdP's access token? – Abhishek Kandi Apr 22 '21 at 07:06
  • @AbhishekKandi Passing an access token as a custom claim is a security risk. I don't think it is a recommended way. – Piraveena Paralogarajah Apr 22 '21 at 12:53
  • @PiraveenaParalogarajah If I had to do it, how can I do it? As a security measure we will encrypt it and send it to mitigate the risk. – Abhishek Kandi Apr 22 '21 at 12:57
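The last exchange turns on whether the federated IdP's access token can ride inside the WSO2 IS token as a custom claim. The following added example, which is not from the thread or from WSO2, shows what that means when the WSO2 token is issued as a self-contained JWT: the payload is only base64url-encoded and signed, so every party that receives the token (resource servers, gateways, log pipelines) can read the embedded federated token without the signing key. The HS256 key, the issuer, the token values and the claim name `federated_access_token` are all constructed for the example.

```python
"""Added example: a JWT claim is integrity protected, not confidential.

Not WSO2 code. Builds a JWS-style JWT (base64url(header).base64url(payload)
.base64url(signature)) and shows that reading the payload needs no key,
while verifying it does.
"""
import base64
import hashlib
import hmac
import json

SIGNING_KEY = b"constructed-hs256-key"  # constructed; IdPs usually sign with RS256 keys


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    # Restore the padding that JWTs strip.
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_jwt(claims: dict, key: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (_b64url(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def read_claims_without_key(token: str) -> dict:
    """What any token holder can do: decode the payload, no key, no verification."""
    _, payload_b64, _ = token.split(".")
    return json.loads(_b64url_decode(payload_b64))


def verify_hs256(token: str, key: bytes) -> bool:
    """Checking integrity needs the key; reading (above) does not."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))


# Constructed token of the shape discussed in the comments: a WSO2-issued user
# token carrying the federated IdP's access token as a custom claim.
WSO2_TOKEN = make_hs256_jwt({
    "iss": "https://localhost:9443/oauth2/token",
    "sub": "alice@example.com",
    "aud": "app-1",
    "federated_access_token": "ya29.CONSTRUCTED-federated-token",
}, SIGNING_KEY)


def leaked_federated_token(token: str) -> str:
    """The embedded federated token as seen by a party that holds no key at all."""
    return read_claims_without_key(token).get("federated_access_token", "")
```

`leaked_federated_token(WSO2_TOKEN)` returns the embedded value to anyone who merely holds the WSO2 token, while `verify_hs256` is the only step that depends on the key. Encrypting the claim value, as proposed in the last comment, changes which parties can read it but not the fact that the federated token now travels with, and shares the exposure of, every copy of the WSO2 token; that trade-off is the risk the comments refer to.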