Skip to content

Extension Points for OAuth

This topic includes a list of all the WSO2 Identity Server extension points related to OAuth and OpenID Connect (OIDC).

Implementing an OAuth Extension

Any OAuth extension listed below can be implemented, by implementing an interface or extending an abstract class as defined under each extension point.

  1. When the implementation is done, package your classes as a .jar file and place it in the <IS_HOME>/repository/component/lib directory.

  2. Next, configure your extension in the <IS_HOME>/repository/conf/deployment.toml file referring to the Configuration section of the respective extension point below.

  3. Restart the server to effect changes.

OAuth Grant Handler

Usage This extension point is useful when you want to support an OAuth flow that is different from standard grant types. This extension point validates the grant, scopes, and access delegation.
Interface org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationGrantHandler
Abstract Class org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler
Sample See Writing a Custom OAuth 2.0 Grant Type for a sample implementation of this extension point.

OAuth Grant Validator


This extension point can be used to implement a grant validator that validates the grant request sent to the ' /oauth2/token ' endpoint. Request parameters and headers can be validated by implementing this extension point.

If a new grant type is being implemented and defined with a new grant type identifier with the OAuth Grant Handler extension, you must also implement a grant validator and register that against the same grant type identifier from the deployment.toml .

If a supported grant type is to be modified you may implement a grant validator if needed, otherwise supported grant type validators can be reused.

Abstract Class org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractValidator

Client Authentication Handler

Usage This extension point can be used when the client credential authentication needs to be customized when issuing tokens. By default WSO2 Identity Server validates the client id and secret.
Interface org.wso2.carbon.identity.core.handler.AbstractIdentityHandler
Abstract Class org.wso2.carbon.identity.oauth2.client.authentication.AbstractOAuthClientAuthenticator
Default Implementation



OAuth Token Generator

Usage This extension point can be used to change the access token, refresh token, authorization code generation logic as preferred. By default a UUID will be generated as the token value.
Interface org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer
Default Implementation


Other Available Implementations org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer

OAuth Callback Handler

Usage This extension point is provided to verify whether the authenticated user is the rightful owner of the resource. There can be multiple active OAuthCallbackHandler implementations at a given time. In run-time, each and every authorization callback handler is invoked to see whether it can handle the given callback. Then the callback with the highest priority is chosen. After handling the callback, the Identity Server can set whether the given callback is authorized or not.
Interface org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandler
Abstract Class org.wso2.carbon.identity.oauth.callback.AbstractOAuthCallbackHandler
Default Implementation org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler

Token Persistence Processor


This extension point can be used to process keys and secrets just before storing them in the database. For example you may need to persist encrypted tokens in the database, in which you can use this extension to encrypt tokens before storing them in the database and to decrypt when retrieving back from database.

If a token persistence processor is to be engaged, it is recommended to configure the respective token processor with the very first configuration of the product. Otherwise already persisted data may need to be migrated to the new format later.

Interface org.wso2.carbon.identity.oauth.tokenprocessor.TokenPersistenceProcessor
Default Implementation


Use this if you want to store access tokens, refresh tokens, authorization codes, and client secrets as plain text values. By default, WSO2 Identity Server hashes access tokens, refresh tokens, authorization codes, and client secrets using two UUIDs and HMAC-SHA1 hash function, which is known to resist the strongest attack known against HMAC. With the default implementation you can use a valid token until it is either revoked or becomes invalid.

Other Available Implementations

Use this if you want to store access tokens, refresh tokens, authorization codes, and client secrets in an encrypted format using the OEAP (RSA/ECB/OAEPwithSHA1andMGF1Padding) algorithm. With this implementation you can use a valid token until it is either revoked or becomes invalid.


OAuth2 token encryption protects OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes. To enable OAuth token encryption, configure the token_persistance_processor as shown below in the <IS_HOME>/repository/conf/deployment.toml file:

Once you configure the token_persistance_processor in the deployment.toml file, and restart WSO2 Identity Server, RSA encryption with RSA/ECB/OAEPwithSHA1andMGF1Padding cipher transformation will be enabled by default.


Use this if you want to store access tokens, refresh tokens, authorization codes and client secrets as hashed values based on a define hashing algorithm. This implementation provides extra protection to vulnerabilities because a new access token is issued for every access token request. If necessary you can also use a valid token until it is either revoked or becomes invalid.


For more information on OAuth token hashing, and for instructions on how to enable OAuth token hashing, see Setting Up OAuth Token Hashing.


OAuth2 Token Validator


This extension point can be used if token validation and scope validation needs to be customized when invoking the token validation endpoint . Token validators can be registered per token type such as ' bearer '.
A default implementation that supports for 'bearer' token type is available.

Interface org.wso2.carbon.identity.oauth2.validators.OAuth2TokenValidator
Default implementation org.wso2.carbon.identity.oauth2.validators.DefaultOAuth2TokenValidator

AuthorizationContext Token Generator


This extension point can be used to customize the token that can be generated relevant to the authorization context by invoking the token validation endpoint .
By default, a JWT token generation implementation is supported with following properties encoded to each token validation request.

  • subscriber, applicationName, apiContext, version, tier, and endUserName
  • Additional properties can be encoded by engaging a claims retriever .
  • The JWT header and body are base64 encoded separately and concatenated with a dot

Finally the token is signed using SHA256 with RSA algorithm.

Interface org.wso2.carbon.identity.oauth2.authcontext.AuthorizationContextTokenGenerator
Default Implementation org.wso2.carbon.identity.oauth2.authcontext.JWTTokenGenerator

Claims Retriever


This extension point can be used if additional claims or properties needs to be engaged to the JWT token generated in the token validation response as explained in extension point above .
The default implementation reads user claim values from the default Carbon user store.

Interface org.wso2.carbon.identity.oauth2.authcontext.ClaimsRetriever
Default Implementation org.wso2.carbon.identity.oauth2.authcontext.DefaultClaimsRetriever

Response Type Handler


This is intended to perform access delegation, scope validation and to issue tokens based on token type such as ' code ', ' token ' etc. Multiple implementations can be registered upon the token type.
This extension can be used if a specific token type needs to be supported or customized.

Interface org.wso2.carbon.identity.oauth2.authz.handlers.ResponseTypeHandler
Abstract Class org.wso2.carbon.identity.oauth2.authz.handlers.AbstractResponseTypeHandler
Available Implementations



UserInfo Access Token Validator


This extension point can be used if access token validation, when accessing ' /oauth2/userinfo ' resource, needs to be changed.
By default, the access token issued is validated against the token validation service and ' scope ' request parameter is validated to have ' openid ' scope.

Interface org.wso2.carbon.identity.oauth.user.UserInfoAccessTokenValidator
Default implementation org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoISAccessTokenValidator

UserInfo Claim Retriever


This extension point can be used if the user claim set returned when invoking ' /oauth2/userinfo ' resource needs to be modified.

Interface org.wso2.carbon.identity.oauth.user.UserInfoClaimRetriever
Default implementation org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoUserStoreClaimRetriever

UserInfo Request Validator


This extension point can be used if the request validation logic, for requests initiated for ' /oauth2/userinfo ', needs to be changed.

The default behavior is validating the schema and authorization header according to the specification .

Interface org.wso2.carbon.identity.oauth.user.UserInfoRequestValidator
Default implementation org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInforRequestDefaultValidator

UserInfo Response Builder


This extension point can be used if the user info response returned when accessing ' /oauth2/userinfo ' resource needs to be changed.
Implementations supporting both JSON and JWT response formats are available. By default JSON format supported implementation is configured.

Interface org.wso2.carbon.identity.oauth.user.UserInfoResponseBuilder
Default Implementation org.wso2.carbon.identity.oauth.endpoint.user.impl.UserInfoJSONResponseBuilder
Other Available Implementations



Adding a custom GrantTypeValidatorImplClass


This can be used to add a custom GrantTypeValidatorImplClass to the refresh_token grant type