
OAuth Token Hashing

WSO2 Identity Server (WSO2 IS) allows you to enable OAuth2 token hashing to protect OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes.

Note

  • Token hashing is only required if there are long-lived tokens.

  • If you want to enable this feature, WSO2 recommends using a fresh WSO2 Identity Server distribution.

  • To use this feature with an existing database, you may need to migrate the existing data before you enable the feature. If that is the case, contact us.


Set up OAuth token hashing

  1. Add the following configurations to the deployment.toml file found in the <IS_HOME>/repository/conf folder.

    • Add the following token persistence processor to enable token hashing:

      [oauth.extensions]
      token_persistence_processor = "org.wso2.carbon.identity.oauth.tokenprocessor.HashingPersistenceProcessor"

    • Add the following property and set it to true to enable hashing.

      [oauth]
      hash_tokens_and_secrets = true

    • Add the following configuration to specify the algorithm to use for hashing:

      [oauth]
      hash_token_algorithm = "SHA-256"

      Tip

      WSO2 Identity Server allows you to use any hashing algorithm supported by MessageDigest. For the list of supported algorithms, see MessageDigest Algorithms.

      The default algorithm for hashing is SHA-256.

      Because deployment.toml is parsed as TOML, do not repeat the [oauth] table header; put hash_tokens_and_secrets and hash_token_algorithm under a single [oauth] table.

  2. Run the appropriate database command to remove the CON_APP_KEY constraint from the IDN_OAUTH2_ACCESS_TOKEN table.

    For example, if you are using an H2 database, you need to run the following command:

    ALTER TABLE IDN_OAUTH2_ACCESS_TOKEN DROP CONSTRAINT IF EXISTS CON_APP_KEY

    Tip

    In general, for a specified consumer key, user, and scope, there can be only one active access token. The CON_APP_KEY constraint in the IDN_OAUTH2_ACCESS_TOKEN table enforces this by allowing only one active access token to exist for the specified consumer key, user, and scope values.

    When hashing is enabled, the server stores only the hash of a token and therefore cannot hand a previously issued token back to the client, so a new access token is issued for every access token request. As a result, for a given consumer key, user, and scope, there can be multiple active access tokens. To allow multiple active access tokens to coexist, you need to remove the CON_APP_KEY constraint from the IDN_OAUTH2_ACCESS_TOKEN table.
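    The following Java sketch is added here to show what switching to a hashing persistence processor changes; it is illustrative and is not WSO2's HashingPersistenceProcessor. Tokens are run through MessageDigest with the configured hash_token_algorithm before they are stored, validation hashes the presented token and looks the digest up, and because the plaintext is never retrievable a fresh token is minted on every request, which is why more than one active row per consumer key, user and scope appears once CON_APP_KEY is dropped. The in-memory map standing in for IDN_OAUTH2_ACCESS_TOKEN, the hex encoding of the digest and the sample client key, user and scope are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.*;

public class HashedTokenStore {
    private final String algorithm;  // the value configured as oauth.hash_token_algorithm
    // Assumed in-memory stand-in for IDN_OAUTH2_ACCESS_TOKEN rows: digest -> "consumerKey|user|scope"
    private final Map<String, String> rowsByHash = new HashMap<>();
    private final SecureRandom random = new SecureRandom();
    HashedTokenStore(String algorithm) { this.algorithm = algorithm; }
    // Digest the token with MessageDigest; the hex digest is what gets persisted instead of the token.
    String hash(String token) {
        try {
            byte[] digest = MessageDigest.getInstance(algorithm).digest(token.getBytes(StandardCharsets.UTF_8));
            StringBuilder hex = new StringBuilder();
            for (byte b : digest) hex.append(String.format("%02x", b));
            return hex.toString();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("hash_token_algorithm not supported by MessageDigest: " + algorithm, e);
        }
    }
    // Issue a fresh random token, persist only its digest, and hand the plaintext to the client once.
    String issue(String consumerKey, String user, String scope) {
        byte[] raw = new byte[32];
        random.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        rowsByHash.put(hash(token), consumerKey + "|" + user + "|" + scope);
        return token;
    }
    // Validate by hashing the presented token and looking the digest up; plaintext is never compared.
    Optional<String> validate(String presented) {
        return Optional.ofNullable(rowsByHash.get(hash(presented)));
    }
    // Count active rows for one consumer key, user and scope: several once hashing is on.
    long activeTokens(String consumerKey, String user, String scope) {
        String key = consumerKey + "|" + user + "|" + scope;
        return rowsByHash.values().stream().filter(key::equals).count();
    }

    public static void main(String[] args) {
        HashedTokenStore store = new HashedTokenStore("SHA-256");
        String first = store.issue("client-key", "alice", "openid");
        String second = store.issue("client-key", "alice", "openid");  // same tuple, yet a new token
        System.out.println("both valid: " + (store.validate(first).isPresent() && store.validate(second).isPresent()));
        System.out.println("active rows for the tuple: " + store.activeTokens("client-key", "alice", "openid"));
    }
}
```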


Register a service provider

To register your application as a service provider in the WSO2 Identity Server:

  1. Log in to the WSO2 Identity Server Management Console using administrator credentials.

  2. Go to Main > Identity > Service Providers > Add.

  3. Enter a Service Provider Name. Optionally, enter a Description.

  4. Click Register.


Configure the service provider

Make the following changes to the created service provider.

  1. Expand Inbound Authentication Configuration > OAuth/OpenID Connect Configuration and click Configure.

  2. Enter the Callback Url.

    Note

    The Callback Url is the exact location in the service provider's application to which an access token will be sent. This URL should be the URL of the page that the user is redirected to after successful authentication.

  3. Click Add. Note the OAuth Client Key and OAuth Client Secret that appear.

Tip

For more advanced configuration options, see OAuth/OpenID Connect Configurations.

Tip

The OAuth Client Secret (consumer secret) is displayed in plain text only once, because only its hash is stored. Be sure to copy and save it for later use.

You have successfully set up OAuth token hashing. Now all of the OAuth2 access tokens, refresh tokens, consumer secrets, and authorization codes will be hashed in the database.
