
Configure JWT bearer grant

You can add a trusted token issuer so that a JWT assertion issued by it can be exchanged for an OAuth 2.0 access token, which is then used to access protected resources on behalf of the resource owner.

Learn how to configure the OAuth 2.0 JWT bearer grant flow in WSO2 Identity Server. Refer to JWT bearer grant for more information on how the flow works.

Follow this guide for instructions.

Register a trusted token issuer

To exchange a third-party token for a WSO2 Identity Server token, you need to register the third-party token issuer as a trusted token issuer in your WSO2 Identity Server organization.

To register a trusted token issuer:

  1. On the WSO2 Identity Server console, go to Connections.
  2. Click New Connections and then click Create on Trusted Token Issuer.
  3. Enter the following details of the trusted token issuer:

    Trusted token issuer name: A unique name for the new trusted token issuer.

    Issuer: A unique issuer value of the trusted token issuer. This is the value of the iss claim in the JWT generated by the configured identity provider.
    Example: https://third-party-token-issuers.io/oauth2/token

    Alias: The name by which the trusted token issuer knows WSO2 Identity Server. The aud claim of the token should include the WSO2 Identity Server organization's issuer value. If the aud claim doesn't include the organization's issuer value, the system validates the alias value you assign here against the aud claim.
    Example: https://third-party-token-issuers.io/oauth2/token

  4. Click Next and provide the mode of certificate configuration.

    • JWKS endpoint: The JWKS endpoint of the trusted token issuer.

      Note

      For JWKS endpoints, the default read timeout equals 1000 milliseconds. To update this value, add the following parameter to the deployment.toml file in the <PRODUCT_HOME>/conf/repository directory.

      [oauth.jwks_endpoint]
      read_timeout = <value in milliseconds>
      
    • Use PEM certificate: Upload or paste the public certificate of the trusted token issuer in the PEM format.

      Convert .crt, .cer or .der to the .pem format using OpenSSL. Files with a .crt or .cer extension are usually PEM-encoded already; .der files are binary, so their input format must be given explicitly.

      Convert CRT to PEM:
      openssl x509 -in cert.crt -out cert.pem

      Convert CER to PEM:
      openssl x509 -in cert.cer -out cert.pem

      Convert DER to PEM:
      openssl x509 -inform DER -in cert.der -out cert.pem


  5. Click Finish to add the new trusted token issuer.

Enable JWT bearer grant in your app

Before you begin

You need to register a standard-based OIDC application with WSO2 Identity Server.

To enable JWT bearer grant in your application:

  1. On the WSO2 Identity Server Console, go to Applications.

  2. Open your application from the list and go to the Protocol tab.

  3. Add JWT Bearer under the Allowed grant types.

  4. Click Update to save the configurations.

Try it out

Follow the steps given below.

  1. Get the JWT token received from the third-party token issuer.

  2. The application sends the access request to the token endpoint in WSO2 Identity Server with the following:

    • JWT bearer grant type.

    • JWT assertion created by the third-party token issuer.

    • Service provider's client ID and client secret.

  3. Execute the following cURL command to exchange the third-party token for a WSO2 Identity Server token.

    curl -v -k -X POST {{ base_url }}/oauth2/token \
    --header "Authorization: Basic <Base64Encoded(CLIENT_ID:CLIENT_SECRET)>" \
    --header "Content-Type:application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer" \
    --data-urlencode "assertion=<jwt_token>"
    

    Upon successful execution, you will receive the exchanged token issued by WSO2 Identity Server.

Note

While configuring the JWT bearer grant type, the iat validity period can also be configured in the deployment.toml file in <IS_HOME>/repository/conf, as shown below. The default value is 30 minutes.

[oauth.grant_type.jwt]
enable_iat_validation="true"
iat_validity_period=30
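The checks implied by the trusted-token-issuer settings above (Issuer against iss, the organization's issuer value or the Alias against aud) and by the iat_validity_period note, together with the token-endpoint request from the Try it out section, as an added Python example that is not WSO2 Identity Server code. The issuer, alias and client values are constructed, and signature verification against the JWKS endpoint or PEM certificate is left out.

```python
import base64
import json
import time

# Constructed values standing in for the console settings described above (not real endpoints).
ISSUER = "https://third-party-token-issuers.io/oauth2/token"  # "Issuer" field: expected iss claim
ORG_ISSUER = "https://localhost:9443/oauth2/token"            # the organization's own issuer value
ALIAS = "wso2-is-dev-alias"                                   # "Alias" field, checked when aud lacks ORG_ISSUER
IAT_VALIDITY_MIN = 30                                         # iat_validity_period from deployment.toml

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def make_sample_assertion(claims: dict) -> str:
    """Build an UNSIGNED compact JWT (empty signature) purely to exercise the claim checks."""
    header = b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url_encode(json.dumps(claims).encode())}."

def decode_claims(assertion: str) -> dict:
    """Return the payload of a compact JWT. Signature verification (JWKS or PEM) is done separately."""
    _header, payload, _signature = assertion.split(".")
    return json.loads(b64url_decode(payload))

def validate_claims(claims: dict, now=None):
    """Apply the trusted-token-issuer rules from the page: iss, aud-or-alias, exp and the iat window."""
    now = int(time.time()) if now is None else now
    if claims.get("iss") != ISSUER:
        return False, "iss does not match the registered trusted token issuer"
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else aud
    # aud must carry the organization's issuer value; otherwise the alias is validated against aud.
    if ORG_ISSUER not in aud and ALIAS not in aud:
        return False, "aud contains neither the organization's issuer value nor the alias"
    exp = claims.get("exp")
    if exp is None or now >= exp:
        return False, "assertion has expired or carries no exp claim"
    iat = claims.get("iat")
    if iat is None or now - iat > IAT_VALIDITY_MIN * 60:
        return False, f"iat is older than the {IAT_VALIDITY_MIN}-minute validity period"
    return True, "ok"

def build_token_request(assertion: str, client_id: str, client_secret: str):
    """Headers and form fields for the token-endpoint call shown in the cURL command."""
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": f"Basic {creds}",
               "Content-Type": "application/x-www-form-urlencoded"}
    form = {"grant_type": "urn:ietf:params:oauth:grant-type:jwt-bearer", "assertion": assertion}
    return headers, form
```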

Refer to JWT Bearer grant for more information on how the flow works.