|
| 1 | +# Configure a custom token issuer |
| 2 | + |
| 3 | +This guide explains how to configure token issuers in {{ product_name }}. A token issuer determines the format and structure of the tokens generated by the authorization server. |
| 4 | + |
| 5 | +## Understand token issuers |
| 6 | + |
| 7 | +{{ product_name }} provides two out-of-the-box token issuers: |
| 8 | + |
| 9 | +- **OauthTokenIssuer** (default): Generates opaque access tokens (UUID-based). |
| 10 | +- **JWTTokenIssuer**: Generates self-contained JWT access tokens. |
| 11 | + |
| 12 | +You can configure either of these issuers as the default token generator. Or, you can implement and register a custom token issuer. |
| 13 | + |
| 14 | +## Configure the default token issuer |
| 15 | + |
| 16 | +You can set the default token issuer using the `token_generator` configuration. This configuration replaces the `self_contained` configuration used in previous versions. |
| 17 | + |
| 18 | +To set the default token issuer: |
| 19 | + |
| 20 | +1. Open the `deployment.toml` file found in the `<IS_HOME>/repository/conf/` directory. |
| 21 | + |
| 22 | +2. Add the following configuration: |
| 23 | + |
| 24 | + ```toml |
| 25 | + [oauth.extensions] |
| 26 | + token_generator = "org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer" |
| 27 | + ``` |
| 28 | + |
| 29 | + !!! note |
| 30 | + By default, {{ product_name }} uses `OauthTokenIssuer` (which generates opaque tokens). The example above shows how to switch to `JWTTokenIssuer` for generating JWT access tokens. |
| 31 | + |
| 32 | +3. Restart the server to apply the changes. |
| 33 | + |
| 34 | +After this configuration, the authorization server generates tokens using the specified issuer for all token requests. |
| 35 | + |
| 36 | +--- |
| 37 | + |
| 38 | +## Register a custom token issuer |
| 39 | + |
| 40 | +If you want to use a custom token issuer, you must register it under `SupportedTokenTypes`. This registration allows {{ product_name }} to recognize and use your custom implementation. |
| 41 | + |
| 42 | +### Prerequisites |
| 43 | + |
| 44 | +Write a custom token issuer by implementing the `org.wso2.carbon.identity.oauth2.token.OauthTokenIssuer` interface or extending an existing token issuer class such as `org.wso2.carbon.identity.oauth2.token.JWTTokenIssuer`. |
| 45 | + |
| 46 | +### Register the custom issuer |
| 47 | + |
| 48 | +To register a custom token issuer: |
| 49 | + |
| 50 | +1. Package your custom implementation as a JAR file. |
| 51 | + |
| 52 | +2. Place the JAR file in the `<IS_HOME>/repository/components/lib/` directory. |
| 53 | + |
| 54 | +3. Open the `deployment.toml` file. |
| 55 | + |
| 56 | +4. Add the following configuration to register your custom token issuer: |
| 57 | + |
| 58 | + ```toml |
| 59 | + [[oauth.extensions.token_types]] |
| 60 | + name = "CustomTokenIssuer" |
| 61 | + issuer = "org.wso2.carbon.identity.extensions.CustomTokenIssuer" |
| 62 | + persist_access_token_alias = true |
| 63 | + ``` |
| 64 | + |
| 65 | + !!! info |
| 66 | + - The `name` parameter defines a unique identifier for this token type. |
| 67 | + - The `issuer` parameter specifies the fully qualified class name of your custom token issuer. |
| 68 | + - The `persist_access_token_alias` parameter (optional) determines whether to persist the token alias. |
| 69 | + |
| 70 | +5. Restart the server to apply the changes. |
| 71 | + |
| 72 | +After this configuration, {{ product_name }} recognizes your custom token issuer. |
| 73 | + |
| 74 | +--- |
| 75 | + |
| 76 | +## Register a custom issuer as the JWT token issuer |
| 77 | + |
| 78 | +To replace the default JWT token issuer with your custom implementation, register it with the name `JWT`. |
| 79 | + |
| 80 | +To register a custom issuer as the JWT token issuer: |
| 81 | + |
| 82 | +1. Open the `deployment.toml` file. |
| 83 | + |
| 84 | +2. Add the following configuration: |
| 85 | + |
| 86 | + ```toml |
| 87 | + [[oauth.extensions.token_types]] |
| 88 | + name = "JWT" |
| 89 | + issuer = "org.wso2.carbon.identity.extensions.CustomJWTTokenIssuer" |
| 90 | + ``` |
| 91 | + |
| 92 | +3. Restart the server to apply the changes. |
| 93 | + |
| 94 | +After this configuration, your custom issuer generates JWT tokens when an application requests them. |
| 95 | + |
| 96 | +--- |
| 97 | + |
| 98 | +## Set a custom issuer as the default token issuer |
| 99 | + |
| 100 | +To make your custom token issuer the default for all token requests server-wide, register it with the name `Default` and set it in the `token_generator` configuration. |
| 101 | + |
| 102 | +To set a custom issuer as the default token issuer: |
| 103 | + |
| 104 | +1. Open the `deployment.toml` file. |
| 105 | + |
| 106 | +2. Add the following configuration: |
| 107 | + |
| 108 | + ```toml |
| 109 | + [oauth.extensions] |
| 110 | + token_generator = "org.wso2.carbon.identity.extensions.CustomJWTTokenIssuer" |
| 111 | + |
| 112 | + [[oauth.extensions.token_types]] |
| 113 | + name = "Default" |
| 114 | + issuer = "org.wso2.carbon.identity.extensions.CustomJWTTokenIssuer" |
| 115 | + ``` |
| 116 | + |
| 117 | + !!! note "Why register as 'Default'?" |
| 118 | + Registering your custom token issuer with the name `Default` in `SupportedTokenTypes` ensures that {{ product_name }} recognizes it as the primary token issuer. This registration aligns with the behavior expected by the OAuth framework. |
| 119 | + |
| 120 | +3. Restart the server to apply the changes. |
| 121 | + |
| 122 | +After this configuration, your custom token issuer acts as the default issuer for all token requests server-wide. |
0 commit comments