Working with Request Object in WSO2 Identity Server

A request object can be passed to the authorize endpoint in two ways:

  1. request parameter (passed by value)
  2. request_uri parameter (passed by reference)

How to Test the Request Object Passed-by-Value Flow

Step 01

  • Add two new external claims (customClaim1 and customClaim2). Here we create two claims under the OIDC dialect and map each of them to a local claim.
  • Navigate to Main -> Claims -> Add -> Add External Claim and create them with the following values:
Dialect URI : http://wso2.org/oidc/claim
External Claim URI : customClaim1
Mapped Local Claim : http://wso2.org/claims/challengeQuestion1

Dialect URI : http://wso2.org/oidc/claim
External Claim URI : customClaim2
Mapped Local Claim : http://wso2.org/claims/challengeQuestion2
  1. Navigate to <IS_HOME>/repository/resources/security
  2. Execute the command below. It generates a 2048-bit RSA private key (key.pem) and a self-signed certificate (certificate.pem) for the service provider; -nodes leaves the private key unencrypted, which is acceptable only for a throwaway test key like this one.
openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 365 -out certificate.pem
  • Navigate to Main -> Service Provider -> Add and create a service provider.
  • In the Basic Information section, set Application Certificate to "Upload SP certificate".
  • Paste the contents of certificate.pem (the public certificate you generated for the service provider, not the private key) into the text box. This is the certificate IS uses to validate the signature of request objects sent by this client.
  • Navigate to Inbound Authentication Configuration.
  • Select OAuth/OpenID Connect Configuration.
  • Click Configure, add the callback URL (http://localhost:8080/playground2/oauth2client) and update the SP.
  • Edit the service provider you created above, expand Claim Configuration and select Use Local Claim Dialect.
  • Navigate to Main -> Users and Roles and add a new user.
  • Create a new user named Alex.
  • Then update his profile.
  • In the user profile you will be asked to enter an email address, challenge question 1, challenge question 2 and country. Fill these in: challengeQuestion1 and challengeQuestion2 are the local claims behind customClaim1 and customClaim2, so they must have values for the custom claims to be returned.
Next, build the request object payload. It requests customClaim2 (with given_name, nickname and email) from the userinfo endpoint and customClaim1 (with gender and birthdate) in the id_token; "essential": true marks a claim as essential and null marks it as voluntary. The aud is the token endpoint of IS, and iss and sub carry the client id. exp and iat are Unix timestamps; the values below are from October 2021, so replace exp with a time later than when you send the request, otherwise IS rejects the request object as expired.

{
  "client_id": "<client-id>",
  "sub": "<client-id>",
  "aud": [
    "https://localhost:9443/oauth2/token"
  ],
  "claims": {
    "userinfo": {
      "given_name": {
        "essential": true
      },
      "nickname": null,
      "email": {
        "essential": true
      },
      "customClaim2": {
        "essential": true
      }
    },
    "id_token": {
      "gender": null,
      "birthdate": {
        "essential": true
      },
      "customClaim1": {
        "essential": true
      }
    }
  },
  "iss": "<client-id>",
  "exp": 1633415557,
  "iat": 1633411957,
  "jti": "1003"
}
  • Replace <client-id> in client_id, sub and iss with your service provider's client id.
  • Open https://jwt.io and select RS256 as the algorithm.
  • Paste the payload into the payload section.
  • In the VERIFY SIGNATURE section, delete everything inside the two text boxes and paste the public certificate and the private key of the service provider. Do this only with a throwaway test key such as the one generated above; never paste a production private key into a third-party website.
  • Send an authorize request from a browser with response_type=code, passing the encoded JWT copied from jwt.io in the request parameter, and obtain an authorization code:
https://localhost:9443/oauth2/authorize?scope=openid&response_type=code&redirect_uri=http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client&client_id=e_govr0VxJqqiNLAY4LQijXbkOQa&request=<signed-request-jwt>
  • Using the code we obtained, we can get an access token and an ID token (-k skips TLS certificate verification because the local IS uses a self-signed certificate; do not use it against a real deployment):
curl -k -v --user <client_id>:<client_secret> -d "grant_type=authorization_code&code=<code>&redirect_uri=http://localhost:8080/playground2/oauth2client" https://localhost:9443/oauth2/token
  • The playground app can be used instead of the curl command to obtain the access token.
  • Because customClaim1 was requested under id_token in the request object, it is returned in the id_token.
  • Using the curl command below, obtain user information from the userinfo endpoint (the playground app can talk to the userinfo endpoint in place of curl as well). customClaim2 was requested under userinfo, so it appears in this response.
Request:
curl -k -H "Authorization: Bearer <access_token>" https://localhost:9443/oauth2/userinfo
Response:
{"country":"Sri Lanka","sub":"alex","email":"alex@gmail.com","customclaim2":"What is your father's name?"}

Troubleshooting Request Object Expired Error

If you get an error saying the request object has expired, the exp claim of the JWT is earlier than the current time on the IS server. Regenerate and re-sign the JWT with an exp a few minutes in the future, and check that the clock of the machine that signed it is correct.

How To Test Enable Request Object Signature Validation

The registered service provider has a setting named Enable Request Object Signature Validation. With it enabled, IS verifies the signature of the request JWT against the certificate uploaded for the service provider and rejects the authorize request if the JWT is unsigned, signed with a different key, or modified after signing. To test it, turn the setting on and repeat the authorize request once with the JWT signed by key.pem (it succeeds) and once with a JWT signed by some other key or with an edited payload (it fails).
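Pulling the by-value flow above together, the script below is an added example and is not code from the original post or from WSO2. It does with OpenSSL what the jwt.io step does by hand (signs the request object payload with the service provider's private key using RS256 and builds the authorize URL), and then performs the two checks the server performs: it verifies the signature against certificate.pem, which is what Enable Request Object Signature Validation turns on, and it reads exp to decide whether the object would be rejected as expired. Assumptions: IS runs on localhost:9443 with the playground2 redirect URI used above, <client-id> is a placeholder, and the key pair is a throwaway one generated exactly like the openssl command earlier (with -subj added so it does not prompt).

```shell
#!/bin/sh
# Added example, not code from the original post or from WSO2.
# Builds, signs and validates an OIDC request object with OpenSSL only.
# Assumptions: IS at localhost:9443 with the post's playground2 redirect URI,
# "<client-id>" is a placeholder, and the key pair is a throwaway one.
set -eu

IS_AUTHZ_EP="https://localhost:9443/oauth2/authorize"
IS_TOKEN_EP="https://localhost:9443/oauth2/token"      # aud of the request object
REDIRECT_URI="http%3A%2F%2Flocalhost%3A8080%2Fplayground2%2Foauth2client"

# base64url without padding, as JWS requires (RFC 7515 section 2).
b64url() { openssl base64 -A | tr '+/' '-_' | tr -d '='; }
b64url_dec() {
  s=$(tr '_-' '/+')
  case $(( ${#s} % 4 )) in 2) s="$s==" ;; 3) s="$s=" ;; esac
  printf '%s' "$s" | openssl base64 -d -A
}

# $1 = output dir. The post's openssl command, run non-interactively.
make_keypair() {
  openssl req -newkey rsa:2048 -nodes -keyout "$1/key.pem" -x509 -days 365 \
    -subj "/CN=playground2" -out "$1/certificate.pem" 2>/dev/null
}

# $1 = key.pem, $2 = client id, $3 = lifetime in seconds (negative = already expired).
# Prints the compact RS256 JWT, i.e. what jwt.io produces from the payload in the post.
build_request_object() {
  now=$(date +%s)
  header=$(printf '{"typ":"JWT","alg":"RS256"}' | b64url)
  payload=$(printf '{"client_id":"%s","sub":"%s","iss":"%s","aud":["%s"],"iat":%s,"exp":%s,"jti":"%s","claims":{"userinfo":{"email":{"essential":true},"customClaim2":{"essential":true}},"id_token":{"customClaim1":{"essential":true}}}}' \
    "$2" "$2" "$2" "$IS_TOKEN_EP" "$now" "$((now + $3))" "$now" | b64url)
  sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" -binary | b64url)
  printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# $1 = client id, $2 = signed JWT. The URL to open in the browser (by-value flow).
authorize_url() {
  printf '%s?scope=openid&response_type=code&client_id=%s&redirect_uri=%s&request=%s\n' \
    "$IS_AUTHZ_EP" "$1" "$REDIRECT_URI" "$2"
}

# $1 = certificate.pem, $2 = JWT. Returns 0 only if the RS256 signature verifies
# with the SP certificate: the check IS runs when signature validation is enabled.
verify_request_object() {
  tmp=$(mktemp -d)
  openssl x509 -in "$1" -pubkey -noout > "$tmp/pub.pem"
  printf '%s' "${2##*.}" | b64url_dec > "$tmp/sig.bin"
  if printf '%s' "${2%.*}" | openssl dgst -sha256 -verify "$tmp/pub.pem" \
       -signature "$tmp/sig.bin" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$tmp"
  return $rc
}

# $1 = JWT. Prints the exp claim of the (not yet verified) payload.
request_object_exp() {
  p=${1#*.}; p=${p%.*}
  printf '%s' "$p" | b64url_dec | sed -n 's/.*"exp":\([0-9][0-9]*\).*/\1/p'
}

# $1 = JWT. Returns 0 if exp is not in the future: the "request object expired" case.
is_expired() { [ "$(request_object_exp "$1")" -le "$(date +%s)" ]; }

# Demo run: fresh key pair, a 10-minute request object, the URL to open, both checks.
work=$(mktemp -d)
make_keypair "$work"
jwt=$(build_request_object "$work/key.pem" "<client-id>" 600)
authorize_url "<client-id>" "$jwt"
verify_request_object "$work/certificate.pem" "$jwt" && echo "signature: OK"
is_expired "$jwt" || echo "exp: still valid"
rm -rf "$work"
```

Run it with sh and paste the printed URL into the browser after replacing the client id; to reproduce the expired error, pass a negative lifetime to build_request_object, and to reproduce a signature failure, edit one character of the payload segment and run verify_request_object on the result.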

If you are working with the Request Object feature on IS 5.12.0 or above

When the scope is only openid, the id_token will not contain the claims marked essential: true under id_token in the request object payload.
To get those claims in the id_token, add them to a separate custom OIDC scope and pass that custom scope in the scope parameter of the authorize request (for example scope=openid <custom-scope>). See https://github.com/wso2/product-is/issues/13301

Shanika Wickramasinghe

Senior Software Engineer and Freelance Technical Writer. I write about any Computer Science related topic. https://www.linkedin.com/in/shanikawickramasinghe