Just in time Provisioning

Just-in-time provisioning (JIT) is provisioning users to the Identity Server when a user tries to log into an application through a federated IdP such as Google, Facebook, GitHub, etc. Before looking into JIT provisioning, let’s get a brief idea of the provisioning types available in the WSO2 Identity Server provisioning framework.


Through this article, I’m going to take a deep dive into time-based one-time passwords, commonly known as TOTP. First things first. Let’s start with the basics.

What is two factor authentication?

The following are the three commonly accepted authentication factors, used to prove your identity when logging into a service.

If hackers remotely steal your knowledge factor (e.g. password), then they still shouldn’t be able to get into your account because they won’t…



Nowadays almost all of us have a Facebook account. So if we can log in to an application with our Facebook credentials instead of using separate user IDs and passwords, it will make our lives easier. WSO2 Identity Server has the capability to allow users to log into applications with Facebook credentials.

Through this blog, I will guide you on how to integrate the WSO2 Identity Server with Facebook by configuring a Facebook developer app.

Let’s configure the Facebook app…

First, we need to configure the Facebook developer app. For that, go to https://developers.facebook.com/apps/


Through this blog, I’m going to guide you on how to write a custom federated authenticator for the WSO2 Identity Server to authenticate a user with an external system. The external system can be any identity provider such as Facebook, Twitter, Google or Yahoo. In this blog, I’m using another Identity Server as the federated authenticator, which is referred to as the partner identity server throughout this blog. The extension points available in the WSO2 Identity Server can be used to create custom federated authenticators.

Let’s write the custom federated authenticator


Nowadays data privacy has gained massive attention and crucial value, which has resulted in many data regulations that let users take ownership of their own data and control how businesses use it. Therefore, to accommodate this increased user awareness, businesses need to provide significant transparency about the consumer data they collect and the way that data is going to be used. At this point consent management steals the spotlight: it defines the strategy for gaining the consumer’s consent to manage, use, store or share the consumer’s data. …


As I promised in my Cumulative Risk-Based Adaptive Authentication blog, here I will explain the role of WSO2 IS Analytics when implementing a risk-based adaptive authentication use case. Through this blog, I hope to give you a deeper understanding of the capabilities that WSO2 IS Analytics provides to support risk-based adaptive authentication.

If you have read my previous blogs, you already know that adaptive authentication is a method for selecting the right authentication factors depending on a user’s risk profile and tendencies, adapting the type of authentication to the situation. So, I’m going to explore how…


WSO2 Identity Server can be configured to provision users to marketing solutions via outbound provisioning connectors. Solutions supporting SCIM can be directly integrated with Identity Server. For solutions that have proprietary APIs, the product supports configuring one or more outbound provisioning connectors. Provisioning requests can be sent to the marketing solutions to create/convert leads using the WSO2 Enterprise Integrator (EI). The integrator provides a number of pre-built connectors (e.g. HubSpot, Pardot, Marketo) which can be used to integrate with marketing solutions.

If your business uses or is willing to use enterprise marketing software such as Hubspot or Salesforce, WSO2 IAM…



In WSO2 Identity Server, we can write a custom claim provider as an OSGi service to add new claims to the ID token in the OpenID Connect protocol. In the current implementation, there is an extension point for writing a custom claim provider which can be plugged in to inject claims into the ID token. Through this blog, I will share how to write a custom claim provider.

How to write a custom claim provider

The ClaimProvider interface has two methods, so anyone can implement this interface and publish the service as follows.

The first method can be used when the ID token request comes from Authorize…



OAuth 2.0 Token Introspection defines a protocol that allows authorized protected resources to query the authorization server to determine the set of metadata for a given token that was presented to them by an OAuth client. You can refer to the WSO2 documentation on “Invoke the OAuth Introspection Endpoint” for more details on invoking OAuth 2.0 Token Introspection.

Recently, I wrote a custom introspection data provider to inject some claims into the introspection response. Let me share my experience in writing a custom introspection data provider and how to try it out.

The following config needs to be added to the deployment.toml…


WSO2 Identity Server 5.10.0 supports the OAuth 2.0 device authorization grant, which is designed for Internet-connected devices such as smart TVs, media consoles, digital picture frames, printers and so on. It enables OAuth clients on such devices to obtain user authorization to access protected resources by using a user agent on a separate device.

Let’s get to know about the device authorization grant flow…

Device Code Grant Flow

As shown in the figure above, the client first requests access from the authorization server and includes its client identifier in the request. Here, the client ID is a required parameter and the scope parameter is optional.

Gangani Chamika
