OpenId Connect with WSO2 Identity Server

Identity Server supports the OpenID Connect core specification, which can be found here. If you would like to try out OpenID Connect with Identity Server, you can find the sample here. You can also modify the source and rebuild the web application as you like.

Please note: in this blog post, the sample is created with the Authorization Code grant type. WSO2IS also supports the Password grant type for retrieving an id_token with an OpenID Connect request; please find more details here.

Let's go through the steps.

Step 1. Register an OAuth application in Identity Server.

Important: if you are using WSO2 APIM, you do not need this step. Once you subscribe to an application, the API Store registers an OAuth subscription automatically.

Go to the service provider configuration page and register an SP application.

Configure the OAuth/OpenID Connect settings.




Here, “Callback Url” must be the web application's callback URL.

If you deployed the web application in Apache Tomcat, it would be


OAuth consumer key and secret are generated for you.


Step 2. Deploy the sample web application in Apache Tomcat (or any application server). You can download the sample web application from here.

For Apache Tomcat, you can simply copy openidconnect.war into the <TOMCAT>/webapps directory.

Step 3. Configure the web.xml file according to your Identity Server's configuration.

You can find the web.xml file at <TOMCAT>/webapps/openidconnect/WEB-INF/web.xml

The following parameters must be set:

1. authorizationServerUrl –> URL of Identity Server, which would be


2. consumerKey – Generated consumer key

3. consumerSecret – Generated consumer secret

4. callBackUrl – Callback URL of the web application. This must be the same as what you configured in Identity Server as the callback URL, which is


Step 4. Restart the web server (Tomcat) and try to access the web application.




Step 5. Try to log in to your web application; you will be redirected to Identity Server.

Step 6. You can also retrieve the user's information from the server by calling the /userinfo endpoint.
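As an added illustration (not code from the sample web application or from WSO2), the following Python sketches what the sample does with the four web.xml values: it builds the authorization request with scope=openid, checks the state on the callback, and validates the id_token claims before trusting the login. The Identity Server host and port, the callback path, the issuer value and the sample token are assumptions constructed for this example.

```python
import base64, json, time
from urllib.parse import urlencode, parse_qs, urlparse

# Mirrors the four web.xml parameters from the post; host, port and app path are placeholders.
CONFIG = {
    "authorizationServerUrl": "https://localhost:9443",
    "consumerKey": "CONSUMER_KEY_PLACEHOLDER",
    "consumerSecret": "CONSUMER_SECRET_PLACEHOLDER",
    "callBackUrl": "http://localhost:8080/openidconnect/oauth2client",
}
EXPECTED_ISSUER = CONFIG["authorizationServerUrl"] + "/oauth2/token"  # assumed iss value

def build_authorize_url(cfg, state, nonce):
    """Authorization-code request; 'openid' scope asks for an id_token, state/nonce bind it."""
    params = {"response_type": "code", "client_id": cfg["consumerKey"],
              "redirect_uri": cfg["callBackUrl"], "scope": "openid",
              "state": state, "nonce": nonce}
    return cfg["authorizationServerUrl"] + "/oauth2/authorize?" + urlencode(params)

def parse_callback(redirect_url, expected_state):
    """Return the code only if state matches the value stored in the user's session."""
    q = parse_qs(urlparse(redirect_url).query)
    if q.get("state", [None])[0] != expected_state:
        raise ValueError("state mismatch: callback was not started by this session")
    if "error" in q:
        raise ValueError("authorization error: " + q["error"][0])
    return q["code"][0]

def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def id_token_claims(id_token):
    """Decode the JWT payload; verifying the RS256 signature against the JWKS is out of scope."""
    payload = id_token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def validate_id_token(claims, cfg, expected_nonce, now=None):
    """Reject tokens minted for another client, another issuer, an old login, or expired."""
    now = int(time.time()) if now is None else now
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    checks = [claims.get("iss") == EXPECTED_ISSUER, cfg["consumerKey"] in aud,
              claims.get("nonce") == expected_nonce, claims.get("exp", 0) > now]
    return all(checks)

# Constructed, unsigned sample id_token (the payload shape the server returns, signature omitted).
SAMPLE_CLAIMS = {"iss": EXPECTED_ISSUER, "aud": CONFIG["consumerKey"], "sub": "admin",
                 "nonce": "n-1", "exp": 1_700_000_600, "iat": 1_700_000_000}
SAMPLE_ID_TOKEN = ".".join([_b64url(b'{"alg":"none"}'), _b64url(json.dumps(SAMPLE_CLAIMS).encode()), ""])
```

In the real flow the code returned by parse_callback is exchanged at /oauth2/token using consumerKey and consumerSecret, and the id_token signature must be verified before the claim checks above mean anything.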

Note: WSO2 Identity Server 5.0.0/5.1.0 does not support the session management profile of OpenID Connect; it is supported from WSO2IS 5.2.0. Therefore, if we are using WSO2IS 5.0.0/5.1.0 with this web application, we need a different way to achieve logout. The web application calls the /commonauth URL with some parameters, as in the example below. Here, sessionDataKey can be any random value, commonAuthCallerPath is the redirection URL, and relyingParty is the name of the SP application registered in WSO2IS.



The above applies to WSO2IS 5.0.0. In WSO2IS 5.1.0 there is a small change in the URL; it must be as follows. Here, commonAuthCallerPath is the redirection URL and relyingParty is the name of the SP application registered in WSO2IS. Basically, in WSO2IS 5.1.0 you do not need to send the sessionDataKey.






  1. Thanks for this article. One point of comment though: I tested the logout with WSO2 IS 5.1.0. Looking at the WSO2 source code and setting logging to DEBUG level, it seems to work a bit differently than you describe; I ended up with the following URL:


    – The ‘sessionDataKey’ is omitted because it is derived from the ‘commonAuthId’ cookie for the user when not provided
    – ‘12345’ is the ‘clientId’, so ‘relyingParty’ should not be the registered SP application name. I am unsure what the exact effect of the ‘relyingParty’ parameter is, so its value might not make a difference depending on the WSO2 configuration
