Hi all,

When I tried OIDC federation with two IS 5.9.0 servers, it was not
working. It is because the primary IS is sending its certificate to the
federated IDP, and the federated IDP tries to authenticate the client with
two authenticators, MutualTLSAuthenticator and BasicAuthClientAuthenticator.
I have created a git issue <https://github.com/wso2/product-is/issues/6013>
to track this.

Here the client (primary IS) is sending the certificate to the federated
IDP. Since there is an X.509 certificate sent by the client during the SSL
handshake, the MutualTLSAuthenticator in the federated IDP tries to
authenticate the client. This issue prevails from 5.9.0-m1 onwards. But
IS 5.8.0 is not sending the certificate to the federated IDP, so OIDC
federation happens successfully in IS 5.8.0.

When trying to find the root cause of sending the certificate during the SSL
handshake, we found that it is because of some configurations in the new
config model, because when we remove the deployment.toml file in a fresh
5.9.0-m5 pack, this issue is not happening.

When we brute-forced to find the root cause, we found that this issue comes with
the new registry.xml file in IS 5.9.0-m5. The following config is not
present in the registry.xml file in 5.9.0-m5, but it is found in IS 5.8.0.

<indexingConfiguration>
    <startIndexing>false</startIndexing>
    <startingDelayInSeconds>35</startingDelayInSeconds>
    <indexingFrequencyInSeconds>5</indexingFrequencyInSeconds>
    <!-- number of resources submitted for a given indexing thread -->
    <batchSize>40</batchSize>
    <!-- number of worker threads for indexing -->
    <indexerPoolSize>40</indexerPoolSize>
    <!-- location storing the time the indexing took place -->
    <lastAccessTimeLocation>/_system/local/repository/components/org.wso2.carbon.registry/indexing/lastaccesstime</lastAccessTimeLocation>
    <!-- the indexers that implement the indexer interface for a relevant media type/(s) -->
    <indexers>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.MSExcelIndexer"
                 mediaTypeRegEx="application/vnd.ms-excel"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.MSPowerpointIndexer"
                 mediaTypeRegEx="application/vnd.ms-powerpoint"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.MSWordIndexer"
                 mediaTypeRegEx="application/msword"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.PDFIndexer"
                 mediaTypeRegEx="application/pdf"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.XMLIndexer"
                 mediaTypeRegEx="application/xml"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.XMLIndexer"
                 mediaTypeRegEx="application/(.)+\+xml"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer"
                 mediaTypeRegEx="application/swagger\+json"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer"
                 mediaTypeRegEx="application/(.)+\+json"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer"
                 mediaTypeRegEx="text/(.)+"/>
        <indexer class="org.wso2.carbon.registry.indexing.indexer.PlainTextIndexer"
                 mediaTypeRegEx="application/x-javascript"/>
    </indexers>
    <exclusions>
        <exclusion pathRegEx="/_system/config/repository/dashboards/gadgets/swfobject1-5/.*[.]html"/>
        <exclusion pathRegEx="/_system/local/repository/components/org[.]wso2[.]carbon[.]registry/mount/.*"/>
    </exclusions>
</indexingConfiguration>

When we add that particular config to registry.xml in IS 5.9.0 (after
removing the deployment.toml file), the issue is resolved. After adding
this config in the client IS, the client is not sending its certificate to the
federated IDP.

So my question is, why does this particular config impact sending the
certificate? Are there any connections between this particular config and
the SSL handshake between the IS and a federated IDP?

Your help is highly appreciated.

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* [email protected]
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
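The handshake behaviour the mail describes, reproduced as an added example that is not part of the original message or of WSO2 Identity Server: a server asks for a client certificate but does not require one (the TLS-level equivalent of running both a mutual-TLS and a basic-auth client authenticator), and which authenticator it ends up in depends only on whether the connecting client has an identity certificate configured. The certificates, the hypothetical `selectAuthenticator` dispatch and the `runExchange` harness are constructed for this example; the real authenticators, and the registry.xml interaction asked about above, are not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Names of the two authenticators from the mail, used as labels for the
// path the example server chooses. The dispatch below is an assumption.
const (
	MutualTLS = "MutualTLSAuthenticator"
	BasicAuth = "BasicAuthClientAuthenticator"
)

// newSelfSigned builds a throwaway self-signed ECDSA certificate for cn with
// a 127.0.0.1 SAN so it works both as a server and as a client identity.
// (Constructed test fixture, standing in for a product keystore entry.)
func newSelfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		IPAddresses:  []net.IP{net.ParseIP("127.0.0.1")},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// selectAuthenticator is the assumed dispatch: a certificate presented during
// the handshake selects the mutual-TLS path, and that path then has to verify
// the certificate against the clients the server knows. Without a certificate
// the request falls through to basic client authentication (client_id/secret,
// checked at the application layer and not modelled here).
func selectAuthenticator(st tls.ConnectionState, trustedClients *x509.CertPool) (string, error) {
	if len(st.PeerCertificates) == 0 {
		return BasicAuth, nil
	}
	peer := st.PeerCertificates[0]
	_, err := peer.Verify(x509.VerifyOptions{
		Roots:     trustedClients,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return MutualTLS, fmt.Errorf("%s rejected %q: %w", MutualTLS, peer.Subject.CommonName, err)
	}
	return MutualTLS, nil
}

// runExchange starts a one-shot TLS server on localhost that requests (but does
// not require) a client certificate, connects to it with or without a client
// identity, and reports which authenticator the server selected.
func runExchange(clientIdentity *tls.Certificate, trustedClients *x509.CertPool) (string, error) {
	serverCert, serverLeaf, err := newSelfSigned("federated-idp")
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequestClientCert, // CertificateRequest is sent; an empty reply is accepted
		MinVersion:   tls.VersionTLS12,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()

	type outcome struct {
		auth string
		err  error
	}
	done := make(chan outcome, 1)
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			done <- outcome{"", err}
			return
		}
		defer conn.Close()
		tconn := conn.(*tls.Conn)
		if err := tconn.Handshake(); err != nil {
			done <- outcome{"", err}
			return
		}
		auth, err := selectAuthenticator(tconn.ConnectionState(), trustedClients)
		done <- outcome{auth, err}
	}()

	roots := x509.NewCertPool()
	roots.AddCert(serverLeaf)
	clientCfg := &tls.Config{RootCAs: roots, ServerName: "127.0.0.1", MinVersion: tls.VersionTLS12}
	if clientIdentity != nil {
		// This is the situation from the mail: the client has its own keystore
		// identity loaded, so it answers the CertificateRequest with it.
		clientCfg.Certificates = []tls.Certificate{*clientIdentity}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return "", err
	}
	conn.Close()

	res := <-done
	return res.auth, res.err
}

func main() {
	primaryIS, primaryLeaf, err := newSelfSigned("primary-is")
	if err != nil {
		panic(err)
	}
	unregistered := x509.NewCertPool() // the IdP knows no client certificates

	// Client offers no certificate: basic client authentication is selected.
	auth, err := runExchange(nil, unregistered)
	fmt.Println("no client cert    ->", auth, err)

	// Client offers its own identity that the IdP has not registered:
	// the mutual-TLS path is selected and rejects the handshake's certificate.
	auth, err = runExchange(&primaryIS, unregistered)
	fmt.Println("unregistered cert ->", auth, err)

	// Same client, but the IdP trusts that certificate.
	trusted := x509.NewCertPool()
	trusted.AddCert(primaryLeaf)
	auth, err = runExchange(&primaryIS, trusted)
	fmt.Println("registered cert   ->", auth, err)
}
```

The point to take from the three runs is that the server never decides whether a certificate is sent; the client's `Certificates` setting does. Removing the identity from the client side (the IS 5.8.0 behaviour) or registering it on the server side both make the exchange succeed, and only the first keeps the basic-auth path.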