Hi,

With the API Manager 3.0.0 release, we are going to add an OIDC authenticator
to the API Manager, as we already had that capability directly through
the site.json configuration.

However, to try the scenario, I have followed the document [1].

The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error
during the authorization code exchange.

[2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
at

This error occurred due to engaging the MutualTLSAuthenticator in the token
exchange flow. The below check returns a list of authenticators greater than one
due to engaging this authenticator. It seems that during the token exchange
flow, we send the certificate in the header, which leads to triggering the
MutualTLSAuthenticator enable checks and adding it to the authenticator list. If
I removed the mutual authenticator jar, this started to work.

// Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
// whether the grant type is confidential or not.
if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
    tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
            "authentication method in each", tokenReqDTO);
    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
    triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
    return tokenRespDTO;
}


Generally, people will configure OIDC with an external provider and won't
encounter this kind of problem. For testing, if tried with our IS as the OIDC
provider, this will lead to triggering the above error.

Is it required to engage the mutual TLS authenticator when a certificate is present?
Can't we ship it with the default setting set to false?

[1]
https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect

Thanks,
Harsha
-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
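The failure described in the mail above, modelled as an added example (this is not WSO2 code and does not use the WSO2 APIs named in the snippet): a token-endpoint request that carries both an HTTP Basic client secret and a client certificate header engages two client authentication methods, so the "only one method per request" rule from RFC 6749 section 2.3 rejects it with invalid_request; the same request passes once the mutual TLS authenticator is switched off. The header name `X-Client-Cert`, the client id and secret, the code and redirect URI are all constructed placeholders, and the way each method is detected is a simplified model, not the product's logic.

```python
"""Model of the 'one client authentication method per token request' check.

Added example, not WSO2 code: it shows why a certificate header plus Basic
auth on the same authorization-code exchange yields invalid_request, and
why disabling the mutual TLS authenticator makes the exchange succeed.
"""
import base64
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed placeholder; only the presence of the header matters here.
SAMPLE_CERT_HEADER = "MIIB...constructed-certificate-placeholder..."
# Hypothetical header name carrying the client certificate (assumption).
CERT_HEADER = "X-Client-Cert"


@dataclass
class TokenRequest:
    """A token-endpoint request reduced to what client authentication inspects."""
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> str:
        # HTTP header names are case-insensitive.
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return ""


def engaged_authenticators(req: TokenRequest, mutual_tls_enabled: bool = True) -> List[str]:
    """Return every client authentication method this request triggers.

    This plays the role of the 'engaged authenticators' list the mail refers
    to: each detector appends itself when its credential is present, and the
    mutual TLS detector engages whenever a certificate header is present.
    """
    engaged: List[str] = []
    if req.header("Authorization").startswith("Basic "):
        engaged.append("client_secret_basic")
    if req.form.get("client_id") and req.form.get("client_secret"):
        engaged.append("client_secret_post")
    if req.form.get("client_assertion"):
        engaged.append("private_key_jwt")
    if mutual_tls_enabled and req.header(CERT_HEADER):
        engaged.append("tls_client_auth")
    return engaged


def handle_token_request(req: TokenRequest, mutual_tls_enabled: bool = True) -> dict:
    """Apply the RFC 6749 2.3 rule before any grant handling happens."""
    engaged = engaged_authenticators(req, mutual_tls_enabled)
    if len(engaged) > 1:
        return {
            "error": "invalid_request",
            "error_description": "The client MUST NOT use more than one "
                                 "authentication method in each request",
            "engaged": engaged,
        }
    if not engaged:
        return {"error": "invalid_client",
                "error_description": "No client authentication method was used",
                "engaged": engaged}
    return {"status": "authenticated", "engaged": engaged}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build the client_secret_basic Authorization header value."""
    raw = f"{client_id}:{client_secret}".encode()
    return "Basic " + base64.b64encode(raw).decode()


# Constructed authorization-code exchange: Basic auth from the OIDC client
# plus a certificate header forwarded on the same request.
CODE_EXCHANGE = TokenRequest(
    headers={
        "Authorization": basic_auth_header("constructed-client-id", "constructed-secret"),
        CERT_HEADER: SAMPLE_CERT_HEADER,
        "Content-Type": "application/x-www-form-urlencoded",
    },
    form={
        "grant_type": "authorization_code",
        "code": "constructed-code",
        "redirect_uri": "https://example.invalid/callback",
    },
)

if __name__ == "__main__":
    print("mutual TLS on :", handle_token_request(CODE_EXCHANGE))
    print("mutual TLS off:", handle_token_request(CODE_EXCHANGE, mutual_tls_enabled=False))
```

Running it prints the invalid_request error with both methods listed when the mutual TLS detector is on, and an authenticated result with only client_secret_basic when it is off, which is the behaviour the mail reports after removing the mutual authenticator jar. The defender-side takeaway is that an authenticator which engages merely because a credential is present, rather than because the client chose that method, turns an unrelated header into an authentication failure; an opt-in default avoids that.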