It seems the logic of checking whether the authenticator list is greater than 1 should be correct?
On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:

> Hi,
>
> With the API Manager 3.0.0 release, we are going to add the OIDC authenticator to the API Manager, as we already had that capability directly through the site.json configuration.
>
> However, to try the scenario, I have followed the document [1].
>
> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error during the authorization code exchange.
>
> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>         at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>         at
>
> This error occurred due to engaging the MutualTLSAuthenticator in the token exchange flow. The check below returns a list of authenticators greater than one due to engaging this authenticator. It seems that during the token exchange flow we send the certificate in the header, which leads to triggering the MutualTLSAuthenticator enable checks and adding it to the authenticator list. If I removed the mutual authenticator jar, this started to work.
>
> // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
> // whether the grant type is confidential or not.
> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>             "authentication method in each", tokenReqDTO);
>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>     return tokenRespDTO;
> }
>
> Generally people will configure OIDC with an external provider and won't encounter this kind of problem. For testing, if tried with our IS as the OIDC provider, this will lead to triggering the above error.
>
> Is it required to engage the mutual TLS authenticator when a certificate is present? Can't we ship it with the default setting set to false?
>
> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>
> Thanks,
> Harsha
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: [email protected]
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business

--

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
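The rule the quoted `isMultipleAuthenticatorsEngaged()` branch enforces comes from RFC 6749 section 2.3: a client must not use more than one authentication method in a single token request. The following is an added example, not WSO2 Identity Server code, that models how a token endpoint decides which client authentication methods a request engages and reproduces the situation described in the thread: an authorization-code exchange that authenticates with HTTP Basic client credentials while a TLS-terminating layer also forwards a client certificate in a header, so the mutual-TLS authenticator counts as a second method and the request is rejected with `invalid_request`. The header name `x-example-client-cert`, the `AuthnConfig` class and its `mtls_authenticator_enabled` switch are assumptions made for illustration; none of them are WSO2 configuration.

```python
from __future__ import annotations

import base64
from dataclasses import dataclass

# RFC 7523 client assertion type used by private_key_jwt / client_secret_jwt.
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class AuthnConfig:
    """Server-side switches for the client authenticators (constructed, not WSO2 config)."""
    # Whether a forwarded client certificate engages the mutual-TLS authenticator at all.
    mtls_authenticator_enabled: bool = True
    # Hypothetical header a TLS-terminating proxy uses to forward the client certificate (PEM).
    mtls_cert_header: str = "x-example-client-cert"


@dataclass
class TokenRequest:
    """A token-endpoint request: HTTP headers plus the form-encoded body parameters."""
    headers: dict[str, str]
    form: dict[str, str]

    def __post_init__(self) -> None:
        # Header names are case-insensitive; normalise once so lookups are reliable.
        self.headers = {k.lower(): v for k, v in self.headers.items()}


def engaged_authenticators(req: TokenRequest, cfg: AuthnConfig) -> list[str]:
    """Return every client authentication method the request presents, in a fixed order."""
    engaged: list[str] = []
    authz = req.headers.get("authorization", "")
    if authz.lower().startswith("basic "):
        engaged.append("client_secret_basic")  # RFC 6749 2.3.1, HTTP Basic
    if "client_secret" in req.form:
        engaged.append("client_secret_post")  # RFC 6749 2.3.1, body parameters
    if req.form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in req.form:
        engaged.append("private_key_jwt")  # RFC 7523 assertion
    if cfg.mtls_authenticator_enabled and req.headers.get(cfg.mtls_cert_header):
        engaged.append("tls_client_auth")  # RFC 8705, certificate forwarded by the proxy
    return engaged


def authenticate_client(req: TokenRequest, cfg: AuthnConfig) -> dict[str, object]:
    """Apply the one-method rule before any credential is verified."""
    engaged = engaged_authenticators(req, cfg)
    if len(engaged) > 1:
        # Same decision as the quoted isMultipleAuthenticatorsEngaged() branch.
        return {
            "error": "invalid_request",
            "error_description": "The client MUST NOT use more than one authentication method in each request",
            "engaged": engaged,
        }
    if not engaged:
        return {"error": "invalid_client", "error_description": "no client authentication presented"}
    # Verification of the single presented credential would follow here; omitted in this example.
    return {"ok": True, "method": engaged[0]}


# Constructed authorization-code exchange resembling the one in the thread: HTTP Basic client
# credentials plus a certificate forwarded in a header (placeholder PEM, not a real certificate).
CODE_EXCHANGE = TokenRequest(
    headers={
        "Authorization": "Basic " + base64.b64encode(b"example-client-id:example-secret").decode(),
        "X-Example-Client-Cert": "-----BEGIN CERTIFICATE-----\nPLACEHOLDER\n-----END CERTIFICATE-----",
        "Content-Type": "application/x-www-form-urlencoded",
    },
    form={
        "grant_type": "authorization_code",
        "code": "example-code",
        "redirect_uri": "https://client.example/cb",
    },
)

if __name__ == "__main__":
    # With the mTLS authenticator enabled the certificate header counts as a second method.
    print(authenticate_client(CODE_EXCHANGE, AuthnConfig()))
    # Shipping it disabled, as the thread asks about, lets the Basic credentials stand alone.
    print(authenticate_client(CODE_EXCHANGE, AuthnConfig(mtls_authenticator_enabled=False)))
```

The point worth noticing is that `tls_client_auth` is counted from the mere presence of a forwarded certificate, before anyone checks whether the client was registered for mutual-TLS authentication at all; that is what turns a routine `client_secret_basic` exchange through a certificate-forwarding front end into a rejected request, and the `mtls_authenticator_enabled` switch is one way to model the default-off behaviour the thread proposes.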
