As we can configure multiple authenticators and add them based on the canAuthenticate method response, why do we need to return the above error if multiple authenticators are engaged?
On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:

> It seems the logic of checking whether the authenticator list is greater than 1 should be correct?
>
> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>
>> Hi,
>>
>> With the API Manager 3.0.0 release, we are going to add an OIDC authenticator to the API Manager, as we already had that capability directly through the site.json configuration.
>>
>> However, to try the scenario, I have followed the document [1].
>>
>> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error during the authorization code exchange.
>>
>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>> at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>> at
>>
>> This error occurred due to engaging the MutualTLSAuthenticator in the token exchange flow. The below check returns a list of authenticators greater than one due to engaging this authenticator. It seems that during the token exchange flow, we send the certificate in the header, which leads to triggering the MutualTLSAuthenticator enable checks and adding it to the authenticator list. If I removed the mutual authenticator jar, this started to work.
>>
>> // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>> // whether the grant type is confidential or not.
>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>             "authentication method in each", tokenReqDTO);
>>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>     return tokenRespDTO;
>> }
>>
>> Generally, people will configure OIDC with an external provider and won't encounter this kind of problem. For testing, if tried with our IS as the OIDC provider, this will lead to triggering the above error.
>>
>> Is it required to engage the mutual TLS authenticator when a certificate is present? Can't we ship it with the default setting set to false?
>>
>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>
>> Thanks,
>> Harsha
>> --
>>
>> *Harsha Kumara*
>>
>> Technical Lead, WSO2 Inc.
>> Mobile: +94775505618
>> Email: [email protected]
>> Blog: harshcreationz.blogspot.com
>>
>> GET INTEGRATION AGILE
>> Integration Agility for Digitally Driven Business
>
>
> --
>
> *Harsha Kumara*
>
> Technical Lead, WSO2 Inc.
> Mobile: +94775505618
> Email: [email protected]
> Blog: harshcreationz.blogspot.com
>
> GET INTEGRATION AGILE
> Integration Agility for Digitally Driven Business

--
*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
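The check the thread is about implements the rule in RFC 6749 section 2.3.1 that a client MUST NOT use more than one authentication method in a single token request; the server rejects the ambiguity rather than guessing which credential to trust. The following is an added example, written for this page and not WSO2 Identity Server code, that models a token endpoint counting the client authentication methods present in a request. The header name `x-ssl-client-cert`, the `Config` object, the `engaged_authenticators` function and the sample request are assumptions constructed for illustration. It reproduces the situation in the thread (a `client_secret_basic` code exchange where a front-end also forwarded a certificate header) and shows the effect of shipping the mTLS authenticator disabled by default, as the thread suggests.

```python
"""Sketch of an OAuth2 token-endpoint client-authentication check.

Added example modelled on the check discussed in the thread; it is NOT
WSO2 Identity Server code. The header name, the Config object and the
function names are assumptions for illustration only.
"""
import base64
from dataclasses import dataclass, field

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class Config:
    # Mirrors the thread's suggestion: ship the mTLS authenticator disabled
    # by default so a stray forwarded certificate does not engage it.
    mtls_authenticator_enabled: bool = False
    # Assumed name of the header under which a front-end forwards the cert.
    mtls_cert_header: str = "x-ssl-client-cert"


@dataclass
class TokenRequest:
    headers: dict = field(default_factory=dict)  # lower-cased header names
    params: dict = field(default_factory=dict)   # form body of the request


def engaged_authenticators(req, cfg):
    """Return the names of every client authentication method present.

    Each authenticator's canAuthenticate-style decision is modelled as a
    presence check on the request; nothing is validated here."""
    engaged = []
    auth = req.headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        engaged.append("client_secret_basic")
    if "client_id" in req.params and "client_secret" in req.params:
        engaged.append("client_secret_post")
    if (req.params.get("client_assertion_type") == JWT_BEARER
            and "client_assertion" in req.params):
        engaged.append("private_key_jwt")
    if cfg.mtls_authenticator_enabled and cfg.mtls_cert_header in req.headers:
        engaged.append("tls_client_auth")
    return engaged


def handle_token_request(req, cfg):
    """Return an OAuth2 error dict, or a constructed token dict on success.

    Only the one-method-per-request rule (RFC 6749 section 2.3.1) is
    modelled; grant handling is out of scope."""
    engaged = engaged_authenticators(req, cfg)
    if len(engaged) > 1:
        return {"error": "invalid_request",
                "error_description": ("The client MUST NOT use more than one "
                                      "authentication method in each request"),
                "engaged": engaged}
    if not engaged:
        return {"error": "invalid_client",
                "error_description": "no client authentication presented",
                "engaged": engaged}
    return {"token": "constructed-opaque-token", "authenticated_via": engaged[0]}


def basic_header(client_id, secret):
    """Build a client_secret_basic Authorization header value."""
    cred = base64.b64encode(f"{client_id}:{secret}".encode()).decode()
    return "Basic " + cred


# Constructed sample: an authorization-code exchange authenticated with
# client_secret_basic, while a front-end also forwarded a certificate header.
SAMPLE = TokenRequest(
    headers={
        "authorization": basic_header("apim-client", "s3cret"),
        "x-ssl-client-cert": "-----BEGIN CERTIFICATE----- (constructed) "
                             "-----END CERTIFICATE-----",
    },
    params={"grant_type": "authorization_code", "code": "abc",
            "redirect_uri": "https://apim.example/callback"},
)


if __name__ == "__main__":
    # mTLS authenticator on: two methods are engaged and the request is refused.
    print(handle_token_request(SAMPLE, Config(mtls_authenticator_enabled=True)))
    # mTLS authenticator off (the default here): only client_secret_basic counts.
    print(handle_token_request(SAMPLE, Config()))
```

Running the block prints an `invalid_request` error first and a successful result second. The point for operators is that a passively supplied credential (a certificate header added by a reverse proxy or by the client's TLS stack) counts as an authentication method as soon as the corresponding authenticator is enabled, so the toggle, not the presence of the header, is what decides whether a legitimate `client_secret_basic` exchange starts failing.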
