Hi Harsha,

In the OAuth spec [1], it mandates that a client should not use more than one authentication mechanism per request. Hence, we have that validation here.

[1] https://tools.ietf.org/html/rfc6749#section-2.3

Thanks,

On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <hars...@wso2.com> wrote:

> As we can configure multiple authenticators, and add them based on the
> canAuthenticate method response, why do we need to return the above error if
> multiple authenticators are engaged?
>
> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <hars...@wso2.com> wrote:
>
>> It seems the logic of checking whether the authenticator list is greater than 1 should
>> be correct?
>>
>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <hars...@wso2.com> wrote:
>>
>>> Hi,
>>>
>>> With the API Manager 3.0.0 release, we are going to add the OIDC
>>> authenticator to the API Manager, as we already had that capability
>>> directly through the site.json configuration.
>>>
>>> However, to try the scenario, I have followed the document [1].
>>>
>>> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below
>>> error during the authorization code exchange.
>>>
>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>     at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>     at
>>>
>>> This error occurred due to engaging the MutualTLSAuthenticator in the
>>> token exchange flow. The below check returns a list of authenticators greater
>>> than one due to engaging this authenticator. It seems that during the token
>>> exchange flow, we send the certificate in the header, which leads to triggering
>>> the MutualTLSAuthenticator enable checks and adds it to the authenticator list.
>>> If I removed the mutual authenticator jar, this started to work.
>>>
>>>     // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>     // whether the grant type is confidential or not.
>>>     if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>         tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>>                 "authentication method in each", tokenReqDTO);
>>>         setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>         triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>         return tokenRespDTO;
>>>     }
>>>
>>> Generally people will configure OIDC with an external provider and won't
>>> encounter this kind of problem. For testing, if tried with our IS as the OIDC
>>> provider, this leads to triggering the above error.
>>>
>>> Is it required to engage the mutual TLS authenticator when a certificate is
>>> present? Can't we ship it with the default setting as false?
>>>
>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>
>>> Thanks,
>>> Harsha
>>> --
>>>
>>> *Harsha Kumara*
>>>
>>> Technical Lead, WSO2 Inc.
>>> Mobile: +94775505618
>>> Email: hars...@wso2.coim
>>> Blog: harshcreationz.blogspot.com
>>>
>>> GET INTEGRATION AGILE
>>> Integration Agility for Digitally Driven Business
>>
>

--
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
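The check under discussion, modelled as an added example rather than WSO2's own code: the token endpoint runs every registered client authenticator's can-authenticate style predicate against the request, and, following RFC 6749 section 2.3, answers invalid_request when more than one of them engages. It also shows the effect of the option raised in the thread, switching the mutual-TLS authenticator off by configuration. The request shape, the authenticator names, the X-SSL-CLIENT-CERT header and the error wording are assumptions made for this example; the sample requests are constructed, not captured traffic.

```python
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class TokenRequest:
    """A token-endpoint request: HTTP headers plus the form-encoded body (assumed shape)."""
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build an HTTP Basic Authorization value as used by client_secret_basic (RFC 6749 2.3.1)."""
    token = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    return f"Basic {token}"


def basic_auth_engages(req: TokenRequest) -> bool:
    """client_secret_basic engages when an Authorization: Basic header is present."""
    return req.headers.get("Authorization", "").startswith("Basic ")


def secret_post_engages(req: TokenRequest) -> bool:
    """client_secret_post engages when the body carries both client_id and client_secret."""
    return "client_id" in req.form and "client_secret" in req.form


def mutual_tls_engages(req: TokenRequest) -> bool:
    """Mutual-TLS authenticator engages when a client certificate is forwarded in a header.
    The header name is an assumption for this example."""
    return bool(req.headers.get("X-SSL-CLIENT-CERT"))


Authenticator = Tuple[str, Callable[[TokenRequest], bool]]


def build_authenticators(mutual_tls_enabled: bool = True) -> List[Authenticator]:
    """Registered client authenticators; the mTLS one can be disabled by configuration."""
    authenticators: List[Authenticator] = [
        ("BasicAuthClientAuthenticator", basic_auth_engages),
        ("ClientSecretPostAuthenticator", secret_post_engages),
    ]
    if mutual_tls_enabled:
        authenticators.append(("MutualTLSClientAuthenticator", mutual_tls_engages))
    return authenticators


def engaged_authenticators(req: TokenRequest, authenticators: List[Authenticator]) -> List[str]:
    """Names of every authenticator whose predicate fires for this request."""
    return [name for name, engages in authenticators if engages(req)]


def validate_client_authentication(req: TokenRequest, mutual_tls_enabled: bool = True) -> Optional[dict]:
    """Return None when exactly one client authentication method engaged,
    otherwise the OAuth error body the endpoint would send back."""
    engaged = engaged_authenticators(req, build_authenticators(mutual_tls_enabled))
    if not engaged:
        return {"error": "invalid_client",
                "error_description": "no client authentication method presented"}
    if len(engaged) > 1:
        # RFC 6749 section 2.3: more than one method in one request is rejected.
        return {"error": "invalid_request",
                "error_description": "The client MUST NOT use more than one authentication "
                                     "method in each request (engaged: " + ", ".join(engaged) + ")"}
    return None


if __name__ == "__main__":
    # Constructed sample requests for the authorization code exchange.
    one_method = TokenRequest(headers={"Authorization": basic_auth_header("apim", "s3cret")},
                              form={"grant_type": "authorization_code", "code": "abc"})
    two_methods = TokenRequest(headers={"Authorization": basic_auth_header("apim", "s3cret"),
                                        "X-SSL-CLIENT-CERT": "-----BEGIN CERTIFICATE-----..."},
                               form={"grant_type": "authorization_code", "code": "abc"})
    print(validate_client_authentication(one_method))                           # None
    print(validate_client_authentication(two_methods))                          # invalid_request
    print(validate_client_authentication(two_methods, mutual_tls_enabled=False))  # None
```

The second request is the situation in the thread: Basic credentials plus a forwarded certificate make two authenticators engage, so the endpoint rejects it even though each method alone would have been accepted; disabling the mTLS authenticator makes the same request pass with one method.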
_______________________________________________ Dev mailing list Dev@wso2.org http://wso2.org/cgi-bin/mailman/listinfo/dev