So, if so, our OpenIDConnectAuthenticator shouldn't set the certificate in the request during the authorization code exchange?
On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara <[email protected]> wrote:

> Hi Harsha,
>
> In the OAuth spec [1], it mandates that a client should not use more than one authentication mechanism per request. Hence, we have that validation here.
>
> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>
> Thanks,
>
> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <[email protected]> wrote:
>
>> As we can configure multiple authenticators, and add them based on the canAuthenticate method response, why do we need to return the above error if multiple authenticators are engaged?
>>
>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:
>>
>>> It seems the logic of checking whether the authenticator list is greater than 1 should be correct?
>>>
>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>>>
>>>> Hi,
>>>>
>>>> With the API Manager 3.0.0 release, we are going to add the OIDC authenticator to the API Manager, as we already had that capability directly through the site.json configuration.
>>>>
>>>> However, to try the scenario, I have followed the document [1].
>>>>
>>>> The setup is APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error during the authorization code exchange.
>>>>
>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>>     at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>     at
>>>>
>>>> This error occurred due to engaging the MutualTLSAuthenticator in the token exchange flow. The below check returns a list of authenticators greater than one due to engaging this authenticator. It seems that during the token exchange flow we send the certificate in the header, which triggers the MutualTLSAuthenticator enable checks and adds it to the authenticator list. If I removed the mutual authenticator jar, this started to work.
>>>>
>>>> // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>> // whether the grant type is confidential or not.
>>>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>>>             "authentication method in each", tokenReqDTO);
>>>>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>>     return tokenRespDTO;
>>>> }
>>>>
>>>> Generally, people will configure OIDC with an external provider and won't encounter this kind of problem. For testing, if tried with our IS as the OIDC provider, this leads to the above error.
>>>>
>>>> Is it required to engage the mutual TLS authenticator when a certificate is present? Can't we ship it with the default setting set to false?
>>>>
>>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>
>>>> Thanks,
>>>> Harsha
>
> --
> Sathya Bandara
> Senior Software Engineer
> Blog: https://medium.com/@technospace
> WSO2 Inc. http://wso2.com
> Mobile: (+94) 715 360 421

--
*Harsha Kumara*
Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: [email protected]
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business
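The RFC 6749 section 2.3 rule the thread argues about, as an added example in Python (not WSO2 code): a token-endpoint check that lists every client authentication method present in a request and returns invalid_request when more than one is engaged, including the case from the thread where HTTP Basic client credentials and a forwarded client certificate arrive together. The X-SSL-Client-Cert header name, the mtls_enabled switch and the sample request are assumptions constructed for the example.

```python
"""RFC 6749 sec. 2.3: a client MUST NOT use more than one authentication
method in a single token request. Added example, not WSO2 code; the
X-SSL-Client-Cert header and the sample request below are constructed."""
from dataclasses import dataclass, field

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


@dataclass
class TokenRequest:
    headers: dict = field(default_factory=dict)  # HTTP request headers
    form: dict = field(default_factory=dict)     # x-www-form-urlencoded body


def engaged_authenticators(req: TokenRequest, mtls_enabled: bool = True) -> list:
    """Name every client authentication method present in the request.

    Like the oAuthClientAuthnContext in the thread, each authenticator
    decides on its own whether it can authenticate this request."""
    engaged = []
    if req.headers.get("Authorization", "").lower().startswith("basic "):
        engaged.append("client_secret_basic")
    if "client_secret" in req.form:
        engaged.append("client_secret_post")
    if req.form.get("client_assertion_type") == JWT_BEARER:
        engaged.append("private_key_jwt")
    # The mTLS authenticator engages purely because a client certificate was
    # forwarded; this is what tripped the check during the code exchange.
    if mtls_enabled and "X-SSL-Client-Cert" in req.headers:
        engaged.append("tls_client_auth")
    return engaged


def validate_client_auth(req: TokenRequest, mtls_enabled: bool = True) -> dict:
    """Apply the sec. 2.3 rule: one method is required, two or more are rejected."""
    methods = engaged_authenticators(req, mtls_enabled)
    if len(methods) > 1:
        return {"error": "invalid_request", "engaged": methods,
                "error_description": "The client MUST NOT use more than one "
                                     "authentication method in each request"}
    if not methods:
        return {"error": "invalid_client", "engaged": []}
    return {"ok": True, "method": methods[0]}


# Constructed sample: the authorization code exchange from the thread, carrying
# Basic client credentials and a forwarded client certificate at the same time.
CODE_EXCHANGE = TokenRequest(
    headers={"Authorization": "Basic Y2xpZW50OnNlY3JldA==",
             "X-SSL-Client-Cert": "-----BEGIN CERTIFICATE----- (constructed)"},
    form={"grant_type": "authorization_code", "code": "constructed-code",
          "redirect_uri": "https://apim.example/callback"},
)
```

Running `validate_client_auth(CODE_EXCHANGE)` reproduces the invalid_request outcome; passing `mtls_enabled=False` shows the effect of the "ship it disabled by default" suggestion, with only client_secret_basic engaged.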
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
