If a client secret is used for client authentication with a POST request to the token endpoint, then it's not required to send the certificate.
On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara <[email protected]> wrote:

> So if so, our OpenIDConnectAuthenticator shouldn't set the certificate in the
> request during the authorization code exchange?
>
> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara <[email protected]> wrote:
>
>> Hi Harsha,
>>
>> In the OAuth spec [1], it mandates that the client should not use more than
>> one authentication mechanism per request. Hence, we have that validation
>> here.
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>
>> Thanks,
>>
>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <[email protected]> wrote:
>>
>>> As we can configure multiple authenticators, and add them based on the
>>> canAuthenticate method response, why do we need to return the above error if
>>> multiple authenticators are engaged?
>>>
>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:
>>>
>>>> It seems the logic of checking whether the authenticator list is greater
>>>> than 1 should be correct?
>>>>
>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> With the API Manager 3.0.0 release, we are going to add the OIDC
>>>>> authenticator to the API Manager, as we already had that capability
>>>>> directly through the site.json configuration.
>>>>>
>>>>> However, to try the scenario, I have followed the document [1].
>>>>>
>>>>> The setup is APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below
>>>>> error during the authorization code exchange.
>>>>>
>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>>>     at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>>     at
>>>>>
>>>>> This error occurred due to engaging the MutualTLSAuthenticator in the
>>>>> token exchange flow. The below check returns a list of authenticators greater
>>>>> than one due to engaging this authenticator. It seems that during the token
>>>>> exchange flow, we send the certificate in the header, which leads to triggering
>>>>> the MutualTLSAuthenticator enable checks and adding it to the authenticator
>>>>> list. If I removed the mutual authenticator jar, this started to work.
>>>>>
>>>>>     // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>>>     // whether the grant type is confidential or not.
>>>>>     if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>>         tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>>>>                 "authentication method in each", tokenReqDTO);
>>>>>         setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>>         triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>>>         return tokenRespDTO;
>>>>>     }
>>>>>
>>>>> Generally, people will configure OIDC with an external provider and won't
>>>>> encounter this kind of problem. For testing, if tried with our IS as the OIDC
>>>>> provider, this will lead to triggering the above error.
>>>>>
>>>>> Is it required to engage the mutual TLS authenticator when a certificate is
>>>>> present? Can't we ship it with the default setting to false?
>>>>>
>>>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>>
>>>>> Thanks,
>>>>> Harsha
>>>>> --
>>>>>
>>>>> *Harsha Kumara*
>>>>>
>>>>> Technical Lead, WSO2 Inc.
>>>>> Mobile: +94775505618
>>>>> Email: [email protected]
>>>>> Blog: harshcreationz.blogspot.com
>>>>>
>>>>> GET INTEGRATION AGILE
>>>>> Integration Agility for Digitally Driven Business
>>
>> --
>> Sathya Bandara
>> Senior Software Engineer
>> Blog: https://medium.com/@technospace
>> WSO2 Inc. http://wso2.com
>> Mobile: (+94) 715 360 421
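A small model of the RFC 6749 section 2.3 rule that the quoted token-endpoint check enforces, added here as an illustration and not taken from WSO2's code: it lists which client authentication methods a token request engages and rejects the request with invalid_request when more than one is present, which is what happens above when a client secret and a forwarded certificate arrive together. The certificate header name and the sample request values are assumptions constructed for the example.

```python
# Added example (not WSO2 code): model of the RFC 6749 section 2.3 rule that a
# token request must not carry more than one client authentication method.
from typing import Dict, List, Optional, Tuple

# Assumed name of the header in which a client certificate is forwarded to the
# token endpoint; the thread does not state the header WSO2 actually inspects.
CERT_HEADER = "x-ssl-client-cert"
JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"


def engaged_authenticators(headers: Dict[str, str], form: Dict[str, str]) -> List[str]:
    """Return every client authentication method present in a token request.

    Each detector mirrors one authenticator's "can I handle this request?" check
    (canAuthenticate in the thread); the list grows by one per engaged method.
    """
    hdrs = {k.lower(): v for k, v in headers.items()}
    engaged = []
    if hdrs.get("authorization", "").lower().startswith("basic "):
        engaged.append("client_secret_basic")
    if "client_secret" in form:
        engaged.append("client_secret_post")
    if form.get("client_assertion_type") == JWT_BEARER and "client_assertion" in form:
        engaged.append("private_key_jwt")
    if CERT_HEADER in hdrs:
        engaged.append("tls_client_auth")
    return engaged


def check_client_authentication(headers: Dict[str, str],
                                form: Dict[str, str]) -> Tuple[Optional[str], List[str]]:
    """Apply the section 2.3 rule the way the quoted token-endpoint code does.

    Returns (error, engaged): error is "invalid_request" when more than one
    method is engaged, irrespective of the grant type, and None otherwise.
    """
    engaged = engaged_authenticators(headers, form)
    if len(engaged) > 1:
        return "invalid_request", engaged
    return None, engaged


# Constructed sample: an authorization code exchange that sends the client
# secret in the POST body *and* a forwarded certificate, as in the thread.
SAMPLE_FORM = {"grant_type": "authorization_code", "code": "SplxlOBeZQQYbYS6WxSbIA",
               "client_id": "apim-sso", "client_secret": "constructed-secret"}
SAMPLE_HEADERS = {"Content-Type": "application/x-www-form-urlencoded",
                  "X-SSL-Client-Cert": "MIIC...constructed-placeholder..."}
```

Removing the certificate header from the sample request, as the final reply suggests, leaves a single engaged method and the check passes.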
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
