We came across a similar issue where the OIDC federated authenticator sets the certificate by default in the request [1]. This occurred due to a change to registry.xml with the new config model. When the changes were reverted it worked as expected [2]. Maybe the same issue exists with APIM?

[1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
[2] https://github.com/wso2/product-is/issues/6013

On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara <[email protected]> wrote:

> Yes, that's correct. I'm using the openid authenticator, so it sets the certificate by default to the header, hence multiple authenticators are getting triggered. But mutual SSL is handled at the transport layer, and even with mutual authentication, client id and secret will be present in the request. I feel there is something wrong with the logic.
>
> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara <[email protected]> wrote:
>
>> If the client secret is used for client authentication with a POST request to the token endpoint, then it's not required to send the certificate.
>>
>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara <[email protected]> wrote:
>>
>>> So if so, our OpenIDConnectAuthenticator shouldn't set the certificate in the request during the authorization code exchange?
>>>
>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara <[email protected]> wrote:
>>>
>>>> Hi Harsha,
>>>>
>>>> The OAuth spec [1] mandates that the client should not use more than one authentication mechanism per request. Hence, we have that validation here.
>>>>
>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>
>>>> Thanks,
>>>>
>>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> As we can configure multiple authenticators, and add them based on the canAuthenticate method response, why do we need to return the above error if multiple authenticators are engaged?
>>>>>
>>>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:
>>>>>
>>>>>> It seems the logic of checking for an authenticator list greater than 1 should be correct?
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi,
>>>>>>>
>>>>>>> With the API Manager 3.0.0 release, we are going to add the OIDC authenticator to the API Manager, as we already had that capability directly through the site.json configuration.
>>>>>>>
>>>>>>> However, to try the scenario, I have followed the document [1].
>>>>>>>
>>>>>>> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error during the authorization code exchange.
>>>>>>>
>>>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>>>>>     at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>>>>     at
>>>>>>>
>>>>>>> This error occurred due to engaging the MutualTLSAuthenticator in the token exchange flow. The below check returns a list of authenticators greater than one due to engaging this authenticator. It seems that during the token exchange flow, we send the certificate in the header, which triggers the MutualTLSAuthenticator enable checks and adds it to the authenticator list. If I removed the mutual authenticator jar, this started to work.
>>>>>>>
>>>>>>>     // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>>>>>     // whether the grant type is confidential or not.
>>>>>>>     if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>>>>         tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>>>>>>                 "authentication method in each", tokenReqDTO);
>>>>>>>         setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>>>>         triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>>>>>         return tokenRespDTO;
>>>>>>>     }
>>>>>>>
>>>>>>> Generally, people will configure OIDC with an external provider and won't encounter this kind of problem. For testing, if tried with our IS as the OIDC provider, this will lead to triggering the above error.
>>>>>>>
>>>>>>> Is it required to engage the mutual TLS authenticator when a certificate is present? Can't we ship it with the default set to false?
>>>>>>>
>>>>>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Harsha
>>>>>>> --
>>>>>>>
>>>>>>> *Harsha Kumara*
>>>>>>>
>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>> Mobile: +94775505618
>>>>>>> Email: [email protected]
>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>
>>>>>>> GET INTEGRATION AGILE
>>>>>>> Integration Agility for Digitally Driven Business

--
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
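The check the thread argues about, as an added example that is not WSO2 code: a token endpoint that lets each client-authentication method decide independently whether it "engages" on a request, then rejects the request with invalid_request when more than one has engaged (RFC 6749 section 2.3). The TokenRequest model, the field names and the mtls_authenticator_enabled switch are assumptions made for this example; the switch corresponds to the question in the thread of whether a mutual TLS authenticator should count a presented certificate as a client-authentication method by default. The scenario from the thread (client_secret_post in the body plus a client certificate) is reproduced with constructed input.

```python
"""Constructed example of the RFC 6749 section 2.3 'one client
authentication method per request' check at an OAuth 2.0 token endpoint.
Not WSO2 code; request shape, field names and the mTLS switch are assumed."""
import base64
from dataclasses import dataclass, field
from typing import Dict, List, Optional

CLIENT_ASSERTION_TYPE_JWT = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"

# Constructed placeholder standing in for a PEM forwarded by the TLS layer.
CONSTRUCTED_CLIENT_CERT = "-----BEGIN CERTIFICATE-----\nMIIB...constructed...\n-----END CERTIFICATE-----"


@dataclass
class TokenRequest:
    """Minimal model of a POST to the token endpoint (assumed shape)."""
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)
    # Set when the TLS layer presented a client certificate for this request.
    client_cert_pem: Optional[str] = None


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Build an HTTP Basic Authorization header value (client_secret_basic)."""
    return "Basic " + base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()


def engaged_client_auth_methods(req: TokenRequest, mtls_authenticator_enabled: bool = True) -> List[str]:
    """Return every client-authentication method the request carries.

    Each method is decided independently, like a list of authenticators each
    answering canAuthenticate(); the caller decides what to do when several engage."""
    methods: List[str] = []

    auth = req.headers.get("Authorization", "")
    if auth.startswith("Basic "):
        try:
            decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
        except (ValueError, UnicodeDecodeError):
            decoded = ""
        if ":" in decoded:
            methods.append("client_secret_basic")

    if "client_id" in req.form and "client_secret" in req.form:
        methods.append("client_secret_post")

    if req.form.get("client_assertion_type") == CLIENT_ASSERTION_TYPE_JWT and "client_assertion" in req.form:
        methods.append("jwt_bearer_client_assertion")  # private_key_jwt or client_secret_jwt

    # Assumed switch: only count a transport-layer certificate as a client
    # authentication method when the mTLS authenticator is enabled.
    if mtls_authenticator_enabled and req.client_cert_pem:
        methods.append("tls_client_auth")  # RFC 8705 mutual TLS

    return methods


def validate_client_authentication(req: TokenRequest, mtls_authenticator_enabled: bool = True) -> dict:
    """Apply the section 2.3 rule and return either an error body or the single engaged method."""
    methods = engaged_client_auth_methods(req, mtls_authenticator_enabled)
    if not methods:
        return {"error": "invalid_client", "error_description": "no client authentication method present"}
    if len(methods) > 1:
        return {
            "error": "invalid_request",
            "error_description": "The client MUST NOT use more than one authentication method in each request; engaged: "
            + ", ".join(methods),
        }
    return {"ok": True, "method": methods[0]}


if __name__ == "__main__":
    # The thread's scenario: client_secret_post in the body, certificate also presented.
    code_exchange = TokenRequest(
        form={"grant_type": "authorization_code", "code": "constructed-code",
              "redirect_uri": "https://rp.example/cb", "client_id": "apim", "client_secret": "constructed-secret"},
        client_cert_pem=CONSTRUCTED_CLIENT_CERT,
    )
    print("mTLS authenticator on :", validate_client_authentication(code_exchange))
    print("mTLS authenticator off:", validate_client_authentication(code_exchange, mtls_authenticator_enabled=False))
    print("basic only            :", validate_client_authentication(
        TokenRequest(headers={"Authorization": basic_auth_header("apim", "constructed-secret")},
                     form={"grant_type": "client_credentials"})))
```

With the mTLS authenticator enabled, the same request that is accepted as client_secret_post when it is disabled is rejected with invalid_request, which is the behaviour the log line in the thread shows; the decision of whether a certificate presented by the transport layer should engage an authenticator at all is a deployment policy, and the example keeps it as a single switch so both outcomes are visible.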
