That PR was not merged. Instead the missing registry configs were re-added [1].

[1] https://github.com/wso2/product-is/pull/6076

On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara <[email protected]> wrote:

> Since this either should be handled at the client side and mandate not to send the
> certificate, or we have to disable the handler. Looks like we have disabled
> the handler by default in
> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>
> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it reverted
> again?
>
> Thanks,
> Harsha
>
> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara <[email protected]> wrote:
>
>> Thanks a lot @Sathya Bandara <[email protected]>. That should be the issue.
>> I will check and update the thread.
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara <[email protected]> wrote:
>>
>>> We came across a similar issue where the OIDC federated authenticator
>>> sets the certificate by default on the request [1]. This occurred due
>>> to a change to registry.xml with the new config model. When the changes were
>>> reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>>>
>>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>>> [2] https://github.com/wso2/product-is/issues/6013
>>>
>>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara <[email protected]> wrote:
>>>
>>>> Yes, that's correct. I'm using the OpenID authenticator, so it sets the
>>>> certificate by default in the header, hence multiple authenticators are getting
>>>> triggered. But mutual SSL is handled at the transport layer, and even with
>>>> mutual authentication, the client id and secret will be present in the request.
>>>> I feel there is something wrong with the logic.
>>>>
>>>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara <[email protected]> wrote:
>>>>
>>>>> If the client secret is used for client authentication with a POST request
>>>>> to the token endpoint, then it's not required to send the certificate.
>>>>>
>>>>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara <[email protected]> wrote:
>>>>>
>>>>>> So if so, our OpenIDConnectAuthenticator shouldn't set the certificate in
>>>>>> the request during the authorization code exchange?
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara <[email protected]> wrote:
>>>>>>
>>>>>>> Hi Harsha,
>>>>>>>
>>>>>>> The OAuth spec [1] mandates that the client should not use more
>>>>>>> than one authentication mechanism per request. Hence, we have that
>>>>>>> validation here.
>>>>>>>
>>>>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>>>>
>>>>>>> Thanks,
>>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>
>>>>>>>> As we can configure multiple authenticators and add them based on the
>>>>>>>> canAuthenticate method response, why do we need to return the above error if
>>>>>>>> multiple authenticators are engaged?
>>>>>>>>
>>>>>>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> It seems the logic of checking whether the authenticator list is greater than 1
>>>>>>>>> should be correct?
>>>>>>>>>
>>>>>>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> Hi,
>>>>>>>>>>
>>>>>>>>>> With the API Manager 3.0.0 release, we are going to add the OIDC
>>>>>>>>>> authenticator to the API Manager, as we already had that capability
>>>>>>>>>> directly through the site.json configuration.
>>>>>>>>>>
>>>>>>>>>> However, to try the scenario, I have followed the document [1].
>>>>>>>>>>
>>>>>>>>>> The setup is APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the
>>>>>>>>>> below error during the authorization code exchange.
>>>>>>>>>>
>>>>>>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>>>>>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>>>>>>>> at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>>>>>>> at
>>>>>>>>>>
>>>>>>>>>> This error occurred due to engaging the MutualTLSAuthenticator in
>>>>>>>>>> the token exchange flow. The below check returns a list of authenticators
>>>>>>>>>> greater than one due to engaging this authenticator. It seems that during the
>>>>>>>>>> token exchange flow, we send the certificate in the header, which leads to
>>>>>>>>>> triggering the MutualTLSAuthenticator enable checks and adding it to the
>>>>>>>>>> authenticator list. If I removed the mutual authenticator jar, this started to work.
>>>>>>>>>>
>>>>>>>>>>     // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>>>>>>>>     // whether the grant type is confidential or not.
>>>>>>>>>>     if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>>>>>>>         tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST,
>>>>>>>>>>                 "The client MUST NOT use more than one " +
>>>>>>>>>>                 "authentication method in each", tokenReqDTO);
>>>>>>>>>>         setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>>>>>>>         triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>>>>>>>>         return tokenRespDTO;
>>>>>>>>>>     }
>>>>>>>>>>
>>>>>>>>>> Generally people will configure OIDC with an external provider and
>>>>>>>>>> won't encounter this kind of problem. For testing, if tried with our
>>>>>>>>>> IS as the OIDC provider, this will lead to triggering the above error.
>>>>>>>>>>
>>>>>>>>>> Is it required to engage the mutual TLS authenticator when a
>>>>>>>>>> certificate is present? Can't we ship it set to false by default?
>>>>>>>>>>
>>>>>>>>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>>>>>>>
>>>>>>>>>> Thanks,
>>>>>>>>>> Harsha
>>>>>>>>>> --
>>>>>>>>>>
>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>
>>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>> Email: [email protected]
>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>
>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>> Integration Agility for Digitally Driven Business

--
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
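As an added example (not WSO2's code), a small Python model of the RFC 6749 section 2.3 check behind the invalid_request error in the thread, with the two remedies the thread discusses: disabling the mutual TLS authenticator, or the client not attaching the certificate when it already authenticates with a secret. The header name X-Client-Cert and every request value are constructed assumptions, since the thread does not name the header.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed header for the forwarded client certificate (thread names none).
CERT_HEADER = "X-Client-Cert"


@dataclass
class TokenRequest:
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)


def engaged_methods(req: TokenRequest, mtls_enabled: bool = True) -> List[str]:
    """Each authenticator decides on its own (the canAuthenticate style from
    the thread), so one request can engage several of them."""
    engaged = []
    if req.headers.get("Authorization", "").startswith("Basic "):
        engaged.append("client_secret_basic")
    if "client_id" in req.form and "client_secret" in req.form:
        engaged.append("client_secret_post")
    if mtls_enabled and req.headers.get(CERT_HEADER):
        engaged.append("tls_client_auth")
    return engaged


def authenticate_client(req: TokenRequest, mtls_enabled: bool = True) -> dict:
    """RFC 6749 section 2.3: more than one method engaged -> invalid_request."""
    methods = engaged_methods(req, mtls_enabled)
    if len(methods) > 1:
        return {"error": "invalid_request", "engaged": methods,
                "error_description": "The client MUST NOT use more than one "
                                     "authentication method in each request"}
    if not methods:
        return {"error": "invalid_client", "engaged": []}
    return {"ok": True, "method": methods[0]}


def without_certificate(req: TokenRequest) -> TokenRequest:
    """Client-side fix from the thread: drop the cert when a secret is used."""
    headers = {k: v for k, v in req.headers.items() if k != CERT_HEADER}
    return TokenRequest(headers=headers, form=dict(req.form))


# Constructed sample: code exchange with client_secret_post AND a certificate.
CODE_EXCHANGE = TokenRequest(
    headers={CERT_HEADER: "MIIC...constructed-pem..."},
    form={"grant_type": "authorization_code", "code": "constructed-code",
          "client_id": "constructed-client", "client_secret": "constructed-secret"},
)
```

With the certificate header present and mutual TLS enabled the sample reproduces the double engagement the thread reports; either `mtls_enabled=False` (disabling the handler) or `without_certificate(...)` (the client-side fix) leaves a single method and the request authenticates.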
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
