Hi Harsha,

We observed this error in the IS 5.9.0-m3 pack and we fixed it in 5.9.0-m6. In IS 5.7.0 and before, we didn't ship the mutualtls authenticator by default. In the 5.9.0-m3 pack, since we ship this mutualtls authenticator, that authenticator gets enabled. So we suspected it may be the cause and sent this PR [1] to fix the issue. But in IS 5.8.0 also we ship this authenticator by default, so we suspected some other things can be the root cause of this issue. In IS 5.9.0-m3, the primary IS's certificate was sent to the federated IDP by default and the mutualtls authenticator also tried to authenticate the primary IS. OIDC federation failed since the basicclientauthenticator and the mutualtls authenticator both tried to authenticate.

We found some configs were missing in registry.xml and it caused this issue. Later we added those missing configs in product-is.

[1] https://github.com/wso2/carbon-identity-framework/pull/2336/
[2] Error when invoking OIDC federated Authenticator in IS 5.9.0-m5
[3] Some configs in registry.xml file are not found in the new config model in IS-5.9.0

Thanks,
Piraveena

*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* [email protected]

On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara <[email protected]> wrote:

> That PR was not merged. Instead the missing registry configs were re-added [1].
>
> [1] https://github.com/wso2/product-is/pull/6076
>
> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara <[email protected]> wrote:
>
>> This should either be handled at the client side, mandating not to send the certificate, or we have to disable the handler. Looks like we have disabled the handler by default in https://github.com/wso2/carbon-identity-framework/pull/2336/files
>>
>> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it reverted again?
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara <[email protected]> wrote:
>>
>>> Thanks a lot @Sathya Bandara <[email protected]>. That should be the issue. I will check and update the thread.
>>>
>>> Thanks,
>>> Harsha
>>>
>>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara <[email protected]> wrote:
>>>
>>>> We came across a similar issue where the OIDC federated authenticator sets the certificate by default to the request [1]. This has occurred due to a change to registry.xml with the new config model. When the changes were reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>>>>
>>>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>>>> [2] https://github.com/wso2/product-is/issues/6013
>>>>
>>>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara <[email protected]> wrote:
>>>>
>>>>> Yes, that's correct. I'm using the openid authenticator, so it sets the certificate by default to the header, hence multiple authenticators are getting triggered. But mutual SSL is handled at the transport layer and even with mutual authentication, client id and secret will be present in the request. I feel there is something wrong with the logic.
>>>>>
>>>>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara <[email protected]> wrote:
>>>>>
>>>>>> If the client secret is used for client authentication with a POST request to the token endpoint, then it's not required to send the certificate.
>>>>>>
>>>>>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara <[email protected]> wrote:
>>>>>>
>>>>>>> So if so, our OpenIDConnectAuthenticator shouldn't set the certificate in the request during the authorization code exchange?
>>>>>>>
>>>>>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara <[email protected]> wrote:
>>>>>>>
>>>>>>>> Hi Harsha,
>>>>>>>>
>>>>>>>> The OAuth spec [1] mandates that the client should not use more than one authentication mechanism per request. Hence, we have that validation here.
>>>>>>>>
>>>>>>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>
>>>>>>>>> As we can configure multiple authenticators, and add them based on the canAuthenticate method response, why do we need to return the above error if multiple authenticators are engaged?
>>>>>>>>>
>>>>>>>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>
>>>>>>>>>> It seems the logic of checking whether the authenticator list is greater than 1 should be correct?
>>>>>>>>>>
>>>>>>>>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara <[email protected]> wrote:
>>>>>>>>>>
>>>>>>>>>>> Hi,
>>>>>>>>>>>
>>>>>>>>>>> With the API Manager 3.0.0 release, we are going to add the OIDC authenticator to the API Manager, as we already had that capability directly through the site.json configuration.
>>>>>>>>>>>
>>>>>>>>>>> However, to try the scenario, I have followed the document [1].
>>>>>>>>>>>
>>>>>>>>>>> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the below error during the authorization code exchange.
>>>>>>>>>>>
>>>>>>>>>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
>>>>>>>>>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
>>>>>>>>>>> at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>>>>>>>>>> at
>>>>>>>>>>>
>>>>>>>>>>> This error occurred due to engaging the MutualTLSAuthenticator in the token exchange flow. The below check returns a list of authenticators greater than one due to engaging this authenticator. It seems that during the token exchange flow, we send the certificate in the header, which leads to triggering the MutualTLSAuthenticator enable checks and adding it to the authenticator list. If I removed the mutual authenticator jar, this started to work.
>>>>>>>>>>>
>>>>>>>>>>> // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>>>>>>>>>> // whether the grant type is confidential or not.
>>>>>>>>>>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>>>>>>>>>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST,
>>>>>>>>>>>             "The client MUST NOT use more than one " +
>>>>>>>>>>>             "authentication method in each", tokenReqDTO);
>>>>>>>>>>>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>>>>>>>>>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>>>>>>>>>     return tokenRespDTO;
>>>>>>>>>>> }
>>>>>>>>>>>
>>>>>>>>>>> Generally people will configure OIDC with an external provider and won't encounter this kind of problem. For testing, if tried with our IS as the OIDC provider, this will lead to triggering the above error.
>>>>>>>>>>>
>>>>>>>>>>> Is it required to engage the mutual TLS authenticator when a certificate is present? Can't we ship it set to false by default?
>>>>>>>>>>>
>>>>>>>>>>> [1] https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>>>>>>>>>
>>>>>>>>>>> Thanks,
>>>>>>>>>>> Harsha
>>>>>>>>>>> --
>>>>>>>>>>>
>>>>>>>>>>> *Harsha Kumara*
>>>>>>>>>>>
>>>>>>>>>>> Technical Lead, WSO2 Inc.
>>>>>>>>>>> Mobile: +94775505618
>>>>>>>>>>> Email: [email protected]
>>>>>>>>>>> Blog: harshcreationz.blogspot.com
>>>>>>>>>>>
>>>>>>>>>>> GET INTEGRATION AGILE
>>>>>>>>>>> Integration Agility for Digitally Driven Business
>>>>>>>>
>>>>>>>> --
>>>>>>>> Sathya Bandara
>>>>>>>> Senior Software Engineer
>>>>>>>> Blog: https://medium.com/@technospace
>>>>>>>> WSO2 Inc. http://wso2.com
>>>>>>>> Mobile: (+94) 715 360 421
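The client-authentication check quoted in Harsha's first mail and the RFC 6749 section 2.3 rule Sathya cites, modelled in Python as an added example that is not WSO2 code: the class names, the request shape and the `enabled` flag are assumptions. It shows why a token request carrying client_id/client_secret together with a certificate engages two authenticators, and that either disabling the mutual TLS authenticator or not sending the certificate lets the same request pass.

```python
# Added example, not WSO2 code: class names, the request shape and the `enabled`
# flag are assumptions; the rule enforced is the one in RFC 6749 section 2.3.
from dataclasses import dataclass
from typing import Optional

@dataclass
class TokenRequest:
    form: dict                          # POST body parameters
    client_cert: Optional[str] = None   # certificate the client presented

class BasicClientAuthenticator:
    name = "BasicOAuthClientAuthenticator"
    def can_authenticate(self, req: TokenRequest) -> bool:
        # Engages when client_id and client_secret are in the request body.
        return "client_id" in req.form and "client_secret" in req.form

class MutualTLSClientAuthenticator:
    name = "MutualTLSClientAuthenticator"
    def __init__(self, enabled: bool = True):
        self.enabled = enabled
    def can_authenticate(self, req: TokenRequest) -> bool:
        # Engages whenever it is enabled and a certificate was presented.
        return self.enabled and req.client_cert is not None

def authenticate_client(req: TokenRequest, authenticators: list) -> dict:
    # Mirror of the isMultipleAuthenticatorsEngaged() check: every authenticator
    # whose canAuthenticate() is true engages; more than one is invalid_request.
    engaged = [a.name for a in authenticators if a.can_authenticate(req)]
    if len(engaged) > 1:
        return {"error": "invalid_request", "engaged": engaged}
    if not engaged:
        return {"error": "invalid_client", "engaged": engaged}
    return {"error": None, "engaged": engaged}

# Constructed request: client_id/secret in the body AND a certificate (failing case).
CODE_EXCHANGE = TokenRequest(
    form={"grant_type": "authorization_code", "code": "abc",
          "client_id": "apim", "client_secret": "s3cret"},
    client_cert="-----BEGIN CERTIFICATE----- (constructed)")

def outcomes() -> dict:
    # Failing setup vs. the two fixes discussed: disable mTLS, or stop sending the cert.
    basic, mtls = BasicClientAuthenticator(), MutualTLSClientAuthenticator()
    mtls_off = MutualTLSClientAuthenticator(enabled=False)
    no_cert = TokenRequest(CODE_EXCHANGE.form, client_cert=None)
    return {
        "both_engaged": authenticate_client(CODE_EXCHANGE, [basic, mtls]),
        "mtls_disabled": authenticate_client(CODE_EXCHANGE, [basic, mtls_off]),
        "cert_not_sent": authenticate_client(no_cert, [basic, mtls]),
    }
```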
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
