[Dev] Urgent maintenance on https://maven.wso2.org/nexus/

2019-09-20 Thread Isuru Rupasinghe
Hi All,

Due to urgent maintenance, we will be shutting down the nexus master. During
this period all users will be unable to access nexus
(https://maven.wso2.org/nexus/).


*Date: 20th September 2019*
*Time: 11.00 AM IST to 2:00 PM IST*
*Affected Parties: All External and Internal Users*

Thanks & Regards,
-- 
*Isuru Rupasinghe*
*Systems Engineer, WSO2 Inc.: http://wso2.com*
*lean.enterprise.middleware*
*On-Call Number: +94 76 841 4562*
*mobile: +94 77 590 4545*
*office: +94 11 214 5345 / +94 11 743 5800 ext: 1005739*


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Urgent maintenance on https://maven.wso2.org/nexus/

2019-09-20 Thread Isuru Rupasinghe
Hi All,

The maintenance task is successfully completed.

Thanks & Regards,



[Dev] [IS] Removing IDN_ARTIFACT_STORE table from SQL scripts

2019-09-20 Thread Janak Amarasena
Hi All,
The IDN_ARTIFACT_STORE is a new table that was used to store the user store
configurations in the database. Since the feature for storing user store
configurations in the database will not be sent in IS590, we have decided to
remove the IDN_ARTIFACT_STORE table creation from the SQL scripts.

The scripts[1] will be available in the "feature-idn-artifact-store" branch
of the carbon-identity-framework repo.

[1] -
https://github.com/wso2/carbon-identity-framework/tree/feature-idn-artifact-store/features/identity-core/org.wso2.carbon.identity.core.server.feature/resources/dbscripts

Best Regards,
Janak

-- 
*Janak Amarasena* | Software Engineer | WSO2 Inc.
(m) +9464144 | (w) +94112145345 | (e) ja...@wso2.com





[Dev] Calling JWKS endpoint in tenant fails after a restart

2019-09-20 Thread Isuranga Perera
All,

When calling the JWKS endpoint (https://localhost:9443/t/abc.com/oauth2/jwks)
of a tenant right after a restart, without loading the tenant, there is an
error [1][2].

We have observed that the reason for $subject is that the keystore for the
relevant tenant is not loaded (from the registry) when making the JWKS call.

Even though this issue can be overcome by starting the tenantFlow before
getting the keystore, it involves an additional overhead, as it tries to load
the tenant per request.

Appreciate your feedback on $subject.


[1] https://github.com/wso2/product-is/issues/6473
[2] https://github.com/wso2/product-is/issues/6322


Best regards
Isuranga Perera
-- 
*Isuranga Perera* | Software Engineer | WSO2 Inc.
 +94 71 735 7034 | isura...@wso2.com 


[Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Harsha Kumara
Hi,

With the API Manager 3.0.0 release, we are going to add the OIDC authenticator
to the API Manager, as we already had that capability directly through
the site.json configuration.

However, to try the scenario, I have followed the document [1].

The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the error
below during the authorization code exchange.

[2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication failed exception!
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: invalid_request, The client MUST NOT use more than one authentication method in each
at org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615) ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
at

This error occurred because the MutualTLSAuthenticator is engaged in the token
exchange flow. The check below returns a list of authenticators greater than
one because this authenticator is engaged. It seems that during the token
exchange flow we send the certificate in the header, which triggers the
MutualTLSAuthenticator enable checks and adds it to the authenticator list.
When I removed the mutual authenticator jar, this started to work.

// Will return an invalid request response if multiple authentication
// mechanisms are engaged irrespective of whether the grant type is
// confidential or not.
if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
    tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST,
            "The client MUST NOT use more than one " +
            "authentication method in each", tokenReqDTO);
    setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
    triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx,
            isRefreshRequest);
    return tokenRespDTO;
}


Generally, people will configure OIDC with an external provider and won't
encounter this kind of problem. For testing, if tried with our IS as the OIDC
provider, this will lead to the above error.

Is it required to engage the mutual TLS authenticator when a certificate is
present? Can't we ship it with the default set to false?

[1]
https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect

Thanks,
Harsha
-- 

*Harsha Kumara*

Technical Lead, WSO2 Inc.
Mobile: +94775505618
Email: hars...@wso2.coim
Blog: harshcreationz.blogspot.com

GET INTEGRATION AGILE
Integration Agility for Digitally Driven Business


Re: [Dev] Calling JWKS endpoint in tenant fails after a restart

2019-09-20 Thread Isura Karunaratne
Hi Isuranga,

I think we have to initialize the registry as follows before using it.

IdentityTenantUtil.initializeRegistry(tenantId, tenantDomain);
Cheers,
Isura.



-- 

*Isura Dilhara Karunaratne*
Technical Lead | WSO2 
*lean.enterprise.middleware*
Email: is...@wso2.com
Mob : +94 772 254 810
Blog : https://medium.com/@isurakarunaratne


Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Harsha Kumara
It seems the logic of checking whether the authenticator list is greater than
1 should be correct?



Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Harsha Kumara
As we can configure multiple authenticators and add them based on the
canAuthenticate method response, why do we need to return the above error if
multiple authenticators are engaged?



Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Sathya Bandara
Hi Harsha,

The OAuth spec [1] mandates that a client should not use more than one
authentication mechanism per request. Hence, we have that validation here.

[1] https://tools.ietf.org/html/rfc6749#section-2.3

Thanks,



-- 
Sathya Bandara
Senior Software Engineer
Blog: https://medium.com/@technospace
WSO2 Inc. http://wso2.com
Mobile: (+94) 715 360 421
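The token endpoint check quoted in Harsha's mail and the RFC 6749 section 2.3 rule cited above, as an added Python example (not code from this thread or from WSO2 Identity Server): each client authentication method is a canAuthenticate-style predicate, the endpoint refuses a request in which more than one engages, and the client-side helper builds a code exchange that attaches only one method. The certificate header name and all request values are constructed assumptions.

```python
"""Client-authentication check for an OAuth 2.0 token request (RFC 6749 2.3):
a client MUST NOT use more than one authentication method in each request.
Each authenticator is a canAuthenticate-style predicate; the endpoint rejects
the request when more than one of them engages."""
import base64
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Assumed header name: the thread only says the certificate travels "in the
# header". Only trust it when a TLS terminator you control sets it; a copy
# supplied by the client itself is not evidence of mutual TLS.
CLIENT_CERT_HEADER = "x-ssl-client-cert"


@dataclass
class TokenRequest:
    """A token endpoint request reduced to what client authentication reads."""
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

    def header(self, name: str) -> Optional[str]:
        for key, value in self.headers.items():  # header names are case-insensitive
            if key.lower() == name.lower():
                return value
        return None


def client_secret_basic(req: TokenRequest) -> bool:
    """Credentials in an HTTP Basic Authorization header."""
    auth = req.header("Authorization") or ""
    if not auth.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(auth[len("Basic "):], validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 payload
        return False
    return ":" in decoded


def client_secret_post(req: TokenRequest) -> bool:
    """client_id and client_secret carried in the form body."""
    return bool(req.form.get("client_id")) and bool(req.form.get("client_secret"))


def tls_client_auth(req: TokenRequest) -> bool:
    """A client certificate forwarded by the TLS terminator in a header."""
    return req.header(CLIENT_CERT_HEADER) is not None


AUTHENTICATORS: Dict[str, Callable[[TokenRequest], bool]] = {
    "client_secret_basic": client_secret_basic,
    "client_secret_post": client_secret_post,
    "tls_client_auth": tls_client_auth,
}


def engaged_authenticators(req: TokenRequest) -> List[str]:
    """Every authenticator whose canAuthenticate-style check passes."""
    return [name for name, can_auth in AUTHENTICATORS.items() if can_auth(req)]


def validate_client_authentication(req: TokenRequest) -> dict:
    """The server-side check from the thread: >1 engaged method is invalid_request."""
    engaged = engaged_authenticators(req)
    if len(engaged) > 1:
        return {"error": "invalid_request", "engaged": engaged,
                "error_description": "The client MUST NOT use more than one "
                                     "authentication method in each request"}
    if not engaged:
        return {"error": "invalid_client", "engaged": engaged}
    return {"ok": True, "method": engaged[0], "engaged": engaged}


def build_code_exchange(code: str, client_id: str, client_secret: Optional[str] = None,
                        client_cert: Optional[str] = None) -> TokenRequest:
    """Client side: attach exactly one method. A configured secret wins and the
    certificate is left off, which is what Sathya describes as sufficient."""
    req = TokenRequest(form={"grant_type": "authorization_code",
                             "code": code, "client_id": client_id})
    if client_secret is not None:
        req.form["client_secret"] = client_secret
    elif client_cert is not None:
        req.headers[CLIENT_CERT_HEADER] = client_cert
    return req


# Constructed sample: the request the thread describes, secret in the body
# *and* a certificate header present. All values are made up.
FAILING_REQUEST = TokenRequest(
    headers={"Content-Type": "application/x-www-form-urlencoded",
             "X-SSL-Client-Cert": "-----BEGIN CERTIFICATE-----...constructed..."},
    form={"grant_type": "authorization_code", "code": "c0de-constructed",
          "client_id": "apim_oidc_client", "client_secret": "constructed-secret"},
)

if __name__ == "__main__":
    print(validate_client_authentication(FAILING_REQUEST))
    print(validate_client_authentication(build_code_exchange(
        "c0de-constructed", "apim_oidc_client", client_secret="constructed-secret",
        client_cert="ignored-when-secret-is-set")))
```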


Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Harsha Kumara
So if so, our OpenIDConnectAuthenticator shouldn't set the certificate in the
request during the authorization code exchange?



Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Sathya Bandara
If the client secret is used for client authentication with a POST request to
the token endpoint, then it's not required to send the certificate.


Re: [Dev] Issue with configuring Identity Server as an OIDC provider

2019-09-20 Thread Harsha Kumara
Yes, that's correct. I'm using the OpenID authenticator, so it sets the
certificate in the header by default, hence multiple authenticators get
triggered. But mutual SSL is handled at the transport layer, and even with
mutual authentication the client id and secret will be present in the request.
I feel there is something wrong with the logic.


Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
We came across a similar issue where the OIDC federated authenticator sets
the certificate in the request by default [1]. This occurred due to a
change to registry.xml with the new config model. When the changes were
reverted, it worked as expected [2]. Maybe the same issue exists with APIM?

[1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
[2] https://github.com/wso2/product-is/issues/6013

On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:

> Yes, that's correct. I'm using the OpenID authenticator, so it sets the
> certificate in the header by default, hence multiple authenticators get
> triggered. But mutual SSL is handled at the transport layer, and even with
> mutual authentication, the client id and secret will be present in the request.
> I feel there is something wrong with the logic.
>
> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:
>
>> If the client secret is used for client authentication with a POST request to
>> the token endpoint, then it's not required to send the certificate.
>>
>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara  wrote:
>>
>>> So, if so, our OpenIDConnectAuthenticator shouldn't set the certificate in
>>> the request during the authorization code exchange?
>>>
>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara  wrote:
>>>
 Hi Harsha,

 The OAuth spec [1] mandates that a client should not use more than one
 authentication mechanism per request. Hence, we have that validation
 here.

 [1] https://tools.ietf.org/html/rfc6749#section-2.3

 Thanks,

 On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara  wrote:

> As we can configure multiple authenticators and add them based on the
> canAuthenticate method response, why do we need to return the above error if
> multiple authenticators are engaged?
>
> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
> wrote:
>
>> It seems the logic of checking whether the authenticator list is greater
>> than 1 should be correct?
>>
>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>> wrote:
>>
>>> Hi,
>>>
>>> With the API Manager 3.0.0 release, we are going to add the OIDC
>>> authenticator to the API Manager, as we already had that capability
>>> directly through the site.json configuration.
>>>
>>> However, to try the scenario, I have followed the document [1].
>>>
>>> The setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got the
>>> below error during the authorization code exchange.
>>>
>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication
>>> failed exception!
>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>>> invalid_request, The client MUST NOT use more than one authentication
>>> method in each
>>> at
>>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>> at
>>>
>>> This error occurred due to engaging the MutualTLSAuthenticator in
>>> the token exchange flow. The check below returns a list of authenticators
>>> greater than one because this authenticator is engaged. It seems that
>>> during the token exchange flow we send the certificate in the header, which
>>> triggers the MutualTLSAuthenticator's enable checks and adds it to the
>>> authenticator list. When I removed the mutual authenticator jar, this
>>> started to work.
>>>
>>> // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
>>> // whether the grant type is confidential or not.
>>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>>>     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
>>>             "authentication method in each", tokenReqDTO);
>>>     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
>>>     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
>>>     return tokenRespDTO;
>>> }
>>>
>>>
>>> Generally, people will configure OIDC with an external provider and
>>> won't encounter this kind of problem. For testing, if tried with our IS
>>> as the OIDC provider, this leads to triggering the above error.
>>>
>>> Is it required to engage the mutual TLS authenticator when a certificate
>>> is present? Can't we ship it with the setting defaulting to false?
>>>
>>> [1]
>>> https://docs.wso2.com/display/AM260/Configuring+Single+Sign-on+with+OpenID+Connect
>>>
>>> Thanks,
>>> Harsha
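
The validation Sathya points to (RFC 6749 section 2.3: a client must not use more than one authentication method per request) and the failure Harsha hit (a client secret in the POST body plus a certificate that engages the mutual TLS authenticator) can be modelled end to end. The following is an added Python example, not WSO2 Identity Server code; the request shape, the registered client and its secret, the `X-SSL-CERT` header name carrying the certificate and the certificate-subject-to-client mapping are all assumptions made for illustration.

```python
"""Model of the RFC 6749 s2.3 'one client authentication method per request'
check discussed in the thread. Added example, not WSO2 code: the request
shape, header name and registered client below are assumptions."""
import base64
import hmac
from dataclasses import dataclass, field

# Constructed sample data: one registered confidential client and its secret.
REGISTERED_CLIENTS = {"apim_client": "s3cret-value"}
# Constructed mapping from client-certificate subject to client_id for the
# mutual TLS path (assumption: the deployment maps certificates by subject).
CERT_SUBJECT_TO_CLIENT = {"CN=apim_client": "apim_client"}
# Assumed header name used to carry the client certificate to the token endpoint.
CERT_HEADER = "X-SSL-CERT"


@dataclass
class TokenRequest:
    """Minimal model of a POST to the token endpoint."""
    headers: dict = field(default_factory=dict)
    form: dict = field(default_factory=dict)


def engaged_authenticators(req: TokenRequest) -> list:
    """Return the names of every client-authentication method the request carries.
    Each authenticator's canAuthenticate-style check is independent, so a request
    that carries a client secret *and* a certificate engages two of them."""
    engaged = []
    if req.headers.get("Authorization", "").startswith("Basic "):
        engaged.append("BasicAuth")
    if "client_id" in req.form and "client_secret" in req.form:
        engaged.append("ClientSecretPost")
    if CERT_HEADER in req.headers:
        engaged.append("MutualTLS")
    return engaged


def authenticate_client(req: TokenRequest) -> dict:
    """RFC 6749 s2.3: a client MUST NOT use more than one authentication method
    per request, so the count check runs before any credential is verified."""
    engaged = engaged_authenticators(req)
    if len(engaged) > 1:
        return {"error": "invalid_request",
                "error_description": "The client MUST NOT use more than one "
                                     "authentication method in each request",
                "engaged": engaged}
    if not engaged:
        return {"error": "invalid_client",
                "error_description": "No client authentication provided"}

    method = engaged[0]
    if method == "BasicAuth":
        raw = base64.b64decode(req.headers["Authorization"][6:]).decode()
        client_id, _, secret = raw.partition(":")
    elif method == "ClientSecretPost":
        client_id, secret = req.form["client_id"], req.form["client_secret"]
    else:  # MutualTLS: identity comes from the certificate, no secret involved
        client_id = CERT_SUBJECT_TO_CLIENT.get(req.headers[CERT_HEADER])
        if client_id is None:
            return {"error": "invalid_client",
                    "error_description": "Unknown client certificate"}
        return {"client_id": client_id, "method": method}

    expected = REGISTERED_CLIENTS.get(client_id)
    # Constant-time comparison so secret verification does not leak timing.
    if expected is None or not hmac.compare_digest(expected, secret):
        return {"error": "invalid_client",
                "error_description": "Client authentication failed"}
    return {"client_id": client_id, "method": method}


def thread_scenario() -> dict:
    """The failure from the thread: the OIDC federated authenticator posts
    client_id/client_secret and also attaches the certificate."""
    req = TokenRequest(headers={CERT_HEADER: "CN=apim_client"},
                       form={"grant_type": "authorization_code",
                             "client_id": "apim_client",
                             "client_secret": "s3cret-value"})
    return authenticate_client(req)


def fixed_scenario() -> dict:
    """Same exchange once the client stops sending the certificate."""
    req = TokenRequest(form={"grant_type": "authorization_code",
                             "client_id": "apim_client",
                             "client_secret": "s3cret-value"})
    return authenticate_client(req)


if __name__ == "__main__":
    print(thread_scenario())  # invalid_request, two methods engaged
    print(fixed_scenario())   # apim_client authenticated via ClientSecretPost
```

Counting engaged methods before verifying any credential is the point of the check: when two methods are present the server cannot tell which identity the client intends, so it refuses the request rather than picking one. On the client side the remedy the thread converges on is the one `fixed_scenario` shows: stop attaching the certificate when the client already authenticates with its secret.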

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Harsha Kumara
Thanks a lot @Sathya Bandara. That should be the issue. I
will check and update the thread.

Thanks,
Harsha

On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:

> We came across a similar issue where the OIDC federated authenticator sets
> the certificate by default to the request [1]. This has occurred due to a
> change to registry.xml with new config model. When the changes were
> reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>
> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
> [2] https://github.com/wso2/product-is/issues/6013
>
> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:
>
>> Yes that's correct. I'm using the openid authenticator, so it sets the
>> certificate by default to the header, hence multiple authenticators getting
>> triggered..But mutual SSL is handled at the transport layer and even with
>> mutual authentication, client id and secret will be present in the request.
>> I feel there is something wrong with the logic.
>>
>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:
>>
>>> If client secret is used for client authentication with POST request to
>>> the token endpoint, then its not required to send the certificate.
>>>
>>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara  wrote:
>>>
 So if so our OpenIDConnectAuthenticator shouldn't set certificate in
 the request during the authorization code exchange?

 On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara  wrote:

> Hi Harsha,
>
> In the oauth spec [1], it mandates that client should not use more
> than one authentication mechanism per request. Hence, we have that
> validation here.
>
> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>
> Thanks,
>
> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
> wrote:
>
>> As we can configure multiple authenticators, and add them based on
>> canAuthenticate method response, why we need to return above error if
>> multiple authenticators engaged?
>>
>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
>> wrote:
>>
>>> It seems the logic of checking authenticator list greater than 1
>>> should be correct?
>>>
>>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>>> wrote:
>>>
 Hi,

 With the API Manager 3.0.0 release, we are going to add OIDC
 authenticator to the API Manager as we already had that capability in
 directly through the site.json configuration.

 However to try the scenario, I have followed the document[1].

 Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got below
 error during the authorization code exchange.

 [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler Authentication
 failed exception!
 org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
 invalid_request, The client MUST NOT use more than one authentication
 method in each
 at
 org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
 ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
 at

 This error occurred due to engaging the MutualTLSAuthenticator in
 the token exchange flow. The check below returns a list of authenticators
 greater than one because this authenticator is engaged. It seems that
 during the token exchange flow we send the certificate in the header, which
 triggers the MutualTLSAuthenticator's enable checks and adds it to the
 authenticator list. When I removed the mutual authenticator jar, this
 started to work.

 // Will return an invalid request response if multiple authentication mechanisms are engaged irrespective of
 // whether the grant type is confidential or not.
 if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
     tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The client MUST NOT use more than one " +
             "authentication method in each", tokenReqDTO);
     setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
     triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, isRefreshRequest);
     return tokenRespDTO;
 }


 Generally, people will configure OIDC with an external provider and
 won't encounter this kind of problem. For testing, if tried with our IS
 as the OIDC provider, this leads to triggering the above error.

 Is it required to engage the mutual TLS authenticator when a certificate
 is present? Can't we ship it with the setting defaulting to false?

 [1]
 https://docs.wso2.com/display/AM260/Config

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Harsha Kumara
This should either be handled at the client side, by mandating not to send the
certificate, or we have to disable the handler. It looks like we disabled
the handler by default in
https://github.com/wso2/carbon-identity-framework/pull/2336/files

But I don't see it in wso2is-5.9.0-alpha4-SNAPSHOT. Was it reverted again?

Thanks,
Harsha

On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:

> Thanks a lot @Sathya Bandara  That should be the issue.
> I will check and update the thread.
>
> Thanks,
> Harsha
>
> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:
>
>> We came across a similar issue where the OIDC federated authenticator
>> sets the certificate by default to the request [1]. This has occurred due
>> to a change to registry.xml with new config model. When the changes were
>> reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>>
>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>> [2] https://github.com/wso2/product-is/issues/6013
>>
>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:
>>
>>> Yes that's correct. I'm using the openid authenticator, so it sets the
>>> certificate by default to the header, hence multiple authenticators getting
>>> triggered..But mutual SSL is handled at the transport layer and even with
>>> mutual authentication, client id and secret will be present in the request.
>>> I feel there is something wrong with the logic.
>>>
>>> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:
>>>
 If client secret is used for client authentication with POST request to
 the token endpoint, then its not required to send the certificate.

 On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara  wrote:

> So if so our OpenIDConnectAuthenticator shouldn't set certificate in
> the request during the authorization code exchange?
>
> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara 
> wrote:
>
>> Hi Harsha,
>>
>> In the oauth spec [1], it mandates that client should not use more
>> than one authentication mechanism per request. Hence, we have that
>> validation here.
>>
>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>
>> Thanks,
>>
>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
>> wrote:
>>
>>> As we can configure multiple authenticators, and add them based on
>>> canAuthenticate method response, why we need to return above error if
>>> multiple authenticators engaged?
>>>
>>> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
>>> wrote:
>>>
 It seems the logic of checking authenticator list greater than 1
 should be correct?

 On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
 wrote:

> Hi,
>
> With the API Manager 3.0.0 release, we are going to add OIDC
> authenticator to the API Manager as we already had that capability in
> directly through the site.json configuration.
>
> However to try the scenario, I have followed the document[1].
>
> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got
> below error during the authorization code exchange.
>
> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler
> Authentication failed exception!
> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
> invalid_request, The client MUST NOT use more than one authentication
> method in each
> at
> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
> at
>
> This error occurred due to engaging the MutualTLSAuthenticator in
> the token exchange flow. Below check returns list of authenticators 
> greater
> than one due to engaging this authenticator. It seems during the token
> exchange flow, we send the certificate in the header which lead to 
> trigger
> the MutualTLSAuthenticator enable checks and add to the authenticator 
> list.
> If I removed the mutual authenticator jar, this started to work.
>
> // Will return an invalid request response if multiple authentication 
> mechanisms are engaged irrespective of
> // whether the grant type is confidential or not.
> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
> tokenRespDTO = handleError(OAuth2ErrorCodes.INVALID_REQUEST, "The 
> client MUST NOT use more than one " +
> "authentication method in each", tokenReqDTO);
> setResponseHeaders(tokReqMsgCtx, tokenRespDTO);
> triggerPostListeners(tokenReqDTO, tokenRespDTO, tokReqMsgCtx, 
> isRefreshRequest);
>

[Dev] WSO2 API Manager Tooling v3.0.0-Alpha is Released!

2019-09-20 Thread Dinusha Dissanayake
*The WSO2 API Manager team is pleased to announce the release of version
3.0.0-Alpha of API Manager Tooling.*

Major improvements include supporting token generation for APIs for testing
purposes. Also, it includes support for Kubernetes APIM operator to deploy
and manage APIs in the Kubernetes cluster.
Further, APIM CLI supports API updates and exporting applications with
consumer key and secrets. Also, this release provides greater flexibility
to create CI/CD pipelines for APIs.

*Distributions & Documentation*

APIM CLI Distributions

APIM CLI Documentation
Bug Fixes And Improvements in API Manager Tooling v3.0.0-Alpha

Fixed issues

Known Issues

All the open issues pertaining to WSO2 API Manager Tooling are reported at
GitHub

How You Can Contribute

Mailing Lists

Join our mailing list and correspond with the developers directly.

   - Developer List: dev@wso2.org | Subscribe | Mail Archive
   - User List: u...@wso2.org | Subscribe | Mail Archive

Reporting Issues

We encourage you to report issues, documentation faults, and feature
requests regarding WSO2 API Manager Tooling through the public API Manager
Tooling Git Repo. 

If it is a security issue then it must be reported to secur...@wso2.com,
not as a GitHub issue. We strongly advise following the security
vulnerability reporting guide when reporting security issues.

*-- The WSO2 API Manager Team --*


-- 
*Dinusha Dissanayake* | Senior Software Engineer | WSO2 Inc
(m) +94 71 293 9439 | (e) dinus...@wso2.com


___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev


Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Sathya Bandara
That PR was not merged. Instead, the missing registry configs were re-added
[1].

[1] https://github.com/wso2/product-is/pull/6076

On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara  wrote:

> Since this either should handle at client side and mandate not to send the
> certificate or we have to disable the handler. Looks like we have disabled
> the handler by default in
> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>
> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it revert
> again?
>
> Thanks,
> Harsha
>
> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:
>
>> Thanks a lot @Sathya Bandara  That should be the issue.
>> I will check and update the thread.
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:
>>
>>> We came across a similar issue where the OIDC federated authenticator
>>> sets the certificate by default to the request [1]. This has occurred due
>>> to a change to registry.xml with new config model. When the changes were
>>> reverted it worked as expected [2]. Maybe the same issue exists with APIM?
>>>
>>> [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
>>> [2] https://github.com/wso2/product-is/issues/6013
>>>
>>> On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:
>>>
 Yes that's correct. I'm using the openid authenticator, so it sets the
 certificate by default to the header, hence multiple authenticators getting
 triggered..But mutual SSL is handled at the transport layer and even with
 mutual authentication, client id and secret will be present in the request.
 I feel there is something wrong with the logic.

 On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara  wrote:

> If client secret is used for client authentication with POST request
> to the token endpoint, then its not required to send the certificate.
>
> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara 
> wrote:
>
>> So if so our OpenIDConnectAuthenticator shouldn't set certificate in
>> the request during the authorization code exchange?
>>
>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara 
>> wrote:
>>
>>> Hi Harsha,
>>>
>>> In the oauth spec [1], it mandates that client should not use more
>>> than one authentication mechanism per request. Hence, we have that
>>> validation here.
>>>
>>> [1] https://tools.ietf.org/html/rfc6749#section-2.3
>>>
>>> Thanks,
>>>
>>> On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
>>> wrote:
>>>
 As we can configure multiple authenticators, and add them based on
 canAuthenticate method response, why we need to return above error if
 multiple authenticators engaged?

 On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
 wrote:

> It seems the logic of checking authenticator list greater than 1
> should be correct?
>
> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
> wrote:
>
>> Hi,
>>
>> With the API Manager 3.0.0 release, we are going to add OIDC
>> authenticator to the API Manager as we already had that capability in
>> directly through the site.json configuration.
>>
>> However to try the scenario, I have followed the document[1].
>>
>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got
>> below error during the authorization code exchange.
>>
>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler
>> Authentication failed exception!
>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>> invalid_request, The client MUST NOT use more than one authentication
>> method in each
>> at
>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>> at
>>
>> This error occurred due to engaging the MutualTLSAuthenticator in
>> the token exchange flow. Below check returns list of authenticators 
>> greater
>> than one due to engaging this authenticator. It seems during the 
>> token
>> exchange flow, we send the certificate in the header which lead to 
>> trigger
>> the MutualTLSAuthenticator enable checks and add to the 
>> authenticator list.
>> If I removed the mutual authenticator jar, this started to work.
>>
>> // Will return an invalid request response if multiple 
>> authentication mechanisms are engaged irrespective of
>> // whether the grant type is confidential or not.
>> if (oAuthClientAuthnContext.isMultipleAuthenticatorsEngaged()) {
>> tokenRespDTO = handleError(OAuth2ErrorCod

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Piraveena Paralogarajah
Hi Harsha,

We observed this error in the IS 5.9.0-m3 pack and fixed it in 5.9.0-m6. In
IS 5.7.0 and before, we didn't ship the mutual TLS authenticator by default.
In the 5.9.0-m3 pack, since we ship this mutual TLS authenticator, that
authenticator gets enabled. So we suspected it may be the cause and sent
this PR [1] to fix the issue. But in IS 5.8.0 we also ship this
authenticator by default, so we suspected something else could be the root
cause of this issue. In IS 5.9.0-m3, the primary IS's certificate was sent to
the federated IDP by default and the mutual TLS authenticator also tried to
authenticate the primary IS. OIDC federation failed since both the
basicclientauthenticator and the mutual TLS authenticator tried to authenticate.

We found some configs were missing in registry.xml and that caused this
issue. Later we added those missing configs in product-is.

[1] https://github.com/wso2/carbon-identity-framework/pull/2336/

[2] Error when invoking OIDC federated Authenticator in IS 5.9.0-m5
[3] Some configs in registry.xml file are not found in the new config model
in IS-5.9.0

Thanks,
Piraveena
*Piraveena Paralogarajah*
Software Engineer | WSO2 Inc.
*(m)* +94776099594 | *(e)* pirave...@wso2.com



On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara  wrote:

> That PR was not merged. Instead the missing registry configs were re-added
> [1]
>
> [1] https://github.com/wso2/product-is/pull/6076
>
> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara  wrote:
>
>> Since this either should handle at client side and mandate not to send
>> the certificate or we have to disable the handler. Looks like we have
>> disabled the handler by default in
>> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>>
>> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it revert
>> again?
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:
>>
>>> Thanks a lot @Sathya Bandara  That should be the
>>> issue. I will check and update the thread.
>>>
>>> Thanks,
>>> Harsha
>>>
>>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:
>>>
 We came across a similar issue where the OIDC federated authenticator
 sets the certificate by default to the request [1]. This has occurred due
 to a change to registry.xml with new config model. When the changes were
 reverted it worked as expected [2]. Maybe the same issue exists with APIM?

 [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
 [2] https://github.com/wso2/product-is/issues/6013

 On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:

> Yes that's correct. I'm using the openid authenticator, so it sets the
> certificate by default to the header, hence multiple authenticators 
> getting
> triggered..But mutual SSL is handled at the transport layer and even with
> mutual authentication, client id and secret will be present in the 
> request.
> I feel there is something wrong with the logic.
>
> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara 
> wrote:
>
>> If client secret is used for client authentication with POST request
>> to the token endpoint, then its not required to send the certificate.
>>
>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara 
>> wrote:
>>
>>> So if so our OpenIDConnectAuthenticator shouldn't set certificate in
>>> the request during the authorization code exchange?
>>>
>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara 
>>> wrote:
>>>
 Hi Harsha,

 In the oauth spec [1], it mandates that client should not use more
 than one authentication mechanism per request. Hence, we have that
 validation here.

 [1] https://tools.ietf.org/html/rfc6749#section-2.3

 Thanks,

 On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
 wrote:

> As we can configure multiple authenticators, and add them based on
> canAuthenticate method response, why we need to return above error if
> multiple authenticators engaged?
>
> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
> wrote:
>
>> It seems the logic of checking authenticator list greater than 1
>> should be correct?
>>
>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>> wrote:
>>
>>> Hi,
>>>
>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>> authenticator to the API Manager as we already had that capability 
>>> in
>>> directly through the site.json configuration.
>>>
>>> However to try the scenario, I have followed the document[1].
>>>
>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got
>>> below error during the authorization code exchange.
>>>
>>> [2019-09-20 15:

Re: [Dev] Issue with configuring Identity Server is a OIDC provider

2019-09-20 Thread Harsha Kumara
Thank you for the information. Since I'm using the alpha4 update, it should
have that fix. I'll check further.

On Sat, Sep 21, 2019 at 12:20 AM Sathya Bandara  wrote:

> That PR was not merged. Instead the missing registry configs were re-added
> [1]
>
> [1] https://github.com/wso2/product-is/pull/6076
>
> On Fri, Sep 20, 2019 at 8:35 PM Harsha Kumara  wrote:
>
>> Since this either should handle at client side and mandate not to send
>> the certificate or we have to disable the handler. Looks like we have
>> disabled the handler by default in
>> https://github.com/wso2/carbon-identity-framework/pull/2336/files
>>
>> But I don't see it in the wso2is-5.9.0-alpha4-SNAPSHOT. Was it revert
>> again?
>>
>> Thanks,
>> Harsha
>>
>> On Fri, Sep 20, 2019 at 7:53 PM Harsha Kumara  wrote:
>>
>>> Thanks a lot @Sathya Bandara  That should be the
>>> issue. I will check and update the thread.
>>>
>>> Thanks,
>>> Harsha
>>>
>>> On Fri, Sep 20, 2019 at 7:14 PM Sathya Bandara  wrote:
>>>
 We came across a similar issue where the OIDC federated authenticator
 sets the certificate by default to the request [1]. This has occurred due
 to a change to registry.xml with new config model. When the changes were
 reverted it worked as expected [2]. Maybe the same issue exists with APIM?

 [1] "Error when invoking OIDC federated Authenticator in IS 5.9.0-m5"
 [2] https://github.com/wso2/product-is/issues/6013

 On Fri, Sep 20, 2019 at 6:50 PM Harsha Kumara  wrote:

> Yes that's correct. I'm using the openid authenticator, so it sets the
> certificate by default to the header, hence multiple authenticators 
> getting
> triggered..But mutual SSL is handled at the transport layer and even with
> mutual authentication, client id and secret will be present in the 
> request.
> I feel there is something wrong with the logic.
>
> On Fri, Sep 20, 2019 at 6:39 PM Sathya Bandara 
> wrote:
>
>> If client secret is used for client authentication with POST request
>> to the token endpoint, then its not required to send the certificate.
>>
>> On Fri, Sep 20, 2019 at 6:35 PM Harsha Kumara 
>> wrote:
>>
>>> So if so our OpenIDConnectAuthenticator shouldn't set certificate in
>>> the request during the authorization code exchange?
>>>
>>> On Fri, Sep 20, 2019 at 6:30 PM Sathya Bandara 
>>> wrote:
>>>
 Hi Harsha,

 In the oauth spec [1], it mandates that client should not use more
 than one authentication mechanism per request. Hence, we have that
 validation here.

 [1] https://tools.ietf.org/html/rfc6749#section-2.3

 Thanks,

 On Fri, Sep 20, 2019 at 6:25 PM Harsha Kumara 
 wrote:

> As we can configure multiple authenticators, and add them based on
> canAuthenticate method response, why we need to return above error if
> multiple authenticators engaged?
>
> On Fri, Sep 20, 2019 at 6:22 PM Harsha Kumara 
> wrote:
>
>> It seems the logic of checking authenticator list greater than 1
>> should be correct?
>>
>> On Fri, Sep 20, 2019 at 5:30 PM Harsha Kumara 
>> wrote:
>>
>>> Hi,
>>>
>>> With the API Manager 3.0.0 release, we are going to add OIDC
>>> authenticator to the API Manager as we already had that capability 
>>> in
>>> directly through the site.json configuration.
>>>
>>> However to try the scenario, I have followed the document[1].
>>>
>>> Setup would be APIM 3.0.0 and IS-5.9.0-Alpha4-SNAPSHOT. I got
>>> below error during the authorization code exchange.
>>>
>>> [2019-09-20 15:33:38,428] ERROR - DefaultStepHandler
>>> Authentication failed exception!
>>> org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException:
>>> invalid_request, The client MUST NOT use more than one 
>>> authentication
>>> method in each
>>> at
>>> org.wso2.carbon.identity.application.authenticator.oidc.OpenIDConnectAuthenticator.getOauthResponse(OpenIDConnectAuthenticator.java:615)
>>> ~[org.wso2.carbon.identity.application.authenticator.oidc-5.3.2.jar:?]
>>> at
>>>
>>> This error occurred due to engaging the MutualTLSAuthenticator
>>> in the token exchange flow. Below check returns list of 
>>> authenticators
>>> greater than one due to engaging this authenticator. It seems 
>>> during the
>>> token exchange flow, we send the certificate in the header which 
>>> lead to
>>> trigger the MutualTLSAuthenticator enable checks and add to the
>>> authenticator list. If I removed the mutual authenticator jar, this 
>>> started
>>> 

Re: [Dev] Binding access token to the browser for new IAM Portal Applications

2019-09-20 Thread Johann Nallathamby
Hi Thanuja,

Did we consider sending the access token itself as a secure, http-only
cookie to the browser instead of binding it to a separate cookie? This will
also simplify the development on the client side, in case someone wants to
build their own SPA.

Regards,
Johann.

On Mon, Sep 2, 2019 at 12:26 PM Thanuja Jayasinghe  wrote:

> Hi All,
>
> With the introduction of the new IAM portal applications, there is a
> requirement to provide additional security measures to secure these SPAs.
> We have already implemented the OAuth2 authorization code flow (public
> client) with PKCE for these applications, and with this feature it will be
> possible to bind the access token to the browser instance. So, an
> additional security measure will be enforced, as the combination of the
> access token and browser token (cookie) is validated while accessing the IS
> APIs.
> Support for configuring this option using the OAuth2 application configuration
> and browser token persistence will be added as well.
>
> Updated request/response flow is as follows,
> [image: Blank Diagram (1).png]
>
> Thanks,
> Thanuja
>
> --
> *Thanuja Lakmal*
> Technical Lead
> WSO2 Inc. http://wso2.com/
> *lean.enterprise.middleware*
> Mobile: +94715979891
>


-- 
*Johann Dilantha Nallathamby* | Associate Director/Solutions Architect |
WSO2 Inc.
(m) +94 (77) 7776950 | (w) +94 (11) 2145345 | (e) joh...@wso2.com
___
Dev mailing list
Dev@wso2.org
http://wso2.org/cgi-bin/mailman/listinfo/dev
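
The design Thanuja describes above (the IS APIs validate the access token together with a browser token held in a cookie) can be sketched server-side as follows. This is an added Python example, not Identity Server code; the cookie name `atbv`, the in-memory token store and the function names are assumptions made for illustration.

```python
"""Model of binding an access token to the browser via a companion cookie, as
described in the thread. Added example, not WSO2 Identity Server code: the
cookie name, store and API names are assumptions."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

BINDING_COOKIE = "atbv"  # assumed name of the browser-binding cookie


def _digest(value: str) -> str:
    return hashlib.sha256(value.encode()).hexdigest()


@dataclass
class IssuedToken:
    access_token: str
    binding_hash: Optional[str]  # None when the application has binding disabled


class TokenStore:
    """Server-side record of issued tokens and their browser bindings."""

    def __init__(self) -> None:
        self._tokens: Dict[str, IssuedToken] = {}

    def issue(self, bind_to_browser: bool) -> Tuple[str, Optional[str]]:
        """Issue a token; when binding is enabled also mint the cookie value.
        Only a hash of the cookie is stored, so a copy of the store alone
        cannot be used to forge the cookie."""
        token = secrets.token_urlsafe(32)
        cookie = secrets.token_urlsafe(32) if bind_to_browser else None
        self._tokens[token] = IssuedToken(token, _digest(cookie) if cookie else None)
        return token, cookie

    def validate(self, authorization: Optional[str], cookie_header: Optional[str]) -> bool:
        """Check an IS API call: the bearer token must be known and, if it is
        bound, the binding cookie must hash to the stored value."""
        if not authorization or not authorization.startswith("Bearer "):
            return False
        record = self._tokens.get(authorization[len("Bearer "):])
        if record is None:
            return False
        if record.binding_hash is None:
            return True  # binding not enabled for this application
        presented = parse_cookies(cookie_header).get(BINDING_COOKIE)
        if presented is None:
            return False  # token presented without its browser token
        return hmac.compare_digest(record.binding_hash, _digest(presented))


def parse_cookies(header: Optional[str]) -> Dict[str, str]:
    """Parse a Cookie request header ('a=1; b=2') into a dict."""
    cookies: Dict[str, str] = {}
    for part in (header or "").split(";"):
        name, sep, value = part.strip().partition("=")
        if sep and name:
            cookies[name] = value
    return cookies


def set_cookie_header(cookie: str) -> str:
    """Set-Cookie line for the binding cookie: not readable by script, only
    sent over TLS, and not attached to cross-site requests."""
    return f"{BINDING_COOKIE}={cookie}; Secure; HttpOnly; SameSite=Strict; Path=/"


def demo() -> Dict[str, bool]:
    """Constructed scenarios: the bound token is only accepted together with
    the cookie the browser received at issuance."""
    store = TokenStore()
    token, cookie = store.issue(bind_to_browser=True)
    unbound, _ = store.issue(bind_to_browser=False)
    return {
        "bound_with_cookie": store.validate(f"Bearer {token}", f"{BINDING_COOKIE}={cookie}; theme=dark"),
        "bound_without_cookie": store.validate(f"Bearer {token}", None),
        "bound_wrong_cookie": store.validate(f"Bearer {token}", f"{BINDING_COOKIE}=notthecookie"),
        "unbound_without_cookie": store.validate(f"Bearer {unbound}", None),
        "unknown_token": store.validate("Bearer unknown", f"{BINDING_COOKIE}={cookie}"),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'accepted' if accepted else 'rejected'}")
```

The value of the binding is the `bound_without_cookie` case: a token copied out of the SPA (for example by script that can read the page's storage) is rejected when replayed from anywhere that does not also hold the HttpOnly cookie. Johann's alternative of carrying the access token itself in an HttpOnly cookie removes the second credential but changes the API contract (the token is no longer a bearer header the SPA controls) and brings the usual cookie concerns, so CSRF protection and cookie scoping then carry the weight.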