WSO2IS OAuth/OpenId Connect SSO Setup - oauth-2.0

I'm trying to figure out how to set up my applications for SSO using WSO2 Identity Server. My use case is that I have 2 applications secured by OAuth/OpenID Connect using WSO2IS. If I'm logged into application 1, then launching application 2 should automatically log me in. What should the flow be?
Currently, I have created 2 service providers, one for each application. Each service provider's inbound authentication configuration is configured using OAuth/OpenID Connect. What else do I need to do?
I've followed https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect+Single-Sign-On. I'm successfully redirected to IS for login, and each application is able to obtain an access token and JWT. However, I'm being asked to log in for each application separately; there is no automatic login when I access application 2.
Thank you!
WSO2IS output when I log in to application 1 followed by application 2, within the same browser and tab.
<<< Application 1 >>>
[2017-07-27 21:30:17,117] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a and callback_uri http://[hostname]:[8080]/xxxx/
[2017-07-27 21:30:17,124] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a ,App Name : Application1, Callback URL : http://[hostname]:[8080]/xxxx/
[2017-07-27 21:30:30,506] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : testuser#carbon.super, Client ID : L7c7Zqf9QpDKjyEtOQ74R__RSy0a, Authorization Response Type : code, Requested callback URI : http://[hostname]:[8080]/xxxx/, Requested Scope : email openid profile
[2017-07-27 21:30:30,507] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2017-07-27 21:30:30,508] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler} - Issued Authorization Code to user : testuser#carbon.super, Using the redirect url : http://[hostname]:[8080]/xxxx/, Scope : email openid profile, validity period : 300000
[2017-07-27 21:30:30,510] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID L7c7Zqf9QpDKjyEtOQ74R__RSy0a, User ID null, Scope : [] and Grant Type : authorization_code
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : authorization_code Strict client validation set to : null
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Authorization Code Info was not available in cache for client id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,758] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Found an Authorization Code, Client : L7c7Zqf9QpDKjyEtOQ74R__RSy0a, authorized user : testuser#carbon.super, scope : email openid profile
[2017-07-27 21:30:30,758] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token c6d1b10e-cd51-379a-9162-4f5228aaa5dc found in cache
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: L7c7Zqf9QpDKjyEtOQ74R__RSy0a username: testuser#carbon.super and scopes: email openid profile
<<< Application 2 >>>
[2017-07-27 21:30:42,014] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fwM8a593OUxufW2ZaBXYx9f1mREa and callback_uri http://[hostname]:[8090]/xxxx/
[2017-07-27 21:30:42,016] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fwM8a593OUxufW2ZaBXYx9f1mREa ,App Name : Application2, Callback URL : http://[hostname]:[8090]/xxxx/
[2017-07-27 21:30:55,454] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : testuser#carbon.super, Client ID : fwM8a593OUxufW2ZaBXYx9f1mREa, Authorization Response Type : code, Requested callback URI : http://[hostname]:[8090]/xxxx/, Requested Scope : email openid profile
[2017-07-27 21:30:55,455] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2017-07-27 21:30:55,457] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler} - Issued Authorization Code to user : testuser#carbon.super, Using the redirect url : http://[hostname]:[8090]/xxxx/, Scope : email openid profile, validity period : 300000
[2017-07-27 21:30:55,458] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID fwM8a593OUxufW2ZaBXYx9f1mREa, User ID null, Scope : [] and Grant Type : authorization_code
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : authorization_code Strict client validation set to : null
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Authorization Code Info was not available in cache for client id : fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Found an Authorization Code, Client : fwM8a593OUxufW2ZaBXYx9f1mREa, authorized user : testuser#carbon.super, scope : email openid profile
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token a01c94d9-c889-3a38-a67e-38a7f0350aa0 found in cache
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: fwM8a593OUxufW2ZaBXYx9f1mREa username: testuser#carbon.super and scopes: email openid profile

The next step is to set up your client application, which will try to authenticate the user with WSO2 using OpenID Connect. Follow these steps:
https://docs.wso2.com/display/IS530/OpenIDConnect
Once done, create a copy of your application, run it on a different port, and play with SSO and SLO. An example is this:
https://docs.wso2.com/display/IS530/Configuring+OpenID+Connect+Single+Logout
You can learn about the mechanics of how WSO2 IS maintains an SSO session by reading Enabling Authentication Session Persistence.

Related

actions on google home app not calling token exchange endpoint

Everything is OK before the token exchange. I found that Google Home showed "something went wrong, try again." It seems that the account linking failed. I checked the official document, but I could not find where it is wrong.
Screenshot: https://i.stack.imgur.com/8NzVp.png
Our OAuth server's log:
14:30:09.322 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.FilterChainProxy - [doFilterInternal,218] - Securing GET /oauth2/authorize?response_type=code&client_id=home-control-google&redirect_uri=https://oauth-redirect.googleusercontent.com/r/smarthome-63b16&state=AGsGMl0x-_cveABQcrOPo1I0RVk6fFwzA328sn87humHtmb_d33ppy7MtK0bnqRKJnKKocsJlIGBZyqUBfZnmskiIi5lFU4Kfus9gVFJeQAqyWoKOUwKUbKo5xl3ieM-ElcYYqMJJ0M4IJ5L171QldMLmeAoIJPlSoIgB4-cTx5NQoXYdcFgj4deBZ8p1GA1ucuT_UlTc72irf8GXlLg19geMnJ0W6-PE8cRlx0gN22Qj8AzsmXRRj_h0N6unvRIIfJI-7NaFdmVpYVQBuXzZYi-ajjcLLhiQYLSveVFnbSv-HS2P8mRuZvXhooPoqnj9j7yg0TPDaXPsS3myHb7G1Ka9UHIXHy6yQnEtboQQhLPfHzw204raLk4FzxzUqF4RGz7I8RZu8ExGopO0NkXk4xHn51oLJumyAs6FRJ6n38sYw43yWboa1q3KjAqiPs-2AxqHofL1Hzq-xmWKvKNx5D1i80toVi3nIQys_EPOje89qWH6cWgcuiJ2s4-l_ZIkuw0GK1YT61_dg9XSW2ACJ72agnY2k81vTZYJt1yuh_kGgg83_oqbjcsazr2x9gF_beVxOxq65H9xxYE0D8m2tiNJRaS5CUvygQLJjqCoOy1JozI0sgS9dy6warYk7mc9KPg27e5LagQmEYdghtG_5t5iluzNX4jag
14:30:09.353 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.HttpSessionSecurityContextRepository - [readSecurityContextFromSession,189] - Retrieved SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=linesware, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=58.56.179.134, SessionId=E1CD90937DE27B197B6DA53D47FA0454], Granted Authorities=[ROLE_USER]]]
14:30:09.384 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - [doFilter,109] - Set SecurityContextHolder to SecurityContextImpl [Authentication=UsernamePasswordAuthenticationToken [Principal=org.springframework.security.core.userdetails.User [Username=linesware, Password=[PROTECTED], Enabled=true, AccountNonExpired=true, credentialsNonExpired=true, AccountNonLocked=true, Granted Authorities=[ROLE_USER]], Credentials=[PROTECTED], Authenticated=true, Details=WebAuthenticationDetails [RemoteIpAddress=58.56.179.134, SessionId=E1CD90937DE27B197B6DA53D47FA0454], Granted Authorities=[ROLE_USER]]]
14:30:11.556 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.DefaultRedirectStrategy - [sendRedirect,57] - Redirecting to https://oauth-redirect.googleusercontent.com/r/smarthome-63b16?code=O1h-RSPrRnKn45aWutuafiC3EkB_jVVJU-AJfRwdB177-xq1BIJ2fHbftdaMNHZ1Zv70YkKvtHkHZGKO5kAwoqYGmK0ATXAAnSYmyNg_cdQ5Q9V2YnVhs3RUkUr1lYtb&state=AGsGMl0x-_cveABQcrOPo1I0RVk6fFwzA328sn87humHtmb_d33ppy7MtK0bnqRKJnKKocsJlIGBZyqUBfZnmskiIi5lFU4Kfus9gVFJeQAqyWoKOUwKUbKo5xl3ieM-ElcYYqMJJ0M4IJ5L171QldMLmeAoIJPlSoIgB4-cTx5NQoXYdcFgj4deBZ8p1GA1ucuT_UlTc72irf8GXlLg19geMnJ0W6-PE8cRlx0gN22Qj8AzsmXRRj_h0N6unvRIIfJI-7NaFdmVpYVQBuXzZYi-ajjcLLhiQYLSveVFnbSv-HS2P8mRuZvXhooPoqnj9j7yg0TPDaXPsS3myHb7G1Ka9UHIXHy6yQnEtboQQhLPfHzw204raLk4FzxzUqF4RGz7I8RZu8ExGopO0NkXk4xHn51oLJumyAs6FRJ6n38sYw43yWboa1q3KjAqiPs-2AxqHofL1Hzq-xmWKvKNx5D1i80toVi3nIQys_EPOje89qWH6cWgcuiJ2s4-l_ZIkuw0GK1YT61_dg9XSW2ACJ72agnY2k81vTZYJt1yuh_kGgg83_oqbjcsazr2x9gF_beVxOxq65H9xxYE0D8m2tiNJRaS5CUvygQLJjqCoOy1JozI0sgS9dy6warYk7mc9KPg27e5LagQmEYdghtG_5t5iluzNX4jag
14:30:11.556 [https-jsse-nio-9000-exec-10] DEBUG o.s.s.w.c.SecurityContextPersistenceFilter - [doFilter,120] - Cleared SecurityContextHolder to complete request
Exchange authorization codes for access tokens
Account Linking through Google Home App consists of two steps: Users are sent to your Authorization Url to provide credentials and complete the consent flow. Once this process is completed successfully, your server gets a token exchange request containing the authorization code at your Token Url. In order to debug this flow, you might need to understand if your credentials exchange completes successfully. You can learn more from the Account Linking Documentation for Google Home.
If you still have issues after this step, make sure to take a look at the Troubleshooting flow. You can also go through the introductory codelab to try these out in a brand new project with a functioning OAuth 2.0 implementation to compare against your project/implementation.

Issue with Integration of Spring Security SAML Java application with ADFS 4

I am trying to integrate SSO in an existing Java/JSP based application (SP) with the help of the Spring Security SAML extension and ADFS 4 (IdP). After I land on the ADFS SSO page from the SP login link and enter credentials, the application is not able to validate the ADFS response and gives the error "HTTP Status 401 - Authentication Failed: Error validating SAML message".
However, from the logs I can see the Assertion is already decrypted successfully and the Attributes are being printed. So I am not able to understand why it is giving the Authentication Failed error. Please help. I am providing the log data below. The Java application is hosted on a Tomcat server.
20-08-2019 11:52:20,003 DEBUG org.apache.xml.security.signature.Reference:? - Verification successful for URI "#_530eaef7-3196-431c-bef8-36fc7c76ef27"
20-08-2019 11:52:20,003 DEBUG org.apache.xml.security.signature.Manifest:? - The Reference has Type
20-08-2019 11:52:20,006 TRACE org.springframework.web.context.support.XmlWebApplicationContext:322 - Publishing event in Root WebApplicationContext: org.springframework.security.authentication.event.AuthenticationFailureServiceExceptionEvent[source=org.springframework.security.saml.SAMLAuthenticationToken#43b19eef: Principal: null; Credentials: [PROTECTED]; Authenticated: false; Details: null; Not granted any authorities]
20-08-2019 11:52:20,006 DEBUG org.springframework.security.saml.SAMLProcessingFilter:346 - Authentication request failed: org.springframework.security.authentication.AuthenticationServiceException: Error validating SAML message
20-08-2019 11:52:20,006 DEBUG org.springframework.security.saml.SAMLProcessingFilter:347 - Updated SecurityContextHolder to contain null Authentication
20-08-2019 11:52:20,007 DEBUG org.springframework.security.saml.SAMLProcessingFilter:348 - Delegating to authentication failure handler org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler#90f53ff
20-08-2019 11:52:20,007 DEBUG org.springframework.security.web.authentication.SimpleUrlAuthenticationFailureHandler:56 - No failure URL set, sending 401 Unauthorized error
20-08-2019 11:52:20,007 DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository:269 - SecurityContext is empty or contents are anonymous - context will not be stored in HttpSession.

Unable to validate token: Couldn't retrieve remote JWK set

I'm setting up an authentication method on Nexus Hybrid Access Gateway based on OpenID Connect, using ADFS as the identity provider.
The goal is to access Nexus Hybrid Access Gateway using the OpenID Connect authentication method.
When configuring OpenID Connect on Nexus HAG, I specified the following information for the Identity Provider:
- Client ID : 3b6fc4cc7463......
- Client Secret : 812e4167....
- Discovery Endpoint : https://example.com/adfs/.well-known/openid-configuration
When I try to log in to the Nexus HAG portal using the OpenID Connect authentication method, I'm redirected to the "https://example.com/adfs/ls/idpinitatedsignon" page to specify user credentials. ADFS is able to verify my credentials, but on my server (Nexus) I keep getting this message:
AUTHENTICATION_MECHANISM:[ 14 ] MECHANISM_MESSAGE:[ Unable to validate token: Couldn't retrieve remote JWK set: Connection reset ]
RADIUS_REJECT_MESSAGE:[ Unable to validate token: Couldn't retrieve remote JWK set: Connection reset ]
Any help will be much appreciated.
Thanks.

OAuth validation fails for valid token in wso2 IS 4.6

I have tried to secure a REST API by creating a custom handler with WSO2 Identity Server 4.6. It shows an invalid token even for valid tokens (stub.validate(dto).getValid() is always false), but it works well in IS 4.5. What could be the reason?
Please help.
log in IS 4.6
[2013-12-31 09:38:21,625] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token Request Received with the Client Id : jjTDKDAThDSg_IroxfpC4qjPCR8a, Grant Type : password
[2013-12-31 09:38:21,625] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,626] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,646] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : admin#carbon.superScope : , Authentication State : true
[2013-12-31 09:38:21,647] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Access Token info retrieved from the cache and served to client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:38:21,647] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access Token issued to client. client-id=jjTDKDAThDSg_IroxfpC4qjPCR8a user-name=admin#carbon.super to application=sample
[2013-12-31 09:38:21,721] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2013-12-31 09:38:21,721+0530]
[2013-12-31 09:38:21,723] DEBUG {org.wso2.carbon.identity.oauth2.validators.TokenValidationHandler} - Access token identifier is not present in the validation request
[2013-12-31 09:38:21,740] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2013-12-31 09:38:21,740+0530]
DEBUG {org.wso2.carbon.identity.oauth2.validators.TokenValidationHandler} - Access token identifier is not present in the validation request
log in IS 4.5
[2013-12-31 09:48:47,432] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token Request Received with the Client Id : jjTDKDAThDSg_IroxfpC4qjPCR8a, Grant Type : password
[2013-12-31 09:48:47,442] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were available in the cache for client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,442] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : admin#carbon.superScope : , Authentication State : true
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Access Token info retrieved from the cache and served to client with client id : jjTDKDAThDSg_IroxfpC4qjPCR8a
[2013-12-31 09:48:47,462] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access Token issued to client. client-id=jjTDKDAThDSg_IroxfpC4qjPCR8a user-name=admin#carbon.super to application=sample
[2013-12-31 09:48:47,582] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2013-12-31 09:48:47,582+0530]
[2013-12-31 09:48:47,582] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService} - Token validation request received for : Client Id : nullTokenType : bearer
[2013-12-31 09:48:47,582] DEBUG {org.wso2.carbon.identity.oauth2.validators.BearerTokenValidator} - Started processing token validation request of type : bearer
[2013-12-31 09:48:47,612] INFO {org.wso2.carbon.core.services.util.CarbonAuthenticationUtil} - 'admin#carbon.super [-1234]' logged in at [2013-12-31 09:48:47,612+0530]
[2013-12-31 09:48:47,612] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2TokenValidationService} - Token validation request received for : Client Id : nullTokenType : bearer
[2013-12-31 09:48:47,612] DEBUG {org.wso2.carbon.identity.oauth2.validators.BearerTokenValidator} - Started processing token validation request of type : bearer
I faced the same problem with OAuth Mediator in Wso2 ESB 4.8.0 accessing Wso2 Identity Server 4.6.0 via Oauth2 validation web service. With Identity server 4.5.0 it works fine. The mediator code invokes the client stub passing the accessToken as plain string.
The error message returned by validation service is Access token identifier is not present in the validation request.
To answer your question, you should use the bundle org.wso2.carbon.identity.oauth.stub in version 4.2.2. It defines a class org.wso2.carbon.identity.oauth2.stub.dto.OAuth2TokenValidationRequestDTO_OAuth2AccessToken which should be used as a parameter for the OAuth2TokenValidationRequestDTO.setAccessToken method. The dto object can then be used as a parameter for the OAuth2TokenValidationServiceStub.validate method.
As you may know, OAuth access tokens are validated by calling the OAuth2TokenValidationService web service in Identity Server. Could you try out this service using SoapUI and see? The WSDL can be found at https://{ip}:{port}/services/OAuth2TokenValidationService?wsdl. Normally this error is generated when the access token is not present in the web service request that is sent to this service.
The request message body must be as follows:
<xsd1:accessToken>
<xsd1:identifier>35d1538940ce9a1e86c0a287c521d14</xsd1:identifier>
<xsd1:tokenType>bearer</xsd1:tokenType>
</xsd1:accessToken>
In your code, the "dto" object may not have been properly set with the identifier value.
Also please find the sample OAuth token validation client code from here
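The answer above says the validation request must carry the token inside an accessToken element with an identifier and a tokenType, and that the "Access token identifier is not present" error is what you get when it does not. The following is an added example, not code from the question, the answers or the WSO2 project: it builds that SOAP envelope, refuses an empty identifier before anything is sent, and parses the validateResponse DTO by local element name so it does not depend on the ax/ns prefixes Axis2 generates. The operation and DTO namespaces (http://org.apache.axis2/xsd and http://dto.oauth2.identity.carbon.wso2.org/xsd), the validationReqDTO parameter name, the urn:validate SOAPAction and the two sample responses are assumptions; confirm them against the WSDL of your IS release.

```python
import urllib.request
import xml.etree.ElementTree as ET
from base64 import b64encode
from xml.sax.saxutils import escape

# Assumed namespaces for OAuth2TokenValidationService; verify against
# https://{ip}:{port}/services/OAuth2TokenValidationService?wsdl for your release.
NS_SOAPENV = "http://schemas.xmlsoap.org/soap/envelope/"
NS_XSD = "http://org.apache.axis2/xsd"
NS_XSD1 = "http://dto.oauth2.identity.carbon.wso2.org/xsd"


def build_validation_request(access_token: str, token_type: str = "bearer") -> str:
    """Build the validate() envelope. An empty identifier is rejected up front, because
    IS answers such a request with 'Access token identifier is not present'."""
    if not access_token or not access_token.strip():
        raise ValueError("access token identifier must not be empty")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS_SOAPENV}" xmlns:xsd="{NS_XSD}" xmlns:xsd1="{NS_XSD1}">'
        "<soapenv:Header/><soapenv:Body><xsd:validate><xsd:validationReqDTO>"
        "<xsd1:accessToken>"
        f"<xsd1:identifier>{escape(access_token)}</xsd1:identifier>"
        f"<xsd1:tokenType>{escape(token_type)}</xsd1:tokenType>"
        "</xsd1:accessToken>"
        "</xsd:validationReqDTO></xsd:validate></soapenv:Body></soapenv:Envelope>"
    )


def _local(tag: str) -> str:
    """Strip the {namespace} part ElementTree prepends to element names."""
    return tag.rsplit("}", 1)[-1]


def parse_validation_response(xml_text: str) -> dict:
    """Flatten the validateResponse DTO regardless of the prefixes Axis2 chose."""
    root = ET.fromstring(xml_text)
    result = {"valid": False, "authorizedUser": None, "errorMsg": None, "scope": [], "expiryTime": None}
    for el in root.iter():
        name = _local(el.tag)
        text = (el.text or "").strip()
        if name == "valid":
            result["valid"] = text.lower() == "true"
        elif name == "scope" and text:
            result["scope"].append(text)
        elif name in ("authorizedUser", "errorMsg", "expiryTime") and text:
            result[name] = text
    return result


def send_validation_request(service_url: str, admin_user: str, admin_password: str,
                            envelope: str, timeout: int = 10) -> dict:
    """POST the envelope with HTTP basic auth (admin services require it).
    This is the only network call in the example and is not exercised offline."""
    creds = b64encode(f"{admin_user}:{admin_password}".encode("utf-8")).decode("ascii")
    req = urllib.request.Request(
        service_url, data=envelope.encode("utf-8"), method="POST",
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:validate",          # assumed action name
                 "Authorization": "Basic " + creds},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_validation_response(resp.read().decode("utf-8"))


# Constructed responses shaped like Axis2 output: one success, one identifier-missing failure.
SAMPLE_OK = f"""<soapenv:Envelope xmlns:soapenv="{NS_SOAPENV}"><soapenv:Body>
<ns:validateResponse xmlns:ns="{NS_XSD}"><ns:return xmlns:ax2405="{NS_XSD1}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2405:authorizedUser>admin@carbon.super</ax2405:authorizedUser>
<ax2405:errorMsg xsi:nil="true"/><ax2405:expiryTime>3600</ax2405:expiryTime>
<ax2405:scope>openid</ax2405:scope><ax2405:valid>true</ax2405:valid>
</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"""

SAMPLE_FAIL = f"""<soapenv:Envelope xmlns:soapenv="{NS_SOAPENV}"><soapenv:Body>
<ns:validateResponse xmlns:ns="{NS_XSD}"><ns:return xmlns:ax2405="{NS_XSD1}"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
<ax2405:authorizedUser xsi:nil="true"/>
<ax2405:errorMsg>Access token identifier is not present in the validation request</ax2405:errorMsg>
<ax2405:expiryTime>0</ax2405:expiryTime><ax2405:valid>false</ax2405:valid>
</ns:return></ns:validateResponse></soapenv:Body></soapenv:Envelope>"""


if __name__ == "__main__":
    print(build_validation_request("35d1538940ce9a1e86c0a287c521d14"))
    print(parse_validation_response(SAMPLE_OK))
    print(parse_validation_response(SAMPLE_FAIL))
```

urlopen verifies the server certificate, so point it at the IS CA (or add that CA to your trust store) rather than switching verification off; a validation call that accepts any certificate accepts any answer about who holds the token.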

Calling customer service results in 401 Unauthorized

We are trying to connect to a custom Dynamics 365 Finance service operation but are struggling to authorize.
We've set up an app registration:
- Redirect_uri set to the Dynamics URL (root)
- Enabled implicit grant (both for access tokens and ID tokens)
- Single tenant
- Assigned the "Dynamics ERP > CustomService.FullAccess" API permission
- Assigned the "Dynamics ERP > Odata.FullAccess" API permission
- Assigned the "Dynamics ERP > Connector.FullAccess" API permission + granted admin consent for the entire AD
- Created a secret
We've added the Application (client ID) within the Dynamics 365 environment with a user which has the System Administrator role.
We can successfully retrieve access tokens both via Postman and .NET (Microsoft.IdentityModel.Clients.ActiveDirectory).
We tried to reach both https://xxxxxxdevaossoap.cloudax.dynamics.com & https://xxxxxxdevaos.cloudax.dynamics.com
Yet when we call custom services, we get a 401 Unauthorized.
A call to OData also fails for the same reason.
Verify the resource in your request for the OAuth token (and verify the token at https://jwt.io for the aud (Audience) field).
It should be the same as your primary URL without a / at the end (like https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com).
Also verify that the Azure Active Directory applications (mi=SysAADClientTable) Client Id is equal to the appid field in the token (and without any special characters).
You can always inspect the Windows Event Log Microsoft-Dynamics-AX-WebApi/Operational.
There is good information there, like this:
Source: Microsoft-Dynamics-AX-WebApi
Category: WebApiOwinConfigurationMissingError
Level: Error
Description: Web API Owin Authentication Configuration Missing Error
infoMessage: Can read the token but failed validating token with exception
'IDX10214: Audience validation failed.
Audiences: 'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com/'.
Did not match: validationParameters.
ValidAudience: 'null' or validationParameters.ValidAudiences:
'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com,
00000015-0000-0000-c000-000000000000,
Microsoft.ERP''
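Two passages on this page come down to the same check: the first question's applications each receive a JWT from WSO2 IS, and the Dynamics answer above shows IDX10214 rejecting a token because its aud carries a trailing slash that the valid audience list does not. The following is an added example, not code from any question or answer here and not from WSO2, ADFS or Dynamics: it mints a demo JWT and validates it the way a relying party or resource server should (signature first, then iss, exact aud, exp and nonce). HS256 with a constructed shared secret stands in for the RS256 signatures real IdPs produce, where the verification key comes from the jwks_uri in the discovery document; the issuer URL, the secret and the fixed clock are constructed, the client_id and the D365 audience strings are taken from this page.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed sample values (not from any real deployment).
SHARED_SECRET = b"constructed-demo-secret-do-not-reuse"
WSO2_ISSUER = "https://idp.example/oauth2/token"        # assumed issuer URL
WSO2_CLIENT_ID = "L7c7Zqf9QpDKjyEtOQ74R__RSy0a"          # client_id from the first question's log
D365_AOS = "https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com"


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Mint a demo JWT. HS256 stands in for the RS256/JWKS signing real IdPs use."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def validate_token(token, key, expected_issuer, valid_audiences, now=None, expected_nonce=None):
    """Return (claims, None) if the token is acceptable, else (None, reason)."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Allow-list the algorithm; never let the token header choose the verification method.
    if header.get("alg") != "HS256":
        return None, f"unsupported alg {header.get('alg')!r}"
    expected_sig = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        return None, "signature verification failed"
    claims = json.loads(b64url_decode(payload_b64))
    if claims.get("iss") != expected_issuer:
        return None, f"issuer mismatch: {claims.get('iss')!r}"
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    # Exact string comparison, as IDX10214 does: a trailing slash is a different audience.
    if not any(a in valid_audiences for a in audiences):
        return None, f"audience validation failed: {audiences} not in {valid_audiences}"
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        return None, "token expired or missing exp"
    if expected_nonce is not None and claims.get("nonce") != expected_nonce:
        return None, "nonce mismatch"
    return claims, None


def demo():
    """Three scenarios: a good ID token, the D365 trailing-slash audience, and a tampered payload."""
    fixed_now = 1_700_000_000  # constructed clock so the example is reproducible
    good = make_hs256_token(
        {"iss": WSO2_ISSUER, "sub": "testuser", "aud": WSO2_CLIENT_ID, "exp": fixed_now + 300, "nonce": "n-1"},
        SHARED_SECRET,
    )
    slash = make_hs256_token(
        {"iss": WSO2_ISSUER, "aud": D365_AOS + "/", "exp": fixed_now + 300}, SHARED_SECRET,
    )
    # Swap in a payload that claims another audience but keep the original signature.
    forged_payload = b64url_encode(
        json.dumps({"iss": WSO2_ISSUER, "aud": WSO2_CLIENT_ID, "exp": fixed_now + 300}).encode("utf-8"))
    head, _, sig = good.split(".")
    tampered = f"{head}.{forged_payload}.{sig}"
    d365_audiences = [D365_AOS, "00000015-0000-0000-c000-000000000000", "Microsoft.ERP"]
    return {
        "good": validate_token(good, SHARED_SECRET, WSO2_ISSUER, [WSO2_CLIENT_ID],
                               now=fixed_now, expected_nonce="n-1"),
        "slash": validate_token(slash, SHARED_SECRET, WSO2_ISSUER, d365_audiences, now=fixed_now),
        "tampered": validate_token(tampered, SHARED_SECRET, WSO2_ISSUER, [WSO2_CLIENT_ID], now=fixed_now),
    }


if __name__ == "__main__":
    for name, (claims, reason) in demo().items():
        print(f"{name}: {'OK aud=' + claims['aud'] if claims else 'REJECTED: ' + reason}")
```

The order of the checks is the point: claims are only read after the signature holds, and the audience comparison is a plain string match against a fixed list, which is exactly why a resource string with a trailing slash is rejected even though it names the same host.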
