Invalid grant on SAML2 Bearer Assertion profile for OAuth within WSO2 API Manager - oauth

I have problems getting "SAML2 Bearer Assertion profile for OAuth" to work within WSO2 API Manager (port 9445).
My setup:
I created an application (app1) in the API Manager tenant domain (wso2.com) and generated keys.
When I log into IS as admin of the wso2.com tenant domain, I see that a service provider has been created for my application (app1).
I configured the SP of app1 and created the IdP as explained in the documentation.
I could generate a SAML assertion with SAML2AssertionCreator.
When I try to generate an access token using the assertion generated with the command below, I get:
{"error":"invalid_grant","error_description":"Provided Authorization Grant is invalid"}
SAML assertion:
<?xml version="1.0" encoding="UTF-8"?>
<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
  <saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">TestSP</saml:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#">
            <ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/>
          </ds:Transform>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>ISNhVVsEbeRLN2MQdob0qs1QEXc=</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>
      XrMqLJO6z8BERlmrysn9aV9m1GPte3hOUqxNUhr8eTMtho2zjYE5fJkbT+pf8oHxXUaozefs5G+o
      N0tWQc9pqXxuYtk6Lk/EimMzF2xEgrtEzZqksVebJagz9UeOr1mfubZpSGcfdWMHSJdkOuAmsW0E
      rqIc1RZDh+95aoh3VmE=
    </ds:SignatureValue>
    <ds:KeyInfo>
      <ds:X509Data>
        <ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UE...</ds:X509Certificate>
      </ds:X509Data>
    </ds:KeyInfo>
  </ds:Signature>
  <saml:Subject>
    <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2017-06-13T08:10:36.500Z" Recipient="https://localhost:9445/oauth2/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
  <saml:AuthnStatement AuthnInstant="2017-06-13T08:05:36.601Z">
    <saml:AuthnContext>
      <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
    </saml:AuthnContext>
  </saml:AuthnStatement>
  <saml:AttributeStatement>
    <saml:Attribute Name="C">
      <saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">:</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
Command:
java -jar SAML2AssertionCreator.jar TestSP admin https://localhost:9445/oauth2/token https://localhost:9445/oauth2/token .../wso2/wso2is-5.1.0/repository/resources/security/resources/security/wso2carbon.jks wso2carbon wso2carbon wso2carbon
Token command:
curl -k -d "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<Assertion_provided_by_client>&scope=PRODUCTION" -H "Authorization: Basic <Base64 encoded consumer key:consumer secret>" -H "Content-Type:application/x-www-form-urlencoded" https://<IP of the APIM server>:9445/oauth2/token
Logs:
[2017-06-13 12:56:17,036] DEBUG - OAuth2Service Access Token request received for Client ID 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka, User ID null, Scope : [PRODUCTION] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer
[2017-06-13 12:56:17,036] DEBUG - AbstractClientAuthHandler Can authenticate with client ID and Secret. Client ID: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,039] DEBUG - AbstractClientAuthHandler Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client validation set to : null
[2017-06-13 12:56:17,043] DEBUG - OAuth2Util Client credentials were available in the cache for client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,045] DEBUG - OAuth2Util Successfully authenticated the client with client id : 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,055] DEBUG - SAML2BearerGrantHandler SAML Assertion Audience Restriction validation failed against the Audience : https://192.168.0.4:9445/oauth2/token of Identity Provider : IS in tenant : carbon.super
[2017-06-13 12:56:17,055] DEBUG - AccessTokenIssuer Invalid Grant provided by the client Id: 0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka
[2017-06-13 12:56:17,060] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=0rD1Hf7ZT5ZMz5ZJkMDpCZSBOHka grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=PRODUCTION
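The debug log above says exactly which check rejected the grant: the audience restriction was evaluated against https://192.168.0.4:9445/oauth2/token, the URL the identity provider named "IS" is registered with in carbon.super, while the assertion names https://localhost:9445/oauth2/token in both its Audience and its Recipient. The following script is an added example, not WSO2 code, showing the checks RFC 7522 requires a token endpoint to apply to a SAML 2.0 bearer assertion (issuer, validity window, audience, bearer confirmation and recipient) and reproducing the failure from the log with the question's own assertion. The constructed input is the posted assertion with its ds:Signature block removed; signature verification is deliberately out of scope here, and in a real validator it must be done against the certificate registered for the IdP, never against the KeyInfo carried inside the assertion. Note also that the assertion is signed with rsa-sha1, which is deprecated.

```python
"""Added example (not WSO2 code): RFC 7522 checks for a SAML 2.0 bearer assertion."""
from datetime import datetime, timezone
import xml.etree.ElementTree as ET

SAML = "{urn:oasis:names:tc:SAML:2.0:assertion}"
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"

# Constructed input: the question's assertion with the ds:Signature block removed.
ASSERTION = """<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="alajckjphcbadkfhacmcfnnanohlnlpbhfomlmjm" IssueInstant="2017-06-13T08:05:36.500Z" Version="2.0">
  <saml:Issuer>TestSP</saml:Issuer>
  <saml:Subject>
    <saml:NameID>admin</saml:NameID>
    <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
      <saml:SubjectConfirmationData NotOnOrAfter="2017-06-13T08:10:36.500Z"
          Recipient="https://localhost:9445/oauth2/token"/>
    </saml:SubjectConfirmation>
  </saml:Subject>
  <saml:Conditions NotBefore="2017-06-13T08:05:36.500Z" NotOnOrAfter="2017-06-13T08:10:36.500Z">
    <saml:AudienceRestriction>
      <saml:Audience>https://localhost:9445/oauth2/token</saml:Audience>
    </saml:AudienceRestriction>
  </saml:Conditions>
</saml:Assertion>"""

IN_WINDOW = datetime(2017, 6, 13, 8, 7, 0, tzinfo=timezone.utc)      # inside the 5-minute window
AFTER_WINDOW = datetime(2017, 6, 13, 8, 11, 0, tzinfo=timezone.utc)  # after NotOnOrAfter


def _ts(value: str) -> datetime:
    """SAML dateTime in UTC ('Z'); the question's assertion uses millisecond precision."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def validate_bearer_assertion(xml_text, registered_issuer, token_endpoint, now):
    """Return the list of failed checks; empty means the grant passes the
    issuer/time/audience/recipient checks (the signature still has to be verified)."""
    problems = []
    root = ET.fromstring(xml_text)  # stdlib expat does not fetch external entities

    issuer = (root.findtext(SAML + "Issuer") or "").strip()
    if issuer != registered_issuer:
        problems.append(f"issuer {issuer!r} is not the registered IdP {registered_issuer!r}")

    cond = root.find(SAML + "Conditions")
    if cond is None:
        problems.append("no Conditions element")
    else:
        if cond.get("NotBefore") and now < _ts(cond.get("NotBefore")):
            problems.append("assertion not yet valid (Conditions/NotBefore)")
        if cond.get("NotOnOrAfter") and now >= _ts(cond.get("NotOnOrAfter")):
            problems.append("assertion expired (Conditions/NotOnOrAfter)")
        # The token endpoint must find its own URL among the audiences.
        audiences = [a.text.strip() for a in cond.iter(SAML + "Audience") if a.text]
        if token_endpoint not in audiences:
            problems.append(f"audience {audiences} does not include {token_endpoint!r}")

    sc = root.find(f"{SAML}Subject/{SAML}SubjectConfirmation")
    scd = sc.find(SAML + "SubjectConfirmationData") if sc is not None else None
    if sc is None or sc.get("Method") != BEARER or scd is None:
        problems.append("no bearer SubjectConfirmation with SubjectConfirmationData")
    else:
        # RFC 7522: Recipient must be the token endpoint and NotOnOrAfter must be present.
        if scd.get("Recipient") != token_endpoint:
            problems.append(f"recipient {scd.get('Recipient')!r} is not {token_endpoint!r}")
        if scd.get("NotOnOrAfter") is None:
            problems.append("SubjectConfirmationData lacks NotOnOrAfter")
        elif now >= _ts(scd.get("NotOnOrAfter")):
            problems.append("bearer confirmation expired (SubjectConfirmationData/NotOnOrAfter)")
    return problems


def check_against(token_endpoint, now=IN_WINDOW):
    """Run the question's assertion against a token endpoint URL, issuer TestSP."""
    return validate_bearer_assertion(ASSERTION, "TestSP", token_endpoint, now)


if __name__ == "__main__":
    # The IdP in the question's log is registered with the 192.168.0.4 URL while the
    # assertion names localhost: the second line reproduces the audience failure.
    for endpoint in ("https://localhost:9445/oauth2/token", "https://192.168.0.4:9445/oauth2/token"):
        print(endpoint, check_against(endpoint) or "OK")
```

The two URLs must match character for character: a token endpoint registered as an IP address will not accept an assertion issued for localhost, and changing one side (the IdP entry's audience/recipient, or the URLs passed to SAML2AssertionCreator) to agree with the other is the fix the log points at.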

Related

Keycloak as an Identity Broker & an Identity Provider

I am trying to connect 2 Keycloak instances, one as an identity provider and one as an external broker, by following this article.
I am running 2 Docker instances of Keycloak with the following setup:
Keycloak External (127.0.0.1:9090)
Keycloak Internal (127.0.0.1:8080)
Created 2 realms:
realm "keycloak-external-broker" in Keycloak External (127.0.0.1:9090)
realm "keycloak-internal-identity" in Keycloak Internal (127.0.0.1:8080)
Registered the identity provider on the external broker with the following setup
Configured the broker as a client on the internal identity provider
Created a demo user from the Users section in Keycloak Internal (127.0.0.1:8080)
Accessed the external login URL and clicked on sign-in:
http://127.0.0.1:9090/realms/keycloak-external-broker/account/
The following page shows up:
Clicking "Employee login" redirects me to the internal identity provider.
But when I try to log in with the user created in the internal Keycloak, it gives me the following error.
I'm putting out the logs as well. I tried troubleshooting with various options as suggested in various blogs but am still facing the issue. Appreciate any leads; is there anything that I'm missing?
2023-02-15 09:11:40,900 WARN [org.keycloak.events] (executor-thread-179) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bf5ad1d9-c4c9-4f20-8272-e415c04ec67c, clientId=account-console, userId=null, ipAddress=172.17.0.1, error=identity_provider_login_failure, code_id=970a50e2-50af-4f38-80e1-8d4dd900c825, authSessionParentId=970a50e2-50af-4f38-80e1-8d4dd900c825, authSessionTabId=SPngHd5ApfM
2023-02-15 10:05:28,991 ERROR [org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider] (executor-thread-190) Failed to make identity provider oauth callback: org.keycloak.broker.provider.IdentityBrokerException: No access_token from server. error='Realm does not exist', error_description='null', error_uri='null'
at org.keycloak.broker.oidc.OIDCIdentityProvider.verifyAccessToken(OIDCIdentityProvider.java:574)
at org.keycloak.broker.oidc.OIDCIdentityProvider.getFederatedIdentity(OIDCIdentityProvider.java:384)
at org.keycloak.broker.oidc.AbstractOAuth2IdentityProvider$Endpoint.authResponse(AbstractOAuth2IdentityProvider.java:502)
at jdk.internal.reflect.GeneratedMethodAccessor669.invoke(Unknown Source)
at java.base/jdk.internal.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.base/java.lang.reflect.Method.invoke(Method.java:566)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:170)
at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:130)
at org.jboss.resteasy.core.ResourceMethodInvoker.internalInvokeOnTarget(ResourceMethodInvoker.java:660)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTargetAfterFilter(ResourceMethodInvoker.java:524)
at org.jboss.resteasy.core.ResourceMethodInvoker.lambda$invokeOnTarget$2(ResourceMethodInvoker.java:474)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:476)
at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:434)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:192)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:152)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invokeOnTargetObject(ResourceLocatorInvoker.java:183)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:141)
at org.jboss.resteasy.core.ResourceLocatorInvoker.invoke(ResourceLocatorInvoker.java:32)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:492)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$invoke$4(SynchronousDispatcher.java:261)
at org.jboss.resteasy.core.SynchronousDispatcher.lambda$preprocess$0(SynchronousDispatcher.java:161)
at org.jboss.resteasy.core.interception.jaxrs.PreMatchContainerRequestContext.filter(PreMatchContainerRequestContext.java:364)
at org.jboss.resteasy.core.SynchronousDispatcher.preprocess(SynchronousDispatcher.java:164)
at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:247)
at io.quarkus.resteasy.runtime.standalone.RequestDispatcher.service(RequestDispatcher.java:73)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.dispatch(VertxRequestHandler.java:151)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:82)
at io.quarkus.resteasy.runtime.standalone.VertxRequestHandler.handle(VertxRequestHandler.java:42)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:84)
at io.quarkus.vertx.http.runtime.StaticResourcesRecorder$2.handle(StaticResourcesRecorder.java:71)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:430)
at io.quarkus.vertx.http.runtime.VertxHttpRecorder$6.handle(VertxHttpRecorder.java:408)
at io.vertx.ext.web.impl.RouteState.handleContext(RouteState.java:1284)
at io.vertx.ext.web.impl.RoutingContextImplBase.iterateNext(RoutingContextImplBase.java:173)
at io.vertx.ext.web.impl.RoutingContextImpl.next(RoutingContextImpl.java:140)
at org.keycloak.quarkus.runtime.integration.web.QuarkusRequestFilter.lambda$createBlockingHandler$0(QuarkusRequestFilter.java:82)
at io.quarkus.vertx.core.runtime.VertxCoreRecorder$14.runWith(VertxCoreRecorder.java:576)
at org.jboss.threads.EnhancedQueueExecutor$Task.run(EnhancedQueueExecutor.java:2449)
at org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1478)
at org.jboss.threads.DelegatingRunnable.run(DelegatingRunnable.java:29)
at org.jboss.threads.ThreadLocalResettingRunnable.run(ThreadLocalResettingRunnable.java:29)
at io.netty.util.concurrent.FastThreadLocalRunnable.run(FastThreadLocalRunnable.java:30)
at java.base/java.lang.Thread.run(Thread.java:829)
2023-02-15 10:05:29,004 WARN [org.keycloak.events] (executor-thread-190) type=IDENTITY_PROVIDER_LOGIN_ERROR, realmId=bf5ad1d9-c4c9-4f20-8272-e415c04ec67c, clientId=account-console, userId=null, ipAddress=172.17.0.1, error=identity_provider_login_failure, code_id=9ab52933-adf7-4987-97af-320797a534cb, authSessionParentId=9ab52933-adf7-4987-97af-320797a534cb, authSessionTabId=o8n1TLDNldc

SAML assertion verification works in spring-security version 5.4.2, but not in 5.7.1

With spring-security 5.7.1 I get
Invalid signature for object [id6...]
This is the error message from the signature verification of the SAML assertion. But with version 5.4.2 it works.
This is my application.yml:
spring:
  security:
    saml2:
      relyingparty:
        registration:
          okta-saml:
            identityprovider:
              entity-id: http://www.okta.com/e...
              verification:
                credentials:
                  - certificate-location: "classpath:saml-certificate/okta.crt"
              singlesignon:
                url: https://dev-7....okta.com/app/dev-7..._appsaml_1/e.../sso/saml
                sign-request: false
Maybe something must be changed in application.yml?
I have seen the same problem after updating to Spring Boot 2.7.
The problem is related to verifying the SAML response signature:
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to establish trust of KeyInfo-derived credential
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] o.o.x.s.s.impl.BaseSignatureTrustEngine : Failed to verify signature and/or establish trust using any KeyInfo-derived credentials
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Attempting to verify signature using trusted credentials
2022-06-23 17:26:52.747 DEBUG 5308 --- [nio-8282-exec-8] .x.s.s.i.ExplicitKeySignatureTrustEngine : Failed to verify signature using either KeyInfo-derived or directly trusted credentials
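The OpenSAML lines quoted in the answer above describe an explicit-key trust engine: it takes the certificate carried inside the message's ds:KeyInfo and checks whether it is one of the verification credentials configured on the SP (here, okta.crt). "Failed to establish trust of KeyInfo-derived credential" therefore means the IdP signed with a certificate the SP was not given, which is what a rotated Okta signing certificate, or a metadata file that lists two certificates while the SP trusts one, looks like. The script below is an added diagnostic, not Spring Security or OpenSAML code: it pulls every X509Certificate out of the signatures in a SAML response, computes SHA-256 fingerprints the same way `openssl x509 -noout -fingerprint -sha256` does, and reports which signatures carry a trusted certificate. The response and the certificate bytes are constructed placeholders (the functions only hash DER bytes, so they do not need a real X.509 structure to run); in the constructed scenario the Response is signed with a trusted certificate and the enclosed Assertion with a rotated one.

```python
"""Added diagnostic (not Spring Security or OpenSAML code): compare the X.509
certificate(s) in a SAML message's ds:KeyInfo against the SP's trusted certificates."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

DS = "{http://www.w3.org/2000/09/xmldsig#}"

# Constructed placeholders standing in for DER-encoded X.509 certificates.
CERT_A_DER = b"placeholder DER bytes for certificate A (constructed, not real X.509)"
CERT_B_DER = b"placeholder DER bytes for certificate B (constructed, not real X.509)"


def _b64_wrapped(der: bytes) -> str:
    # Real KeyInfo blobs are line-wrapped; wrap this one to exercise the normalisation.
    text = base64.b64encode(der).decode()
    return text[:20] + "\n        " + text[20:]


def _signature(der: bytes) -> str:
    # Enveloped-signature skeleton carrying only the KeyInfo we care about here.
    return (f'<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
            f'<ds:SignedInfo/><ds:SignatureValue>AA==</ds:SignatureValue>'
            f'<ds:KeyInfo><ds:X509Data><ds:X509Certificate>{_b64_wrapped(der)}'
            f'</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>')


# Constructed SAML Response: Response signed with A, enclosed Assertion signed with B.
RESPONSE_XML = (
    '<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" '
    'xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1">'
    + _signature(CERT_A_DER)
    + '<saml:Assertion ID="_a1">' + _signature(CERT_B_DER) + "</saml:Assertion>"
    + "</samlp:Response>"
)

# What the SP has under verification.credentials (okta.crt): only certificate A.
OKTA_CRT = ("-----BEGIN CERTIFICATE-----\n"
            + base64.b64encode(CERT_A_DER).decode() + "\n-----END CERTIFICATE-----\n")
# The certificate the IdP rotated to; adding it to the SP restores trust.
ROTATED_CRT = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(CERT_B_DER).decode() + "\n-----END CERTIFICATE-----\n")


def der_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER bytes, colon-separated like the openssl output."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))


def keyinfo_certs(saml_xml: str):
    """Yield (name of the signed element, DER) for each X509Certificate in a ds:Signature."""
    root = ET.fromstring(saml_xml)
    parent = {child: p for p in root.iter() for child in p}
    for sig in root.iter(DS + "Signature"):
        owner = parent.get(sig)  # enveloped signature: the parent is what it signs
        signed = owner.tag.split("}")[-1] if owner is not None else "(detached)"
        for cert in sig.iter(DS + "X509Certificate"):
            yield signed, base64.b64decode("".join(cert.text.split()))


def check_trust(saml_xml, trusted_pems):
    """[(signed element, fingerprint, trusted?)]; a False entry is the OpenSAML failure."""
    trusted = {der_fingerprint(pem_to_der(p)) for p in trusted_pems}
    return [(name, der_fingerprint(der), der_fingerprint(der) in trusted)
            for name, der in keyinfo_certs(saml_xml)]


if __name__ == "__main__":
    for signed, fp, ok in check_trust(RESPONSE_XML, [OKTA_CRT]):
        print(f"{signed:9} {fp[:23]}...  {'trusted' if ok else 'NOT in verification credentials'}")
```

Run it against a real SAMLResponse (base64-decode the form field first) and okta.crt: a signature whose fingerprint is not in the trusted set is the one the trust engine rejects, and the cure is to replace or add the certificate under verification.credentials, not to weaken verification.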

WSO2 Integrator hosted REST API calling another REST API for POST calls not working

I have created a REST API service which calls another REST API through a POST request. I am using the call and send mediators to call the third-party service hosted on the same machine. When I try to call the WSO2 REST API, the service is unable to call the third-party service. The service drops the message with a timeout, or I see an exception that it cannot send the call through sendPostURL.
I have tried using both send and call mediators (blocking and non-blocking), but the request never completes.
The authentication on the third-party API is Basic (username/password).
Not sure what I am doing incorrectly.
Following is the API definition:
<?xml version="1.0" encoding="UTF-8"?>
<api context="/xyz" name="XYZPostAPI" statistics="enable" trace="enable" xmlns="http://ws.apache.org/ns/synapse">
  <resource methods="POST GET">
    <inSequence>
      <log description="Input"/>
      <!-- header mediators (elided in the question) -->
      <call blocking="true">
        <endpoint key="XYZPost"/>
      </call>
    </inSequence>
    <outSequence>
      <log description="Response">
        <property expression="json-eval($)" name="JSON-Payload"/>
      </log>
      <respond description="batchId"/>
    </outSequence>
    <faultSequence>
      <log description="FaultDetails">
        <property name="text" value="An unexpected error occurred"/>
        <property expression="$ctx:ERROR_MESSAGE" name="message"/>
        <property expression="$ctx:ERROR_CODE" name="code"/>
        <property expression="$ctx:ERROR_DETAIL" name="detail"/>
        <property expression="$ctx:ERROR_EXCEPTION" name="exception"/>
      </log>
      <respond description="fault"/>
    </faultSequence>
  </resource>
</api>
Error seen:
a.
[2020-04-06 10:05:00,712] INFO {org.apache.synapse.mediators.builtin.LogMediator} - To: /nuxeopost, MessageID: urn:uuid:e445d272-b9eb-4e89-84f1-428c622213b8, Direction: request
[2020-04-06 10:05:00,713] INFO {API_LOGGER.NuxeoPostAPI} - To: /nuxeopost, MessageID: urn:uuid:e445d272-b9eb-4e89-84f1-428c622213b8, Direction: request
[2020-04-06 10:05:00,714] INFO {TRACE_LOGGER} - Sending message through endpoint : NuxeoPost resolving to address = http://localhost:8080/nuxeo/api/v1/upload
[2020-04-06 10:05:00,714] INFO {TRACE_LOGGER} - SOAPAction: null
[2020-04-06 10:05:00,715] INFO {TRACE_LOGGER} - WSA-Action: null
[2020-04-06 10:05:03,735] INFO {org.apache.axis2.transport.http.HTTPSender} - Unable to sendViaPost to url[http://localhost:8080/nuxeo/api/v1/upload] org.apache.axis2.AxisFault: Transport error: 401 Error:
at org.apache.axis2.transport.http.HTTPSender.handleResponse(HTTPSender.java:371)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:200)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:228)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.apache.synapse.message.senders.blocking.BlockingMsgSender.sendReceive(BlockingMsgSender.java:492)
at org.apache.synapse.message.senders.blocking.BlockingMsgSender.send(BlockingMsgSender.java:384)
at org.apache.synapse.core.axis2.Axis2FlexibleMEPClient.send(Axis2FlexibleMEPClient.java:92)
at org.apache.synapse.core.axis2.Axis2Sender.sendOn(Axis2Sender.java:85)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.send(Axis2SynapseEnvironment.java:569)
at org.apache.synapse.endpoints.AbstractEndpoint.send(AbstractEndpoint.java:408)
at org.apache.synapse.endpoints.HTTPEndpoint.send(HTTPEndpoint.java:96)
at org.apache.synapse.endpoints.IndirectEndpoint.send(IndirectEndpoint.java:56)
at org.apache.synapse.mediators.builtin.CallMediator.handleBlockingCall(CallMediator.java:165)
at org.apache.synapse.mediators.builtin.CallMediator.mediate(CallMediator.java:120)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:109)
at org.apache.synapse.mediators.AbstractListMediator.mediate(AbstractListMediator.java:71)
at org.apache.synapse.mediators.base.SequenceMediator.mediate(SequenceMediator.java:158)
at org.apache.synapse.rest.Resource.process(Resource.java:331)
at org.apache.synapse.rest.API.process(API.java:440)
at org.apache.synapse.rest.RESTRequestHandler.apiProcess(RESTRequestHandler.java:135)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:113)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:325)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:98)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:367)
at org.apache.synapse.transport.passthru.ServerWorker.processEntityEnclosingRequest(ServerWorker.java:412)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:181)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2020-04-06 10:05:03,762] WARN {API_LOGGER.NuxeoPostAPI} - ERROR_CODE : 401 ERROR_MESSAGE : Transport error: 401 Error:
[2020-04-06 10:05:03,763] WARN {org.apache.synapse.endpoints.EndpointContext} - Endpoint : NuxeoPost with address http://localhost:8080/nuxeo/api/v1/upload will be marked SUSPENDED as it failed
[2020-04-06 10:05:03,764] WARN {org.apache.synapse.endpoints.EndpointContext} - Suspending endpoint : NuxeoPost with address http://localhost:8080/nuxeo/api/v1/upload - current suspend duration is : 30000ms - Next retry after : Mon Apr 06 10:05:33 IST 2020
[2020-04-06 10:05:03,764] INFO {API_LOGGER.NuxeoPostAPI} - FaultHandler executing impl: org.apache.synapse.mediators.MediatorFaultHandler
[2020-04-06 10:05:03,765] WARN {API_LOGGER.NuxeoPostAPI} - Executing fault sequence mediator : org.apache.synapse.mediators.base.SequenceMediator
b.
2020-04-06 09:48:02,801] INFO {org.apache.synapse.transport.passthru.core.PassThroughListeningIOReactorManager} - Pass-through EI_INTERNAL_HTTPS_INBOUND_ENDPOINT Listener started on 0.0.0.0:9164
[2020-04-06 09:49:04,842] INFO {org.apache.synapse.mediators.builtin.LogMediator} - To: /nuxeopost, MessageID: urn:uuid:01e07a5c-93b7-47b8-a8f6-b04f6da03649, Direction: request
[2020-04-06 09:49:04,842] INFO {API_LOGGER.NuxeoPostAPI} - To: /nuxeopost, MessageID: urn:uuid:01e07a5c-93b7-47b8-a8f6-b04f6da03649, Direction: request
[2020-04-06 09:49:04,844] INFO {TRACE_LOGGER} - Sending message through endpoint : NuxeoPostSample resolving to address = http://localhost:8080/nuxeo/api/v1/upload
[2020-04-06 09:49:04,844] INFO {TRACE_LOGGER} - SOAPAction: null
[2020-04-06 09:49:04,844] INFO {TRACE_LOGGER} - WSA-Action: null
[2020-04-06 09:49:04,853] INFO {org.apache.synapse.core.axis2.TimeoutHandler} - This engine will expire all callbacks after GLOBAL_TIMEOUT: 120 seconds, irrespective of the timeout action, after the specified or optional timeout
[2020-04-06 09:51:19,854] WARN {org.apache.synapse.core.axis2.TimeoutHandler} - Expiring message ID : urn:uuid:d6945cd0-6e98-4dfb-a837-5d764cd3cabd; dropping message after GLOBAL_TIMEOUT of : 120 seconds for Endpoint [NuxeoPostSample], URI : http://localhost:8080/nuxeo/api/v1/upload, Received through API : NuxeoPostAPI
[2020-04-06 09:52:04,850] INFO {org.apache.synapse.transport.passthru.SourceHandler} - Writer null when calling informWriterError
[2020-04-06 09:52:04,851] WARN {org.apache.synapse.transport.passthru.SourceHandler} - Connection time out after request is read: http-incoming-3 Socket Timeout : 180000 Remote Address : /127.0.0.1:56896

Peer not authenticated Observed while securing API , using WSO2 EI Oauth 2.0 in localhost

I tried to secure my API using OAuth 2.0 (http://abeykoon.blogspot.com/2015/04/wso2-esb-securing-rest-end-point-using.html) with a custom SimpleOauthHandler in WSO2 EI, and I'm observing this exception:
Caused by: javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated.
I tried to import certificates using keytool, but I'm not sure which certificates have expired, if certificate expiry is the cause of this exception.
Line 63 (return stub.validate(dto).getValid();) in the SimpleOAuthHandler class (http://abeykoon.blogspot.com/2015/04/wso2-esb-securing-rest-end-point-using.html) is causing this exception.
Exception:
[2020-01-10 13:10:54,931] [EI-Core] INFO - HTTPSender Unable to sendViaPost to url[https://localhost:9445/services/OAuth2TokenValidationService]
javax.net.ssl.SSLPeerUnverifiedException: peer not authenticated
at sun.security.ssl.SSLSessionImpl.getPeerCertificates(SSLSessionImpl.java:450)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.verifyHostName(SSLProtocolSocketFactory.java:276)
at org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory.createSocket(SSLProtocolSocketFactory.java:186)
at org.apache.commons.httpclient.HttpConnection.open(HttpConnection.java:707)
at org.apache.commons.httpclient.MultiThreadedHttpConnectionManager$HttpConnectionAdapter.open(MultiThreadedHttpConnectionManager.java:1361)
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:387)
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171)
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397)
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:704)
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:199)
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:81)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:459)
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:286)
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:442)
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:441)
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:227)
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:149)
at org.wso2.carbon.identity.oauth2.stub.OAuth2TokenValidationServiceStub.validate(OAuth2TokenValidationServiceStub.java:738)
at org.wso2.handler.SimpleOauthHandler.handleRequest(SimpleOauthHandler.java:93)
at org.apache.synapse.rest.API.process(API.java:325)
at org.apache.synapse.rest.RESTRequestHandler.apiProcess(RESTRequestHandler.java:135)
at org.apache.synapse.rest.RESTRequestHandler.dispatchToAPI(RESTRequestHandler.java:113)
at org.apache.synapse.rest.RESTRequestHandler.process(RESTRequestHandler.java:71)
at org.apache.synapse.core.axis2.Axis2SynapseEnvironment.injectMessage(Axis2SynapseEnvironment.java:303)
at org.apache.synapse.core.axis2.SynapseMessageReceiver.receive(SynapseMessageReceiver.java:92)
at org.apache.axis2.engine.AxisEngine.receive(AxisEngine.java:180)
at org.apache.synapse.transport.passthru.ServerWorker.processNonEntityEnclosingRESTHandler(ServerWorker.java:337)
at org.apache.synapse.transport.passthru.ServerWorker.run(ServerWorker.java:158)
at org.apache.axis2.transport.base.threads.NativeWorkerPool$1.run(NativeWorkerPool.java:172)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at java.lang.Thread.run(Thread.java:748)
[2020-01-10 13:10:54,933] [EI-Core] ERROR - SimpleOauthHandler Error occurred while processing the message
org.apache.axis2.AxisFault: peer not authenticated
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
Download the server certificate (here is described how: https://superuser.com/questions/97201/how-to-save-a-remote-server-ssl-certificate-locally-as-a-file). In your case, from localhost:9445.
Add the downloaded server SSL certificate to client-truststore.jks in WSO2:
keytool -import -alias localhost -file {PathToDownloadedCertFile} -keystore {WSO2HomeDir}\repository\resources\security\client-truststore.jks
Restart WSO2.

problems spring security saml with vmware identity appliance

I am using the spring-boot-security-saml-sample and attempting to hook it up to an application that uses the vmware identity appliance for SSO.
I can run the vanilla sample application just fine, but when I change the IdP metadata to point at the vmware identity server I run into some issues.
My app uses a local keystore which contains a private key, and I have imported the certs from the IdP metadata into it manually. When the application redirects, I see an error on the vmware identity server side:
java.lang.NullPointerException
com.vmware.identity.samlservice.impl.SamlServiceImpl.verifySignature(SamlServiceImpl.java:124)
com.vmware.identity.samlservice.AuthnRequestState.parseRequestForTenant(AuthnRequestState.java:341)
com.vmware.identity.BaseSsoController.processSsoRequest(BaseSsoController.java:63)
com.vmware.identity.SsoController.sso(SsoController.java:68)
sun.reflect.GeneratedMethodAccessor113.invoke(Unknown Source)
sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
java.lang.reflect.Method.invoke(Method.java:606)
org.springframework.web.method.support.InvocableHandlerMethod.invoke(InvocableHandlerMethod.java:215)
org.springframework.web.method.support.InvocableHandlerMethod.invokeForRequest(InvocableHandlerMethod.java:132)
org.springframework.web.servlet.mvc.method.annotation.ServletInvocableHandlerMethod.invokeAndHandle(ServletInvocableHandlerMethod.java:104)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.invokeHandleMethod(RequestMappingHandlerAdapter.java:749)
org.springframework.web.servlet.mvc.method.annotation.RequestMappingHandlerAdapter.handleInternal(RequestMappingHandlerAdapter.java:689)
org.springframework.web.servlet.mvc.method.AbstractHandlerMethodAdapter.handle(AbstractHandlerMethodAdapter.java:83)
org.springframework.web.servlet.DispatcherServlet.doDispatch(DispatcherServlet.java:938)
org.springframework.web.servlet.DispatcherServlet.doService(DispatcherServlet.java:870)
org.springframework.web.servlet.FrameworkServlet.processRequest(FrameworkServlet.java:961)
org.springframework.web.servlet.FrameworkServlet.doGet(FrameworkServlet.java:852)
javax.servlet.http.HttpServlet.service(HttpServlet.java:621)
org.springframework.web.servlet.FrameworkServlet.service(FrameworkServlet.java:837)
javax.servlet.http.HttpServlet.service(HttpServlet.java:722)
My assumption is that I am doing something wrong in that the identity server is erroring out when trying to verifySignature(). I do not see any errors in my app.
Here is my idp metadata:
<EntityDescriptor xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" xmlns:vmes="http://vmware.com/schemas/attr-names/2012/04/Extensions" entityID="https://hostname:7444/websso/SAML2/Metadata/vsphere.local">
  <Extensions>
    <vmes:ExportedOn>2015-02-26T02:52:39Z</vmes:ExportedOn>
    <vmes:ExportedBy>Exported by VMware Identity Server (c) 2012</vmes:ExportedBy>
  </Extensions>
  <IDPSSODescriptor WantAuthnRequestsSigned="false" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="https://hostname:7444/websso/SAML2/SLO/vsphere.local"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
    <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SAML2/SSO/vsphere.local"/>
    <saml:Attribute FriendlyName="Groups" Name="http://rsa.com/schemas/attr-names/2009/01/GroupIdentity" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <saml:Attribute FriendlyName="givenName" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/givenname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <saml:Attribute FriendlyName="surname" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/surname" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <saml:Attribute FriendlyName="Subject Type" Name="http://vmware.com/schemas/attr-names/2011/07/isSolution" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <saml:Attribute FriendlyName="userPrincipalName" Name="http://schemas.xmlsoap.org/claims/UPN" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
    <saml:Attribute FriendlyName="email" Name="http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri"/>
  </IDPSSODescriptor>
  <SPSSODescriptor AuthnRequestsSigned="false" WantAssertionsSigned="true" protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <KeyDescriptor xmlns:ds="http://www.w3.org/2000/09/xmldsig#" use="signing">
      <ds:KeyInfo>
        <ds:X509Data>
          <ds:X509Certificate>...</ds:X509Certificate>
          <ds:X509Certificate>...</ds:X509Certificate>
        </ds:X509Data>
      </ds:KeyInfo>
    </KeyDescriptor>
    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://hostname:7444/websso/SsoClient/SLO/vsphere.local"/>
    <NameIDFormat>urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress</NameIDFormat>
    <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:persistent</NameIDFormat>
    <NameIDFormat>http://schemas.xmlsoap.org/claims/UPN</NameIDFormat>
    <AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://hostname:7444/websso/SsoClient/SSO/vsphere.local" index="0"/>
  </SPSSODescriptor>
</EntityDescriptor>
The only modifications I've made to the sample are to change the metadata provider, point the keystore to a local file, import the two certs from the metadata file into the keystore, point the extendedMetadata to reference the alias of one of the certs, and use the private key as the signingKey.
Any ideas what could be going wrong?
I changed the private key in my keystore to an RSA key with sigalg SHA1WithRSA, and that seems to have solved this issue. Not sure if the vmware identity server restricts the sigalg or not, but either way it looks to be a bug on their end. Just for the sake of completeness, I created my private key with this command:
keytool -genkey -alias server -keyalg RSA -sigalg SHA1WithRSA -keysize 2048 -keystore mykeystore -dname "CN=www.mycompany.com,OU=it, O=mycompany, L=city, ST=state, C=US" -storepass keystorepass
