Unable to validate token with OAuthPlayground application - oauth-2.0

I am new to PingFederate. I have set up the sample OAuthPlayground web application on PingFederate 8.2.11. To set it up I imported the data.zip provided in OAuthPlayground-3.3.0. I am able to get a code. Subsequently I am able to get the Access Token. I can even refresh the token.
When I click on validate token, I get the following response:
{"error_description":"Invalid client or client credentials","error":"invalid_client"}
Please help as I am pretty stuck here.
Following are excerpts from the server.log:
2017-01-09 23:31:33,146 INFO [com.pingidentity.ws.rest.oauth.client_management.filter.OAuthClientMgmtEnabledFilter] OAuth Client Management REST Web Service Attempted: service=/pf-ws/rest/oauth/clients, remote-ip=127.0.0.1, but the client management database is not enabled. Consult product documentation for config changes required to enable service.
2017-01-09 23:31:33,358 INFO [com.pingidentity.ws.rest.oauth.client_management.filter.OAuthClientMgmtEnabledFilter] OAuth Client Management REST Web Service Attempted: service=/pf-ws/rest/oauth/clients, remote-ip=127.0.0.1, but the client management database is not enabled. Consult product documentation for config changes required to enable service.
2017-01-09 23:31:33,480 INFO [com.pingidentity.ws.rest.oauth.client_management.filter.OAuthClientMgmtEnabledFilter] OAuth Client Management REST Web Service Attempted: service=/pf-ws/rest/oauth/clients, remote-ip=127.0.0.1, but the client management database is not enabled. Consult product documentation for config changes required to enable service.
2017-01-09 23:31:33,646 INFO [com.pingidentity.ws.rest.oauth.client_management.filter.OAuthClientMgmtEnabledFilter] OAuth Client Management REST Web Service Attempted: service=/pf-ws/rest/oauth/clients, remote-ip=127.0.0.1, but the client management database is not enabled. Consult product documentation for config changes required to enable service.
2017-01-09 23:31:33,658 INFO [com.pingidentity.ws.rest.oauth.client_management.filter.OAuthClientMgmtEnabledFilter] OAuth Client Management REST Web Service Attempted: service=/pf-ws/rest/oauth/clients, remote-ip=127.0.0.1, but the client management database is not enabled. Consult product documentation for config changes required to enable service.
2017-01-09 23:32:13,426 tid:aKxlAgS2121ZWpbbiOd4fn6WCy4 INFO [org.sourceid.saml20.domain.mgmt.impl.PluginManagementSupport] Configuring plugin UserPass (org.sourceid.saml20.domain.SimpleUsernamePasswordCredentialValidator)
2017-01-09 23:32:43,956 tid:3hwAz7tzhsUoKKWNL_xQBbxwUd4 INFO [org.sourceid.saml20.domain.mgmt.impl.PluginManagementSupport] Configuring plugin default (org.sourceid.oauth20.token.plugin.impl.ReferenceBearerAccessTokenManagementPlugin)
2017-01-10 00:07:19,810 INFO [com.pingidentity.fsm.SessionTimeout] Application '/pingfederate' session timeout is 30 minutes.
2017-01-10 02:39:05,810 INFO [com.pingidentity.fsm.SessionTimeout] Application '/pingfederate' session timeout is 30 minutes.
2017-01-10 03:09:22,399 tid:5hLSp5Xw-IJNCDNF0xrSbssJmX8 INFO [org.sourceid.saml20.service.impl.localmemory.ArtifactPersistenceServiceMapImpl] Removing expired artifact ByteArrayHashKey: EC5F5B57592E6D3C485EFBF0921ECDD1CA6726D5C19BD40B2FAD9412B122 : Message{partnerRole=null, entityId='null', msg=StoredMessage{clientId='ac_client', userKeyValue='joe', scope='', return scope='false', qualifier='authz_req|HTMLFormSimplePCV', redirectUri='null', idToken='null', codeChallenge='null', codeChallengeMethod='null', tokenManagerId='null', audience='null', extendedGrantAttrs='{}', authnContextAttrs='{}'}}

I believe the log messages you've included in this post are not relevant to the error you're hitting.
Double check that your Resource Server credentials are the same in these places:
OAuth Playground > Settings (top right cog) > Advanced Settings > Resource Server: client_id / client_secret
PingFederate Administration (https://pfadminhost:9999/pingfederate/app) > OAuth Settings > Clients / Manage All - find the same client_id entry and ensure it has a matching client_secret value as the playground, and that the grant types chosen include Access Token Validation (Client is a Resource Server).
It should have already set this up if you used the data.zip packaged with the OAuth Playground - I suspect something has changed in your configuration afterwards.
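As an added example (not part of the original question or answer, and not Ping Identity's code): a small Python helper that builds the validation call the Playground makes against the token endpoint using PingFederate's resource-server grant type, and maps the token endpoint's error code onto the checks listed above. The grant-type URN and the /as/token.oauth2 path are assumed from PingFederate's documentation; confirm them against your version.

```python
import base64
import json
from urllib.parse import urlencode

# The "Access Token Validation (Client is a Resource Server)" grant type named in
# the answer. This URN is the one documented for PingFederate; treat it as an
# assumption to check against your own version's documentation.
VALIDATE_BEARER_GRANT = "urn:pingidentity.com:oauth2:grant_type:validate_bearer"


def build_validation_request(base_url, rs_client_id, rs_client_secret, access_token):
    """Return (url, headers, body) for a token-validation call.

    The *resource server's* own client_id/client_secret go into the HTTP Basic
    Authorization header; the bearer token being checked goes into the form body.
    """
    creds = f"{rs_client_id}:{rs_client_secret}".encode("utf-8")
    headers = {
        "Authorization": "Basic " + base64.b64encode(creds).decode("ascii"),
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": VALIDATE_BEARER_GRANT, "token": access_token})
    return base_url.rstrip("/") + "/as/token.oauth2", headers, body


def diagnose(response_body):
    """Map the token endpoint's JSON error (RFC 6749 error codes) onto the checks above."""
    err = json.loads(response_body).get("error")
    if err is None:
        return "ok: no error in response"
    hints = {
        # The error from the question: the call was rejected on the resource
        # server's credentials before the bearer token itself was examined.
        "invalid_client": (
            "resource-server client_id/client_secret rejected: compare the "
            "Playground 'Resource Server' settings with the client under "
            "OAuth Settings > Clients, and confirm that client has the "
            "'Access Token Validation (Client is a Resource Server)' grant type"
        ),
        "unauthorized_client": "the client authenticated but is not allowed this grant type",
        "invalid_grant": "the bearer token itself is expired, revoked or unknown",
    }
    return f"{err}: {hints.get(err, 'see error_description in the response')}"
```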

Related

MSIS5004: The WSFederationPassiveEndpoint address is not configured on the relying party trust identified by the endpoint

I am developing a web application using ASP.NET MVC 5 that is integrated with ADFS. After logging in to ADFS using credentials I get this error:
Microsoft.IdentityServer.RequestFailedException: MSIS7012: An error occurred while processing the request. Contact your administrator for details. ---> Microsoft.IdentityServer.Service.SecurityTokenService.EmptyOrMissingWSFederationPassiveEndpointException: MSIS5004: The WSFederationPassiveEndpoint address is not configured on the relying party trust identified by the endpoint 'https://xxxxx.xxx.com'. It is required to process the current request.
Please advise!

Google OAuth 2 Refresh Token is Missing for Web App but Present for localhost

Problem: Missing OAuth 2 Refresh Token.
The problem is that the localhost version receives a Refresh Token as part of the granted token, but the same code running in GCE does not.
Details:
I have written a Python Flask application that implements Google OAuth 2.0. This web application runs in the cloud with a verified domain name, valid SSL certificate and HTTPS endpoint. This web application, unmodified, also runs as localhost. The difference between the runtimes is that the localhost version does not use TLS. There are no other differences in the code flow.
Other than the Refresh Token being missing, so that I cannot automatically renew a token, everything works perfectly.
I have researched this issue extensively. API parameters such as access_type=offline etc. are correctly implemented, otherwise I would not get a Refresh Token in the localhost version.
I am using the requests_oauthlib Python library.
from flask import redirect, request, session
from requests_oauthlib import OAuth2Session

# app, scope, redirect_uri, authorization_base_url and token_url are defined
# elsewhere in the application (not shown in the post).

def login():
    gcp = OAuth2Session(
        app.config['gcp_client_id'],
        scope=scope,
        redirect_uri=redirect_uri)
    # print('Requesting authorization url:', authorization_base_url)
    authorization_url, state = gcp.authorization_url(
        authorization_base_url,
        access_type="offline",
        prompt="select_account",
        include_granted_scopes='true')
    session['oauth_state'] = state
    return redirect(authorization_url)

# Next section of code after the browser approves the request
def callback():
    gcp = OAuth2Session(  # a new session per request, bound to the saved state
        app.config['gcp_client_id'],
        state=session['oauth_state'],
        redirect_uri=redirect_uri)
    token = gcp.fetch_token(
        token_url,
        client_secret=app.config['gcp_client_secret'],
        authorization_response=request.url)
    return token
The token has refresh_token when running in localhost but not when running in the cloud.
This Google document discusses refresh tokens and indicates that this is supported for web applications:
Refreshing an access token (offline access)
[Update 11/18/2018]
I found this bug report which gave me a hint to change my code from this:
authorization_url, state = gcp.authorization_url(
    authorization_base_url,
    access_type="offline",
    prompt="select_account",
    include_granted_scopes='true')
to this:
authorization_url, state = gcp.authorization_url(
    authorization_base_url,
    access_type="offline",
    prompt="consent",
    include_granted_scopes='true')
Now I am receiving the Refresh Token in the public server version and the localhost version.
Next I searched for documentation on the prompt option and found this:
OpenID Connect prompt
prompt (Optional)
A space-delimited list of string values that specifies whether the authorization server prompts the user for reauthentication and consent. The possible values are:
none: The authorization server does not display any authentication or user consent screens; it will return an error if the user is not already authenticated and has not pre-configured consent for the requested scopes. You can use none to check for existing authentication and/or consent.
consent: The authorization server prompts the user for consent before returning information to the client.
select_account: The authorization server prompts the user to select a user account. This allows a user who has multiple accounts at the authorization server to select amongst the multiple accounts that they may have current sessions for.
If no value is specified and the user has not previously authorized access, then the user is shown a consent screen.
I think the Google documentation should be updated. On the same page, the following text appears:
access_type (Optional)
The allowed values are offline and online. The effect is documented in Offline Access; if an access token is being requested, the client does not receive a refresh token unless offline is specified.
That statement caused me a lot of confusion trying to debug why I could not obtain a Refresh Token for the public server version but I could for the localhost version.

Privacy of Hyperledger composer rest server

In Hyperledger Composer the REST API (composer-rest-server) is secured by enabling authentication for the REST server, but in http://localhost:3000/explorer all sensitive data is not encrypted. Could I use cryptography or another approach, such as a Zero Knowledge Proof, to encrypt and decrypt data to protect the privacy of sensitive data?
And I see "Securing the REST server using HTTPS and TLS": when I run the command composer-rest-server -c alice1#my-network -t and then open the browser at https://localhost:3000/explorer, I don't know how to use it.
Thank you in advance!
Firstly, you would use TLS between the REST client and REST server - see https://hyperledger.github.io/composer/latest/integrating/securing-the-rest-server and general/useful info on TLS with diagrams here.
You would really need to set up authentication (known user identities that are using it) with TLS, as discussed here, then connect to the authentication path for your application to authenticate the user using the REST APIs, https://localhost:3000/auth/github (or whatever the authPath is for your implemented strategy), and then interactions/data in transit between client and server will be encrypted.
Once the REST server is up and running with TLS enabled, you will authenticate at your REST client as the user in question; once authenticated, that user gets an access token or similar. In terms of Composer and the deployed business network / smart contract, that user will (already) have been issued a business network card that includes the user's blockchain identity (key/cert) and contains connection info/metadata (i.e. how to connect to the deployed/runtime business network out on the Fabric network). This access may be programmatic, from an application client that's using the REST APIs (i.e. the app user that's logged in to the app has been assigned this business network card), or indeed a user may be using the REST API client in a browser (e.g. he/she would import the card into their Wallet in the REST client; it then becomes the default identity in the REST API session, which interacts with / signs transactions that update the business network (create asset, update asset etc.) as REST API operations to the REST Server (over TLS), which in turn interacts with the Fabric network (over TLS)).

WebSphere Liberty Profile OIDC Client URL

I am trying to use the WebSphere Liberty Profile OIDC Client feature. I have the feature installed and configured, but I am confused about what URL I should be using to connect to it. In the WLP Knowledge Center, it shows an example like this:
https://server.example.com:443/oidc/endpoint/PROVIDER_NAME/authorize
But when my WLP server comes up, I see the following URL in the log:
com.ibm.ws.webcontainer.osgi.DynamicVirtualHost I addWebApplication SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://ibm669-r9v0dvb:11080/oidcclient/
I don't know whether to use 'oidcclient' (probably) or 'oidc'. I also don't know what to put as the PROVIDER_NAME. I tried using the ID of my OIDCClient:
<openidConnectClient id="oidcRP"
                     clientId="${oauth.client.id}"
                     clientSecret="${oauth.client.secret}"
                     authorizationEndpointUrl="${oauth.authorize.endpoint}"
                     tokenEndpointUrl="${oauth.token.endpoint}"
                     httpsRequired="false"
                     redirectToRPHostAndPort="https://myhost.com:443">
I tried connecting with this, but it's not finding it:
http://ibm669-r9v0dvb:11080/oidcclient/endpoint/oidcRP/authorize?scope=openid&response_type=code&client_id=XXX&redirect_uri=https://myhost.com:443
com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor W handleRequest SRVE0190E: File not found: /endpoint/oidcRP/authorize
Can anyone tell me what URL I should be using to connect to the client?
The Liberty openidConnectClient feature enables Liberty to act as a client to an OpenID Connect provider. The configuration parameters inside openidConnectClient are information about the OpenID Connect provider, for example the provider's authorization endpoint and token endpoint.
What is your OpenID Connect provider? Liberty can also be configured as an OpenID Connect provider. If you also want to use Liberty as the OpenID Connect provider, you can create another Liberty instance and enable the openidConnectProvider feature.

Calling customer service results in 401 Unauthorized

We are trying to connect to a custom Dynamics 365 Finance service operation but are struggling to authorize.
We've set up an app registration:
Redirect_uri set to the Dynamics URL (root)
Enabled implicit grant (both for access tokens and ID tokens)
Single tenant
Assigned the "Dynamics ERP > CustomService.FullAccess" API permission
Assigned the "Dynamics ERP > Odata.FullAccess" API permission
Assigned the "Dynamics ERP > Connector.FullAccess" API permission + granted admin consent for the entire AD
Created a secret
We've added the Application (client ID) within the Dynamics 365 environment with a user which has the System Administrator role.
We can successfully retrieve access tokens both via Postman and .NET (Microsoft.IdentityModel.Clients.ActiveDirectory).
We tried to reach both https://xxxxxxdevaossoap.cloudax.dynamics.com and https://xxxxxxdevaos.cloudax.dynamics.com
Yet when we call custom services, we get a 401 Unauthorized.
A call to OData also fails for the same reason.
Verify the resource in your request for the OAuth token (and verify the token at https://jwt.io for the aud (Audience) field).
It should be the same as your primary URL without a / at the end (like https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com).
Also verify that the Azure Active Directory applications (mi=SysAADClientTable) Client Id is equal to the appid field in the token (and without any special characters).
You can always inspect the Windows Event Log Microsoft-Dynamics-AX-WebApi/Operational.
There is good information there, like this:
Source: Microsoft-Dynamics-AX-WebApi
Category: WebApiOwinConfigurationMissingError
Level: Error
Description: Web API Owin Authentication Configuration Missing Error
infoMessage: Can read the token but failed validating token with exception
'IDX10214: Audience validation failed.
Audiences: 'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com/'.
Did not match: validationParameters.
ValidAudience: 'null' or validationParameters.ValidAudiences:
'https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com,
00000015-0000-0000-c000-000000000000,
Microsoft.ERP''
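As an added example, not from the question or the answer and not Microsoft's code: a Python checker for the two mismatches the answer names (a trailing slash on the token's aud, and the registered Client Id not matching the appid claim), run against a constructed unsigned token. It only decodes claims for debugging, exactly as one would at jwt.io, and performs no signature verification. The accepted audiences are those from the IDX10214 event above; the client id used in the test is a made-up placeholder.

```python
import base64
import json

# Accepted audiences, taken from the IDX10214 event quoted in the answer above.
D365_VALID_AUDIENCES = [
    "https://d365fo-10-12345678baef10230aos.cloudax.dynamics.com",
    "00000015-0000-0000-c000-000000000000",
    "Microsoft.ERP",
]


def _b64url_decode(segment):
    # JWT segments omit base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def _b64url_encode(data):
    return base64.urlsafe_b64encode(data).decode("ascii").rstrip("=")


def make_unsigned_jwt(claims):
    """Build a constructed, unsigned JWT (alg=none) so the checker can run offline."""
    header = _b64url_encode(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    payload = _b64url_encode(json.dumps(claims).encode())
    return f"{header}.{payload}."


def peek_claims(token):
    """Read the payload only, with no signature check: for diagnosis, never for authorisation."""
    return json.loads(_b64url_decode(token.split(".")[1]))


def check_token_against_d365(token, valid_audiences, configured_client_id):
    """Return the list of mismatches that would make D365 F&O answer 401 for this token."""
    claims = peek_claims(token)
    problems = []
    aud = claims.get("aud", "")  # assumed to be a single string, as in the event above
    if aud not in valid_audiences:
        if aud.rstrip("/") in valid_audiences:
            problems.append(f"aud {aud!r} has a trailing slash; request the token for "
                            f"resource {aud.rstrip('/')!r} instead")
        else:
            problems.append(f"aud {aud!r} is not an accepted audience")
    # SysAADClientTable must hold the bare GUID: braces or stray spaces break the match.
    appid = claims.get("appid", "")
    if appid.lower() != configured_client_id.strip("{} ").lower():
        problems.append(f"appid {appid!r} does not match the registered client id "
                        f"{configured_client_id!r}")
    return problems
```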