WebSphere Liberty Profile OIDC Client URL - oauth

I am trying to use the WebSphere Liberty Profile OIDC Client feature. I have the feature installed and configured, but I am confused about what URL I should be using to connect to it. In the WLP Knowledge Center, it shows an example like this:
https://server.example.com:443/oidc/endpoint/PROVIDER_NAME/authorize
But when my WLP server comes up, I see the following URL in the log:
com.ibm.ws.webcontainer.osgi.DynamicVirtualHost I addWebApplication SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://ibm669-r9v0dvb:11080/oidcclient/
I don't know whether to use 'oidcclient' (probably) or 'oidc'. I also don't know what to put as the PROVIDER_NAME. I tried using the ID of my OIDCClient:
<openidConnectClient id="oidcRP"
clientId="${oauth.client.id}"
clientSecret="${oauth.client.secret}"
authorizationEndpointUrl="${oauth.authorize.endpoint}"
tokenEndpointUrl="${oauth.token.endpoint}"
httpsRequired="false"
redirectToRPHostAndPort="https://myhost.com:443">
I tried connecting with this, but it's not finding it:
http://ibm669-r9v0dvb:11080/oidcclient/endpoint/oidcRP/authorize?scope=openid&response_type=code&client_id=XXX&redirect_uri=https://myhost.com:443
com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor W handleRequest SRVE0190E: File not found: /endpoint/oidcRP/authorize
Can anyone tell me what URL I should be using to connect to the client?

The Liberty openidConnectClient feature enables Liberty as a client to openid connect provider. The configuration parameters inside openidConnectClient are information about openidConnectProvider, for example, the openidConnect provider's authorization endpoint and token endpoint.
What is your openid connect provider? Liberty also can be configured as openid Connect provider. If you also want to use Liberty as openid connect provider, you can create another Liberty instance and enable openidConnectProvider feature.

Related

Auth0 ADFS - Can't Find Federation Metadata URL - Next Steps

This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.

how can i configure the service provider in wso2is for different tenants of version 5.2.0

As per the documentation, enabling the SAAS Application, allows the Service provider to all tenants is not working.Even Though we have created the service provider per each tenant.
when login by using wso2is authentication page it is saying authentication fails.
I have seen the log file of WSO2IS it says service provider has to be registered.
But,we have tested the same service provider application name by using the soap webservice by giving the same credentials it is giving the response.
Thanks In advance,
Solution is,
Verify the ClientId/ClientSecret is associated with the Application/SP.
If Using SoapWS, for OAuthServices then use the super-user credentials(~assuming the clientID/clientSecret belongs to superUser).
If using HTTP-Post:Binding, replace the secToken, respective to each user(~this is for validation in SAMLsoo/SAMLAssertion).
Hope it helps..!

ACS30001: Unable to verify the OpenID response signature

I am working on a proof of concept using Azure Active Directory Access Control Fig. 4 at The fundamentals of Azure identity management is the model I am shooting for. Since I need manage my own identifies in a deep heritage SaaS solution, I am setting up my own OpenID provider. For that, I am using DotNotOpenAuth. In my very vanilla, "hello world" example, I built a simple MVC app and registered it in my Access Control Service Namespace as a Relying Party Application and also registered the OpenIdProviderMvc project as-is from DotNetOpenAuth.Samples as my OpenID Provider using ACS Management Service. Here is the view I registered,
var openIdAddress = new IdentityProviderAddress
{
Address = "...localhost...",
EndpointType = "SignIn"
};
svc.AddRelatedObject(openId, "IdentityProviderAddresses", openIdAddress);
svc.SaveChanges();
which is the OpenID Provider endpoint page expecting to receive OpenID authentication messages to allow users to log into other web sites. This works well, when I launch my relying party application, where I installed the appropriate Nuget packages for DotNetOpenAuth (core, relying party, and their dependencies), the OpenID Providers gets called from the configuration in ACS and log in is successful. However, on redirection to ACS sending to my namespace the OpenID response, (...accesscontrol.windows.net/v2/openid?...) I get the error response:
An error occurred while processing your request.
HTTP Error Code: 502
Message: ACS30000: There was an error processing a sign-in response sent to the OpenID endpoint.
Inner Message: ACS30001: Unable to verify the OpenID response signature.
Inner Message: ACS90005: External server error.
Trace ID: 41338728-fd6e-4299-9efb-ad8684976aae
Timestamp: 2015-08-10 19:18:28Z
I am trying to figure our what I need to do to help ACS be able to verify the OpenID response signature. The response looks good (formatted for legibility and so I don't exceed my link restriction for low reputation):
https://....accesscontrol.windows.net/v2/openid?
context=cH...2
openid.claimed_id=.../user/bob
openid.identity=.../user/bob
openid.sig=NU...Rs=
openid.signed=claimed_id,identity,assoc_handle,op_endpoint,return_to,response_nonce,ns.alias3,alias3.mode,alias3.type.alias1,alias3.value.alias1,alias3.type.alias2,alias3.value.alias2,ns.sreg,sreg.email,sreg.fullname
openid.assoc_handle=WWcF!...
openid.alias3.type.alias2=.../namePerson&openid.alias3.value.alias2=bob
openid.ns.sreg=...openid.net/extensions/sreg/1.1
openid.sreg.email=bob#dotnetopenauth.net
openid.sreg.fullname=bob
Is this something I should be able to handle in the Rule Groups? Is there something I am missing in the security between my OpenId provider and ACS, such as sending some information back relating to signing algorithm, thumbprint, or something?
Thank you

Thinktecture Identity Server - setup external identity providers

I'm following Brock's tutorial on OAuth2 identity providers: OAuth2 in Thinktecture IdentityServer : OAuth2 identity providers and I'm having problems trying to setup each provider details. I'm trying to use google and facebook.
Google: What I've done is. I've created new project, within which I've gone to APIs & auth > Credentials > Create New Client ID and then chose "Web Application" option. On "Client ID for web application" panel in "Javascript Origins" section I have pasted base URL of my IdSrv (https://somename). I have copied Client ID and Client secret and pasted both into appropriate sections in IdSrv identity provider shown in tutorial. When I run the application I get the invalid_request error from Google saying Invalid parameter value for redirect_uri: Non-public domains not allowed: https://somename/idsrv/issue/hrd/oauth2callback
In case of Facebook, I've created new App, and was trying to set "Site URL" in basic settings to https://somename, but got an alert saying "must be a URL with a valid domain." which I believe is essentially the same as what the Google error message is saying
My question is: How can I deploy a test version of my IdSrv then? I just want a quick and simple environment for testing purposes for now. Am running the IdSrv in my local IIS, was following Dominick installation tutorial video Thinktecture IdentityServer v2 Tutorial: Installation
When we setup IdentityServer for local testing we configure it to run under IIS with a custom host name and then setup a entry in the local hosts file. To google this should appear as a public URL.
An easier approach is to use one of the localhost DNS services that exist.
For example, whatever.vcap.me resolves to 127.0.0.1 as does production.vcap.me, staging.vcap.me and development.vcap.me.

Client certificate authentication in spring security

I need to configure 'Client certificate authentication' in Glassfish 3. I tried many scenarios but couldn't configure. The requirement is - the user who imported the .cer file can alone access the application.
So we need to configure in such a way that we need to validate the .cer file that is uploaded into the browser (through which the client is trying to access the application).
Once the certificate file is validated, then we need to show the login screen (form-login). Further we validate the username/password of the user.
I tried several configuratiosn (in applicationCOntext-security.xml file) but in vain.
Can anyone tell how to configure spring security so that both the client certicate authentication (done first) and then the form-login (done next)?
Spring does not do SSL its Glassfish that is setting up the SSL connection. By the time the request has arrived in Spring security all spring security knows is that the request came in over a secure channel but does not know how the secure channel was configured.
To setup client certificate authentication you need to configure glassfish to require a client side certificate to setup the SSL connection and to refuse the connection if the client does not provide a valid certificate.
This way you will get the behavior you want if the client does not present a valid certificate to glassfish glassfish never routes the call to spring.
I do know how to setup client side ssl authentication with glass fish so I can't help you with exact details, but google should know the answer.

Resources