I'm working with OAuth for SSO authentication using WSO2 Identity Server, but I can't find the SSO URL for OAuth, like https://localhost:9443/samlsso for SAML.
Can anybody help me?
Here are the endpoints related to OAuth2 in WSO2 Identity Server.
Authorization Endpoint: https://localhost:9443/oauth2/authorize
Token Endpoint: https://localhost:9443/oauth2/token
Revoke Endpoint: https://localhost:9443/oauth2/revoke
Additionally:
OpenID Connect UserInfo Endpoint: https://localhost:9443/oauth2/userinfo
The assumption here is that the Identity Server is running locally and has the port offset set to zero.
I have created 2 JHipster applications (JHipster v6.3.1):
Microservice Gateway (authenticationType: oauth2)
Microservice Application (authenticationType: jwt)
I have configured Okta with the gateway app and this works fine, I can log in with my user. I can also see that the ROLE_ADMIN and ROLE_USER authorities are being correctly assigned in Spring Security.
However, I get the following error from the Microservice Application when I attempt to add/view an entity:
Unsupported JWT token.
Unauthorized: Full authentication is required to access this resource
Is there some configuration I need to do to get the JWT token passed in to the Microservice Application?
You cannot mix authentication types between microservice apps. You have to use either OAuth 2.0 or JWT in all of them. FWIW, JHipster's OAuth 2.0 support does use JWTs.
I am implementing SSO in my application, and from app-1 I need to make a REST call to app-2. I log in to app-1 with SAML and authenticate successfully, then try the REST call from app-1 with OpenID, but since authentication uses SAML only, I am not able to get the access/bearer token. Please help: how do I get the access/bearer token from the SAML request/response? I'm using Keycloak Server for the SSO implementation.
You can't.
REST APIs need a JWT token, not a SAML one.
Change SAML to OpenID Connect and it will work.
(1) OpenID Connect 1.0 is a simple identity layer on top of the OAuth 2.0 protocol. It allows Clients to verify the identity of the End-User based on the authentication performed by an Authorization Server, as well as to obtain basic profile information about the End-User in an interoperable and REST-like manner.
(2) Presently there is no IETF draft document regarding SAML 2.0 Profile for OpenID Connect client.
We can refer to the IETF draft document SAML 2.0 Profile for OAuth 2.0 client.
The OAuth 2.0 Access Token using SAML Assertion filter enables an OAuth client to request an access token using a SAML assertion. This supports the OAuth 2.0 SAML flow, which is used when a client wishes to utilize an existing trust relationship, expressed through the semantics of the SAML assertion, without a direct user approval step at the authorization server. For more details on supported OAuth flows, see API Gateway OAuth 2.0 authentication flows.
(3) Both Auth0 and the open-source WSO2 Identity Server implement the SAML profile for OpenID Connect/OAuth to convert a SAML token to an OpenID Connect/OAuth token, as demonstrated by Auth0 SAML Configuration and WSO2 Adding and Configuring an Identity Provider. In other words, Auth0 and WSO2 Identity Server can relay SAML authentication provided by a SAML IdP to either an OpenID Connect client or an OAuth 2.0 client.
I have installed and configured the JWT Grant Type in WSO2 IS 5.3.0 following this guide.
Then I have configured a Service Provider enabling the OAuth/OpenID Connect Inbound Authenticator.
I am able, from a JavaScript client, to authenticate the user using the OAuth 2 protocol with the openid scope, obtaining a valid JWT token (JWTToken).
Finally I tried to make a POST request to https://****/oauth2/token?grant_type=urn:ietf:params:oauth:grant-type:jwt-bearer&assertion=JWTToken using a REST client and setting Content-Type=application/x-www-form-urlencoded.
When I do the request, the WSO2 IS server asks for a username and a password. I am able to pass this step by providing a valid clientId and clientSecret.
Unfortunately at this point the server does not reply with an access token but with a 400 Bad Request, and the response body contains "{"error_description":"Error occurred while decoding public certificate of Identity Provider default for tenant domain carbon.super","error":"invalid_grant"}"
I can't understand if the problem is the JWT token that I pass to the server or if there are some issues with the certificates. Any help please?
Okay. I think this should help you.
If you take the OpenID Connect token you got from WSO2 Identity Server and put it in jwt.io, you will see that the OpenID Connect token has the "iss" (issuer) value "https://localhost:9443/oauth2/token" (replace localhost with your hostname if you have set the hostname), which is the token endpoint of WSO2 Identity Server.
So when you use this token as a JWT Bearer grant, in order to validate the signature the grant handler tries to retrieve an IDP with the name given in the issuer (iss) field (i.e. the token endpoint of WSO2 Identity Server). As it fails to find any identity provider, it retrieves the default identity provider (note this is a dummy IDP added for the sake of backward compatibility), which doesn't have any certificate. (You can find this under $IS_HOME/repository/conf/identity/identity-providers/default.xml.)
So there are two ways to fix this:
1. Change the issuer value of Identity Server so that it can fetch the certificate of its resident identity provider.
To do this, log in to the management console, go to Identity Provider --> Resident --> Inbound Authentication Configuration --> OAuth2/OpenID Connect Configuration --> and set the 'Identity Provider Entity Id' value to LOCAL.
2. Create a new Identity Provider with the name equal to the issuer value of the OpenID Connect token (i.e. the token endpoint) and upload the public certificate that can be used to verify the OpenID Connect token.
Personally, I prefer the first solution :)
Update:
You also need to make one more change.
In identity.xml (found under repository/conf/identity), uncomment the following lines:
<Audiences>
    <Audience>
        ${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/token
    </Audience>
</Audiences>
This will make sure that the audience validation check passes for the issued OpenID Connect token when used as a JWT bearer grant. (i.e. the JWT Grant handler will validate whether the token endpoint is one of the audiences in the provided grant)
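As an added example (not from the answer above or from WSO2's code), this script reproduces the two checks the answer describes as a client-side preflight: it decodes the claims of the token you intend to use as a JWT bearer assertion, reports whether "iss" would resolve to a configured identity provider (assumed here to be a lookup by IdP name, with the resident IdP reached via the name LOCAL), and whether the token endpoint is present in "aud". The sample token, IdP names and client id are constructed placeholders.

```python
import base64
import json
from typing import Dict, List

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"  # replace localhost with your hostname


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit base64 padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def jwt_claims(token: str) -> Dict:
    """Return the payload claims of a compact JWS. The signature is NOT verified
    here; the grant handler does that server-side, this is only a preflight."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))


def preflight_jwt_bearer(token: str, token_endpoint: str, idp_names: List[str]) -> List[str]:
    """List the validation steps that would fail for this assertion, or [] if none."""
    claims = jwt_claims(token)
    problems = []
    iss = claims.get("iss")
    # The handler looks up an IdP named after 'iss'; with no match it falls back to the
    # certificate-less 'default' IdP and signature validation fails with invalid_grant.
    if iss not in idp_names:
        problems.append(f"issuer {iss!r} matches no identity provider (default IdP has no certificate)")
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)
    # Audience validation: the token endpoint must be one of the audiences.
    if token_endpoint not in aud:
        problems.append(f"token endpoint {token_endpoint!r} is not among audiences {aud!r}")
    return problems


def token_request(token: str) -> Dict[str, str]:
    """Form fields for the grant; send them form-urlencoded in the POST body."""
    return {"grant_type": JWT_BEARER, "assertion": token}


def _sample_token(claims: Dict) -> str:
    # Constructed, unsigned (alg "none") token for demonstration only.
    def enc(obj: Dict) -> str:
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Claims shaped like a stock WSO2 IS 5.3.0 id token: iss = token endpoint, aud = client id
ISSUED = _sample_token({"iss": TOKEN_ENDPOINT, "aud": ["my-client-id"], "sub": "admin"})

if __name__ == "__main__":
    for problem in preflight_jwt_bearer(ISSUED, TOKEN_ENDPOINT, ["LOCAL"]):
        print("would fail:", problem)
```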
I have created a SAML SSO service and used Google Federated Authentication.
When I am redirected back to Google and after successful authentication I am getting this error:
OpenID auth request contains an unregistered domain:
https://example.com:9446/commonauth
I have already registered an OAuth client in the Google developer console and registered this redirection URL.
When I searched the internet I found that Google closed registration to new OpenID 2.0 clients: https://developers.google.com/+/api/auth-migration#timetable
So how can I solve this problem?
We need to use the OpenID Connect Authenticator or we need to write our own authenticator to use Google Plus API.
We are using WSO2 IS 4.5.0 for our product implementation. We are implementing SAML2-based SSO between our product applications, and our REST APIs are secured using OAuth2. Now, we are trying to configure IS to issue a SAML2 bearer token for OAuth applications.
These are the steps that we followed:
Added a tenant 'sample.com'
Added SAML SSO service provider (travelocity.com) within tenant 'sample.com'
Added OAuth application within tenant 'travelocity'
Added Trusted Identity Provider as defined in SAML2 Bearer Assertion Profile for OAuth 2
Added wso2carbon.jks public certificate to Trusted Identity Provider [This is the same certificate used during SAML Authentication Request generation]
And when I try to invoke OAuth2Service.issueAccess, I get the following error:
Signature was either invalid or signing key could not be established as trusted
Any help to resolve will be highly appreciated.
We had missed configuring the public certificate of the tenant 'sample.com' in the trusted identity provider configuration; that resolved the issue!