I'm trying to use WSO2 Identity server for OAuth token management for my own web application.
I exactly follow the instructions in this blog post and downloaded WSO2 identity server 3.2.3, wso2esb 4.0.3, wso2as 4.1.2 in Ubuntu 10.04. I successfully got the access token.
However, when I ran the code in the last part of the blog in Eclipse(I've already used the correct CONSUMER_SECRET,CONSUMER_KEY and OAUTH_TOKEN in the code), I ended up with an error:
java.net.ConnectException: Connection refused
at java.net.PlainSocketImpl.socketConnect(Native Method)
at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:327)
at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:193)
at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:180)
at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:384)
at java.net.Socket.connect(Socket.java:546)
at java.net.Socket.connect(Socket.java:495)
at sun.net.NetworkClient.doConnect(NetworkClient.java:178)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:409)
at sun.net.www.http.HttpClient.openServer(HttpClient.java:530)
at sun.net.www.http.HttpClient.<init>(HttpClient.java:240)
at sun.net.www.http.HttpClient.New(HttpClient.java:321)
at sun.net.www.http.HttpClient.New(HttpClient.java:338)
at sun.net.www.protocol.http.HttpURLConnection.getNewHttpClient(HttpURLConnection.java:935)
at sun.net.www.protocol.http.HttpURLConnection.plainConnect(HttpURLConnection.java:876)
at sun.net.www.protocol.http.HttpURLConnection.connect(HttpURLConnection.java:801)
at com.google.gdata.client.http.HttpGDataRequest.execute(HttpGDataRequest.java:488)
at com.google.gdata.client.http.GoogleGDataRequest.execute(GoogleGDataRequest.java:515)
at org.wso2.rest.security.oauth.OauthClient.main(OauthClient.java:44)
I'm sure the service port is available and can't figure out what the problem is. Could anyone provide any help?
Besides, in the example in that blog, it seems like I have to connect my own web application to ESB to validate the token. Is there any API I can use in my app to validate the token directly with the Identity Server? Or how should I connect my Jsp web app to the ESB?
In your client code, please change following
private static final String ESB = "http://127.0.0.1:8280/";
To
private static final String ESB = "http://127.0.0.1:8282/";
Related
This post became much longer than anticipated, TLDR: Where is my ASFS Federation Metadata located on my server? My overall task to the setup a test ADFS server in order to integrate our current application with ADFS
Hello, I'm trying to integrate our application with ADFS (it's a WPF application with a NodeJS backend), and I'm testing out Auth0 for this job (but if there are other simple solutions, I would be open to that as well - I've found no good guides so far ): espeically as a developer with no AD experience).
Regardless, I think I've set up a single server AD FS environment (locally as server1.local - with AD CS, AD DS and AD FS and that same server is the domain controller/DNS server) and set up an Auth0 relying party using this guide:
https://auth0.com/docs/connections/enterprise/adfs
In the next steps part, it says: try these quickstart guides. So I've downloaded the Angular2 quick start example project to test. But when I go to the enterprise connections and try to set up an ADFS connection, it asks for a ADFS URL
You can either provide the ADFS URL or upload the federation metadata file.
But I can't seem to find my ADFS URL. Not only that, my server is local, so it wouldn't be able to use my URL anyways right? I can just upload the metadata instead?
I've tried going to https://server1.local/federationmetadata/2007-06/federationmetadata.xml and https://127.0.0.1/FederationMetadata/2007-06/FederationMetadata.xml and https://localhost/FederationMetadata/2007-06/FederationMetadata.xml which under endpoints that's the one that shows, but ie says:
Turn on TLS 1.0, TLS 1.1, and TLS 1.2 in Advanced settings and try connecting to https://server1.local again. If this error persists, it is possible that this site uses an unsupported protocol or cipher suite such as RC4 (link for the details), which is not considered secure. Please contact your site administrator.
I've enabled TLS 1.0, 1.1 and 1.2 and this still doesn't seem to give me my metadata. I've also tried that URL on Chrome and it gives a generic "This site can't be reached"
How do I get my metadata?
In the ADFS configuration, look for what you configured as your federation service name.
Use this in the URL.
https://federation service name/federationmetadata/2007-06/federationmetadata.xml
BTW the federation service name should not be the FQDN of the server.
As per the documentation, enabling the SAAS Application, allows the Service provider to all tenants is not working.Even Though we have created the service provider per each tenant.
when login by using wso2is authentication page it is saying authentication fails.
I have seen the log file of WSO2IS it says service provider has to be registered.
But,we have tested the same service provider application name by using the soap webservice by giving the same credentials it is giving the response.
Thanks In advance,
Solution is,
Verify the ClientId/ClientSecret is associated with the Application/SP.
If Using SoapWS, for OAuthServices then use the super-user credentials(~assuming the clientID/clientSecret belongs to superUser).
If using HTTP-Post:Binding, replace the secToken, respective to each user(~this is for validation in SAMLsoo/SAMLAssertion).
Hope it helps..!
I am trying to use the WebSphere Liberty Profile OIDC Client feature. I have the feature installed and configured, but I am confused about what URL I should be using to connect to it. In the WLP Knowledge Center, it shows an example like this:
https://server.example.com:443/oidc/endpoint/PROVIDER_NAME/authorize
But when my WLP server comes up, I see the following URL in the log:
com.ibm.ws.webcontainer.osgi.DynamicVirtualHost I addWebApplication SRVE0250I: Web Module OpenID Connect Client Redirect Servlet has been bound to default_host.
com.ibm.ws.http.internal.VirtualHostImpl A CWWKT0016I: Web application available (default_host): http://ibm669-r9v0dvb:11080/oidcclient/
I don't know whether to use 'oidcclient' (probably) or 'oidc'. I also don't know what to put as the PROVIDER_NAME. I tried using the ID of my OIDCClient:
<openidConnectClient id="oidcRP"
clientId="${oauth.client.id}"
clientSecret="${oauth.client.secret}"
authorizationEndpointUrl="${oauth.authorize.endpoint}"
tokenEndpointUrl="${oauth.token.endpoint}"
httpsRequired="false"
redirectToRPHostAndPort="https://myhost.com:443">
I tried connecting with this, but it's not finding it:
http://ibm669-r9v0dvb:11080/oidcclient/endpoint/oidcRP/authorize?scope=openid&response_type=code&client_id=XXX&redirect_uri=https://myhost.com:443
com.ibm.ws.webcontainer.extension.DefaultExtensionProcessor W handleRequest SRVE0190E: File not found: /endpoint/oidcRP/authorize
Can anyone tell me what URL I should be using to connect to the client?
The Liberty openidConnectClient feature enables Liberty as a client to openid connect provider. The configuration parameters inside openidConnectClient are information about openidConnectProvider, for example, the openidConnect provider's authorization endpoint and token endpoint.
What is your openid connect provider? Liberty also can be configured as openid Connect provider. If you also want to use Liberty as openid connect provider, you can create another Liberty instance and enable openidConnectProvider feature.
I am working on a proof of concept using Azure Active Directory Access Control Fig. 4 at The fundamentals of Azure identity management is the model I am shooting for. Since I need manage my own identifies in a deep heritage SaaS solution, I am setting up my own OpenID provider. For that, I am using DotNotOpenAuth. In my very vanilla, "hello world" example, I built a simple MVC app and registered it in my Access Control Service Namespace as a Relying Party Application and also registered the OpenIdProviderMvc project as-is from DotNetOpenAuth.Samples as my OpenID Provider using ACS Management Service. Here is the view I registered,
var openIdAddress = new IdentityProviderAddress
{
Address = "...localhost...",
EndpointType = "SignIn"
};
svc.AddRelatedObject(openId, "IdentityProviderAddresses", openIdAddress);
svc.SaveChanges();
which is the OpenID Provider endpoint page expecting to receive OpenID authentication messages to allow users to log into other web sites. This works well, when I launch my relying party application, where I installed the appropriate Nuget packages for DotNetOpenAuth (core, relying party, and their dependencies), the OpenID Providers gets called from the configuration in ACS and log in is successful. However, on redirection to ACS sending to my namespace the OpenID response, (...accesscontrol.windows.net/v2/openid?...) I get the error response:
An error occurred while processing your request.
HTTP Error Code: 502
Message: ACS30000: There was an error processing a sign-in response sent to the OpenID endpoint.
Inner Message: ACS30001: Unable to verify the OpenID response signature.
Inner Message: ACS90005: External server error.
Trace ID: 41338728-fd6e-4299-9efb-ad8684976aae
Timestamp: 2015-08-10 19:18:28Z
I am trying to figure our what I need to do to help ACS be able to verify the OpenID response signature. The response looks good (formatted for legibility and so I don't exceed my link restriction for low reputation):
https://....accesscontrol.windows.net/v2/openid?
context=cH...2
openid.claimed_id=.../user/bob
openid.identity=.../user/bob
openid.sig=NU...Rs=
openid.signed=claimed_id,identity,assoc_handle,op_endpoint,return_to,response_nonce,ns.alias3,alias3.mode,alias3.type.alias1,alias3.value.alias1,alias3.type.alias2,alias3.value.alias2,ns.sreg,sreg.email,sreg.fullname
openid.assoc_handle=WWcF!...
openid.alias3.type.alias2=.../namePerson&openid.alias3.value.alias2=bob
openid.ns.sreg=...openid.net/extensions/sreg/1.1
openid.sreg.email=bob#dotnetopenauth.net
openid.sreg.fullname=bob
Is this something I should be able to handle in the Rule Groups? Is there something I am missing in the security between my OpenId provider and ACS, such as sending some information back relating to signing algorithm, thumbprint, or something?
Thank you
Is there any way to locally use OAuth 2.0 without SSL ? I tried to execute it in my localserver. but it says, I need SSL to perfome actions with Oauth 2.0.
Error: it was not possible to open the OAuth access token URL: establishing SSL connections requires the OpenSSL extension enabled
Is there any way to use OAuth 2.0 without SSL ?
Im using PHP Client Library for OAuth 2.0.
The security of OAuth 2.0 is dependent on SSL, without it anyone could see the bearer token that belongs to the user and use it to pretend to be them. However if you need to turn ssl off for debugging purposes and your server is also written in PHP then I would try taking a look at this: http://php.net/manual/en/oauth.disablesslchecks.php
Also SSL is dependent on the server, not the client.