We Keep Coding

Wso2 IS SMS OTP returns 401 page after login

Wso2 IS 5.10.0 I have configured basic auth and sms otp. I wanted to trigger basic auth using url like below without login page(skipping login page with authentication at backend with the username and password provided).
https://192.168.1.10:9448/oauth2/authorize?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=/oauth2/authorize&forceAuth=false&passiveAuth=false&redirect_uri=https://192.168.1.10:9448/user-portal/login&response_type=code&scope=internal_login+internal_humantask_view+openid&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&username=test&password=test#123
The login is successful but after that smsotp page is throwing 401 error even after authentication. But same thing is working if I am login with login page(mobile sms otp page will be shown successfully). I am not getting what is wrong.
EDIT:
After login it is routing to sms otp page like below.
https://192.168.1.10:9448/oauth2/smsotpauthenticationendpoint/smsotp.jsp?client_id=USER_PORTAL&code_challenge=KmuKeL_V3Gc5rRp9zEQeK0SFMrHZU25lLyrtnr8uekE&code_challenge_method=S256&commonAuthCallerPath=%2Foauth2%2Fauthorize&forceAuth=false&isSaaSApp=false&passiveAuth=false&redirect_uri=https%3A%2F%2F192.168.1.10%3A9448%2Fuser-portal%2Flogin&response_type=code&scope=internal_login+internal_humantask_view+openid&sp=User+Portal&tenantDomain=carbon.super&sessionDataKey=c23b62da-3031-44fd-892c-5cff2e62db58&relyingParty=USER_PORTAL&type=oidc&sp=User+Portal&isSaaSApp=false&authenticators=SMSOTP

This invalid URL (/oauth2/smsotpauthenticationendpoint/..) is generated due to relative URLs configured for the following properties (in deployment.toml). To address it, you can update them with a slash at the beginning as below.
[authentication.authenticator.sms_otp.parameters]
SMSOTPAuthenticationEndpointURL= "/smsotpauthenticationendpoint/smsotp.jsp"
SMSOTPAuthenticationEndpointErrorPage= "/smsotpauthenticationendpoint/smsotpError.jsp"
MobileNumberRegPage = "/smsotpauthenticationendpoint/mobile.jsp"

Getting Error 400: redirect_uri_mismatch in cognito idp settings

I am following this cognito add social auth to add google auth into one of my app for testing. Completed all steps as listed, but when I am testing that using this
https://<your_user_pool_domain>/login?response_type=code&client_id=<your_client_id>&redirect_uri=https://www.example.com , I am getting an error
Error 400: redirect_uri_mismatch
The redirect URI in the request, https://xxxx-xxxx.auth.ap-south-1.amazoncognito.com/oauth2/idpresponse, does not match the ones authorized for the OAuth client. To update the authorized redirect URIs, visit:
initially the redirect uri and callback url in cognito app client settings were different but i changed those, also I tried changing my redirect url to simple https://google.com, but still not working. I did some research regarding the same, found out that it might take some time to reflect the changes in google oauth setings, its been 2 hrs since I have changed the same, should I wait or is there some other work around this.
Also, I setup facebook login following same doc, it is working fine.
please help!

In my experience this mismatch refers to the difference between your constructed URL and the setting in Cognito Pool. In the pool config, the redirect_uri is called Callback URL. Make sure those two have the same URL.
You can set it in Cognito UI here: App Integration > App Client Settings > Sign in and sign out URLs > Callback URL(s)
or you can specify the URL(s) in your code if you are using CDK.
new cognito.UserPoolClient({
oAuth: {
callbackUrls: ['https://www.example.com', '<url2>'],
}
...
}

Finally I got the solution, redirect url in google auth credentials needs to be your **domainName+/oauth2/idpresponse** .

its has something to do with your uri, whether in google cloud or cognito ,double check if the uri entered is a match

Wso2 keep using wrong assertion url

I am trying to use wso2 SSO. I have set the SP in carbon and set the assertion url like this
Here assertion url is like this http://example.com/acs. Now when trying to login on the SSO login screen i keep getting the below message
TID: [-1234] [] [2017-10-31 20:14:14,381] ERROR
{org.wso2.carbon.identity.sso.saml.processors.SPInitSSOAuthnRequestProcessor}
- ALERT: Invalid Assertion Consumer URL value 'http://example.com/simplesaml/module.php/saml/sp/saml2-acs.php/default-sp'
in the AuthnRequest message from the issuer 'simplesaml1'. Possibly
an attempt for a spoofing attack
Here example.com is same as the domain i used in the image. I have used example.com only because stackoverflow doesnt let me add that domain name.
Can anyone kindly let me know from where wso2 keep reading that url. Its not in metadata also. Also why that url is invalid? Any help will be appreciated.

This complaint is about that the assertion consumer URL of the SAML request is different from the provided URL of the Identity Server. Please check the assertion consumer URL of the SAML request from the service provider.

Authenticate against WSO2 Identity Server with no browser and get SAML2 assertion message

I am trying to setup a service provider that uses WSO2 IS for authentication via SAML2. Now, wehave a use-case in which the user is a machine (i.e. an external program) that needs to access the service provider. Since the user is a machine, there is no browser and cannot use the WSO2 login form to complete the authentication steps, though it has been given a username and password since it is still a user.
My question is how can this non-GUI user participate in the SAML2 workflow (specifically pass credentials to WSO2 to obtain a SAMLV2 Assertion message) and access the service provider?
I tried to do the following as a simulation but I failed
1) curl -v -k http://localhost:8000/service_provider/login
2) Extracting the SAML message from the response:
curl --user username:password -v -k https://localhost:9443/samlsso?SAMLRequest=<ENCODED_REQUEST>
Basically, I was expecting to get a redirect response from WSO2 back to the service provider with SAML assertion message, but instead I got the following:
https://localhost:9443/authenticationendpoint/login.do;jsessionid=7QON18982323HWIH?commonAuthCallerPath=%2Fsamlsso&forceAuth=false&passiveAuth=false&tenantDomain=carbon.super&sessionDataKey=122JhQ-JQOJ-H8123&relyingParty=test-saml2&type=samlsso&sp=test&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL, which is the same url that is used when a human user authenticates using a browser.
I also tried using HTTP-POST Binding with "sectoken" form param as suggested in this article: http://xacmlinfo.org/2015/02/12/sso-without-identity-provider-login-page/ . But it didn't work either.
I also tried making SOAP requests to WSO2's AuthenticationAdminHttpsSoap12Endpoint service, specifically the "login" method. I used the JSESSIONID I got from the SOAP response to the above steps but the effect was the same. This is not a surprise to me since WSO2 does not use JSESSIONID to check if you are authenticated already (at least not for trying to grab SAML responses).

1.Get login form
Request
curl -v http://localhost:8000/service_provider/login
Response
Extract SAMLRequest and SSOAuthSessionID (if RelayState presents extract it too)
2.Send saml request to IDP using extracted valuses in step1(In browser this will happen through redirection)
Request
Endpoint : https://<is_host>:9443/samlsso
Verb :post
Content-Type:application/x-www-form-urlencoded
Parameters:[
SAMLRequest:<value from previous step>,
SSOAuthSessionID:<value from previous step>,
RelayState :<value from previous step>]
Response
This will give IS login page.Extract sessionDataKey from that.
3. Login by providing user name password
Reqeust
Endpoint:https://<is_host>:9443/commonauth
Content-Type:application/x-www-form-urlencoded
Verb :post
Parameters: [tocommonauth:true,username:xxxx,password:xxx,sessionDataKey:<extracted from previous step>]
Response
Extract SAML response
5.Post the saml resposne to ACS url of service provider

WSO2 - Reset password reports an AuthenticationException in the logs

We are using the ResetPassword API from UserInformationRecoveryService WSDL (https://localhost:9443/services/UserInformationRecoveryService), to request a password reset without captcha for the user 'dummy' with the following body, providing the admin/admin user.
<x:Envelope xmlns:x="http://schemas.xmlsoap.org/soap/envelope/" xmlns:ser="http://services.mgt.identity.carbon.wso2.org" xmlns:xsd="http://beans.mgt.captcha.carbon.wso2.org/xsd">
<x:Header/>
<x:Body>
<ser:verifyUser>
<ser:username>dummy</ser:username>
</ser:verifyUser>
</x:Body>
</x:Envelope>
The request returns a 200 status code with the token but when checking the console, it reports the following error:
Invalid remote address detected.
org.wso2.carbon.core.common.AuthenticationException: Authentication Failed : Invalid remote address passed - 0:0:0:0:0:0:0:1
Am I missing any configuration? The WSDL doesn't show any remote address field to send like the login API, so it should be something else.
Or is this log error expected?
UPDATE:
Here are the requested DEBUG logs of multiple wso2 components: http://hastebin.com/ubasixagev.coffee
log4j.logger.org.wso2.carbon.user.core=DEBUG
log4j.logger.org.wso2.carbon.identity=DEBUG
log4j.logger.org.wso2.carbon.identity.sso.saml=DEBUG
log4j.logger.org.wso2.carbon.identity.application=DEBUG
log4j.logger.org.wso2.carbon.identity.application.authentication.framework=DEBUG
log4j.logger.org.wso2.carbon.core=DEBUG
log4j.logger.org.wso2.carbon.identity.core=DEBUG