WSO2 OAuth Validation Error between Identity Server and Integration Studio - wso2

We are attempting to use the OAuth Mediator in Integration Studio to validate a token with the WSO2 Identity Server.
The token we are using is valid on the Identity Server because testing through SOAP UI returns a valid response. However, we are unable to do so using the OAuth Mediator in Integration Studio. We are using a password grant type.
When we attempt to pass the call through the OAuth mediator we receive the below errors:
WARN {org.apache.synapse.FaultHandler} - ERROR_EXCEPTION : org.apache.synapse.SynapseException: Error occured while validating oauth 2.0 access token
WARN {API_LOGGER.UserInfoRestAPI} - ERROR_CODE : 0 ERROR_MESSAGE : Error occured while validating oauth 2.0 access token
WARN {org.apache.synapse.FaultHandler} - FaultHandler : org.apache.synapse.mediators.MediatorFaultHandler#1f7c8500
WARN {org.apache.synapse.mediators.MediatorFaultHandler} - Executing fault handler mediator : org.apache.synapse.mediators.base.SequenceMediator
WARN {API_LOGGER.UserInfoRestAPI} - Executing fault sequence mediator : org.apache.synapse.mediators.base.SequenceMediator
For reference, we are using this documentation.
Calling the web service through SOAP UI returns successfully as shown here:
Information about the setup:
WSO2 Integration Studio: 7.0.2
WSO2 Identity Server: 5.10.0 (Running on port 9446)
All services are running on the same virtual machine

WSO2 EI 7.0.2 and even 6.6 are using org.wso2.carbon.identity.oauth.stub_6.1.0 containing oauth stub classes that are not compatible with WSO2 Identity Server 5.10. So what you need to do is:
Copy org.wso2.carbon.identity.oauth.stub_6.4.2.jar from WSO2 Identity Server to the wso2\components\plugins folder of the WSO2 EI 6.6 or 7.X
Update wso2\components\default\configuration\org.eclipse.equinox.simpleconfigurator\bundles.info replacing the old entry with the new updated one.
org.wso2.carbon.identity.oauth.stub,6.4.2,../plugins/org.wso2.carbon.identity.oauth.stub_6.4.2.jar,4,true
Restart.
The error should go away. However, this is not a very clean solution and maybe WSO2 should release a fix updating the WSO2 OAuth Mediator java classes.
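The three steps above (copy the jar, replace the bundles.info entry, restart) are easy to get subtly wrong by hand, so here is an added POSIX shell script that carries them out with checks before and after. It is example code written for this page, not part of the original answer or of WSO2's tooling. It assumes the EI paths and the bundles.info entry format quoted in the answer, and it assumes the stub jar is read from <IS_HOME>/repository/components/plugins (an assumption; adjust if your IS layout differs). It does not restart the server.

```shell
#!/bin/sh
# Added example, not code from the original answer or from WSO2: applies the stub
# bundle swap described in the answer to an EI 6.6/7.x install.
# Assumptions: the jar is read from <IS_HOME>/repository/components/plugins;
# the EI paths and the bundles.info entry format are the ones quoted in the answer.

STUB_ID="org.wso2.carbon.identity.oauth.stub"
STUB_VERSION="6.4.2"
STUB_JAR="${STUB_ID}_${STUB_VERSION}.jar"
NEW_ENTRY="${STUB_ID},${STUB_VERSION},../plugins/${STUB_JAR},4,true"

# Prints the bundles.info path inside an EI home (path as given in the answer).
bundles_info_path() {
    printf '%s\n' "$1/wso2/components/default/configuration/org.eclipse.equinox.simpleconfigurator/bundles.info"
}

# Prints the version recorded for the OAuth stub bundle in bundles.info (empty if none).
stub_entry_version() {
    awk -F, -v id="$STUB_ID" '$1 == id { print $2 }' "$(bundles_info_path "$1")"
}

# swap_oauth_stub EI_HOME IS_HOME
#  1. copy the newer stub jar from IS into EI's plugins folder
#  2. rewrite the stub entry in bundles.info so Equinox loads the new bundle
# Keeps a backup of bundles.info and refuses to run if the expected files are missing.
swap_oauth_stub() {
    ei_home="$1"; is_home="$2"
    plugins="$ei_home/wso2/components/plugins"
    bundles="$(bundles_info_path "$ei_home")"
    src="$is_home/repository/components/plugins/$STUB_JAR"   # assumed IS location

    [ -f "$src" ]     || { echo "stub jar not found: $src" >&2; return 1; }
    [ -d "$plugins" ] || { echo "plugins dir not found: $plugins" >&2; return 1; }
    [ -f "$bundles" ] || { echo "bundles.info not found: $bundles" >&2; return 1; }

    # Expect exactly one existing stub entry; anything else means an unexpected layout.
    n=$(awk -F, -v id="$STUB_ID" '$1 == id' "$bundles" | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "expected one $STUB_ID entry, found $n" >&2; return 1; }

    cp "$src" "$plugins/" || return 1
    cp "$bundles" "$bundles.bak" || return 1
    # Replace only the stub line; every other bundle entry is passed through unchanged.
    awk -F, -v id="$STUB_ID" -v entry="$NEW_ENTRY" \
        '$1 == id { print entry; next } { print }' "$bundles.bak" > "$bundles" || return 1

    # Verify the edit before declaring success.
    [ "$(stub_entry_version "$ei_home")" = "$STUB_VERSION" ] || return 1
    echo "replaced $STUB_ID entry with: $NEW_ENTRY (restart EI to load it)"
}

# Stand-alone usage: sh swap_oauth_stub.sh <EI_HOME> <IS_HOME>
if [ "$#" -eq 2 ]; then
    swap_oauth_stub "$1" "$2"
fi
```

The script keeps the old 6.1.0 jar in the plugins folder, exactly as the answer does; only the bundles.info entry changes, so Equinox stops loading the old bundle. The backup (bundles.info.bak) lets you revert if the server fails to start after the swap.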

Related

WSO2 APIM can't connect to WSO2 IS

I'm using WSO2 API Manager 4.1.0, and I configured a Key Manager of type WSO2 Identity Server.
When I go to my application, to generate the token, I have the following exception:
https://pastebin.com/rjfxLiAA
Error occurred while executing SubscriberKeyMgtClient. org.wso2.carbon.apimgt.api.APIManagementException: Key Manager IS not configured
The IS is not being contacted; I have the same error after stopping it, so it's only an APIM error.
With the same APIM version I can contact Keycloak, for example.
I'm running in server mode, OpenJDK 11.
With API Manager 4.1.0, it is recommended to use WSO2 IS 5.11.0 - https://apim.docs.wso2.com/en/latest/install-and-setup/setup/reference/product-compatibility/#tested-wso2-products
Now I used the correct IS version, and I have this exception:
https://pastebin.com/uRLDJPqx
TID: [-1234] [api/am/devportal] [2022-11-17 14:05:46,592] ERROR {org.wso2.carbon.apimgt.impl.AbstractKeyManager} - Can not create OAuth application : admin_151a9ace-ce5d-4d7b-9455-d82f909dbce4_PRODUCTION for application: 222 and key type: PRODUCTION org.wso2.carbon.apimgt.impl.kmclient.KeyManagerClientException: Received status code: 403 Reason:

Identity Server does not validate SAML LogoutRequest Signature

I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.
If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?
I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:
Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp
It seems the signature validation [1] is skipped for the logout request due to an issue in the code. Please refer to the GitHub issue [2] to track this.
[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] https://github.com/wso2/product-is/issues/4048

wso2 Oauth Mediator Issue

We are using WSO2 EI 6.1.1 and WSO2 Identity Server version 5.5.0. We have a requirement to use the OAuth Mediator to validate the access token. I have a service provider registered with the Identity Server and generated the OAuth 2.0 bearer access token using a curl command. I tried the OAuth2 web service to validate the authorization, which succeeded, and the request went to the Identity Server. But if I use the OAuth Mediator of WSO2 Integrator I get the below error message and the request is not going to the Identity Server, which was confirmed from the logs of the Identity Server. Please help on it. Are there any other jar files or configuration settings needed for the same?
<oauthService remoteServiceUrl="https://localhost:9444/services/" username="admin" password="admin"/>
ERROR - OAuthMediator Error occured while validating oauth access token.java.lang.Exception: Error while validating OAuth2 request. at org.wso2.carbon.identity.oauth.mediator.OAuth2TokenValidationServiceClient.validateAuthenticationRequest(OAuth2TokenValidationServiceClient.java:61).
Caused by: org.apache.axis2.AxisFault: SSL peer failed hostname validation for name: null.at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430)
I have the same issue and can't resolve it. This bug has not been corrected yet:
https://wso2.org/jira/browse/IDENTITY-5243

WSO2 API with WSO2 IS as KeyManager - NPE when using OAuth authorization

Having WSO2 API Manager 2.1.0 and WSO2 IS 5.3.0 KM (with prepackaged Key Manager) I set up the Key Manager as described in the documentation.
The main intention is to authenticate and authorize users with other federated IdPs and add some authorization capabilities. My assumption is that users authorized with WSO2 IS will receive an OAuth token valid for the defined app and API.
So far all on localhost with IS offset 1. I created an API and an application, and that is usable from the API Store.
When trying to authorize a client through WSO2 IS using the code grant_type authorization:
https://localhost:9444/oauth2/authorize?response_type=code&client_id=KJTbkbFmcDvslo2fjhzfQkaBH3Ea&redirect_uri=http%3A//localhost%3A8080/test2/callback
I am asked for credentials and authorization grant (looks ok) and then I receive an exception on IS:
[2018-03-27 10:43:51,822] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [OAuth2Endpoints] in context with path [/oauth2] threw exception
java.lang.RuntimeException: org.apache.cxf.interceptor.Fault
at org.apache.cxf.interceptor.AbstractFaultChainInitiatorObserver.onMessage(AbstractFaultChainInitiatorObserver.java:116)
...
Caused by: java.lang.NullPointerException
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:251)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.sendRequestToFramework(OAuth2AuthzEndpoint.java:1163)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:135)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorizePost(OAuth2AuthzEndpoint.java:574)
I assume I misconfigured some endpoint; however, any idea which service is invoked by the OAuth2AuthzEndpoint implementation, or the potential cause for this exception?
This is already reported in https://wso2.org/jira/browse/IDENTITY-5581.
You can WUM update the WSO2 IS 5.3.0 to resolve the issue.

Is OpenId Connect response_type id_token supported by WSO2 Identity Server 5.0

I'm trying to implement OpenID Connect in an SPA application with WSO2 Identity Server 5.0.0. I'm trying to use the Implicit Flow but I always receive an error from the identity server.
GET Request:
https://idserver:9443/oauth2/authorize?response_type=id_token&
client_id=abcd&
redirect_uri=https%3A%2F%2Flocalhost%3A44326%2F
Error Response:
invalid_request, Invalid response_type parameter value
Is response_type=id_token supported?
With WSO2 Identity Server 5.0.0, the OpenID Connect "id_token" response type is not implemented. The "Implicit" setting in the configuration only works for the OAuth 2.0 "token" response type. You might wait until 5.1.0 or take the pain of implementing a patch for it.