community.
I'm using WSO2 IS 5.7.0 to integrate an Angular app with an external IDP.
The external IDP is configured with SAML2 and the service provider Inbound Authentication is set with Oauth/OpenID.
The service provider uses Federated Authentication to comunicate with the IDP.
The user uid from the IDP is matched with the claim userid, so when I ask for an oauth token, I get the correct scopes (matching a local user with roles configured) to use the token with WSO2 AM. This is working well whe I get the initial oauth token using code grant.
If I introspect this token, I can verify the token belongs to the username XXXXXXXX and the scopes are the ones to consume an API on WSO2 AM, based on the roles associated to the local user XXXXXXXX.
The problem is when the refresh token is used to get a new access token after expiration. The new access token comes with the same scopes, but I cannot consume the same API I was consuming with the first token. I get a 403 Forbidden on every call and the AM log shows:
WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials
(The first WARN appears only once)
WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource
(this WARN appears on the subsequent calls)
If I introspect the receibed token, I can see the same scopes as the original access token, but the username is different:
FEDERATED/XXXXXXXX#carbon.super.
I think this username change on the token information leads to the 403 error.
The problem is worst if I activate the Service Provider option "Use tenant domain in local subject identifier" on the Local & Outbound Authentication Configuration. In this case, every time I ask for a new token with refresh token, the tenant is appended to the username on an infinite loop:
XXXXXXXX#carbon.super#carbon.super#carbon.super#carbon.super
On every token I get, the introspect shows me another #carbon.super is appended to the username of the actual token. In this case, the FEDERATED/ is not always present on the username.
I expect the username associated to the refreshtoken to be equal to the one on the first access token.
Is there a configuration to solve this or this is a bug? is resolved on new releases of WSO2 IS?
(sorry for my english)
Thanks!
Similar issue is reported[1] and fixed with PR[2].
[1] https://github.com/wso2/product-is/issues/4472
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1022
If you don't have a WSO2 subscription, upgrading to the 5.8.0 will resolve the issue.
Related
I created "test-App" application in API Manager WSO2 with the grant types of "refresh-token" "SAML2", "PASSWORD" "Client Credentials" and "JWT"
I also Created a "test"
To use the webservices behind API manager, First, I should call https://localhost:9443/oauth2/token) to get a access-token
Unfortunately, if I call the link again, instead of receiving the same access-token, the system will generate a new access-token and the previous access-token would be expired. ( I think this link is more like refresh token rather than get the access token).
So, How can I Separate getting available access-token and Refresh-token link in WSO2 API Manager ?
In the latest versions of API Manager you have JWT tokens. When you request a new token it always generates a new token. But it doesn’t revoke the previous access token.
In the earlier versions of APIM, opaque tokens were supported and it has a different behavior. When you request a token, if it is not expired you get the same token.
Please read more about refresh grant here https://apim.docs.wso2.com/en/latest/design/api-security/oauth2/grant-types/refresh-token-grant/
If you have not done any other configuration changes, invoking https://localhost:9443/oauth2/token URL will always generate a new JWT token without expiring the earlier one. However, the token validity can be changed in the Dev Portal while generating the access token.
In wso2 IS 5.10 I have a claim skype which is a local claim which I am returning from saml assertion as a attribute. But using SAML grant type if I generate OAuth2 token by exchanging SAML Assertion I am not getting claim skype in jwt token as claims.
I have added a skype claim in openidscope as a external scope also and also I have added skype claim as requested claim in service provider.But then also in jwt token claim is not returning.
Seems you are checking the requested claims on the JWT access token requested using the saml-bearer grant.
Self Contained access token in saml-bearer grant won't return the user claims is a known issue tracked in;
https://github.com/wso2/product-is/issues/6321 and
https://github.com/wso2/product-is/issues/12131
You should be able to retrieve the claim values in the id token as mentioned in the above issue descriptions.
In WSO2 Identity Server 5.9.0 I am using OAuth 2.0 Authorization Code. Access tokens are short-lived and are refreshed by refresh tokens. It implements current recommendation for SPAs and it works fine.
I also configured account disabling and I though that when I disable user which holds refresh token the user won't be able to get new access token. But /oauth2/token endpoint is issuing new tokens no matter if user is disabled or not. Is this expected? How can I deny given user to refresh access token?
I found a workaround. If locking is used instead of disabling then it works as expected. Submitted issue to WSO2.
Using WSO2AM 2.1.0-update12
trying to get a token from an authorization code grant with role based scope:
using SAML to authenticate users (SAML returning username only, we assume roles from the underlying AD userstore).
Complete stacktrace is available
we have an exception:
DEBUG - Found Authorization Code for Client : kf2UGHFTyCzKUNgSMc65BZNCzooa, authorized user : FEDERATED/xxxxxxx#carbon.super, scope : test001_backend
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.common.UserRolesCache.isCaseSensitiveUsername(UserRolesCache.java:213)
at org.wso2.carbon.user.core.common.UserRolesCache.getRolesListOfUser(UserRolesCache.java:128)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUserFromCache(AbstractUserStoreManager.java:3641)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2730)
... 67 more
thing is - in the wso2am base version 2.1.0 the authorization is working, the upgrade is needed to support application sharing between groups.
Any hint?
Edit:
the change is - user returned through SAML is assigned domain FEDERATED (so the full domain username is FEDERATED/username, which is not recognized by the userstore), using base version 2.1.0 works (I am not sure if the FEDERATED domain is set, but the user roles and scopes are validated properly)
As a resolution - we have overwritten the method getRoleListOfUser on the userstore maanger stripping the realm (FEDERATED) from the username.
I am using Identity server 5.2.0 and api manager 2.0.0. I have implemented a method to use refresh token to get the new access token for a user if the token has expired. But after implementing this some of the users will be unauthorized. When the user tries to login, token and scopes will be returned correctly but when calling the an api with the token, the user is unauthorized. Deleting and adding the user with same username also does not solve the issue. Is there any setting that blocks a user that may cause this issue?
Are you sure, the application in APIM is subscribed to the API you're trying to invoke? If not, you need to do that.