WSO2 IS import OAuth service provider via code - wso2

I am attempting to import a service provider into my WSO2 Identity Server by using code. This tutorial seems to be saying that I need to add my service provider xml configuration file to the WSO2_HOME/repository/identity/service-providers folder. However, it's a bit difficult to understand so I'm afraid I'm doing something wrong.
My requirements are:
Set up OAuth service provider through code
Include clientID, clientSecret, grant types, etc. in the .xml config files
My observations are as follows:
If I put my service provider .xml file into the WSO2_HOME/repository/identity/service-providers folder before I have ever started my WSO2 server, the XML file is read and I can authenticate against it.
If I put my service provider .xml file into the WSO2_HOME/repository/identity/service-providers folder on a subsequent WSO2 server startup the file is not read from the service-providers folder.
I see the tutorial mention the file sso-idp-config.xml but I'm not sure where that comes into play. Do I need to utilize that file somehow?
I am confirming that service providers in observation 2 aren't being loaded into the server by both looking at the data in the H2 database (a row isn't written for the service provider in the SP_APP table) and attempting to authenticate against the service provider using a REST call.
The tutorial I linked seems pretty comprehensive but it gives directions for SAML authentication. Is there a resource/instructions I can use to do a code-first OAuth approach?

From IS 5.7.0, importing and exporting the complete service provider configuration as an XML file is supported. Here is the corresponding documentation. So I think you can use the respective admin service (ApplicationManagementService) to import the OAuth application from your code.
You can refer to this doc to see how to call the admin service.

Related

How to select and work with a particular provider (OIDC provider) added on Google Cloud Identity Platform by using server-side Java code

I have added these 2 identity providers (refer attached images) to Google Cloud -->Identity Platform
Email/Password
OIDC Connect (oidc provider)
Now if you see there is a User section as well under Identity Platform
So I have added some random users which are non-gmail users (refer image), like xyz@abc.com, which I want to authenticate with the help of Google Cloud (i.e. when this user comes to login, I will hit API endpoint /login and in the login server-side code, I will redirect to Google Cloud to authenticate this user using the OIDC Authorization flow)
I need Java code to :
Using some Java code, first choose the provider as the OIDC provider (oidc-auth-provider).
Make call to Google Cloud which should use this Provider (oidc-auth-provider)
This oidc-auth-provider should look up the users which I have created under Users section (refer image)
Google Cloud after verifying user exist, should send back with Auth Code
using Auth Code I will call back to Google and get ID token/JWT token
I was referring to this link :
https://cloud.google.com/identity-platform/docs/web/oidc
If you search "Signing in users with OAuth" this section on page, that is what exactly I am looking for, but the problem is it has given a UI code example using Firebase API example, to create OAuthProvider instance (which will choose provider), but I need server side code example instead, I am not sure if I can use this Firebase API on server side java code for a web application? Any suggestion that how can I do similar things from a server side Java code?
added Providers under Identity-platform
Added users manually which I wanted to authenticate

In GoogleAppEngine oauth flow how to get Web App credentials

I have a web app in Google App Engine (with Flask) that needs to ask the user for permissions.
I followed this explanation and it got me working great.
But how do I get the secret_file (or client_config) credentials?
All examples I saw used a local file - but that is not production safe! Is there any way to get it from the application credentials?
I also tried using oauth2client.client.GoogleCredentials.get_application_default() but that seems to be a service account which I can't use.
Creation of web app authorization credentials is discussed here.
Once you are done with the form, a client_secret.json file will be generated and is downloadable via the API Console.
There will be a 'Download JSON' button at the right of the OAuth Client credential you created and at the upper part of the page when you click on the Client ID.
From this documentation, it is explained how to construct the authorization request using google-auth-oauthlib.flow module.
In Python, call the from_client_secrets_file method to retrieve the client ID from a client_secret.json file. (You can also use the from_client_config method, which passes the client configuration as it originally appeared in a client secrets file but doesn't access the file itself.)
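The file-less variant the answer points at, as an added example that is not part of the original post: the client configuration is read from an environment variable (the variable name OAUTH_CLIENT_CONFIG_JSON is an assumption; populate it from a secret store at deploy time) and validated before it is handed to from_client_config, so a misdeployed secret fails at startup rather than as a confusing redirect error.

```python
"""Build a google-auth-oauthlib Flow for a Flask app on App Engine without
shipping client_secret.json on disk. Assumed: the env var name below."""
import json
import os

# Assumed env var name; set it from Secret Manager or similar, never from a checked-in file.
CLIENT_CONFIG_ENV = "OAUTH_CLIENT_CONFIG_JSON"
# Keys a "web"-type client_secret.json always carries; refuse to start without them.
REQUIRED_WEB_KEYS = ("client_id", "client_secret", "auth_uri", "token_uri")

# Constructed sample in the shape the API Console download has (values are fake).
SAMPLE_CLIENT_CONFIG_JSON = json.dumps({"web": {
    "client_id": "123.apps.googleusercontent.com",
    "client_secret": "fake-secret",
    "auth_uri": "https://accounts.google.com/o/oauth2/auth",
    "token_uri": "https://oauth2.googleapis.com/token"}})


def load_client_config(raw_json):
    """Parse the JSON text of a client_secret.json and validate its shape.
    Returns the {"web": {...}} dict Flow.from_client_config expects."""
    try:
        cfg = json.loads(raw_json)
    except json.JSONDecodeError as exc:
        raise ValueError("client config is not valid JSON") from exc
    web = cfg.get("web")
    if not isinstance(web, dict):
        raise ValueError('client config must contain a "web" section (not "installed")')
    missing = [k for k in REQUIRED_WEB_KEYS if not web.get(k)]
    if missing:
        raise ValueError("client config missing keys: " + ", ".join(missing))
    return {"web": web}


def client_config_from_env(environ=os.environ):
    """Read the configuration from the environment instead of a local file."""
    raw = environ.get(CLIENT_CONFIG_ENV)
    if not raw:
        raise RuntimeError(CLIENT_CONFIG_ENV + " is not set")
    return load_client_config(raw)


def make_flow(client_config, scopes, redirect_uri):
    """Construct the Flow with from_client_config; imported here so the loader
    above runs without the library installed."""
    from google_auth_oauthlib.flow import Flow
    flow = Flow.from_client_config(client_config, scopes=scopes)
    flow.redirect_uri = redirect_uri
    # flow.authorization_url(...) returns (url, state); keep state in the session
    # and compare it on the callback before exchanging the code.
    return flow
```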

WSO2 Identity Server: Edit a service provider that was in the /repository/conf/identity/service-providers folder

I have asked a similar question in a previous post, but I think this deserves its own post.
In WSO2 Identity Server, I understand that service providers can be configured (on first startup only) if they are placed in the folder /repository/conf/identity/service-providers. I also understand that they are not visible through the management console ui if they are configured on first startup.
How do you edit them though? Let's say I want to edit the claims of an existing service provider? Change the allowed OAuth grant types? Even delete the service provider?
If I can't see the service provider in the console, how can I edit or delete it?
A follow-up but related question: What's the reasoning behind the "one and done" service provider setup that WSO2 provides? I expect to be adding service providers through the lifetime of my WSO2 implementation and it would be much easier if I could just place a file in a folder (the repository/conf/identity/service-providers folder that only works on first startup) and restart my server instead of going into the UI and performing multiple clicks to configure the service provider manually or upload it manually via file.
EDIT: @sajith pointed out that you should be able to configure service providers even after the server has started up once based on information in this article: https://docs.wso2.com/display/IS570/Configuring+a+SP+and+IdP+Using+Configuration+Files. However, I have not seen it work successfully. I know that something is happening because if I try to upload a service provider through the console (with a file upload) I get an error:
Console output:
Caused by: org.wso2.carbon.identity.application.common.IdentityApplicationManagementException: Application with the same name loaded from the file system.
So it looks like the WSO2 server is recognizing and loading the new service providers (even after the first startup) but I can't authenticate against them. Example response when attempting to authenticate against a new service provider:
{
"error_description": "A valid OAuth client could not be found for client_id: test",
"error": "invalid_client"
}
If I can't see the service provider in the console, how can I edit or delete it? What's the reasoning behind the "one and done" service provider setup that WSO2 provides?
This document says you can restart the WSO2 Identity Server to apply the file-based service-provider and identity-provider configurations (configs which are placed inside <IS_HOME>/repository/conf/identity/) to the system.
I assume you have mixed this up with the following note regarding claim configurations.
The claims configured in /repository/conf/claim-config.xml file get applied only when you start the product for the first time, or for any newly created tenants. With the first startup, claim dialects and claims will be loaded from the file and persisted in the database. Any consecutive updates to the file will not be picked up and claim dialects and claims will be loaded from the database.
Edit:
{
"error_description": "A valid OAuth client could not be found for client_id: test",
"error": "invalid_client"
}
This is already answered in your previous question. invalid_client comes because you are setting a client id in the sp config file, but the identity server does not support configuring InboundAuthenticationConfig through this file.
Currently, the InboundAuthenticationConfig in the deployed file is not supported. But, you can have the SAML configurations in the WSO2_HOME/repository/conf/identity/sso-idp-config.xml file.
Therefore, you may use SOAP admin services for that purpose.
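The admin-service route that this answer and the answer to the first question both recommend, as an added example that is neither the page's nor WSO2's own code: wrap the service-provider XML in an importApplication request to ApplicationManagementService and POST it with basic auth read from the environment. Assumptions, not taken from the page: the operation name, the two namespace URIs, the SOAPAction value, the endpoint path and the WSO2_ADMIN_* variable names; confirm the first four against the service's ?wsdl for your IS version before relying on them.

```python
"""Import a service provider into WSO2 IS via the ApplicationManagementService
SOAP admin service (stdlib only). Namespaces/operation are assumed; check the WSDL."""
import base64
import os
import ssl
import urllib.request
from xml.sax.saxutils import escape

# Assumed endpoint and namespaces (verify against ...ApplicationManagementService?wsdl).
ADMIN_SERVICE_URL = "https://localhost:9443/services/ApplicationManagementService"
NS_SOAP = "http://schemas.xmlsoap.org/soap/envelope/"
NS_OP = "http://org.apache.axis2/xsd"
NS_MODEL = "http://model.common.application.identity.carbon.wso2.org/xsd"

# Constructed, minimal SP document; a real export carries the full configuration.
SAMPLE_SP_XML = "<ServiceProvider><ApplicationName>test</ApplicationName></ServiceProvider>"


def build_import_envelope(sp_xml, file_name):
    """Wrap the service-provider XML in an importApplication request. The SP
    document is XML-escaped so it travels as text inside the envelope."""
    if not sp_xml.lstrip().startswith("<ServiceProvider"):
        raise ValueError("expected a <ServiceProvider> document")
    return (
        f'<soapenv:Envelope xmlns:soapenv="{NS_SOAP}" xmlns:xsd="{NS_OP}" xmlns:xsd1="{NS_MODEL}">'
        "<soapenv:Header/><soapenv:Body><xsd:importApplication><xsd:spFileContent>"
        f"<xsd1:content>{escape(sp_xml)}</xsd1:content>"
        f"<xsd1:fileName>{escape(file_name)}</xsd1:fileName>"
        "</xsd:spFileContent></xsd:importApplication></soapenv:Body></soapenv:Envelope>"
    )


def import_service_provider(sp_xml, file_name, url=ADMIN_SERVICE_URL, cafile=None):
    """POST the envelope. Admin credentials come from the environment (assumed
    names), and cafile should be the CA that issued the IS TLS certificate so
    the call is not made over an unverified connection."""
    user = os.environ["WSO2_ADMIN_USER"]
    password = os.environ["WSO2_ADMIN_PASSWORD"]
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(
        url,
        data=build_import_envelope(sp_xml, file_name).encode(),
        headers={"Content-Type": "text/xml; charset=utf-8",
                 "SOAPAction": "urn:importApplication",
                 "Authorization": "Basic " + token},
        method="POST")
    ctx = ssl.create_default_context(cafile=cafile)
    with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
        return resp.status, resp.read().decode()
```

After a successful import the application should appear in the SP_APP table and in the management console, which is the check the questioner used above.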

SSO implementation for GAE web application

I am trying to integrate the single sign on for my application running on Google app engine platform.
I am using SAML 2.0 protocol to get this done. My organization already has the identity provider using LDAP, which is configured in such a format (https://sso-companyname/appname). For this configuration, it took the following details:
XML metadata for their assertion consumer service (ACS) (https://www.google/companyname/a/acs),
a list of the LDAP attributes to be sent (email),
which attribute is to be used as the subject of the assertion (company enterprise id),
the RelayState URL at the relying party site to send the user after the SAML Response assertion has been validated, (application target URL form GAE deployment. like (https://appname-dot-projectid.appspot.com)
a short name (less than 7 characters) of the application to be used in the URL, (given as app name)
According to this configuration, the ACS is not for a particular GAE application, so I am getting a 400 error from the Google server.
Can someone help me on how to create an ACS for a single GAE application? An explanation of SSO for a GAE web application would be greatly appreciated.
The web application uses the Python jinja2 framework for the UI and webapp2 for the routing. It calls Google BigQuery to populate the data to the UI. Currently it is using the Python standard environment of GAE, and the OAuth 2 method to authenticate and call the BigQuery API to get data. So people who don't have the GCP/project access are not able to view the data. To resolve this we are trying to implement SSO on top of the application.
I think the easiest way to integrate GAE with SSO/SAML is to use Google Identity Platform (GIP) which uses Firebase under the hood. This lets you use the firebase-admin Python package to easily interact with JWTs, and lets you use the GIP console to set up an SAML server.

How to redirect to target url after authenticated by wso2 identity server using saml sso?

I am studying wso2 and trying to configure the sso sample follow by this article
https://docs.wso2.com/display/IS500/Configuring+Single+Sign-On+with+SAML+2.0
In this article, it configured home.jsp as assertion consumer url, so when user access home.jsp, it will first go to identity server for authentication and then redirect back to home.jsp, this is fine. However, I realized if I have another jsp file, for example, new.jsp, if I hit new.jsp, it still redirects me to home.jsp. So what should I do to redirect me to new.jsp?
I searched about previous posts, and someone mentioned about RelayState , so how should I set the target url to this RelayState? Any sample will be appreciated.
If you want to redirect ACS (Assertion Consumer Service) to another url you have to do some customization in the authentication process. Basic authenticator is the default and local authenticator in WSO2 Identity Server. In this case after successful authentication, we have to invoke the custom implementation. Please look at this blog post [1] for writing a custom authenticator.
This extends from the Basic Authenticator.
1. Create a jar file by building as a maven project.
2. Put this jar file in the dropins directory located inside the /repository/components directory.
3. Edit the login.jsp with the new custom authenticator name; it is located at /repository/deployments/server/webapps/authenticationendpoint/login.jsp
4. Configure the application-authentication.xml that is located at /repository/conf/security/application-authentication.xml.
AuthenticatorConfig name=" BasicCustomAuthenticator" and enabled="true"
5. Restart the server.
6. Log into the Management console and configure the new authenticator for each service provider under “Local & Outbound Authentication Configuration”. Select your customized authenticator from the drop down list as the Local Authenticator. Then Update.
[1] http://xacmlinfo.org/2015/10/15/custom-authenticator-for-wso2-identity-server-wso2is-sso-login/