Federated users with WSO2 AM - wso2

I'm trying to use WSO2-AM with federated users. I've had success with authenticating federated users using the Implicit grant, but having a problem with the authorized code grant.
Specifically, when using
<GrantTypeHandlerImplClass>org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler</GrantTypeHandlerImplClass>
I get an error
TID: [-1234] [] [2018-05-27 22:48:18,476] ERROR {org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer} - Error when getting the tena
nt's UserStoreManager or when getting roles of user
org.wso2.carbon.user.core.UserStoreException: Invalid Domain Name
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:173)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2716)
at org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer.getScopes(RoleBasedScopesIssuer.java:131)
at org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:109)
at org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler.validateScope(ExtendedAuthorizationCodeGrantHandler.
java:48)
because it doesn't like the 'FEDERATED' domain of the authenticated user when calling the relevant AbstractUserStoreManager method.
Has anyone come across this before or might know how to handle federated users in API Manager ?
P.S. If I instead use the Identity Server class
org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler
it all works fine with federated users.

Related

How to use Cognito LOGOUT endpoint to really log out?

I'm trying to use Federated Authentication to enable login with Microsoft AD. It works fine and we can login. But when I call LOGOUT endpoint as the documentation says ( https://docs.aws.amazon.com/cognito/latest/developerguide/logout-endpoint.html ) and try to login again I'm not being redirected to Microsoft page to type my email and password again.
It seems like the email and password I typed are in cache and I just can see this login page again if I clean cache. How can we really logout the user in a way that when he login he needs to type his email and password again ?
Edit: I enabled 'Sing Out Idp Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present"
Does anybody have any clue how to solve this problem ?
You will need to ensure you select 'Enable IdP sign out flow' on your SAML Identity provider in Cognito. After navigating your browser to the logout endpoint, you should then be redirected to the SAML IDP logout aswell.
https://docs.aws.amazon.com/cognito/latest/developerguide/cognito-user-pools-managing-saml-idp-console.html
Select Enable IdP sign out flow if you want your user to be logged out
from the SAML IdP when logging out from Amazon Cognito.
Enabling this flow sends a signed logout request to the SAML IdP when
the LOGOUT Endpoint is called.
Configure this endpoint for consuming logout responses from your IdP.
This endpoint uses post binding.
Edit: I enabled 'Sing Out Idp Flow' as suggested in the answer but now I'm getting a 400 response saying "Required String parameter client_id is not present" Does anybody have any clue how to solve this problem ?
You need to include the client_id parameter when calling the logout endpoint, the parameter is specified as required in the documentation you provided. The client id can be found in AWS Cognito console in User pools > Your User pool name > App Integration > Your app client name and you should see a Client ID there.

WSO2 Federated IDP RefreshToken with invalid username

community.
I'm using WSO2 IS 5.7.0 to integrate an Angular app with an external IDP.
The external IDP is configured with SAML2 and the service provider Inbound Authentication is set with Oauth/OpenID.
The service provider uses Federated Authentication to comunicate with the IDP.
The user uid from the IDP is matched with the claim userid, so when I ask for an oauth token, I get the correct scopes (matching a local user with roles configured) to use the token with WSO2 AM. This is working well whe I get the initial oauth token using code grant.
If I introspect this token, I can verify the token belongs to the username XXXXXXXX and the scopes are the ones to consume an API on WSO2 AM, based on the roles associated to the local user XXXXXXXX.
The problem is when the refresh token is used to get a new access token after expiration. The new access token comes with the same scopes, but I cannot consume the same API I was consuming with the first token. I get a 403 Forbidden on every call and the AM log shows:
WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials
(The first WARN appears only once)
WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource
(this WARN appears on the subsequent calls)
If I introspect the receibed token, I can see the same scopes as the original access token, but the username is different:
FEDERATED/XXXXXXXX#carbon.super.
I think this username change on the token information leads to the 403 error.
The problem is worst if I activate the Service Provider option "Use tenant domain in local subject identifier" on the Local & Outbound Authentication Configuration. In this case, every time I ask for a new token with refresh token, the tenant is appended to the username on an infinite loop:
XXXXXXXX#carbon.super#carbon.super#carbon.super#carbon.super
On every token I get, the introspect shows me another #carbon.super is appended to the username of the actual token. In this case, the FEDERATED/ is not always present on the username.
I expect the username associated to the refreshtoken to be equal to the one on the first access token.
Is there a configuration to solve this or this is a bug? is resolved on new releases of WSO2 IS?
(sorry for my english)
Thanks!
Similar issue is reported[1] and fixed with PR[2].
[1] https://github.com/wso2/product-is/issues/4472
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1022
If you don't have a WSO2 subscription, upgrading to the 5.8.0 will resolve the issue.

Register user cognito in django

I am applying cognito into django and try to write a registered user api I used warrant library and are faulty.
boto3.setup_default_session(region_name='ap-southeast-2')
user_cognito = Cognito('your-user-pool-id','your-client-id')
user_cognito.register(user['username'], user['password'])
print(user_cognito)
my error is:
NotAuthorizedException at /api/register_user
An error occurred (NotAuthorizedException) when calling the SignUp operation: Unable to verify secret hash for client 'your-client-id'
please help me
You need to create an app without client secret.
It seems that currently, AWS Cognito doesn't handle client secret as it should. In your user pool try to create a new app without generating a client secret. Then use that app to signup a new user or to confirm registration. It worked for me.

WSO2AM2.1.0-update12 scope roles for federated users

Using WSO2AM 2.1.0-update12
trying to get a token from an authorization code grant with role based scope:
using SAML to authenticate users (SAML returning username only, we assume roles from the underlying AD userstore).
Complete stacktrace is available
we have an exception:
DEBUG - Found Authorization Code for Client : kf2UGHFTyCzKUNgSMc65BZNCzooa, authorized user : FEDERATED/xxxxxxx#carbon.super, scope : test001_backend
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.common.UserRolesCache.isCaseSensitiveUsername(UserRolesCache.java:213)
at org.wso2.carbon.user.core.common.UserRolesCache.getRolesListOfUser(UserRolesCache.java:128)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUserFromCache(AbstractUserStoreManager.java:3641)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2730)
... 67 more
thing is - in the wso2am base version 2.1.0 the authorization is working, the upgrade is needed to support application sharing between groups.
Any hint?
Edit:
the change is - user returned through SAML is assigned domain FEDERATED (so the full domain username is FEDERATED/username, which is not recognized by the userstore), using base version 2.1.0 works (I am not sure if the FEDERATED domain is set, but the user roles and scopes are validated properly)
As a resolution - we have overwritten the method getRoleListOfUser on the userstore maanger stripping the realm (FEDERATED) from the username.

wso2am - extending userstoremanager - Error occurred while accessing Java Security Manager Privilege Block

I am extending a userstore manager ActiveDirectoryUserStoreManager for WSO2AM 2.1.0 overriding the protected String[] doGetExternalRoleListOfUser method to add roles from an external authorization service (roles are used for scope authorization).
All looks working locally, but in other environments (deployed on kubernetes) when requesting a token (code grant) I got following exception: Error occurred while accessing Java Security Manager Privilege Block
(other grant types are working with no issue)
Error occurred while issuing the access token for Client ID : ddSiloINsMx5fwp08FqqF62hcaaa, User ID null, Scope : [] and Grant Type : authorization_code More
ERROR {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error occurred while issuing the access token for Client ID : ddSiloINsMx5fwp08FqqF62hcaaa, User ID null, Scope : [] and Grant Type : authorization_code
java.util.AbstractCollection.addAll(AbstractCollection.java:343)
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:110)
org.wso2.carbon.apimgt.keymgt.handlers.ExtendedAuthorizationCodeGrantHandler.validateScope(ExtendedAuthorizationCodeGrantHandler.java:48)
org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:242)
...
ERROR {org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer} - Error when getting the tenant's UserStoreManager or when getting roles of user
org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:177)
org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2586)
org.wso2.carbon.apimgt.keymgt.issuers.RoleBasedScopesIssuer.getScopes(RoleBasedScopesIssuer.java:118)
org.wso2.carbon.apimgt.keymgt.ScopesIssuer.setScopes(ScopesIssuer.java:109)
...
ERROR {org.wso2.carbon.user.core.common.AbstractUserStoreManager} - Error occurred while accessing Java Security Manager Privilege Block
Checking the source code I see there are secure calls made (callSecure), which I don't see immediate reason (though I assume there must be a security reason if someone made so much effort).
The same issue pops up whe nvalidating the token (invoking an API requiring a scope)
As it is working locally, atm I am unable to provide a working testable (repeatable) case, as soon I have one I will update the question.
Using default AD userstore manager there's no issue whatsoever, just we don't have the external roles available for authorization
There was another log entry in the wso2carbon.log (though not in the console - logs available through the carbon console)
Caused by: java.lang.NullPointerException
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.getLDAPRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:1928)
at org.wso2.carbon.user.core.ldap.ReadOnlyLDAPUserStoreManager.doGetExternalRoleListOfUser(ReadOnlyLDAPUserStoreManager.java:2041)
at com.rd.poa.auth.roleuserstore.ExtRoleUserstore.doGetExternalRoleListOfUser(ExtRoleUserstore.java:162)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.doGetRoleListOfUser(AbstractUserStoreManager.java:3730)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getRoleListOfUser(AbstractUserStoreManager.java:2615)
seems users were members of groups outside the "GroupSearch" filter. Making the group search base containing all LDAP group seems to help (so far)
another needed action was stripping the FEDERATED realm from the username WSO2AM2.1.0-update12 scope roles for federated users