Configure microservices security using JWT OAuth2 in WSO2 Identity Server - wso2-identity-server

My idea is to configure the microservices security pattern for the APIs and the SPA security pattern for the web application, so that our hybrid mobile apps and web apps work with WSO2 IS.
I configured the IdP and SP as described in the documentation: https://docs.wso2.com/display/ISCONNECTORS/Configuring+JWT+Grant+Type. I am not able to get this working.
<SupportedGrantType>
<GrantTypeName>urn:ietf:params:oauth:grant-type:jwt-bearer</GrantTypeName>
<GrantTypeHandlerImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTBearerGrantHandler</GrantTypeHandlerImplClass>
<GrantTypeValidatorImplClass>org.wso2.carbon.identity.oauth2.grant.jwt.JWTGrantValidator</GrantTypeValidatorImplClass>
</SupportedGrantType>
[2016-10-23 07:01:32,115] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : urn:ietf:params:oauth:grant-type:jwt-bearer Strict client validation set to : null
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : VY3zPlWNRgm3BqJWmHtYXe2ym08a
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Unsupported Grant Type : urn:ietf:params:oauth:grant-type:jwt-bearer for client id : VY3zPlWNRgm3BqJWmHtYXe2ym08a
[2016-10-23 07:01:32,118] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=unauthorized_client client-id=VY3zPlWNRgm3BqJWmHtYXe2ym08a grant-type=urn:ietf:params:oauth:grant-type:jwt-bearer scope=

The JWT Bearer Grant connector [1] is supported with IS 5.1.0.
For a version that supports IS 5.2.0, please follow up on the JIRA [2].
[1] https://store.wso2.com/store/assets/isconnector/details/8affec9a-706f-4e72-83ec-f65c42895d40
[2] https://wso2.org/jira/browse/ISCONNECT-34

Please try now with version 1.0.3 [1], which is compatible with IS 5.2.0.
[1] https://store.wso2.com/store/assets/isconnector/details/8affec9a-706f-4e72-83ec-f65c42895d40
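The log above shows the request failing before any assertion is looked at: the client authenticates, then the grant type is reported as unsupported because no handler is registered for it on that server version. Once the matching connector is installed, the handler has to validate the assertion itself. The following is an added example, not code from the original posts or from WSO2, showing the checks RFC 7523 requires of a JWT-bearer grant handler and the form body the client POSTs. The token endpoint URL, the issuer https://idp.example.com and the HMAC secret are assumptions; the HMAC stands in for the RS256 verification against the IdP certificate that WSO2 IS performs, so that the example runs offline.

```python
import base64
import hashlib
import hmac
import json
import time
from urllib.parse import urlencode

JWT_BEARER = "urn:ietf:params:oauth:grant-type:jwt-bearer"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"              # assumption
# Registered IdPs -> verification key. WSO2 IS holds an X.509 certificate per IdP
# and verifies RS256; a shared HMAC secret stands in here so the example runs offline.
TRUSTED_ISSUERS = {"https://idp.example.com": b"demo-shared-secret"}  # assumption
CLOCK_SKEW = 60          # seconds of tolerance on exp / nbf
_seen_jti = set()        # replay cache; a TTL-bounded store in production


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_assertion(claims: dict, secret: bytes) -> str:
    """Constructed HS256 assertion, standing in for the IdP-signed RS256 JWT."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    payload = _b64url(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def validate_assertion(assertion: str, now: float = None) -> dict:
    """Return the claims if the assertion may be exchanged; raise ValueError otherwise."""
    now = time.time() if now is None else now
    try:
        h64, p64, s64 = assertion.split(".")
        header = json.loads(_b64url_decode(h64))
        claims = json.loads(_b64url_decode(p64))
    except ValueError:                       # covers unpack, base64 and JSON errors
        raise ValueError("malformed assertion")

    # 1. iss must name a registered IdP; its key, not the token, decides how to verify.
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    if key is None:
        raise ValueError("unknown issuer")
    # 2. Pin the algorithm so 'alg: none' or an algorithm swap is rejected outright.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(s64)):
        raise ValueError("bad signature")
    # 3. aud must contain this token endpoint (RFC 7519 allows a string or a list).
    aud = claims.get("aud")
    if TOKEN_ENDPOINT not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    # 4. exp is mandatory, nbf optional; both are checked with bounded skew.
    if "exp" not in claims or claims["exp"] + CLOCK_SKEW < now:
        raise ValueError("assertion expired")
    if claims.get("nbf", 0) - CLOCK_SKEW > now:
        raise ValueError("assertion not yet valid")
    # 5. sub is required; jti, when present, is remembered to block replay.
    if not claims.get("sub"):
        raise ValueError("missing sub")
    jti = claims.get("jti")
    if jti is not None:
        if jti in _seen_jti:
            raise ValueError("replayed assertion")
        _seen_jti.add(jti)
    return claims


def token_request_body(assertion: str, scope: str = "openid") -> str:
    """Form body the client POSTs to /oauth2/token (client credentials go in the Authorization header)."""
    return urlencode({"grant_type": JWT_BEARER, "assertion": assertion, "scope": scope})


if __name__ == "__main__":
    now = time.time()
    good = make_assertion({"iss": "https://idp.example.com", "sub": "alice",
                           "aud": TOKEN_ENDPOINT, "exp": now + 300, "jti": "demo-1"},
                          b"demo-shared-secret")
    print("accepted subject:", validate_assertion(good)["sub"])
    print(token_request_body(good)[:72] + "...")
```

The order of the checks matters: the issuer is resolved first so that the key, not a header chosen by the sender, decides how the signature is verified, and the algorithm is pinned before any signature bytes are compared.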

Related

Identity Server does not validate SAML LogoutRequest Signature

I've got WSO2 IS running and a service provider that has SAML inbound authentication set up. I've enabled the "Enable Signature Validation in Authentication Requests and Logout Requests" checkbox for the SAML service provider.
If I send an AuthnRequest that is not properly signed, it will error. However, if I send a LogoutRequest with no signature (or with a signature made from a completely different cert/key), it will log my user out without error. How can I enable actual signature validation in WSO2 IS?
I'm running the latest WSO2 Docker Container. I believe that is IS 5.7.0 according to this startup logging:
Starting WSO2 Carbon...
Operating System : Linux 4.9.93-linuxkit-aufs, amd64
Java Home : /home/wso2carbon/java/jre
Java Version : 1.8.0_144
Java VM : Java HotSpot(TM) 64-Bit Server VM 25.144-b01,Oracle Corporation
Carbon Home : /home/wso2carbon/wso2is-5.7.0
Java Temp Dir : /home/wso2carbon/wso2is-5.7.0/tmp
It seems the signature validation [1] is being skipped for the logout request due to an issue in the code. Please refer to the GitHub issue [2] to track this.
[1] https://github.com/wso2-extensions/identity-inbound-auth-saml/blob/ee338982c1add8f75f1132a6b3bacb30cee7989b/components/org.wso2.carbon.identity.sso.saml/src/main/java/org/wso2/carbon/identity/sso/saml/processors/SPInitLogoutRequestProcessor.java#L130
[2] https://github.com/wso2/product-is/issues/4048
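To reproduce what the poster describes, and to show what the skipped validation has to enforce, here is an added example that is not from the original post or from the WSO2 code base. It builds an unsigned LogoutRequest for the HTTP-Redirect binding the way the poster sent one, and implements the receiver-side gate for both bindings: reject when Signature/SigAlg (Redirect) or ds:Signature (POST) are absent while the SP requires signing, pin the signature algorithm, rebuild the signed octets from the still-URL-encoded query values, and check that the enveloped signature's Reference URI points at the request's own ID. The RSA verification itself needs the SP certificate and a library such as python-xmlsec, so it is passed in as a callback; the issuer, IDs and Destination are constructed.

```python
import base64
import zlib
import xml.etree.ElementTree as ET        # use defusedxml in production: XXE, entity expansion
from urllib.parse import urlencode, parse_qsl

SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
DS = "http://www.w3.org/2000/09/xmldsig#"
RSA_SHA256 = "http://www.w3.org/2001/04/xmldsig-more#rsa-sha256"

# Constructed SP-initiated LogoutRequest; issuer, ID and Destination are hypothetical.
LOGOUT_REQUEST = f"""<samlp:LogoutRequest xmlns:samlp="{SAMLP}"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1b2c3"
    Version="2.0" IssueInstant="2019-01-01T00:00:00Z"
    Destination="https://localhost:9443/samlsso">
  <saml:Issuer>https://sp.example.com</saml:Issuer>
  <saml:NameID>alice</saml:NameID>
</samlp:LogoutRequest>"""


def build_redirect_query(xml_doc: str, relay_state: str = None,
                         sig_alg: str = None, signature_b64: str = None) -> str:
    """HTTP-Redirect binding: raw DEFLATE, base64, URL-encode. Unsigned when sig_alg is None."""
    deflater = zlib.compressobj(wbits=-15)
    raw = deflater.compress(xml_doc.encode()) + deflater.flush()
    params = [("SAMLRequest", base64.b64encode(raw).decode())]
    if relay_state is not None:
        params.append(("RelayState", relay_state))
    if sig_alg is not None:
        params.append(("SigAlg", sig_alg))
    if signature_b64 is not None:
        params.append(("Signature", signature_b64))
    return urlencode(params)


def redirect_signed_octets(query: str) -> bytes:
    """What the SP signed: the still-encoded values, fixed order, Signature excluded."""
    raw = dict(pair.partition("=")[::2] for pair in query.split("&"))
    parts = [f"SAMLRequest={raw['SAMLRequest']}"]
    if "RelayState" in raw:
        parts.append(f"RelayState={raw['RelayState']}")
    parts.append(f"SigAlg={raw['SigAlg']}")
    return "&".join(parts).encode()


def check_redirect_logout(query: str, require_signature: bool, verify_rsa) -> str:
    """Return the decoded LogoutRequest XML, or raise ValueError if it must not be acted on.

    verify_rsa(signed_octets, signature) is RSA-PKCS#1 v1.5/SHA-256 over the SP certificate.
    """
    params = dict(parse_qsl(query, keep_blank_values=True))
    if "SAMLRequest" not in params:
        raise ValueError("no SAMLRequest")
    if require_signature:
        # The gate the linked issue reports as skipped: an SP configured for signed
        # requests must not have an unsigned logout honoured.
        if not params.get("Signature") or not params.get("SigAlg"):
            raise ValueError("unsigned LogoutRequest rejected")
        if params["SigAlg"] != RSA_SHA256:
            raise ValueError("unsupported SigAlg")      # no downgrade to SHA-1 or HMAC
        if not verify_rsa(redirect_signed_octets(query), base64.b64decode(params["Signature"])):
            raise ValueError("signature verification failed")   # wrong key -> reject
    return zlib.decompress(base64.b64decode(params["SAMLRequest"]), -15).decode()


def check_post_logout(xml_doc: str, require_signature: bool) -> ET.Element:
    """HTTP-POST binding: the enveloped ds:Signature must exist and reference this request."""
    root = ET.fromstring(xml_doc)
    if root.tag != f"{{{SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if require_signature:
        sig = root.find(f"{{{DS}}}Signature")
        if sig is None:
            raise ValueError("unsigned LogoutRequest rejected")
        ref = sig.find(f"{{{DS}}}SignedInfo/{{{DS}}}Reference")
        if ref is None or ref.get("URI") != "#" + root.get("ID", ""):
            raise ValueError("signature does not cover this LogoutRequest")  # wrapping defence
        # XML-DSig verification against the SP certificate (e.g. python-xmlsec) goes here.
    return root


if __name__ == "__main__":
    unsigned = build_redirect_query(LOGOUT_REQUEST, relay_state="r1")
    for binding, attempt in (("redirect", lambda: check_redirect_logout(unsigned, True, lambda d, s: True)),
                             ("post", lambda: check_post_logout(LOGOUT_REQUEST, True))):
        try:
            attempt()
        except ValueError as err:
            print(f"{binding} binding: {err}")
```

Rebuilding the signed string from the raw query, rather than from decoded parameters, is deliberate: the SP signed the encoded form, and re-encoding decoded values can differ in case or escaping and cause false failures, or, if the receiver is lenient about it, let a modified RelayState through.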

Not getting remote claims from wso2

I am using WSO2 IS with another configured identity provider such as Google or Yahoo.
When I log in from the IdP and am redirected back to my application's callback URL, my application
calls the /oauth2/token API to fetch an id_token based on the authorization_code, but the problem is that it does not get the remote claims (IdP custom claim attributes) which I have configured in the service provider mapping. I am facing this issue randomly, not for all users.
Success claims log: TID: [-1234] [] [2018-04-24 07:25:03,300] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = [middle_name:M,given_name:abc,family_name:xyz,email:abc.xyz@domain.com,]
Failure claims log: 07:32:19,062] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Returning claims from claim handler = []
It seems you are facing the issue mentioned in [1]. This issue is fixed in the master branch, and the fix is also available as a WUM update for IS 5.4.0 and IS 5.5.0. You can either try the latest milestone of WSO2 Identity Server or get a WUM-updated pack of IS 5.4.0 or IS 5.5.0.
[1] https://github.com/wso2/carbon-identity-framework/issues/1494

configure wso2 identity to generate JWT using OIDC/oauth

Can anyone assist me here? I am trying to use WSO2 to authenticate a user from Active Directory and return an OIDC/OAuth JWT token.
Please provide more details on where you are stuck and which version of the component you are trying to configure.
There are three steps to get this done:
0 - Set email field as login : https://docs.wso2.com/display/IS530/Using+Email+Address+as+the+Username
1 - Configure AD as the primary user store in WSO2 IS: https://docs.wso2.com/display/IS530/Configuring+a+Read-Write+Active+Directory+User+Store
2 - Set up an OIDC client in WSO2IS : https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect+Single-Sign-On
3 - Configure your client to use WSO2 IS as its OIDC token provider
Jeff
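As an added example of step 3 (not from the original answer or from WSO2), here is the client side of the authorization-code flow against WSO2 IS: minting state, nonce and a PKCE verifier, binding the callback to the session through state, and the id_token checks OIDC Core requires (alg, signature, iss, aud/azp, exp, nonce). The issuer value, client_id, redirect URI and endpoint URLs are hypothetical. Signature verification against the server's JWKS needs a JOSE library, so it is passed in as a callback; make_unverified_id_token exists only so the checks can be exercised offline, a real id_token comes from the token endpoint.

```python
import base64
import hashlib
import json
import secrets
import time
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical deployment values. ISSUER must equal what the server puts in 'iss'
# (WSO2 IS 5.x defaults to its token endpoint URL); read it from the server, never guess it.
ISSUER = "https://localhost:9443/oauth2/token"
AUTHORIZE_ENDPOINT = "https://localhost:9443/oauth2/authorize"
CLIENT_ID = "my-spa-client"
REDIRECT_URI = "https://app.example.com/callback"
CLOCK_SKEW = 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def begin_login(scope: str = "openid email profile"):
    """Mint per-login secrets and the authorize URL. `session` stays server-side."""
    session = {"state": secrets.token_urlsafe(32),          # CSRF binding for the callback
               "nonce": secrets.token_urlsafe(32),          # binds the id_token to this login
               "code_verifier": secrets.token_urlsafe(64)}  # PKCE (RFC 7636)
    challenge = _b64url(hashlib.sha256(session["code_verifier"].encode()).digest())
    url = AUTHORIZE_ENDPOINT + "?" + urlencode({
        "response_type": "code", "client_id": CLIENT_ID, "redirect_uri": REDIRECT_URI,
        "scope": scope, "state": session["state"], "nonce": session["nonce"],
        "code_challenge": challenge, "code_challenge_method": "S256"})
    return session, url


def handle_callback(callback_url: str, session: dict) -> dict:
    """Check state first, then return the form fields for the POST to /oauth2/token."""
    q = parse_qs(urlsplit(callback_url).query)
    if q.get("state", [None])[0] != session["state"]:
        raise ValueError("state mismatch: not a response to our request")
    if "error" in q:
        raise ValueError(f"authorization error: {q['error'][0]}")
    if "code" not in q:
        raise ValueError("no authorization code")
    return {"grant_type": "authorization_code", "code": q["code"][0],
            "redirect_uri": REDIRECT_URI, "client_id": CLIENT_ID,
            "code_verifier": session["code_verifier"]}


def make_unverified_id_token(header: dict, claims: dict) -> str:
    """Constructed token with an empty signature, only so validate_id_token can run offline."""
    return f"{_b64url(json.dumps(header).encode())}.{_b64url(json.dumps(claims).encode())}."


def validate_id_token(id_token: str, session: dict, verify_signature, now: float = None) -> dict:
    """OIDC Core 3.1.3.7 checks. verify_signature(header, signing_input, sig) does RS256 via JWKS."""
    now = time.time() if now is None else now
    h64, p64, s64 = id_token.split(".")
    header = json.loads(_b64url_decode(h64))
    claims = json.loads(_b64url_decode(p64))
    if header.get("alg") != "RS256":
        raise ValueError("unexpected alg")          # refuse 'none' and HMAC key confusion
    if not verify_signature(header, f"{h64}.{p64}".encode(), _b64url_decode(s64)):
        raise ValueError("bad signature")
    if claims.get("iss") != ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    aud = aud if isinstance(aud, list) else [aud]
    if CLIENT_ID not in aud:
        raise ValueError("token not issued to this client")
    if len(aud) > 1 and claims.get("azp") != CLIENT_ID:
        raise ValueError("azp required with multiple audiences")
    if claims.get("exp", 0) + CLOCK_SKEW < now:
        raise ValueError("id_token expired")
    if claims.get("nonce") != session["nonce"]:
        raise ValueError("nonce mismatch: replayed or mixed-up id_token")
    return claims


if __name__ == "__main__":
    session, url = begin_login()
    print(url)
    fields = handle_callback(f"{REDIRECT_URI}?code=SplxlOBeZQQYbYS6WxSbIA&state={session['state']}", session)
    print(fields["grant_type"], fields["code"])
```

For a hybrid mobile app or SPA the token request carries no client secret, which is why the PKCE verifier and the nonce check are the controls that stop an intercepted code or a captured id_token from being reused.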

How to integrate WSO2 API Manager (AM) 1.10.0 with PingFederate SAML 2.0?

How do I integrate WSO2 AM 1.10.0 with PingFederate SAML 2.0? Any instructions?
On the WSO2 web site I only saw docs on how to set up SSO among WSO2 products: https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 . But I did not see documentation on how to enable WSO2 AM 1.10.0 with external identity providers such as PingFederate via SAML2.
Any help is appreciated.
*** UPDATE:
I followed the instructions here https://docs.wso2.com/display/AM1100/Configuring+Single+Sign-on+with+SAML2 - just assuming WSO2 IS is PingIdentity. For the majority part it's working, but I cannot generate keys when subscribing to an API. It says "invalid credentials" even though I have logged into applications and subscriptions and can create applications from the /store UI.
I can confirm that this can be done without adding a separate WSO2 IS server into the picture. I fixed several issues (cannot generate keys, cannot publish APIs, etc.) by: 1) adding the admin user inside APIKeyValidator in api-manager.xml, and also as admin user via the management console and in user-mgt.xml; 2) inside api-manager.xml:
Change the following:
https://${carbon.local.ip}:${mgt.transport.https.port}${carbon.context}/services/
to: https://[FQDN_OF_HOST]:${mgt.transport.https.port}${carbon.context}/services/
The reason is that my server certificate only recorded the domain name, not the IP address.
The solution was also mentioned here: wso2 am 1.10.0 API Store: "Error occurred while executing the action generateApplicationKey" with " Invalid credentials provided."
Basically, you can do this by adding PingFederate as an IDP in WSO2 AM and configuring federated SAML SSO configurations. An example of how to achieve this with Shibboleth is given in [1]. You can follow the same steps to do any configurations according to your requirement.
Refer to [2] for configuring the SAML SSO federated authenticator in general.
[1] https://docs.wso2.com/display/IS510/How+To%3A+Configure+Shibboleth+IdP+as+a+Trusted+Identity+Provider
[2] https://docs.wso2.com/display/IS510/Configuring+SAML+2.0+Web+SSO

wso2 identity server Multifactor Authentication error

I am unable to implement multifactor authentication.
The error I am getting is:
TID: [0] [WSO2 Identity Server] [2012-10-30 10:31:38,620] ERROR {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider} - login failed. Trying again.. {org.wso2.carbon.identity.provider.xmpp.MPAuthenticationProvider}
SASL authentication failed:
at org.jivesoftware.smack.SASLAuthentication.authenticate (SASLAuthentication.java:209)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:341)
at org.jivesoftware.smack.XMPPConnection.login(XMPPConnection.java:301)
This is for WSO2 Identity Server 3.2.3, straight out of the box. No additional configuration was performed to run this instance of Identity Server.
It appears that when signing in as admin, the LDAP authentication is completed and then authentication with GTalk is attempted, which is when the error occurs.
Should I be setting my own configuration in identity.xml where gtalk is being set?
<MultifactorAuthentication>
<XMPPSettings>
<XMPPConfig>
<XMPPProvider>gtalk</XMPPProvider>
<XMPPServer>talk.google.com</XMPPServer>
<XMPPPort>5222</XMPPPort>
<XMPPExt>gmail.com</XMPPExt>
<XMPPUserName>multifactor1@gmail.com</XMPPUserName>
<XMPPPassword>wso2carbon</XMPPPassword>
</XMPPConfig>
</XMPPSettings>
</MultifactorAuthentication>
I found out that I do need to set up a Google Talk account.
I added the new settings to the MultifactorAuthentication configuration.
I restarted the server.
I edited the user account with another new Google Talk account.
I logged out.
I logged back in via the relying party URL with OpenID,
received a message over GTalk requesting a PIN,
entered the PIN and got logged in.
It would have been nice if WSO2 had mentioned in their documentation the need to set up these settings for this configuration to get multifactor authentication to work out of the box.