WSO2 Identity Server OpenId Connect Owin - wso2

I'm trying to set up WSO2 Identity Server to use OpenID Connect. I have currently applied the settings shown here: Setup WSO2.
What it boils down to is that I use the Resident Identity Provider and I have set up a Service Provider for my app "CoolApp".
I configured "OAuth/OpenID Connect Configuration" and set a callback URL.
Is there a simple example of how to use this in JavaScript?
I have played around with IdentityServer3, and they have a client, oidc-client.js, which works nicely in combination with IdentityServer3. However, I can't seem to get it working with WSO2 Identity Server.
I was going about the issue in the wrong way; what I actually wanted was to protect my website using the OWIN middleware like they tried here and here.
So now I have the following:
app.SetDefaultSignInAsAuthenticationType("ClientCookie");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = "ClientCookie",
    CookieName = CookieAuthenticationDefaults.CookiePrefix + "ClientCookie",
    ExpireTimeSpan = TimeSpan.FromMinutes(5)
});

// ***************************************************************************
// Approach 1 : ResponseType = "id_token token"
// ***************************************************************************
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
    AuthenticationMode = AuthenticationMode.Active,
    AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
    SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
    Authority = "https://localhost:9443/oauth2/",
    ClientId = "fgx4M5e27NJqgRIs8nu5aL7Jw3oa",
    ClientSecret = "dwGdRDCFY7Soa7CB5K5smkiuMmYa",
    RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
    ResponseType = "id_token token",
    Scope = "openid",
    // Endpoints supplied explicitly instead of being read from discovery.
    Configuration = new OpenIdConnectConfiguration
    {
        AuthorizationEndpoint = "https://localhost:9443/oauth2/authorize",
        TokenEndpoint = "https://localhost:9443/oauth2/token",
        UserInfoEndpoint = "https://localhost:9443/oauth2/userinfo",
    },
    Notifications = new OpenIdConnectAuthenticationNotifications
    {
        SecurityTokenValidated = n =>
        {
            var token = n.ProtocolMessage.AccessToken;
            // persist access token in cookie
            if (!string.IsNullOrEmpty(token))
            {
                n.AuthenticationTicket.Identity.AddClaim(
                    new Claim("access_token", token));
            }
            return Task.FromResult(0);
        },
        AuthenticationFailed = notification =>
        {
            if (string.Equals(notification.ProtocolMessage.Error, "access_denied", StringComparison.Ordinal))
            {
                notification.HandleResponse();
                notification.Response.Redirect("/");
            }
            return Task.FromResult<object>(null);
        }
    }
});
I put a breakpoint in SecurityTokenValidated and AuthenticationFailed. I go to the page and get redirected to the WSO2 Identity Server as expected. When I log in and return to the page, neither of my breakpoints is hit and I'm not logged in.
I'm using WSO2 Identity Server 5.1.0.
@farasath, could you please help me and the others out? It looks like we are all running into the same issue and haven't found a solution yet.
During further investigation I found out that using the code flow with response_type = "code" will not work either, as the OIDC middleware doesn't support it (see here and here).
Found a suggestion by @pinpoint that ASP.NET Core does support this. But this is not really an option.
@Hos answered here:
With WSO2 Identity Server 5.0.0 OpenID Connect "id_token" response type is not implemented.
I'm not getting the error response he mentioned in his post, but the results for me stay the same using these versions: the breakpoints never get hit. So now I'm wondering, should this actually work in 5.1.0 or in the 5.2.0-Beta, or is this still WIP?
@farasath, thank you for your reply. Here are the logs:
[2016-08-16 08:11:39,998] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:11:40,074] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:11:50,948] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond#carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:11:50,967] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
[2016-08-16 08:11:50,985] INFO {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Thread pool size for session persistent consumer : 100
[2016-08-16 08:11:50,991] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token context persist consumer is started
... This one repeats about 100 times ...
[2016-08-16 08:11:51,031] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Successfully created AppInfoCache under OAuthCacheManager
[2016-08-16 08:11:51,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:11:52,180] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No active access token found in cache for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond#carbon.super and Scope : openid
[2016-08-16 08:11:52,199] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No access token found in database for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond#carbon.super and Scope : openid. Therefore issuing new access token
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token Data persisting Task is started to run
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Persisted Access Token for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorized User : raymond#carbon.super, Timestamp : 2016-08-16 08:11:52.207, Validity period (s) : 3600, Scope : openid, Callback URL : http://localhost:57815/, Token State : ACTIVE and User Type : APPLICATION_USER
[2016-08-16 08:11:52,233] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token was added to OAuthCache for cache key : fgx4M5e27NJqgRIs8nu5aL7Jw3oa:raymond#carbon.super:openid
[2016-08-16 08:11:52,298] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
The second time I ran it I got this log:
[2016-08-16 08:30:17,216] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:30:17,222] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:30:23,178] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond#carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:30:23,189] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:30:23,195] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Retrieved active Access Token for Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID :raymond#carbon.super and Scope : openid from cache
[2016-08-16 08:30:23,203] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token is valid for another 3264638ms
[2016-08-16 08:30:23,218] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
Now I changed my redirect URI to:
RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
and loginInfo in that function is always null:
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
Googled around and found this post where someone was having similar problems.
Used Fiddler to look at the callback; it looks like a cookie has been set.
So now I'm left with the following situation:
Breakpoint in SecurityTokenValidated never hit
Breakpoint in AuthenticationFailed never hit
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync(); is always null in my callback

The reason for this is that the OWIN middleware is expecting the OAuth response in OAuth 2.0 Form Post Response Mode [1], which is an optional spec, and only Identity Server 5.2.0 (with a patch) upwards supports this.
[1] http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
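The answer above explains the silent callback: the middleware only processes a response that the browser posts to the callback, while the `id_token token` response the server issued here arrives in the URL fragment. The following Python models both delivery modes against a simplified callback handler. It is an added illustration, not code from the question, from the OWIN middleware or from WSO2; the callback URL is the one from the question and all token and state values are constructed.

```python
"""
Why a server-side OIDC callback can stay silent after a successful login.

Added illustration, not code from the question or from WSO2: the authorization
server's response to `response_type=id_token token` is delivered to the client's
callback in two ways, and a simplified callback handler shows what it can read
in each case. Token and state values are constructed sample strings.
"""
from urllib.parse import urlencode, urlsplit, parse_qs

CALLBACK = "http://localhost:57815/Account/ExternalLoginCallback/"

# Constructed authorization response parameters (not real tokens).
AUTHZ_RESPONSE = {
    "id_token": "eyJ.sample.idtoken",
    "access_token": "sample-access-token",
    "token_type": "Bearer",
    "state": "abc123",
}


def deliver(params, response_mode):
    """Model how the browser hands the authorization response to the callback.

    Returns (method, url, body) as the client's web server observes them.
    """
    if response_mode == "fragment":
        # Default for implicit/hybrid responses: the parameters sit in the URL
        # fragment, which the browser keeps to itself. The server sees only a
        # bare GET of the callback path.
        return "GET", CALLBACK + "#" + urlencode(params), ""
    if response_mode == "form_post":
        # OAuth 2.0 Form Post Response Mode: the browser auto-submits a form,
        # so the same parameters arrive in a POST body the server can read.
        return "POST", CALLBACK, urlencode(params)
    raise ValueError(f"unsupported response_mode {response_mode!r}")


def server_receives(method, url, body):
    """Parameters a server-side handler can actually observe for this request."""
    parts = urlsplit(url)                       # parts.fragment is never sent
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if method == "POST":
        params.update({k: v[0] for k, v in parse_qs(body).items()})
    return params


def handle_callback(method, url, body, expected_state):
    """Simplified callback handler; returns 'ignored', 'rejected' or 'validated'.

    'ignored' is the situation in the question: no protocol message is present,
    so neither a token-validated hook nor an authentication-failed hook fires.
    """
    params = server_receives(method, url, body)
    if "id_token" not in params and "error" not in params:
        return "ignored"
    if params.get("state") != expected_state:
        return "rejected"                       # CSRF / mix-up protection
    if "error" in params:
        return "rejected"
    # A real handler now validates the id_token signature, nonce, iss, aud, exp.
    return "validated"


def outcome_by_mode(expected_state="abc123"):
    """Run the same response through both delivery modes."""
    return {mode: handle_callback(*deliver(AUTHZ_RESPONSE, mode), expected_state)
            for mode in ("fragment", "form_post")}


if __name__ == "__main__":
    for mode, result in outcome_by_mode().items():
        print(f"{mode:9s} -> {result}")
```

Run stand-alone, the fragment delivery ends in `ignored` and the form_post delivery in `validated`, which is the difference between the breakpoints never firing and the login completing.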

AFAIK we don't have a JavaScript sample that you can use directly. But that shouldn't be a problem at all. I came across [1] by simply googling. All you need to do is replace the client_id and callback URL. Since we follow the OAuth/OpenID Connect spec, any OAuth JavaScript client library should work with WSO2 Identity Server.
We do have a web app sample [2] and I wrote a blog post [3] earlier just to demonstrate the authorization code flow with WSO2 Identity Server.
[1] https://github.com/zalando/oauth2-client-js
[2] https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground
[3] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html

Related

Get ACCESS_TOKEN_SCOPE_INSUFFICIENT error migrating to People API

I have a desktop Java app that I am migrating from Google Contacts API to People API. I have some of it working. For example, I can retrieve contact information. But when I tried to create a new contact, I get the following error:
com.google.api.client.googleapis.json.GoogleJsonResponseException: 403 Forbidden
POST https://people.googleapis.com/v1/people:createContact
{
  "code" : 403,
  "details" : [ {
    "@type" : "type.googleapis.com/google.rpc.ErrorInfo",
    "reason" : "ACCESS_TOKEN_SCOPE_INSUFFICIENT"
  } ],
  "errors" : [ {
    "domain" : "global",
    "message" : "Insufficient Permission",
    "reason" : "insufficientPermissions"
  } ],
  "message" : "Request had insufficient authentication scopes.",
  "status" : "PERMISSION_DENIED"
}
Here's the relevant code:
protected void createContact() throws Exception {
    Credential credential = authorize(PeopleServiceScopes.CONTACTS, "people");
    PeopleService service = new PeopleService.Builder(
            httpTransport, JSON_FACTORY, credential).setApplicationName(APPLICATION_NAME).build();
    Person contactToCreate = new Person();
    List<Name> names = new ArrayList<Name>();
    names.add(new Name().setGivenName("John").setFamilyName("Doe"));
    contactToCreate.setNames(names);
    Person createdContact = service.people().createContact(contactToCreate).execute();
    System.out.println("CREATED Contact: " + createdContact.getNames().get(0).getDisplayName());
}

protected Credential authorize(String scope, String subDir) throws Exception {
    File dataStoreDir = new File(System.getProperty("user.home"), ".store/myapp/" + cfg.dataStore + "/" + subDir);
    // initialize the transport
    httpTransport = GoogleNetHttpTransport.newTrustedTransport();
    // initialize the data store factory
    dataStoreFactory = new FileDataStoreFactory(dataStoreDir);
    // load client secrets
    GoogleClientSecrets clientSecrets = GoogleClientSecrets.load(JSON_FACTORY,
            new InputStreamReader(SyncMgr.class.getResourceAsStream("/client_secrets.json")));
    if (clientSecrets.getDetails().getClientId().startsWith("Enter")
            || clientSecrets.getDetails().getClientSecret().startsWith("Enter ")) {
        System.out.println(
                "Enter Client ID and Secret from https://code.google.com/apis/console/?api=calendar "
                + "into /client_secrets.json");
        System.exit(1);
    }
    // set up authorization code flow
    GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
            httpTransport, JSON_FACTORY, clientSecrets,
            Collections.singleton(scope)).setDataStoreFactory(dataStoreFactory).build();
    // authorize
    return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver()).authorize(cfg.gUser);
}
When I first ran it, I had the scope set to CONTACTS_READONLY and I got the consent screen. But then I changed the scope to CONTACTS when I added the code to create a new contact, and that's when I got the ACCESS_TOKEN_SCOPE_INSUFFICIENT error.
I saw in another post that I need to force the app to reauthorize the user when the scope changes, so that the consent screen appears again. But I'm not sure how to do that. Any suggestions?
Thanks.
UPDATE 1/4/22
I tried Gabriel's suggestion of removing access to the application. After removing access, I ran the application again. This time I got this error on the execute() call:
com.google.api.client.auth.oauth2.TokenResponseException: 400 Bad Request
POST https://oauth2.googleapis.com/token
{
  "error" : "invalid_grant",
  "error_description" : "Token has been expired or revoked."
}
And even the execute() statement that worked before to retrieve contacts is giving the same error now.
My application also used the Calendar API. I didn't touch that code. But when I try to use it, I get the same "invalid_grant" error. What do I do now?
You appear to be using the People.createContact method. If we take a look at the documentation, we will see that this method requires consent to the following scope of permissions from the user.
Now if we check your code you appear to be using
Credential credential = authorize(PeopleServiceScopes.CONTACTS, "people");
which is the exact scope needed. But you originally had readonly there. So when your code ran the first time, the user authorized the read-only scope and not the full contacts scope, and you're stuck.
The key here is this section of code.
// set up authorization code flow
GoogleAuthorizationCodeFlow flow = new GoogleAuthorizationCodeFlow.Builder(
        httpTransport, JSON_FACTORY, clientSecrets,
        Collections.singleton(scope)).setDataStoreFactory(dataStoreFactory).build();
// authorize
return new AuthorizationCodeInstalledApp(flow, new LocalServerReceiver()).authorize(cfg.gUser);
Kindly note I am not a Java developer; I am a .NET developer. The libraries are very close and I have been helping with questions about this in both languages for years.
dataStoreFactory is where the consent from the user is stored. There should be a JSON file somewhere in your directory structure with the user's name associated with it; this is how your system reloads it. When your code runs it will look for a file in that directory with the cfg.gUser name.
There should be a way in the Java client library to force it to re-request authorization of the user: prompt type force. But I will have to look around to see how to do it in Java.
The easiest solution now would be to find that directory and delete the file for the user, or just change the user's name cfg.gUser to cfg.gUser + "test" or something; this will cause the name to change, and the file name as well, forcing it to prompt the user for authorization again.
This time when it requests consent take note which scope of permissions it asks for.
Token has been expired or revoked.
This is probably due to the fact that your refresh tokens are expiring. When your application is in the testing phase, the refresh tokens are expired or revoked automatically by Google after seven days.
This is something new, something that Google added in the last year or so. Unfortunately the client libraries were not designed to request access again if the refresh token was expired in this manner.
If you are looking to get the consent screen again, you can remove access to your application from your account settings by following the steps in this documentation and then try to authorize the app again. As you mentioned, the error received is because the scope granted at authorization was CONTACTS_READONLY instead of CONTACTS, which is what is checked for this specific create-contacts method.
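Both answers come down to the same defensive rule: a credential reloaded from a datastore must be checked against the scopes the next call needs, and a refresh token the token endpoint has rejected must be treated as gone. The Python below models that check. It is an added illustration, neither the asker's code nor the Google client library's API; the two scope strings are the People API's published scope URIs, the record layout and all token values are constructed, and the "broader scope implies read-only" rule is an assumption stated for these two scopes only.

```python
"""
Checking a cached OAuth credential before reusing it.

Added illustration for the two failure modes in the thread above; it is neither
the asker's code nor the Google client library's API. A stored credential record,
as a file-backed datastore might hold it, is compared with the scopes the next
call needs, and a credential whose refresh token the token endpoint has rejected
is treated the same way. Scope strings are the People API's published scope URIs;
all token values and user names are constructed.
"""
from dataclasses import dataclass, field

CONTACTS_READONLY = "https://www.googleapis.com/auth/contacts.readonly"
CONTACTS = "https://www.googleapis.com/auth/contacts"

# Assumption of this illustration: a broader scope satisfies a call that needs
# only its read-only counterpart. Modelled for the two People API scopes only.
SCOPE_IMPLIES = {CONTACTS: {CONTACTS_READONLY}}


@dataclass
class StoredCredential:
    """Constructed stand-in for one datastore entry, keyed by user (cfg.gUser)."""
    user: str
    access_token: str
    refresh_token: str
    granted_scopes: set = field(default_factory=set)
    revoked: bool = False  # set once the token endpoint has answered invalid_grant


class ReauthorizationRequired(Exception):
    """Raised when only a fresh consent round-trip can produce a usable token."""


def effective_scopes(granted):
    """Granted scopes plus everything they imply."""
    out = set(granted)
    for scope in granted:
        out |= SCOPE_IMPLIES.get(scope, set())
    return out


def check_credential(cred, required_scopes):
    """Return `cred` if it can serve `required_scopes`; otherwise raise.

    The first condition is the question's situation: consent was given for
    CONTACTS_READONLY, the code now asks for CONTACTS, and the library reloads
    the old grant from disk. The second is the asker's later
    'Token has been expired or revoked' error.
    """
    missing = set(required_scopes) - effective_scopes(cred.granted_scopes)
    if missing:
        raise ReauthorizationRequired(
            f"{cred.user}: stored grant lacks {sorted(missing)}")
    if cred.revoked:
        raise ReauthorizationRequired(
            f"{cred.user}: refresh token revoked or expired")
    return cred


def needs_reauth(cred, required_scopes):
    """Boolean form of check_credential for callers that branch on it."""
    try:
        check_credential(cred, required_scopes)
    except ReauthorizationRequired:
        return True
    return False


def classify_token_error(error_body):
    """Map a parsed token-endpoint error JSON to the action to take."""
    err = error_body.get("error")
    if err == "invalid_grant":
        return "reauthorize"  # stored refresh token is dead; re-run consent
    if err in ("invalid_client", "unauthorized_client"):
        return "fix_client_registration"
    return "retry_or_fail"


def obtain_credential(store, user, required_scopes):
    """Look the user up in `store`; drop the record when re-consent is needed.

    `store` is a dict user -> StoredCredential standing in for the datastore
    directory; the fix suggested in the thread (deleting the user's file)
    corresponds to `store.pop(user)` here. Returns None when the caller must
    run the consent flow again.
    """
    cred = store.get(user)
    if cred is None or needs_reauth(cred, required_scopes):
        store.pop(user, None)
        return None
    return cred
```

`obtain_credential` is the piece that the thread's workaround (delete the user's datastore file, or change `cfg.gUser`) performs by hand: when the stored grant cannot serve the call, the stale record is discarded so the next run goes through consent instead of reusing an under-scoped token.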

Is it possible to make authentication in identityserver4 only available via REST calls?

I'm quite new to identityserver4, so correct me if I say something wrong. I have set up identityserver4 together with ASP.NET Identity for user management and protected my API with it; however, I don't know how to get an access token without being redirected to the login page. I'm using Postman to get an access token via the authorization tab using the following details:
new Client
{
    ClientId = "postman-api",
    ClientName = "Postman Test Client",
    ClientSecrets = { new Secret("PostmanIsASecret".Sha256()) },
    AllowedGrantTypes = GrantTypes.Implicit,
    AllowAccessTokensViaBrowser = true,
    RequireConsent = false,
    RedirectUris = { "https://www.getpostman.com/oauth2/callback" },
    PostLogoutRedirectUris = { "https://www.getpostman.com" },
    AllowedCorsOrigins = { "https://www.getpostman.com" },
    EnableLocalLogin = false,
    RequirePkce = false,
    AllowedScopes =
    {
        IdentityServerConstants.StandardScopes.OpenId,
        IdentityServerConstants.StandardScopes.Profile,
        IdentityServerConstants.StandardScopes.Email,
        "jumsum.api"
    }
}
I just want to login and get an access token without having to be redirected all the time. In the console I'm getting this:
IdentityServer4.ResponseHandling.AuthorizeInteractionResponseGenerator: Information: Showing login: User is not authenticated
I just want to pass a username and password via the http request body and get an access token back. What am I doing wrong?
You could add a client that accepts the client credentials flow; using this flow you can get an access token using just a username and password. This is a flow for machine-to-machine communication where no human user is involved.
Read more about that here.

WSO2 Identity Server 5.10.0 - Unable to achieve EmailOTP based MFA

I have enabled the EmailOTP Identity Provider, using WSO2 Identity Server as the email provider.
In my Service Provider, I have enabled EmailOTP as the second step of authentication.
My front end is an Angular UI application. When I provide username/password on the login page (using OpenID Connect), the authorization code is generated, but the second step is not invoked, i.e., the OTP page is not displayed and no email with the OTP is sent to the recipient.
I have followed the steps mentioned here, except for making Gmail the Identity Provider.
OpenIdConnect Configuration:
Local and Outbound Authentication Configuration:
EmailOTP IDP Configuration (did not use Gmail or SendGrid):
EMail Adapter and Authenticator Configuration:
[output_adapter.email]
from_address= "sender#domain.com"
username= "username#domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
Script based authentication Configuration:
var onLoginRequest = function(context) {
    executeStep(1);
    executeStep(2);
};
OpenId Connect Configuration.
https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp
Endpoint details:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256&sectoken=<sec_token>
Tenant Domain Error:
The tenant domain user is being treated as a user of carbon.super domain.
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123#carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
In the shared logs, the following line can be observed:
BasicAuthRequestPathAuthenticator can handle the request
It means the canHandle() method of BasicAuthRequestPathAuthenticator has returned true, since the sectoken query parameter is defined. Then request path authentication has taken place.
BasicAuth request path authentication does not support MFA; it is like the password grant. The user gets authenticated just by validating the passed credentials.
If your goal is to have the login page on your client application (Angular SPA), you can pass the username and password as two separate parameters (POST or GET; POST is recommended since the password will then not be passed in the URL) in the oauth2/authorize request and get into the default basic authenticator instead of the RequestPathAuthenticator. Then MFA will work as expected.
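The answer above identifies the `sectoken` parameter as the reason step 2 never runs. The following Python is an added check, not WSO2 code, that inspects an authorize request the way a gateway or an integration test could and flags that condition along with two related points the answer raises (credentials in the URL, and a missing code_challenge). The sample URL is the one from the question; the POST variant is constructed.

```python
"""
Flagging an /oauth2/authorize request that sidesteps the second factor.

Added check, not WSO2 code: a `sectoken` parameter on the authorize request
selects BasicAuthRequestPathAuthenticator, which validates the credentials
directly and never reaches step 2 (EmailOTP). The helper below reports that
condition plus two related hygiene points. The sample URL is the question's;
the POST variant in the tests is constructed.
"""
from urllib.parse import urlsplit, parse_qs

QUESTION_URL = ("https://localhost:5004/oauth2/authorize?response_type=code&scope=openid"
                "&redirect_uri=http://localhost&client_id=<client_id>"
                "&code_challenge=<code_challenge>&code_challenge_method=S256"
                "&sectoken=<sec_token>")

# Parameters that carry credentials and therefore belong in a POST body.
CREDENTIAL_PARAMS = ("sectoken", "username", "password")


def request_params(method, url, body=""):
    """Merge query-string and (for POST) form-body parameters; query wins on clash."""
    params = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    if method.upper() == "POST" and body:
        for k, v in parse_qs(body).items():
            params.setdefault(k, v[0])
    return params


def audit_authorize_request(method, url, body=""):
    """Return a list of findings; an empty list means nothing to flag."""
    findings = []
    params = request_params(method, url, body)
    in_query = set(parse_qs(urlsplit(url).query))

    if "sectoken" in params:
        # Request path authentication: credentials are checked in one step and
        # the configured second step (EmailOTP) is skipped entirely.
        findings.append("request_path_auth: sectoken present, step 2 (MFA) will not run")
    if in_query & set(CREDENTIAL_PARAMS):
        # Anything in the query string ends up in access logs and referrers.
        findings.append("credentials_in_url: send them in a POST body instead")
    if params.get("response_type") == "code" and "code_challenge" not in params:
        findings.append("pkce_missing: no code_challenge on an authorization code request")
    return findings


def audit_findings_for_question_url():
    """Convenience wrapper that audits the request from the question."""
    return audit_authorize_request("GET", QUESTION_URL)


if __name__ == "__main__":
    for finding in audit_findings_for_question_url():
        print(finding)
```

Against the question's URL the check reports the request path authentication and the credential in the query string; the same request rewritten as a POST carrying `username` and `password` in the body, as the answer recommends, produces no findings.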

Getting HTTP 401 Error calling MS CRM 365 USING SOAP UI

I am trying to call MS CRM 365 web services using SoapUI. This is what I have done so far:
Downloaded the Organization WSDL from my CRM instance
Uploaded it in SoapUI
Added three header parameters: Content-Type, SOAPAction and Accept
Added Username and Password in Request Properties
Whenever I send a request to MS CRM, I get "HTTP ERROR 401 - Unauthorized: Access is denied".
Anyone have any ideas?
Thanks,
Nitesh
Since this is Dynamics 365, it does not authenticate using username/password. Instead you will need to use OAuth as shown in the link:
https://msdn.microsoft.com/en-us/library/gg327838.aspx
// TODO Substitute your correct CRM root service address,
string resource = "https://mydomain.crm.dynamics.com";

// TODO Substitute your app registration values that can be obtained after you
// register the app in Active Directory on the Microsoft Azure portal.
string clientId = "e5cf0024-a66a-4f16-85ce-99ba97a24bb2";
string redirectUrl = "http://localhost/SdkSample";

// Authenticate the registered application with Azure Active Directory.
AuthenticationContext authContext =
    new AuthenticationContext("https://login.windows.net/common", false);
AuthenticationResult result = authContext.AcquireToken(resource, clientId, new Uri(redirectUrl));
Use the access token in message requests:
using (HttpClient httpClient = new HttpClient())
{
    httpClient.Timeout = new TimeSpan(0, 2, 0); // 2 minutes
    httpClient.DefaultRequestHeaders.Authorization =
        new AuthenticationHeaderValue("Bearer", result.AccessToken);
    // ... issue requests with httpClient here
}
Another option would be to shift from Xrm.Client to Xrm.Tools.Connection. See the example on this site:
https://msdn.microsoft.com/en-us/library/jj602970.aspx

Need to Get the Index of Session using SAML2.0 to fix Logout

I'm doing an agent for SAML2.0 SSO using the code at this URL:
http://svn.wso2.org/repos/wso2/people/asela/wso2-samples/sso_webapp/
but the logout does not work. Excuse my English.
I am told that when the identity server sends the authentication response, it sends a session index value in it, and you need to return exactly the same value in the logout request to the identity server. How can I get the session index value with SAML 2.0?
This is the code of my class LogoutRequestBuilder:
public LogoutRequest buildLogoutRequest(String subject, String reason) {
    Util.doBootstrap();
    LogoutRequest logoutReq = new org.opensaml.saml2.core.impl.LogoutRequestBuilder().buildObject();
    logoutReq.setID(Util.createID());
    DateTime issueInstant = new DateTime();
    logoutReq.setIssueInstant(issueInstant);
    logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
    IssuerBuilder issuerBuilder = new IssuerBuilder();
    Issuer issuer = issuerBuilder.buildObject();
    issuer.setValue(Util.getProperty(SSOConstants.ISSUER_ID));
    logoutReq.setIssuer(issuer);
    NameID nameId = new NameIDBuilder().buildObject();
    nameId.setFormat(SSOConstants.SAML_NAME_ID_POLICY);
    nameId.setValue(subject);
    logoutReq.setNameID(nameId);
    SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
    // a freshly generated ID, not the SessionIndex the IdP issued at login
    sessionIndex.setSessionIndex(Util.createID());
    logoutReq.getSessionIndexes().add(sessionIndex);
    logoutReq.setReason(reason);
    return logoutReq;
}
If single logout is enabled in the service provider registration in WSO2IS, the SAML response you get will contain the SessionIndex.
So that value has to be stored somewhere to send back in the logout request.
This is an old sample you are using. [1] This document contains the SSO sample which has single logout enabled.
[1] https://docs.wso2.com/display/IS500/Configuring+SAML2+SSO
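The answer says where the value lives and what to do with it; the Python below carries that through end to end. It is an added illustration, not the WSO2 sample's code nor the asker's Java: a constructed, unsigned SAML 2.0 Response is parsed for the NameID and the `SessionIndex` attribute of its `AuthnStatement`, and a LogoutRequest is built that echoes that SessionIndex instead of a freshly generated ID. The issuer name, the NameID and the SessionIndex value are all constructed, and signature verification of the incoming response (which must precede any use of these values) is outside this example.

```python
"""
Carrying the IdP's SessionIndex from the SAML Response into the LogoutRequest.

Added illustration, not the WSO2 sample's code: a constructed SAML 2.0 Response
is parsed for the NameID and the SessionIndex of its AuthnStatement, and a
LogoutRequest is built that echoes that SessionIndex (the asker's Java sends a
new random ID there instead). Signature verification of the response must
happen before these values are trusted; it is out of scope here.
"""
import uuid
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
for prefix, uri in NS.items():
    ET.register_namespace(prefix, uri)

# Constructed, abbreviated and unsigned Response of the shape an IdP returns
# after SSO. The SessionIndex value is invented.
SAMPLE_RESPONSE = """<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol"
    xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_resp1" Version="2.0"
    IssueInstant="2016-01-01T00:00:00Z" Destination="https://sp.example/acs">
  <saml:Issuer>localhost</saml:Issuer>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2016-01-01T00:00:00Z">
    <saml:Issuer>localhost</saml:Issuer>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">admin</saml:NameID>
    </saml:Subject>
    <saml:AuthnStatement AuthnInstant="2016-01-01T00:00:00Z" SessionIndex="8c3e5d10-sample-session-index">
      <saml:AuthnContext>
        <saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef>
      </saml:AuthnContext>
    </saml:AuthnStatement>
  </saml:Assertion>
</samlp:Response>"""


def extract_session(response_xml):
    """Return (name_id, name_id_format, session_index) from a SAML Response.

    Store all three against the local web session at login; the logout request
    needs exactly these values back.
    """
    root = ET.fromstring(response_xml)
    name_id = root.find(".//saml:Assertion/saml:Subject/saml:NameID", NS)
    stmt = root.find(".//saml:Assertion/saml:AuthnStatement", NS)
    if name_id is None or stmt is None or not stmt.get("SessionIndex"):
        raise ValueError("response lacks NameID or SessionIndex")
    return name_id.text, name_id.get("Format"), stmt.get("SessionIndex")


def build_logout_request(issuer, name_id, name_id_format, session_index, reason=None):
    """Build a LogoutRequest echoing the stored SessionIndex; returns XML text."""
    now = datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    req = ET.Element(f"{{{NS['samlp']}}}LogoutRequest", {
        "ID": "_" + uuid.uuid4().hex,             # the request ID may be fresh
        "Version": "2.0",
        "IssueInstant": now.strftime(fmt),
        "NotOnOrAfter": (now + timedelta(minutes=5)).strftime(fmt),
    })
    if reason:
        req.set("Reason", reason)
    ET.SubElement(req, f"{{{NS['saml']}}}Issuer").text = issuer
    nid = ET.SubElement(req, f"{{{NS['saml']}}}NameID", {"Format": name_id_format})
    nid.text = name_id
    # The SessionIndex must NOT be fresh: it identifies the IdP-side session.
    ET.SubElement(req, f"{{{NS['samlp']}}}SessionIndex").text = session_index
    return ET.tostring(req, encoding="unicode")


def logout_for(response_xml, issuer="sso-webapp"):
    """Full round trip: parse the login response, build the matching logout."""
    name_id, name_format, idx = extract_session(response_xml)
    return build_logout_request(issuer, name_id, name_format, idx, reason="user-logout")


def session_index_in(logout_xml):
    """Read the SessionIndex back out of a LogoutRequest (for checking)."""
    root = ET.fromstring(logout_xml)
    el = root.find("samlp:SessionIndex", NS)
    return el.text if el is not None else None


if __name__ == "__main__":
    print(logout_for(SAMPLE_RESPONSE))
```

In the asker's Java the equivalent change is to replace `Util.createID()` in `sessionIndex.setSessionIndex(...)` with the value saved from the Response's `AuthnStatement` at login, keeping the NameID and its format unchanged as well.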