When using an access with userid & passsword based entitlement, and use of class "entitlementServiceClient", method "getDecision", the program always receives an error: "Invalid Status"
Is there anything missing in the usage of this class:
org.wso2.carbon.identity.entitlement.ui.client.EntitlementServiceClient;
my statements are:
//initialize authentication admin stub
UnitTest1 remoteEntitlementClient = new UnitTest1();
//login using authentication admin stub providing valid credentials
remoteEntitlementClient.login(userid, password);
//initialize entitlement service stub with obtained authentication cookie
remoteEntitlementClient.initUnitTest1();
String decision = entitlementServiceClient.getDecision(myRequest);
System.out.println("\nXACML Decision is received : " + decision);
The authorization process seems to works fine and it receives a valid login confirmation and cookie (see log below).
oc2615188332 entitlement]$ sh ./testit.sh
Jul 17, 2015 8:10:37 PM org.apache.axiom.util.stax.dialect.StAXDialectDetector detectDialect
WARNING: Unable to determine dialect of the StAX implementation at jar:file:/home/claudef/tmp/wso2/entitlement/lib/axiom_1.2.11.wso2v4.jar!/
The user admin logged in successfully.
The IdP authorization cookie is: JSESSIONID=CDEEA143EB95A5AABEB07F5A401633B4; Path=/; Secure=null; HttpOnly=null
XACML Decision is received : Invalid Status
Elapsed seconds decimal: 6.937248979
Elapsed seconds rounded: 6.937
Entitlement flow finished successfully
Thanks in advance for support and advice.
Regards,
Claude
Related
I have enabled EmailOTP Identity Provider, using WSO2 Identity Server as Email Provider.
In my Service PRovider, I have enabled EmailOTP as the second step of Authentication.
Angular UI application is my front end, when I provide username/password on the login page (user OpenId Connect), the authorization code is getting generated, but the second step is not being invoked, i.e., OTP page is not being displayed and Email is not being sent to the recipient with OTP.
I have followed the steps mentioned here, except making Gmail as Identity Provider.
OpenIdConnect Configuration:
Local and Outbound Authentication Configuration:
EmailOTP IDP Configuration (did not use Gmail or SendGrid):
EMail Adapter and Authenticator Configuration:
[output_adapter.email]
from_address= "sender#domain.com"
username= "username#domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
Script based authentication Configuration:
var onLoginRequest = function(context) {
executeStep(1);
executeStep(2);
};
OpenId Connect Configuration.
https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp
Endpoint details:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256§oken=<sec_token>
Tenant Domain Error:
The tenant domain user is being treated as a user of carbon.super domain.
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123#carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
In the shared logs, the following line can be observed.
BasicAuthRequestPathAuthenticator can handle the request
It means canHandle() method of the BasicAuthRequestPathAuthenticator has returned true since sectoken query parameter is defined. Then, the request path authentication has taken place.
BasicAuth RequestPathAuthentication does not support MFA and it is like the password grant. The user gets authenticated by just validating the passed credentials.
If your goal is to have the login page on your client application (Angular SPA), you can pass the username and password as two different parameters (POST OR GET; POST is recommended since the password will not be passed in the URL) in the oauth2/authorize request and get into the default basic authenticator instead of the RequestPathAuthenticator. Then MFA will work as expected.
Using flask-ldap3-login to query AD for my web app logins. Works for everyone; but, for users who have "()" in their First name in AD. Here's the Debug log.
UN-SUCCESSFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=ebadu))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Badu\, ericka (EB),OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'ebadu'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Badu\, Ericka (EB),OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
ERROR:flask_ldap3_login:malformed filter
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629604c50>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628eabf98>
SUCCESFULL LOGIN
DEBUG:root:Validating LDAPLoginForm against LDAP
DEBUG:flask_ldap3_login:Opening connection with bind user 'mybinduser#mydomain.com'
DEBUG:flask_ldap3_login:Successfully bound to LDAP as 'mybinduser#mydomain.com' for search_bind method
DEBUG:flask_ldap3_login:Performing an LDAP Search using filter '(&(objectclass=person)(sAMAccountName=mpeters))', base 'DC=mydomain,DC=com', and scope 'SUBTREE'
DEBUG:flask_ldap3_login:Opening connection with bind user 'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Directly binding a connection to a server with user:'CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com'
DEBUG:flask_ldap3_login:Authentication was successful for user 'mpeters'
DEBUG:flask_ldap3_login:Searching for groups for specific user with filter '(&(objectclass=group)(uniqueMember=CN=Peters\, Mike,OU=HELPDESK,DC=mydomain,DC=com))' , base 'DC=mydomain,DC=com' and scope 'LEVEL'
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8629683828>
DEBUG:flask_ldap3_login:Destroying connection at <0x7f8628e91048>
The AD logs says "An account was successfully logged on"; however, the user does not log in to the app. The user has no issues login in with the AD credentials anywhere else.
What might be the issue?
This is the flask-ldap3-login code:
LDAP_USER_RDN_ATTR = 'cn'
LDAP_USER_LOGIN_ATTR = 'sAMAccountName'
LDAP_BASE_DN = 'DC=mydomain,DC=com'
LDAP_REQUIRED_GROUP = 'ou=helpdesk,dc=mydomain,dc=com'
LDAP_USER_SEARCH_SCOPE = 'SUBTREE'
But "malformed filter" usually means that the LDAP query sent to AD isn't valid somehow. I asked about odd characters on the account, since if some special characters are not encoded properly, they can be misinterpreted as special characters used in LDAP queries.
It could be a bug in your code, or a bug in flask-ldap3-login. If you show your code, I might be able to give you some pointers.
Also, see if you can enable debug logging. It may tell you what the actual filter is that made it bomb. I'm not familiar with flask-ldap3-login, but, looking at the documentation, this might do it?:
app.config['DEBUG'] = True
SOLVED! Seems to be solved in the latest version of flask-ldap3-login. I did not upgrade but modified existing code:
Replaced this:
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format('`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=dn`
with this:
`safe_dn = ldap3.utils.conv.escape_filter_chars(dn)`
`search_filter = '(&{group_filter}({members_attr}={user_dn}))'.format(`
`group_filter=self.config.get('LDAP_GROUP_OBJECT_FILTER'),`
`members_attr=self.config.get('LDAP_GROUP_MEMBERS_ATTR'),`
`user_dn=safe_dn`
I am trying to call MSCRM 365 web services using SOAPUI, this is what i have done so far
Downloaded Organization WSDL from my cRM instance
Uploaded in SOAPUI
Added three header parameters - Content-Type, SOAPAction and Accept
Added Username and Password in Request Properties
Whenever I send a request to MSCRM, I get "HTTP ERROR 401 - Unauthorized: Access is denied"
Anyone have any ideas?
Thanks,
Nitesh
Since this is Dynamics 365 it does not authenticate using Username / Password. Instead you will need to use OAuth as shown in the link
https://msdn.microsoft.com/en-us/library/gg327838.aspx
// TODO Substitute your correct CRM root service address,
string resource = "https://mydomain.crm.dynamics.com";
// TODO Substitute your app registration values that can be obtained after you
// register the app in Active Directory on the Microsoft Azure portal.
string clientId = "e5cf0024-a66a-4f16-85ce-99ba97a24bb2";
string redirectUrl = "http://localhost/SdkSample";
// Authenticate the registered application with Azure Active Directory.
AuthenticationContext authContext =
new AuthenticationContext("https://login.windows.net/common", false);
AuthenticationResult result = authContext.AcquireToken(resource, clientId, new
Uri(redirectUrl));
Use the access token in message requests:
using (HttpClient httpClient = new HttpClient())
{
httpClient.Timeout = new TimeSpan(0, 2, 0); // 2 minutes
httpClient.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", result.AccessToken);
Another options would be to shift from Xrm.Client to Xrm.Tools.Connection. See the example in this site.
https://msdn.microsoft.com/en-us/library/jj602970.aspx
Im trying to set up WSO2 Identity Server to use OpenId connect. I have currently applied the following settings shown Here: Setup WSO2.
What it boiles down to is that i use the Resident Identity Provider and i have setup a Service Provider for my app "CoolApp".
I configured "OAuth/OpenID Connect Configuration" and set a callback URL.
Is there a simple example how to use this in javascript?
I have played around with identityserver3 and they have a client oidc-client.js which works nicely in combination with identityserver3. However i cant seem to get it working with WSO2 identity server.
I was going about the issue in a wrong way, what i actually wanted was to protect my website using the owin middleware like they tried here and here.
so now i have the following:
app.SetDefaultSignInAsAuthenticationType("ClientCookie");
app.UseCookieAuthentication(new CookieAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = "ClientCookie",
CookieName = CookieAuthenticationDefaults.CookiePrefix + "ClientCookie",
ExpireTimeSpan = TimeSpan.FromMinutes(5)
});
// ***************************************************************************
// Approach 1 : ResponseType = "id_token token"
// ***************************************************************************
app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
{
AuthenticationMode = AuthenticationMode.Active,
AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
Authority = " https://localhost:9443/oauth2/",
ClientId = "fgx4M5e27NJqgRIs8nu5aL7Jw3oa",
ClientSecret = "dwGdRDCFY7Soa7CB5K5smkiuMmYa",
RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
ResponseType = "id_token token",
Scope = "openid",
Configuration = new OpenIdConnectConfiguration
{
AuthorizationEndpoint = "https://localhost:9443/oauth2/authorize",
TokenEndpoint = "https://localhost:9443/oauth2/token",
UserInfoEndpoint = "https://localhost:9443/oauth2/userinfo",
},
Notifications = new OpenIdConnectAuthenticationNotifications
{
SecurityTokenValidated = n =>
{
var token = n.ProtocolMessage.AccessToken;
// persist access token in cookie
if (!string.IsNullOrEmpty(token))
{
n.AuthenticationTicket.Identity.AddClaim(
new Claim("access_token", token));
}
return Task.FromResult(0);
},
AuthenticationFailed = notification =>
{
if (string.Equals(notification.ProtocolMessage.Error, "access_denied", StringComparison.Ordinal))
{
notification.HandleResponse();
notification.Response.Redirect("/");
}
return Task.FromResult<object>(null);
}
}
});
I put a break point in the SecurityTokenValidated and AuthenticationFailed. Go to the page and i get redirected to the WSO2 identity server as expected. When i login and return to the page both of my break points are NOT hit and im not logged in.
Im using WSO2 Identity Server 5.1.0.
#farasath, could you please help me and the others out looks like we are all running into the same issue and havent found a solution yet.
During further investigation i found out that using the code flow with response_type = "code" will not work either, as the OIDC middleware doesn't support it (see here and here).
Found a suggestion by #pinpoint that ASP.net core does support this. But this is not really an option.
#Hos answered here:
With WSO2 Identity Server 5.0.0 OpenID Connect "id_token" response type is not implemented.
Im not getting the error response he mentioned in his post, but the results for me stay the same using these versions, the breakpoints never get hit. So now i'm wondering should this actually work in 5.1.0 or in the 5.2.0-Beta or is this still WIP.
#farasath, Thank you for your reply here are the logs
[2016-08-16 08:11:39,998] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:11:40,074] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:11:50,948] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond#carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:11:50,967] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
[2016-08-16 08:11:50,985] INFO {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Thread pool size for session persistent consumer : 100
[2016-08-16 08:11:50,991] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token context persist consumer is started
... This one repeats about 100 times ...
[2016-08-16 08:11:51,031] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} - Successfully created AppInfoCache under OAuthCacheManager
[2016-08-16 08:11:51,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:11:52,180] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No active access token found in cache for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond#carbon.super and Scope : openid
[2016-08-16 08:11:52,199] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - No access token found in database for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond#carbon.super and Scope : openid. Therefore issuing new access token
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} - Access Token Data persisting Task is started to run
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Persisted Access Token for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorized User : raymond#carbon.super, Timestamp : 2016-08-16 08:11:52.207, Validity period (s) : 3600, Scope : openid, Callback URL : http://localhost:57815/, Token State : ACTIVE and User Type : APPLICATION_USER
[2016-08-16 08:11:52,233] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token was added to OAuthCache for cache key : fgx4M5e27NJqgRIs8nu5aL7Jw3oa:raymond#carbon.super:openid
[2016-08-16 08:11:52,298] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
Second time i ran it i got this log:
[2016-08-16 08:30:17,216] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:30:17,222] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:30:23,178] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : raymond#carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:30:23,189] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:30:23,195] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Retrieved active Access Token for Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID :raymond#carbon.super and Scope : openid from cache
[2016-08-16 08:30:23,203] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} - Access Token is valid for another 3264638ms
[2016-08-16 08:30:23,218] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
Now i changed my redirect uri to:
RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
and logInfo in that function is always null
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();
Googled around and found this post where someone was having similar problems.
Used Fiddler to look at the callback looks like a cookie has been set
So now Im left with the following situation:
Breakpoint in SecurityTokenValidated never hit
Breakpoint in AuthenticationFailed never hit
var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync(); is always null in my Callback
Reason for this is OWIN middle-ware is expecting the OAUTH response in OAUTH 2.0 Form Post Response Mode [1] which is an optional spec and only Identity Server 5.2.0 (With a patch) upwards supports this.
[1] http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html
AFAIK we don't have a Javascript sample that you can use directly. But that shouldn't be a problem at all. I came across [1] by simply googling. All you need to do is to replace the client_id and callback URL. Since we follow the OAuth/OpenID connect spec any OAuth Javascript client library should work with WSO2 Identity Server.
We do have a web app sample[2] and I wrote a blog post[3] earlier just to demonstrate the authorization code flow with WSO2 Identity Server.
[1] https://github.com/zalando/oauth2-client-js
[2] https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground
[3] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html
I'm doing an agent SAML2.0 SSO using the code that is in this url:
http://svn.wso2.org/repos/wso2/people/asela/wso2-samples/sso_webapp/
but it does not work the logout. Excuse my English.
I am told, when the identity server sends responses of the authentication, sends a session index value in it and you need to return exactly the same value in the logout request to the identity server. How I can get the index value of the session with SAML 2.0?
This is the code of my class LogoutRequestBuilder
public LogoutRequest buildLogoutRequest(String subject, String reason) {
Util.doBootstrap();
LogoutRequest logoutReq = new org.opensaml.saml2.core.impl.LogoutRequestBuilder().buildObject();
logoutReq.setID(Util.createID());
DateTime issueInstant = new DateTime();
logoutReq.setIssueInstant(issueInstant);
logoutReq.setNotOnOrAfter(new DateTime(issueInstant.getMillis() + 5 * 60 * 1000));
IssuerBuilder issuerBuilder = new IssuerBuilder();
Issuer issuer = issuerBuilder.buildObject();
issuer.setValue(Util.getProperty(SSOConstants.ISSUER_ID));
logoutReq.setIssuer(issuer);
NameID nameId = new NameIDBuilder().buildObject();
nameId.setFormat(SSOConstants.SAML_NAME_ID_POLICY);
nameId.setValue(subject);
logoutReq.setNameID(nameId);
SessionIndex sessionIndex = new SessionIndexBuilder().buildObject();
sessionIndex.setSessionIndex(Util.createID());
logoutReq.getSessionIndexes().add(sessionIndex);
logoutReq.setReason(reason);
return logoutReq;
}
}
If single logout is enabled in service provider registration in WSO2IS. Within the SAML response you get will contain the SessionIndex.
So that value has to be stored somewhere to send back in the logout request.
This is an old sample you are using. [1] This document contain the sso sample which has single log out enabled.
[1] https://docs.wso2.com/display/IS500/Configuring+SAML2+SSO