How to use "issuer" tag in ALFA plugin? - delegation

I am writing some administrative policies in the ALFA plugin but I found out there's no such function in it. Does anyone know about this aspect?

You would have to generate the issuer element separately using an Ant script and some logic to generate the value of the issuer field, e.g. by adding the DN of a certificate.
It all depends on how your XACML engine implements delegation.
ALFA itself doesn't do anything to the issuer field.
Cheers,
David.
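Added example (not David's code and not part of ALFA): a post-build step of the kind the answer describes, which takes the policy ALFA emits, reads the subject DN out of an administrator certificate with openssl, and inserts a XACML 3.0 `<PolicyIssuer>` element carrying that DN. The certificate and policy are constructed stand-ins; the choice of subject-id as the issuer attribute and the x500Name data type are assumptions that have to match whatever your PDP's delegation support expects.

```shell
#!/bin/sh
# Added example (not David's code, not part of ALFA): stamp a <PolicyIssuer>
# built from a certificate's subject DN into an ALFA-generated XACML 3.0 policy,
# the way a post-build (Ant) step would.
# Assumptions: the ALFA output uses the "xacml3" prefix with <xacml3:Target on
# its own line; subject-id as the issuer attribute and the x500Name data type are
# choices your PDP's delegation support has to agree with.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed stand-in for the administrator's certificate.
make_issuer_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/O=Example/CN=policy-admin" \
        -keyout "$WORK/admin.key" -out "$WORK/admin.crt" >/dev/null 2>&1
}

# Constructed stand-in for what ALFA emits: a policy with no PolicyIssuer.
write_policy() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<xacml3:Policy xmlns:xacml3="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17"
    PolicyId="http://example.com/xacml/policy/delegated"
    RuleCombiningAlgId="urn:oasis:names:tc:xacml:3.0:rule-combining-algorithm:deny-overrides"
    Version="1.0">
  <xacml3:Description>Delegated policy (constructed sample)</xacml3:Description>
  <xacml3:Target/>
  <xacml3:Rule Effect="Permit" RuleId="permit-admins"/>
</xacml3:Policy>
EOF
}

# Subject DN of a certificate in RFC 2253 form, e.g. CN=policy-admin,O=Example
cert_subject_dn() {
    openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

# Insert the issuer element just before <Target>: XACML 3.0 fixes the child order
# as Description, PolicyIssuer, PolicyDefaults, Target, ... so a PDP that
# validates against the schema rejects it anywhere else. The DN is XML-escaped.
add_policy_issuer() {   # $1 policy file, $2 issuer DN; result on stdout
    awk -v dn="$2" '
        BEGIN {
            gsub(/&/, "\\&amp;", dn); gsub(/</, "\\&lt;", dn); gsub(/>/, "\\&gt;", dn)
        }
        /<xacml3:Target/ && !done {
            print "  <xacml3:PolicyIssuer>"
            print "    <xacml3:Attribute AttributeId=\"urn:oasis:names:tc:xacml:1.0:subject:subject-id\" IncludeInResult=\"false\">"
            print "      <xacml3:AttributeValue DataType=\"urn:oasis:names:tc:xacml:1.0:data-type:x500Name\">" dn "</xacml3:AttributeValue>"
            print "    </xacml3:Attribute>"
            print "  </xacml3:PolicyIssuer>"
            done = 1
        }
        { print }' "$1"
}

# Read the issuer DN back out of a policy (used as a sanity check).
issuer_of() {
    sed -n 's|.*x500Name">\(.*\)</xacml3:AttributeValue>.*|\1|p' "$1"
}

make_issuer_cert
write_policy "$WORK/policy.xml"
DN=$(cert_subject_dn "$WORK/admin.crt")
add_policy_issuer "$WORK/policy.xml" "$DN" > "$WORK/policy-with-issuer.xml"
cat "$WORK/policy-with-issuer.xml"
```

The awk insertion is only safe because the sample has a single `<xacml3:Target` start tag on its own line; for a real build pipeline use an XML-aware tool so a Target inside a Rule cannot be matched by mistake. What the PDP then does with the issuer (whether it looks for an administrative policy that authorises that DN) is entirely the engine's delegation implementation, as David says.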

Related

WSO2IS With Custom Context Root

My team is trying to expose WSO2-IS through a reverse proxy. With our team setup, each new application is exposed under a single context-root, and we're hoping to do the same for wso2.
Using the oauth2/authorize endpoint as an example, we would like to expose the endpoint through our proxy as
https://<domain name>/wso2-is/oauth2/authorize rather than the default
https://<domain name>/oauth2/authorize
It turns out we would need this same configuration for a number of webapps under wso2is, including:
oauth2
oidc
commonauth
logincontext
authorizationendpoint
I've found information online for how to do this with the admin console, but I haven't found any info on how to do it for these public endpoints.
Has anyone been able to accomplish this, or does someone know whether or not WSO2 was built to support this use case?
You can follow the official documentation on Adding a Custom Proxy Path.

validating a JWT generated by WSO2 APIM 1.9.0: what's the public key?

I'm trying to do something that seemed simple but ends up being difficult because I lack the expertise.
I have an APIM deployed with no customisation security-wise (don't worry, it's not production!). So it's only got carbon.jks.
I authenticate users in an application with SAML2 against an IDS, then use the APIM with an app secret for a user token generated from the SAML2 token. I get from the APIM an OAuth token which I use to call APIs in the APIM. (note that I managed to resolve this thanks to another post here some time ago :-) )
The backend that implements the APIs receives a JWT as a result, with header, user information and app information, and a signature.
For my first tests I write my own "hello world" backend, that logs the JWT.
I use http://jwt.io which manages to read my JWT without any problem. But it tells me the signature is invalid.
To make the signature valid I would need a valid public key.
I don't know where to find that key.
I have run the command line described in RSA Public Key of WSO2carbon and generated a .cert file. I have examined the .cert file in portecle (http://portecle.sourceforge.net/) but found nothing of interest, however opening it in Windows gave me a field "public key", which looks like "30 81 89 02 81 81 00 94 a[...]", quite long and obviously hex.
I tried this, and also its base64-encoded representation, in http://jwt.io but no success.
Because I was wondering where my public key is, I have also read:
How to validate a JWT from WSO2 API Manager
(and the referenced link https://asankad.org/2013/12/05/obtaining-certificate-used-to-sign-a-jwt/ )
However the code provided is a bit on its own, with not even a mention of language. I assume it's node.js, but no info about libs or anything.
Here are some more precise questions:
WSO2 APIM offers only SHA256withRSA (which is a flavor of SHA-2 IIUC). The wso2carbon.jks certs that I found were SHA-1. So I'm supposing that could not have worked anyway. How can APIM generate SHA256 with SHA-1 certificates?
WSO2 APIM offers only SHA256withRSA. http://jwt.io gives the choice between RS256 and HS256, one uses a key, the other a secret (public/private). I'm guessing I need to use RS256? (but again the only keys I have seem to come from SHA1 certs)
has anyone succeeded in what I'm doing? Install WSO2 APIM, generate a JWT and validate the JWT against http://jwt.io, including signature?
If I use a lib such as https://github.com/tymondesigns/jwt-auth to validate the JWT, will it work? I was told that this lib doesn't support SHA256.
in the APIM I'm in a tenancy, called sandbox. If I go to the super-tenancy carbon I see wso2carbon.jks. If I go to my own tenancy's carbon I see sandbox.jks, but it's empty, and on the deployment machine there's no corresponding file. How does that work out, does the tenancy JKS exist only when used, or is it stored in the DB and not filesystem?
how much can I show of my tokens, JWT etc on a public forum? :-) (if it helps to help me, I'm willing to share!)
Thanks for any tips!
(maybe all I need is the default public key, seeing as I'm using the default keystore!)
Answering myself in case anyone has the same issue.
Two things helped me out:
first, to validate in jwt.io, I needed to change the cert encoding by running the following command: openssl x509 -inform der -in somekey.cer -out somekey.pem
then I was using the super-tenant keystore instead of the tenancy keystore. I had looked into this but not found any tenancy keystore on the APIM VM. I had to:
log in as tenant admin in APIM carbon portal
navigate to configure / keystores
there was a keystore for the tenancy (called sandbox1.jks), click on public key
save the downloaded sandbox1.cert and convert it to pem using the above command
The resulting pem worked fine with jwt.io using RS256
Hope this helps others!
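Added example, not code from the original post: the two openssl steps the self-answer relies on (DER `.cert` to PEM, then RS256 verification against the certificate's public key), run end to end. The tenant key pair, the certificate and the token are constructed here as stand-ins for sandbox1.cert and the JWT APIM forwards to the backend, and the claim names in the payload are sample values only.

```shell
#!/bin/sh
# Added example, not code from the original post: verify an RS256 JWT against a
# tenant certificate the way the self-answer describes, converting the DER .cert
# with `openssl x509 -inform der` first. The key pair, certificate and token are
# constructed here as stand-ins for sandbox1.cert and the JWT APIM sends to the
# backend; only the openssl steps are the point.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# JWT base64url: standard base64, '+/' -> '-_', padding dropped.
b64url() { openssl base64 -A | tr '/+' '_-' | tr -d '='; }

# Inverse: restore padding to a multiple of 4 before decoding.
b64url_decode() {
    s=$(tr '_-' '/+')
    while [ $(( ${#s} % 4 )) -ne 0 ]; do s="$s="; done
    printf '%s' "$s" | openssl base64 -d -A
}

# Constructed tenant keystore contents: a self-signed cert, exported as DER,
# which is the form the "public key" download in the carbon console gives you.
make_tenant_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 -subj "/CN=sandbox1" \
        -keyout "$WORK/tenant.key" -out "$WORK/tenant-orig.pem" >/dev/null 2>&1
    openssl x509 -in "$WORK/tenant-orig.pem" -outform der -out "$WORK/sandbox1.cert"
}

# Constructed token; RS256 = RSASSA-PKCS1-v1_5 over SHA-256 of "header.payload",
# which is exactly what `openssl dgst -sha256 -sign` produces.
make_jwt() {   # $1 private key; token on stdout
    header=$(printf '%s' '{"typ":"JWT","alg":"RS256"}' | b64url)
    payload=$(printf '%s' '{"iss":"sample-apim","http://wso2.org/claims/enduser":"alice@sandbox1","exp":4102444800}' | b64url)
    sig=$(printf '%s.%s' "$header" "$payload" | openssl dgst -sha256 -sign "$1" | b64url)
    printf '%s.%s.%s' "$header" "$payload" "$sig"
}

# Step 1 from the answer: the downloaded .cert is DER, jwt.io wants PEM.
der_to_pem() { openssl x509 -inform der -in "$1" -out "$2"; }

# Decode the claims (no verification; do not act on them before verify_jwt passes).
jwt_claims() { printf '%s' "$1" | cut -d. -f2 | b64url_decode; }

# Returns 0 only if the signature matches the certificate's public key.
verify_jwt() {   # $1 token, $2 PEM certificate
    openssl x509 -in "$2" -pubkey -noout > "$WORK/pub.pem"
    signing_input=${1%.*}                  # header.payload
    printf '%s' "${1##*.}" | b64url_decode > "$WORK/sig.bin"
    printf '%s' "$signing_input" | openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/sig.bin" >/dev/null 2>&1
}

make_tenant_cert
TOKEN=$(make_jwt "$WORK/tenant.key")
der_to_pem "$WORK/sandbox1.cert" "$WORK/sandbox1.pem"

# Same signature over a changed payload: the check must fail.
TAMPERED="${TOKEN%%.*}.$(printf '%s' '{"iss":"sample-apim","http://wso2.org/claims/enduser":"mallory@sandbox1"}' | b64url).${TOKEN##*.}"

jwt_claims "$TOKEN"; echo
if verify_jwt "$TOKEN" "$WORK/sandbox1.pem"; then echo "genuine token: signature OK"; fi
if verify_jwt "$TAMPERED" "$WORK/sandbox1.pem"; then echo "BUG"; else echo "tampered token: rejected"; fi
```

Two things a backend needs beyond what jwt.io shows: the certificate is pinned in advance (the tenant's, as the answer found, not the super-tenant's carbon.jks), never chosen from anything in the token header; and after the signature checks out, `exp` and the issuer still have to be validated before the claims are trusted.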

Self-contained JWT for oauth

I am fairly new to wso2is.
I added an SP with oauth/oidc and got the client credentials.
But when I call the token endpoint to generate an access token (client_credentials flow), I get a GUID/reference token. How do I get a self-contained JWT?
Also, are the discovery endpoint and introspection not available in 5.2.0?
TIA.
As of now there is no out-of-the-box solution to get a self-contained JWT as an access token from WSO2 Identity Server. However, we have an extension point[1] to write one to suit your requirements.
If I give you the steps in short,
Write an accessToken issuer class implementing this interface. Instead of the GUID, you return the signed JWT.
Create jar and add it to IS_HOME/repository/components/dropins
Add the fully qualified classname to IS_HOME/repository/conf/identity/identity.xml by adding a <IdentityOAuthTokenGenerator> tag under <OAuth> section.
Check out the default accessTokenIssuer code to get an idea[2]. Discovery endpoint and Introspection endpoint have been added in IS 5.3.0. Try out the alpha version from [3]
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuer.java#L25-L25
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/676c4d845842556a560874804373a422940492a9/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/OauthTokenIssuerImpl.java
[3] https://github.com/wso2/product-is/releases/download/v5.3.0-alpha/wso2is-5.3.0-alpha.zip
Update
Follow this blog post https://medium.com/@hasinthaindrajee/self-contained-access-tokens-with-wso2-identity-server-82111631d5b6#.s0q3xt6od to get your use case done :)

The TryIt page proposes only a subject name. How testing with http://wso2.org/claims/role for example

I'm running the wso2is-4.6.0
I've created a policy like allowing a user with a specific role to access a resource.
When I TryIt, the WSO2 IS manager just proposes a Subject Name (urn:oasis:names:tc:xacml:1.0:subject:subject-id). I've seen in a previous version of WSO2 IS (see here) that it was possible to define a Subject Attribute Name (in my case it would be http://wso2.org/claims/role).
The result is that I can't test my request with the current version, as the attributeId generated by the WSO2 TryIt tool refers to a subject-id where I need http://wso2.org/claims/role.
Any way to have this Tryit page more customizable ?
Thanks for your help and support
Regards
Vpl
TryIt is a simple tool with which you can create the XACML request. It cannot support all options that are available. However, when it comes to the new version, it seems that attribute ID selection has been removed. But you can fill in the attribute values and create the sample XACML request in XML view. Then you would find that the attribute ID of the created XACML request is urn:oasis:names:tc:xacml:1.0:subject:subject-id. Therefore you can easily modify it to http://wso2.org/claims/role and try out the policy.
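Added example, not from the answer above: the request TryIt builds names the subject under subject-id, and the answer's fix is to change that one AttributeId to the role claim in the XML view. The script below writes out a request of that shape (a constructed XACML 3.0 request, with sample subject, resource and action values) and applies exactly that edit, so you can see the before and after side by side and paste the result into the XML view.

```shell
#!/bin/sh
# Added example, not from the answer: the request TryIt generates names the
# subject by subject-id; rewrite that one AttributeId to the role claim, which
# is the edit the answer suggests making in the XML view. The request layout
# below is a constructed XACML 3.0 request; the values are sample data.
set -eu

# Values go into element content, so escape them; a role name with '<' in it
# must not be able to change the structure of the request.
xml_escape() { sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'; }

# What TryIt hands you: subject as subject-id, plus resource and action.
tryit_request() {   # $1 subject value, $2 resource, $3 action
    s=$(printf '%s' "$1" | xml_escape)
    r=$(printf '%s' "$2" | xml_escape)
    a=$(printf '%s' "$3" | xml_escape)
    cat <<EOF
<Request xmlns="urn:oasis:names:tc:xacml:3.0:core:schema:wd-17" CombinedDecision="false" ReturnPolicyIdList="false">
  <Attributes Category="urn:oasis:names:tc:xacml:1.0:subject-category:access-subject">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$s</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:resource">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:resource:resource-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$r</AttributeValue>
    </Attribute>
  </Attributes>
  <Attributes Category="urn:oasis:names:tc:xacml:3.0:attribute-category:action">
    <Attribute AttributeId="urn:oasis:names:tc:xacml:1.0:action:action-id" IncludeInResult="false">
      <AttributeValue DataType="http://www.w3.org/2001/XMLSchema#string">$a</AttributeValue>
    </Attribute>
  </Attributes>
</Request>
EOF
}

# The edit from the answer: the policy matches on http://wso2.org/claims/role,
# so the subject attribute must carry that id (with a role name as its value).
to_role_request() {   # stdin: TryIt request; stdout: same request keyed on the role claim
    sed 's|AttributeId="urn:oasis:names:tc:xacml:1.0:subject:subject-id"|AttributeId="http://wso2.org/claims/role"|'
}

role_request() {   # $1 role, $2 resource, $3 action
    tryit_request "$1" "$2" "$3" | to_role_request
}

role_request "admin" "http://example.com/reports" "read"
```

If the policy also needs the user's id (for instance to log it via an obligation), keep the subject-id Attribute and add the role as a second Attribute in the same access-subject block rather than replacing it.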

How to dynamically configure rampart on service side

How can I dynamically configure Rampart on the service side? I mean I'd like to use different service keys for different clients.
Any hint or link to a tutorial is a big help.
thanks
To clarify, you want the ability to issue a different token depending on the client credentials? This sounds a lot like a Security Token Service (STS).
It is possible to accept a range of credential options. Rampart makes you implement your own callback class to verify the initial credentials.
You can implement your own TokenIssuer to customize the response (http://axis.apache.org/axis2/java/rampart/setting-up-sts.html) and either bundle that inside your service archive or externalize it. You can use whatever criteria are fit for determining the response token.