OpenID, using delegation, seems to be returning openid1_claimed_id instead of openid.claimed_id
That looks like “an OpenID 1 version of claimed_id” but I can't find it documented anywhere.
Miscellaneous details:
OpenID URL: http://www.zellyn.com/
Delegated to: http://zellyn.myopenid.com/
Using django-socialregistration
# Another query parameter that gets added to the return_to for
# OpenID 1; if the user's session state is lost, use this claimed
# identifier to do discovery when verifying the response.
openid1_return_to_identifier_name = 'openid1_claimed_id'
-- from the python-openid source.
I am trying to set up WSO2 Identity Server behind a reverse proxy for SSL offloading. For example, let's say WSO2 IS is available at https://<some-ip>:9443/ and I am trying to put it behind a reverse proxy with an address such as https://<domain name>/is/. Note the context path /is and SSL port 443. I thought that this would be trivial enough but sadly I am unable to find any conclusive documentation for achieving the same.
My applications are using OIDC to connect to WSO2 IS, with Azure Application Gateway as the reverse proxy. Typically all API calls work well, but neither the UI nor flows involving redirections work, due to the context path. I can also fix redirects by URL rewriting at the reverse proxy but that still doesn't solve the problems. For example, the login page will appear but the XHR call from it will go to /logincontext instead of /is/logincontext. Where can I set up the proxy context path in WSO2 IS? I already tried setting it in the .toml file (equivalent of setting it in carbon.xml) but it seems to affect only the Management Portal.
WSO2 IS documentation talks about setting it up behind nginx but that documentation is not using any path context. I could find reverse proxy documentation for other WSO2 products such as WSO2 API Manager but it only involves updating carbon.xml and that doesn't work for WSO2 IS. I am not a Java person and hence am finding it difficult to figure out the web app organization of WSO2.
Any help/link to documentation/guide to set up with a proxy context will be useful.
I know that this answer comes a little bit late but recently I had a similar issue and here is how I made it work; maybe it could be helpful for someone. I was using WSO2 IS 5.11.0.
Note:
I checked similar questions on Stack Overflow and found a few but none was enough by itself for my case.
Maybe the solution I came up with is not the best or the most correct but it is the only one I could make work.
Here's how I did it, assuming the context path is "is":
Open Carbon Management Console and go to Identity Providers -> Resident. Then, go to Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Here, change the hostname under Identity Provider Entity ID to https://domain_name:443/is/<remaining path>.
Make sure that the port number is present or absent both here and in the client application. If there is a mismatch between the two, for some reason, it won't work (or at least it didn't for me).
Open the file deployment.toml and modify it as follows:
under the [server] section, add your proxy context at the end of the base_path url, e.g. base_path = "https://$ref{server.hostname}:${carbon.management.port}/is";
of course, also add proxy_context_path = "is" (actually, this last line should be enough but for some reason in my case it wasn't, so I had to modify the base path too);
under [transport.https.properties] add proxyPort="443".
For the record, I also turned off compression, by adding:
[transport.http.properties]
compression="off"
[transport.https.properties]
...
compression="off"
and set the token issuer URL equal to the entity id set up in Carbon, with:
[oauth]
use_entityid_as_issuer_in_oidc_discovery = true
but found out that these last two steps (turning off compression and setting the entity id as issuer) weren't needed.
Disable the CSRF guard by setting org.owasp.csrfguard.Enabled = false
in the file /repository/resources/conf/templates/repository/conf/security/Owasp.CsrfGuard.Carbon.properties.j2.
This step was necessary for me to avoid the 403 Error after logging in on the Carbon Console (turning off compression didn't work).
Lastly, if you use nginx as reverse proxy (as I did), add these two lines in the location used for wso2:
proxy_redirect https://domain_name/oauth2/ https://domain_name/is/oauth2/;
proxy_redirect https://domain_name/carbon/ https://domain_name/is/carbon/;
These are needed (or at least were for me) because some URLs are not under the context path. In particular, the last one allows you to open the Carbon Console at https://domain_name/is/carbon/.
References:
wso2 api manger carbon page gives 403 Forbidden
WSO2 Identity Server login returns a 403
WSO2 Identity Server port configuration
To understand the template-based configuration model adopted from version 5.9.0 onwards, see:
https://apim.docs.wso2.com/en/latest/reference/understanding-the-new-configuration-model/
https://mcvidanagama.medium.com/understand-wso2-api-managers-new-configuration-model-6425a2710faa
Here are some useful configuration mappings from the old xml to the new toml based model:
https://github.com/ayshsandu/samples/tree/master/config-mapping
I have followed this link to configure Microsoft Windows Live login
https://docs.wso2.com/display/IS510/Configuring+Microsoft+Windows+Live
In WSO2 log, I can see the Remote Claim that I received from IDP
[2016-05-03 15:47:14,027] DEBUG {org.wso2.carbon.identity.application.authentication.framework.handler.claims.impl.DefaultClaimHandler} - Executing claim handler. isFederatedClaims = true and remote claims = [emails:{"business":null,"personal":null,"preferred":"xyz#gmail.com","account":"xyz#gmail.com"},gender:null,name:,last_name:,id:048ea1532ffb8000,locale:en_US,first_name:,]
I am just wondering how to map the email to local claim URI http://wso2.org/claims/emailaddress because the remote claim contains nested tag (emails:{ business: ..., personal: ... }).
Thanks
Since the remote claim contains a nested tag, you have to extend DefaultClaimHandler and write a claim handler that supports nested tags.
You can configure the new claim handler in
IS_HOME/repository/conf/identity/application-authentication.xml
(in the 'ApplicationAuthentication.Extensions.ClaimHandler' element):
<ClaimHandler>com.wso2.sample.claim.handler.CustomClaimHandler</ClaimHandler>
Thanks
Isura
I'm using django-openid-provider (https://bitbucket.org/romke/django_openid_provider/) and need to test its features before deploying on a real server. I've tried to construct a POST request following the OpenID 2.0 documentation and send it to Django's test server to get an OpenID token.
My post looks like so:
http://192.168.232.151:8008/openid/
BODY:
openid.ns:http://specs.openid.net/auth/2.0
openid.mode:associate
openid.assoc_type:HMAC-SHA256
openid.session_type:DH-SHA256
Also I tried to provide it with a public key (such as openid.dh_modulus, openid.dh_gen, openid.dh_consumer_public) for the Diffie-Hellman algorithm, and sniffed the traffic of an OpenID authentication to get additional keys for the request, but always got 500 Internal Server Error
with
Exception Type: ProtocolError
Exception Value:
No mode value in message <openid.message.Message {('http://openid.net/signon/1.0', u'ns:http://specs.openid.net/auth/2.0\nopenid.mode:associate\nopenid.assoc_type:HMAC-SHA256\nopenid.session_type:DH-SHA256'): u'DH-SHA256EABv%252BfEoZlgh%252BeU71rlInEppkiuX\nopenid.dh_modulus:ANz5OguIOXLsDhmYmsWizjEOHTdxfo2Vcbt2I3MYZuYe91ouJ4mLBX%2BYkcLiemOcPym2CBRYHNOyyjmG0mg3BVd9RcLn5S3IHHoXGHblzqdLFEi%2F368Ygo79JRnxTkXjgmY0rxlJ5bU1zIKaSDuKdiI%2BXUkKJX8Fvf8W8vsixYOr\nopenid.dh_gen:Ag%3D%3D\nopenid.dh_consumer_public:AJs12O5ypo2N%2FL0RJiiOgu9llg2dFsnjthyH49dx6FXz52iDXNkS7gquOm6KEr%2BUfTmktyVMA5DrZwJ%2BrX1jk7sKmXJMmi9%2B7N5fa0wvz%2Fi6nrvg8Oqw31kh%2BtbD9ansUeATSlCfUoRCqeUHEABv%2BfEoZlgh%2BeU71rlInEppkiuX'}>
Debugging the django-openid module I've discovered that constructing the Message object raises this error, but I can not find values of parameters that satisfy the openid-provider server.
Please show me what I'm doing wrong. Am I choosing the hard way? Can I use something that emulates a consumer site with an OpenID client locally? Or maybe someone has a correct example of such a POST request?
Thanks
You are probably best off using a publicly accessible OpenID consumer or an OpenID client library to test django-openid-provider, since constructing an OpenID request manually is inconvenient.
In the past, I've used mod_auth_openid (an Apache module) for testing against django_openid_provider; it works well.
If you are really intent on manually providing the HTTP requests against the OpenID endpoint:
OpenID uses GET requests, not POST requests.
The parameters should be passed in the query string, not in the body.
Using httpie, here's an example of a valid request against an OpenID provider, assuming:
The OpenID endpoint is http://192.168.232.151:8008/openid/
You've used django-openid-provider to create an openid called myopenid
The OpenID consumer (relying party) is http://www.example.com/protected/
The OpenID consumer is protected using mod_auth_openid
Here's the initial request:
$ http get http://192.168.232.151:8008/openid/ \
openid.assoc_handle=={HMAC-SHA256}{42a4370e}{G804lQ====} \
openid.claimed_id==http://192.168.232.151:8008/openid/myopenid/ \
openid.identity==http://192.168.232.151:8008/openid/myopenid/ \
openid.mode==checkid_setup \
openid.ns==http://specs.openid.net/auth/2.0 \
openid.realm==http://www.example.com/protected/ \
openid.return_to==http://www.example.com/protected/?modauthopenid.nonce=qAgqlNCdLl \
openid.trust_root==http://www.example.com/protected/
This is equivalent to:
$ curl 'http://192.168.232.151:8008/openid/?openid.assoc_handle=%7BHMAC-SHA256%7D%7B42a4370e%7D%7BG804lQ%3D%3D%3D%3D%7D&openid.claimed_id=http%3A%2F%2F192.168.232.151%3A8008%2Fopenid%2Fmyopenid%2F&openid.identity=http%3A%2F%2F192.168.232.151%3A8008%2Fopenid%2Fmyopenid%2F&openid.mode=checkid_setup&openid.ns=http%3A%2F%2Fspecs.openid.net%2Fauth%2F2.0&openid.realm=http%3A%2F%2Fwww.example.com%2Fprotected%2F&openid.return_to=http%3A%2F%2Fwww.example.com%2Fprotected%2F%3Fmodauthopenid.nonce%3DqAgqlNCdLl&openid.trust_root=http%3A%2F%2Fwww.example.com%2Fprotected%2F'
Note that the openid.assoc_handle and modauthopenid.nonce values are not valid in this example; you'd have to generate proper values for those.
If this succeeds, then the server should redirect you via 302 to http://www.example.com/protected/ with a number of query parameter arguments.
Also note that this is only the initial step in the protocol, there are additional requests involved.
But you really don't want to manually craft these OpenID HTTP requests. Use an OpenID library or an OpenID consumer instead.
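As an added example (not code from the answer above or from django-openid-provider), the following builds the same checkid_setup request as a properly encoded GET URL and applies the return_to/realm check an OpenID Provider performs before redirecting; the endpoint, identity and realm are the ones from the answer, and the assoc_handle is the answer's placeholder value.

```python
"""Build an OpenID 2.0 checkid_setup URL and apply the realm check an OP
runs on openid.return_to (OpenID 2.0 section 9.2). Added example; the
values below mirror the answer and are not real credentials."""
from urllib.parse import urlencode, urlsplit

OPENID_NS = "http://specs.openid.net/auth/2.0"


def build_checkid_setup_url(endpoint, identity, realm, return_to, assoc_handle=None):
    """Put the parameters in the query string (GET), not in a POST body."""
    params = {
        "openid.ns": OPENID_NS,
        "openid.mode": "checkid_setup",
        "openid.claimed_id": identity,
        "openid.identity": identity,
        "openid.realm": realm,
        "openid.return_to": return_to,
    }
    if assoc_handle:
        params["openid.assoc_handle"] = assoc_handle
    return endpoint + "?" + urlencode(params)


def _effective_port(parts):
    return parts.port or (443 if parts.scheme == "https" else 80)


def return_to_matches_realm(realm, return_to):
    """Realm matching: no fragment in the realm; scheme, port and host must
    agree (a '*.' realm host also matches subdomains); the realm path must be
    a prefix of the return_to path. An OP refuses to redirect otherwise."""
    r, u = urlsplit(realm), urlsplit(return_to)
    if r.fragment or r.scheme != u.scheme:
        return False
    if _effective_port(r) != _effective_port(u):
        return False
    rhost = (r.hostname or "").lower()
    uhost = (u.hostname or "").lower()
    if rhost.startswith("*."):
        base = rhost[2:]
        if not (uhost == base or uhost.endswith("." + base)):
            return False
    elif rhost != uhost:
        return False
    return (u.path or "/").startswith(r.path or "/")
```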
If I enable the option given in Advanced Settings, it gives me Bad Request or error code 400.
If I enable this option, what is the required value of AppSecret_Proof parameter?
If you visit GitHub and have a look at their PHP SDK's code, you'll find how they generate appsecret_proof's value.
This part was recently added so you have to refer to the latest version of PHP SDK. To activate/inactivate, as you already know, you have to visit App Dashboard > Setting > Advanced.
EDIT: 2013-08-09
Now they have official document.
From the documentation article Securing Graph API Requests:
The app secret proof is a sha256 hash of your access token, using the app secret as the key. Here's what the call looks like in PHP:
$appsecret_proof = hash_hmac('sha256', $access_token, $app_secret);
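As an added example (not from the answer or the Facebook SDK), the same computation in Python, together with the check a server performs on the presented proof; the token and secret are constructed sample values.

```python
"""appsecret_proof: HMAC-SHA256 over the access token, keyed with the app
secret, hex-encoded, equivalent to PHP's
hash_hmac('sha256', $access_token, $app_secret). Added example; the token
and secret are constructed placeholders, not real credentials."""
import hashlib
import hmac
from urllib.parse import urlencode


def appsecret_proof(access_token: str, app_secret: str) -> str:
    return hmac.new(app_secret.encode(), access_token.encode(),
                    hashlib.sha256).hexdigest()


def graph_query(access_token: str, app_secret: str, **fields) -> str:
    """Query string for a Graph API call with the proof attached, so a
    request carrying only a token (no proof) is rejected with a 400."""
    params = {"access_token": access_token,
              "appsecret_proof": appsecret_proof(access_token, app_secret)}
    params.update(fields)
    return urlencode(params)


def verify_proof(access_token: str, app_secret: str, presented: str) -> bool:
    """Server side: recompute and compare in constant time. A token replayed
    from a different app (or without the proof) does not pass."""
    expected = appsecret_proof(access_token, app_secret)
    return hmac.compare_digest(expected, presented.lower())
```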
I am using django-openid from http://github.com/simonw/django-openid.
But no matter which OpenID I enter it gives out this error: "Error using OpenID", "The OpenID was invalid"
Update:
Got it to work with django-openid. It seems the error was because I was using localhost. So I had to create a local OpenID server to make it work.
Also I found out a better implementation of Django OpenID, django-openid-auth, hosted at https://launchpad.net/django-openid-auth.
A working example of django-openid-auth: http://www.rohanjain.in/.
From what I have heard Django-openid is incomplete. You might want to try out Django-Socialauth instead. It supports OpenID and gives you a few other options as well.