WSO2 Custom claim handler not being called for password grant_type

I have been using WSO2IS as an OIDC provider. I have implemented a custom claim handler, which works fine and is called when WSO2 receives grant_type "authorization_code". The problem starts when the service provider sends a request with grant_type=password. In that case WSO2 authenticates the user successfully and returns a JWT, but... without the custom claims, because WSO2 does not call the custom claim handler.

This is the configuration I made in the file <IS_HOME>/repository/conf/identity/application-authentication.xml for the custom claim handler that is called for grant_type=authorization_code.

<ClaimHandler>com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler</ClaimHandler>

This is the debug log from WSO2:

TID: [-1234] [] [2018-04-06 11:34:38,199] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID EjQvbCf0pclp6eVO5lxTq23_lxQa, User ID userldap, Scope : [ openid, email] and Grant Type : password
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : password Strict client validation set to : null
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,207] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Oauth App validation success for consumer key: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,209] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - Pre authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : ref from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountDisabled in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - Handling event : PRE_AUTHENTICATION
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - PreAuthenticate - AdminForcedPasswordResetHandler for user : userldap@carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.recovery.handler.AccountConfirmationValidationHandler} - PreAuthenticate
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,217] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : accountLock from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountLocked in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : userldap@carbon.superScope : email openid , Authentication State : true
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : userldap@carbon.super Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : userldap@carbon.super Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - SP wise token expiry time feature is applied for tenant id : -1234and consumer key : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Service Provider specific expiry time enabled for application : EjQvbCf0pclp6eVO5lxTq23_lxQa. Application access token expiry time : null, User access token expiry time : null, Refresh token expiry time : null
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - OAuth application id : EjQvbCf0pclp6eVO5lxTq23_lxQa, access token validity time in milliseconds : 3600000
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token e88de89f-70d4-33d5-b447-5cd0135fd682 found in cache
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: EjQvbCf0pclp6eVO5lxTq23_lxQa username: userldap@carbon.super and scopes: email openid
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Issuing ID token for client: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,233] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,236] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,237] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Retrieve access token for tokenId: e88de89f-70d4-33d5-b447-5cd0135fd682 with flag includeExpired: false
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder} - Using issuer https://localhost:9445/oauth2/token Subject userldap ID Token life time 3600 Current time 1523032478 Nonce Value null Signature Algorithm RS256
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - Adding claims for user userldap@carbon.super to id token.
TID: [-1234] [] [2018-04-06 11:34:38,247] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - User attributes not found in cache. Trying to retrieve attribute for user userldap@carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,249] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,255] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,256] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21

If anyone can point out what I am missing, or what else I could try, that would be a great help.

Thanks.

Claim handlers participate as part of the authentication process in the authentication framework that resides in the Identity Server.

When you use the authorization code grant type, user authentication is handled through the authentication framework. This also means that any claims added/modified by the custom claim handler will be processed.

However, when you use the password grant type, user authentication and claim retrieval go through the respective user store where the user resides. Since this authentication does not go through the authentication framework, your custom claim handler will not participate.

Is there any specific reason for writing a custom claim handler for OIDC?

If you want to get custom claims through OIDC, you can follow the steps below.

  1. Go to Management Console -> Claims -> Add -> Add External Claim -> select the dialect URI http://wso2.org/oidc/claim, enter your custom claim URI as the external claim URI, and map the appropriate local claim.

  2. After successfully adding the custom claim under the OIDC dialect, you must mention the newly added custom claim URI in the registry under the openid scope at the path below: Registry -> Browse -> /_system/config/oidc, then click the Add button under Properties. There you can see the scope values.
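The answer's two steps boil down to one rule: an OIDC claim only reaches the ID token if it is (a) defined in the http://wso2.org/oidc/claim dialect and (b) listed in the comma-separated claim list of a requested scope under /_system/config/oidc. The script below is an added example, not code from the question, the answer or WSO2. It models the per-scope registry properties as a plain dict, applies the step-2 change (append the custom claim to the openid scope), and then decodes an ID token payload to report which promised claims are absent. The scope contents, the sample token, its claim values and the custom claim name "department" are all constructed for the example; the issuer, subject, client ID and lifetime are taken from the log above. The decode helper deliberately does not verify the RS256 signature, so it is a diagnostic for a token you just received from the issuer, not a verifier.

```python
import base64
import json

# Constructed stand-in for the per-scope registry properties under
# /_system/config/oidc (scope name -> comma-separated OIDC claim URIs).
# The claim lists below are made up for the example.
SCOPE_CLAIMS = {
    "openid": "sub,email,given_name,family_name",
    "email": "email,email_verified",
}

# Assumed name for the custom OIDC claim being added in step 1/2.
CUSTOM_CLAIM = "department"


def claims_for_scopes(scope_config, requested_scopes):
    """Claims the configured scopes release for one token request."""
    released = set()
    for scope in requested_scopes:
        entries = scope_config.get(scope, "").split(",")
        released.update(e.strip() for e in entries if e.strip())
    return released


def add_claim_to_scope(scope_config, scope, claim):
    """Return a copy of the mapping with `claim` appended to `scope`
    (what step 2 of the answer does by hand in the registry browser)."""
    updated = dict(scope_config)
    current = [e.strip() for e in updated.get(scope, "").split(",") if e.strip()]
    if claim not in current:
        current.append(claim)
    updated[scope] = ",".join(current)
    return updated


def _b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt_payload(token):
    """Decode the payload of a compact JWT without checking its signature.
    Only for inspecting a token just received from the issuer over TLS;
    any authorization decision must verify the RS256 signature against
    the issuer's JWKS first."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    padded = parts[1] + "=" * (-len(parts[1]) % 4)
    return json.loads(base64.urlsafe_b64decode(padded))


def missing_claims(token, scope_config, requested_scopes):
    """Claims the scope config promises for `requested_scopes` but the token lacks."""
    expected = claims_for_scopes(scope_config, requested_scopes)
    present = set(decode_jwt_payload(token))
    return sorted(expected - present)


def make_sample_id_token(payload):
    """Build a CONSTRUCTED ID token with a placeholder signature (offline use only)."""
    header = {"alg": "RS256", "typ": "JWT", "kid": "placeholder-kid"}
    return ".".join([
        _b64url(json.dumps(header).encode()),
        _b64url(json.dumps(payload).encode()),
        _b64url(b"placeholder-signature"),
    ])


# Constructed payload shaped like the token the log shows being issued
# (issuer, subject, client, 3600 s lifetime); it carries no custom claim.
SAMPLE_ID_TOKEN = make_sample_id_token({
    "iss": "https://localhost:9445/oauth2/token",
    "sub": "userldap",
    "aud": "EjQvbCf0pclp6eVO5lxTq23_lxQa",
    "iat": 1523032478,
    "exp": 1523032478 + 3600,
    "email": "userldap@example.invalid",
    "email_verified": True,
    "given_name": "Example",
    "family_name": "User",
})


if __name__ == "__main__":
    scopes = ["openid", "email"]           # the scopes requested in the log
    print("missing before step 2:", missing_claims(SAMPLE_ID_TOKEN, SCOPE_CLAIMS, scopes))
    updated = add_claim_to_scope(SCOPE_CLAIMS, "openid", CUSTOM_CLAIM)
    print("openid scope after step 2:", updated["openid"])
    print("missing after step 2:", missing_claims(SAMPLE_ID_TOKEN, updated, scopes))
```

Run against a real token, the "missing after step 2" list tells you whether the gap is in the scope configuration (claim never promised) or in the claim mapping (claim promised but the user store returned nothing for it), which is the distinction the answer draws between the framework path and the user-store path.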