Adding Service Provider to WSO2 Identity Server via file is not working

I want to configure a service provider in WSO2 IDS that is available from the start. For this I followed these instructions: Adding a service provider

However, when I start the IDS and try to make a call to retrieve a token, I get the following response:

{
    "error_description": "A valid OAuth client could not be found for client_id: service-provider-fuga",
    "error": "invalid_client"
}

The log in the WSO2 IDS terminal shows the following:

[2021-08-05 14:06:55,111] [0d5f9d6c-5f87-4dc3-a87f-cb473cd4127c] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error while finding application state for application with client_id: 1ou1fLDyFA9BEqywVtrR6vAxc48a org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException: Cannot find an application associated with the given consumer key : 1ou1fLDyFA9BEqywVtrR6vAxc48a
    at org.wso2.carbon.identity.oauth.dao.OAuthAppDAO.handleRequestForANonExistingConsumerKey(OAuthAppDAO.java:1154)
    at org.wso2.carbon.identity.oauth.dao.OAuthAppDAO.getAppInformation(OAuthAppDAO.java:354)
    at org.wso2.carbon.identity.oauth2.util.OAuth2Util.getAppInformationByClientId(OAuth2Util.java:1887)

The request I make is as follows: https://localhost:9443/oauth2/token?grant_type=password&client_id=service-provider-fuga&client_secret=...&username=user&password=...

The service provider file placed in /home/wso2carbon/wso2-config-volume/repository/conf/identity/service-providers/service-provider.xml is as follows:

<?xml version="1.0" encoding="UTF-8"?>
<ServiceProvider>
    <ApplicationName>service-provider-fuga</ApplicationName>
    <Description>Service Provider configuration for FUGA</Description>
    <JwksUri/>
    <InboundAuthenticationConfig>
        <InboundAuthenticationRequestConfigs>
            <InboundAuthenticationRequestConfig>
                <InboundAuthKey>1ou1fLDyFA9BEqywVtrR6vAxc48a</InboundAuthKey>
                <InboundAuthType>oauth2</InboundAuthType>
                <InboundConfigType>standardAPP</InboundConfigType>
                <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>1ou1fLDyFA9BEqywVtrR6vAxc48a</oauthConsumerKey>
    <oauthConsumerSecret>...</oauthConsumerSecret>
    <applicationName>service-provider-fuga</applicationName>
    <callbackUrl></callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>refresh_token password </grantTypes>
    <scopeValidators/>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <state>ACTIVE</state>
    <userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>86400</refreshTokenExpiryTime>
    <idTokenExpiryTime>3600</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>true</bypassClientCredentials>
    <renewRefreshTokenEnabled>true</renewRefreshTokenEnabled>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
                <Properties/>
            </InboundAuthenticationRequestConfig>
        </InboundAuthenticationRequestConfigs>
    </InboundAuthenticationConfig>
    <LocalAndOutBoundAuthenticationConfig>
        <AuthenticationSteps>
            <AuthenticationStep>
                <StepOrder>1</StepOrder>
                <LocalAuthenticatorConfigs>
                    <LocalAuthenticatorConfig>
                        <Name>FugaAuthenticator</Name>
                        <DisplayName>FUGA Authenticator</DisplayName>
                        <IsEnabled>true</IsEnabled>
                        <Properties/>
                    </LocalAuthenticatorConfig>
                </LocalAuthenticatorConfigs>
                <FederatedIdentityProviders/>
                <SubjectStep>false</SubjectStep>
                <AttributeStep>false</AttributeStep>
            </AuthenticationStep>
        </AuthenticationSteps>
        <AuthenticationType>local</AuthenticationType>
        <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
        <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
        <UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
        <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
        <SkipConsent>false</SkipConsent>
        <skipLogoutConsent>false</skipLogoutConsent>
        <EnableAuthorization>false</EnableAuthorization>
    </LocalAndOutBoundAuthenticationConfig>
    <RequestPathAuthenticatorConfigs/>
    <InboundProvisioningConfig>
        <ProvisioningUserStore/>
        <IsProvisioningEnabled>false</IsProvisioningEnabled>
        <IsDumbModeEnabled>false</IsDumbModeEnabled>
    </InboundProvisioningConfig>
    <OutboundProvisioningConfig>
        <ProvisioningIdentityProviders/>
    </OutboundProvisioningConfig>
    <ClaimConfig>
        <RoleClaimURI/>
        <LocalClaimDialect>true</LocalClaimDialect>
        <IdpClaim/>
        <ClaimMappings/>
        <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
        <SPClaimDialects/>
    </ClaimConfig>
    <PermissionAndRoleConfig>
        <Permissions/>
        <RoleMappings/>
        <IdpRoles/>
    </PermissionAndRoleConfig>
    <IsSaaSApp>true</IsSaaSApp>
    <ImageUrl/>
    <AccessUrl/>
    <IsDiscoverable>true</IsDiscoverable>
</ServiceProvider>

When I try to upload the file manually via the management console of WSO2 IDS, I get an error that the application already exists.

When I start the IDS without the service provider in place and upload it manually, the authentication request works.

The WSO2 IDS version where this happens is 5.10.

WSO2 IS does not support adding OAuth application configurations via files inside /repository/conf/identity/service-providers/. For OAuth applications we need entries in the database to manage the tokens issued for the application, so file-based storage does not work for OAuth applications.

When I attempt to upload the file manually via the management console of WSO2 IDS, I get an error that the application already exists.

This is expected, even though WSO2 IS does not support OAuth applications from file-based configuration. A file placed in /repository/conf/identity/service-providers/ is still treated as an application in the system (since WSO2 IS supports multiple inbound protocols for the same application, SAML or OAuth).

Answering my own question with the approach we took. It may be useful for others.

Since we are deploying WSO2 Identity Server into a Kubernetes environment using Helm, we decided to create a Job that inserts the service provider via the WSO2 management API. The Job we created looks like this:

apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-identityserver.service-provider-fuga
  labels:
    system: identity-service
spec:
  template:
    spec:
      restartPolicy: OnFailure
      initContainers:
        - name: wait-for-ids
          image: groundnuty/k8s-wait-for:v1.3
          args:
            - "pod"
            - "-ldeployment=identityserver"
      containers:
        - name: import-service-provider-fuga
          image: curlimages/curl:7.72.0
          args:
          - /bin/sh
          - -ec
          - "curl --location --request POST 'http://{{ .Release.Name }}-identityserver-service:9763/api/server/v1/applications/import' --header 'Authorization: Basic YWRtaW46c3VwZXJTZWNyZXQ=' --form 'file=@\"/service-provider.xml\"'"
          volumeMounts:
            - name: identity-server-conf
              mountPath: /service-provider.xml
              subPath: service-provider.xml
      volumes:
        - name: identity-server-conf
          configMap:
            name: {{ .Release.Name }}-identityserver.cm

The wait-for-ids container makes the Job wait until all IDS pods are running. The central part of the Job calls the IDS management API to import the service provider. The service provider XML file is stored in a ConfigMap.

We ended up adding the service provider through a Kubernetes Job after the IDS has started. The Job looks like this:

apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-identityserver.service-provider-fuga
  labels:
    system: identity-service
spec:
  template:
    spec:
      restartPolicy: OnFailure
      initContainers:
        - name: wait-for-ids
          image: groundnuty/k8s-wait-for:v1.3
          args:
            - "pod"
            - "-ldeployment=identityserver"
      containers:
        - name: import-service-provider-fuga
          image: curlimages/curl:7.72.0
          args:
          - /bin/sh
          - -ec
          - "curl --location --request POST 'http://{{ .Release.Name }}-identityserver-service:9763/api/server/v1/applications/import' --header 'Authorization: Basic {{ (printf "%s:%s" .Values.identityserver.management.admin.user .Values.identityserver.management.admin.password) | b64enc }}' --form 'file=@\"/service-provider-fuga.xml\"'"
          volumeMounts:
            - name: identity-server-conf
              mountPath: /service-provider-fuga.xml
              subPath: service-provider-fuga.xml
      volumes:
        - name: identity-server-conf
          configMap:
            name: {{ .Release.Name }}-identityserver.cm

The service provider configuration is shared via a ConfigMap.
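The import step of both Job versions above, written out as a small POSIX shell script. This is an added example and not part of the original answer or of the WSO2 project. It assumes the admin credentials arrive in the environment variables IDS_ADMIN_USER and IDS_ADMIN_PASSWORD (for instance injected from a Kubernetes Secret with envFrom), so the base64 Authorization value is computed at run time rather than stored in the Job manifest, and it assumes IDS_URL points at the management port (http://...-identityserver-service:9763). The readiness loop and the treatment of HTTP 409 as "application already exists" are assumptions about the server's behaviour, not documented WSO2 API contracts; everything else uses only the endpoint and curl options already shown in the answer.

```shell
#!/bin/sh
# Added example: import a service provider into WSO2 IS through the
# applications import API, with the credential built from env vars.
set -e

# Base64 of "user:password", the value expected after "Basic " in the header.
basic_auth_value() {
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# Map the HTTP status of the import call to an outcome string.
# Assumption: 409 means the application already exists (re-run of the Job),
# which we treat as success so the Job stays idempotent.
classify_import_status() {
    case "$1" in
        200|201) echo imported ;;
        409)     echo exists ;;
        *)       echo failed ;;
    esac
}

# Poll the base URL until curl gets any HTTP answer (status other than 000),
# at most $2 attempts, one second apart. Returns 1 if the server never answered.
wait_for_ids() {
    url="$1"; attempts="${2:-30}"; i=0
    while [ "$i" -lt "$attempts" ]; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$url" || true)
        [ "$code" != "000" ] && return 0
        i=$((i + 1)); sleep 1
    done
    return 1
}

# POST the service provider XML; print the classified outcome and
# return non-zero only for a real failure.
import_service_provider() {
    url="$1"; auth="$2"; file="$3"
    code=$(curl -sS -L -o /dev/null -w '%{http_code}' \
        -X POST "$url/api/server/v1/applications/import" \
        -H "Authorization: Basic $auth" \
        -F "file=@$file")
    outcome=$(classify_import_status "$code")
    echo "import of $file: $outcome (HTTP $code)"
    [ "$outcome" != failed ]
}

# Main flow, only when IDS_URL is set (keeps the functions sourceable).
if [ -n "${IDS_URL:-}" ]; then
    auth=$(basic_auth_value "$IDS_ADMIN_USER" "$IDS_ADMIN_PASSWORD")
    wait_for_ids "$IDS_URL" 60
    import_service_provider "$IDS_URL" "$auth" "${SP_FILE:-/service-provider-fuga.xml}"
fi
```

In the Job this replaces the inline curl command: mount the script from the ConfigMap next to the XML, reference the admin Secret with envFrom, and the manifest no longer carries a decodable credential. Because a re-run hits the "already exists" case, the Job can be applied on every Helm upgrade without failing.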