Adding Service Provider to WSO2 Identity Server via file is not working
I want to configure a service provider in WSO2 IDS that is available right from the start. For this I followed these instructions: Adding a service provider
However, when I start IDS and try to make a call to retrieve a token, I get the following response:
{
"error_description": "A valid OAuth client could not be found for client_id: service-provider-fuga",
"error": "invalid_client"
}
The log in the WSO2 IDS terminal shows the following:
[2021-08-05 14:06:55,111] [0d5f9d6c-5f87-4dc3-a87f-cb473cd4127c] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Error while finding application state for application with client_id: 1ou1fLDyFA9BEqywVtrR6vAxc48a org.wso2.carbon.identity.oauth.common.exception.InvalidOAuthClientException: Cannot find an application associated with the given consumer key : 1ou1fLDyFA9BEqywVtrR6vAxc48a
at org.wso2.carbon.identity.oauth.dao.OAuthAppDAO.handleRequestForANonExistingConsumerKey(OAuthAppDAO.java:1154)
at org.wso2.carbon.identity.oauth.dao.OAuthAppDAO.getAppInformation(OAuthAppDAO.java:354)
at org.wso2.carbon.identity.oauth2.util.OAuth2Util.getAppInformationByClientId(OAuth2Util.java:1887)
The request I make looks like this: https://localhost:9443/oauth2/token?grant_type=password&client_id=service-provider-fuga&client_secret=...&username=user&password=...
The service provider file placed at /home/wso2carbon/wso2-config-volume/repository/conf/identity/service-providers/service-provider.xml looks like this:
<?xml version="1.0" encoding="UTF-8"?>
<ServiceProvider>
  <ApplicationName>service-provider-fuga</ApplicationName>
  <Description>Service Provider configuration for FUGA</Description>
  <JwksUri/>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>1ou1fLDyFA9BEqywVtrR6vAxc48a</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
  <oauthConsumerKey>1ou1fLDyFA9BEqywVtrR6vAxc48a</oauthConsumerKey>
  <oauthConsumerSecret>...</oauthConsumerSecret>
  <applicationName>service-provider-fuga</applicationName>
  <callbackUrl></callbackUrl>
  <oauthVersion>OAuth-2.0</oauthVersion>
  <grantTypes>refresh_token password </grantTypes>
  <scopeValidators/>
  <pkceSupportPlain>true</pkceSupportPlain>
  <pkceMandatory>false</pkceMandatory>
  <state>ACTIVE</state>
  <userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
  <applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
  <refreshTokenExpiryTime>86400</refreshTokenExpiryTime>
  <idTokenExpiryTime>3600</idTokenExpiryTime>
  <audiences/>
  <bypassClientCredentials>true</bypassClientCredentials>
  <renewRefreshTokenEnabled>true</renewRefreshTokenEnabled>
  <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
  <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
  <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
  <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
  <tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps>
      <AuthenticationStep>
        <StepOrder>1</StepOrder>
        <LocalAuthenticatorConfigs>
          <LocalAuthenticatorConfig>
            <Name>FugaAuthenticator</Name>
            <DisplayName>FUGA Authenticator</DisplayName>
            <IsEnabled>true</IsEnabled>
            <Properties/>
          </LocalAuthenticatorConfig>
        </LocalAuthenticatorConfigs>
        <FederatedIdentityProviders/>
        <SubjectStep>false</SubjectStep>
        <AttributeStep>false</AttributeStep>
      </AuthenticationStep>
    </AuthenticationSteps>
    <AuthenticationType>local</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <SkipConsent>false</SkipConsent>
    <skipLogoutConsent>false</skipLogoutConsent>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>true</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings/>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects/>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>true</IsSaaSApp>
  <ImageUrl/>
  <AccessUrl/>
  <IsDiscoverable>true</IsDiscoverable>
</ServiceProvider>
When I try to upload the file manually via the management console of WSO2 IDS, I get an error that the application already exists.
When I start IDS without the service provider step and upload the file manually, the authentication request works.
The WSO2 IDS version where this happens is 5.10.
WSO2 IS does not support adding OAuth application configuration via files inside /repository/conf/identity/service-providers/. For OAuth applications we need entries in the database to manage the tokens issued for the application, so file-based storage is not applicable to OAuth applications.
When I attempt to upload the file manually via the management console of WSO2 IDS I get an error that the application already exists.
This is expected, even though WSO2 IS does not support OAuth applications from file-based configuration. Placing the file in /repository/conf/identity/service-providers/ will be treated as an application in the system (because WSO2 IS supports multiple inbound protocols, SAML or OAuth, for the same application).
Answering my own question with the approach we took. It may be useful to others.
Since we are deploying WSO2 Identity Server into a Kubernetes environment using Helm, we decided to create a Job that inserts the service provider via the WSO2 management API. The Job we created looks like this:
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-identityserver.service-provider-fuga
  labels:
    system: identity-service
spec:
  template:
    spec:
      restartPolicy: OnFailure
      initContainers:
        - name: wait-for-ids
          image: groundnuty/k8s-wait-for:v1.3
          args:
            - "pod"
            - "-ldeployment=identityserver"
      containers:
        - name: import-service-provider-fuga
          image: curlimages/curl:7.72.0
          args:
            - /bin/sh
            - -ec
            - "curl --location --request POST 'http://{{ .Release.Name }}-identityserver-service:9763/api/server/v1/applications/import' --header 'Authorization: Basic YWRtaW46c3VwZXJTZWNyZXQ=' --form 'file=@\"/service-provider.xml\"'"
          volumeMounts:
            - name: identity-server-conf
              mountPath: /service-provider.xml
              subPath: service-provider.xml
      volumes:
        - name: identity-server-conf
          configMap:
            name: {{ .Release.Name }}-identityserver.cm
The wait-for-ids container makes the Job wait until all IDS pods are running. The central part of the Job calls the IDS management API to import the service provider. The service provider XML file is stored in a ConfigMap.
We ended up adding the service provider via a Kubernetes Job after IDS has started. The Job looks like this:
apiVersion: batch/v1
kind: Job
metadata:
  name: {{ .Release.Name }}-identityserver.service-provider-fuga
  labels:
    system: identity-service
spec:
  template:
    spec:
      restartPolicy: OnFailure
      initContainers:
        - name: wait-for-ids
          image: groundnuty/k8s-wait-for:v1.3
          args:
            - "pod"
            - "-ldeployment=identityserver"
      containers:
        - name: import-service-provider-fuga
          image: curlimages/curl:7.72.0
          args:
            - /bin/sh
            - -ec
            - "curl --location --request POST 'http://{{ .Release.Name }}-identityserver-service:9763/api/server/v1/applications/import' --header 'Authorization: Basic {{ (printf "%s:%s" .Values.identityserver.management.admin.user .Values.identityserver.management.admin.password) | b64enc }}' --form 'file=@\"/service-provider-fuga.xml\"'"
          volumeMounts:
            - name: identity-server-conf
              mountPath: /service-provider-fuga.xml
              subPath: service-provider-fuga.xml
      volumes:
        - name: identity-server-conf
          configMap:
            name: {{ .Release.Name }}-identityserver.cm
The service provider configuration is shared via a ConfigMap.
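The curl step of the Jobs above, as an added example that is not part of the original answers: a wrapper script the import container could run instead of the inline command. It reads the admin credentials from the environment (so they can come from a Kubernetes Secret rather than the chart), polls the Application Management API until it answers, and only imports when no application of that name exists yet, which avoids the "application already exists" failure on a re-run. It assumes the variables IS_BASE_URL, IS_ADMIN_USER and IS_ADMIN_PASS, and that the list call GET /api/server/v1/applications?filter=name+eq+<name> returns JSON with a "totalResults" field (all of these are assumptions, not taken from the page).

```shell
#!/bin/sh
# Added example, not code from the original question or answers: an idempotent
# wrapper for the curl step in the Jobs above.
# Assumptions (hypothetical, not from the page): IS_BASE_URL points at the
# management port, e.g. http://<release>-identityserver-service:9763;
# IS_ADMIN_USER / IS_ADMIN_PASS come from a Kubernetes Secret; the list call
# GET /api/server/v1/applications?filter=name+eq+<name> answers with JSON that
# carries a "totalResults" field.

# Basic auth header from user and password. base64 is encoding, not
# protection, so the pair belongs in a Secret, not in the chart template.
basic_auth_header() {
  printf 'Authorization: Basic %s' "$(printf '%s:%s' "$1" "$2" | base64 | tr -d '\n')"
}

# "totalResults" from an application list response; prints 0 when absent.
total_results() {
  n=$(printf '%s' "$1" | tr -d ' \n' | sed -n 's/.*"totalResults":\([0-9]*\).*/\1/p')
  printf '%s' "${n:-0}"
}

# <ApplicationName> from the service-provider XML, so the existence check uses
# the same name the import registers (the CDATA <applicationName> is skipped).
application_name() {
  sed -n 's/.*<ApplicationName>\([^<]*\)<\/ApplicationName>.*/\1/p' "$1" | head -n 1
}

import_service_provider() {
  file=$1
  name=$(application_name "$file")
  auth=$(basic_auth_header "$IS_ADMIN_USER" "$IS_ADMIN_PASS")
  api="$IS_BASE_URL/api/server/v1/applications"
  # A pod in phase Running is not yet an answering API; poll the endpoint.
  until curl -fsS -o /dev/null -H "$auth" "$api?limit=1"; do sleep 5; done
  listing=$(curl -fsS -H "$auth" "$api?filter=name+eq+$name")
  if [ "$(total_results "$listing")" -gt 0 ]; then
    echo "application '$name' already exists, skipping import"
    return 0
  fi
  # Same call as the Job, with the credentials no longer inlined.
  curl -fsS -X POST -H "$auth" -F "file=@$file" "$api/import"
}

# Only run the import when explicitly asked (RUN_IMPORT=1 in the Job env).
if [ "${RUN_IMPORT:-0}" = "1" ]; then
  import_service_provider "${SP_FILE:-/service-provider-fuga.xml}"
fi
```

In the Job, mount the script next to the XML from the same ConfigMap and set RUN_IMPORT=1 with the three variables taken from a Secret via `env`/`secretKeyRef`.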