问题
I am integrating WSO2AM with our in-house proprietary Identity Provider (IDP). I was following the wso2 documentation "Exchanging SAML2 Bearer Tokens with OAuth2 - SAML Extension Grant Type". I have added Identity Providers in API Manager's management console and added public certificate .pem of IDP. Next I added wso2am as service provider on our IDP. I have generated a saml token from idp and i now i am ready to exchange it for OAuth token from API Manager. I am getting following error:
{
"error": "invalid_grant",
"error_description": "Provided Authorization Grant is invalid"
}
Following are my parameters to API call:
curl -X POST -H "Content-Type: application/x-www-form-urlencoded" -H "Authorization: Basic xxxxxx" -H "Cache-Control: no-cache" -H "Postman-Token: 83896bce-7243-7580-a616-19232c372ff7" -d 'grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=xxxxxx&scope=PRODUCTION' "https://<wso2am-host>:9443/oauth2/token"
Where assertion is base64 encoded SAML token and Authorization is Base64 encoded consumer key:consumer secret.
please advise whats wrong. thanks.
回答1:
I faced similar issue because of audience restriction did not match. Audience element in the saml response had the ip address and the configuration when creation the SP had domain name. But AM does a string match to check the audience thus it failed. You can enable debug and trouble shoot the issue more.
add below line in /repository/conf/log4j.prorperties and start the server for debug
log4j.logger.org.wso2.carbon.identity.oauth2=DEBUG
来源:https://stackoverflow.com/questions/41817168/wso2am-saml-provided-authorization-grant-is-invalid