Question
I configured the WSO2 Identity Server to be a Key Manager for WSO2 API Manager.
This is what I have done:
- I created an Application in API Manager and published it. [OK]
- I created an API and subscribed to it in the Store. [OK]
- I am using a NodeJS application as the client application and Go as the resource provider.
This is the Passport configuration using the passport-saml strategy:
```javascript
var passport = require('passport');
var SamlStrategy = require('passport-saml').Strategy;

passport.use(new SamlStrategy({
  path: configSaml.path,                 // callback path the IdP posts the SAMLResponse to
  entryPoint: configSaml.entryPoint,     // IdP SSO URL (WSO2 IS samlsso endpoint)
  issuer: configSaml.issuer,             // SP entity id registered in WSO2 IS
  decryptionPvk: configSaml.decryptionPvk,
  validateInResponseTo: true
}, function(profile, done) {
  done(null, profile);
}));
```
It works great.
This is where I get the problem: when I try to get the access token with the SAML 2.0 bearer grant. This is the code:
```javascript
app.post('/login/callback', function(req, res, next) {
  passport.authenticate('saml', function(err, user, info) {
    Log.d("OAuth Callback", arguments);
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    //req.logIn(user, function(err) {
    //  if (err) { return next(err); }
    //  return res.send(user);
    //});
    request.post({
      url: "https://localhost:9444/oauth2/token",
      headers: {
        'Content-Type': 'application/x-www-form-urlencoded',
        'charset': "UTF-8",
        // client_id:client_secret of the API Manager application
        "Authorization": "Basic " + new Buffer("Ihd6BrTufShu7GPR4QXlypoIlsca:gTyBdDVd0zGQZRr29NhPoooHpeka").toString("base64")
      },
      // RFC 7522 saml2-bearer grant; the assertion is base64url-encoded
      body: "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=" +
        require("base64-url").encode(user.getAssertionXml()) +
        "&scope=PRODUCTION"
    }, function(err, httpResponse, body) {
      Log.d("Http Error", err);
      res.json(body);
    });
  })(req, res, next);
});
```
The response body:
```
"{\"error\":\"invalid_grant\",\"error_description\":\"Provided Authorization Grant is invalid.\"}"
```
The console debug prints:
```
[2016-01-12 10:57:27,645] DEBUG - SAML2BearerGrantHandler SAML Token Issuer verification failed or Issuer not registered
[2016-01-12 10:57:27,645] DEBUG - AccessTokenIssuer Invalid Grant provided by the client, id=Ihd6BrTufShu7GPR4QXlypoIlsca, user-name=null to application=admin-AT-safarifoneict.com_SamarimartWebPortal_PRODUCTION
[2016-01-12 10:57:27,646] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=Ihd6BrTufShu7GPR4QXlypoIlsca grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=PRODUCTION
```
Any help will be appreciated.
Answer 1:
The "Identity Provider Entity Id" value in your IDP configuration must be equal to the issuer value of the SAML2 assertion. Please refer to this for more details.
When you configure WSO2 IS as Key Manager, your /token endpoint would be in WSO2 IS. So your SAML2 SSO provider and OAuth2 provider are the same (WSO2 IS). In that case, you do not need to configure a new IDP configuration.
However, you can verify this by extracting the SAML2 assertion: just find the issuer value in the SAML2 assertion and verify that it is equal to the value which you have configured as "Identity Provider Entity Id".
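The check the answer describes, as an added Node.js example that is not part of the original question or answer: pull the `<Issuer>` value out of the assertion XML, compare it with the value configured as "Identity Provider Entity Id" in WSO2 IS, and only then build the RFC 7522 saml2-bearer request body with a base64url-encoded assertion (the same encoding the `base64-url` module in the question performs). The assertion XML, the configured entity id `localhost`, and the mismatching `https://idp.example.com` used to show the failing case are constructed for illustration; they are not values from the page.

```javascript
// Added example, not code from the original post. The assertion below is a
// constructed, trimmed sample; the configured entity id is an assumption.

// Hypothetical value of "Identity Provider Entity Id" in the WSO2 IS IdP config.
const CONFIGURED_IDP_ENTITY_ID = "localhost";

// Constructed sample assertion with only the elements this check needs.
const SAMPLE_ASSERTION_XML =
  '<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ' +
  'ID="_a1b2c3" IssueInstant="2016-01-12T10:57:00Z" Version="2.0">\n' +
  '  <saml2:Issuer>localhost</saml2:Issuer>\n' +
  '  <saml2:Subject><saml2:NameID>admin</saml2:NameID></saml2:Subject>\n' +
  '</saml2:Assertion>';

// Extract the text of the first Issuer element, whatever namespace prefix it
// carries. A regex is enough for this small, well-formed sample; use a real
// XML parser (e.g. xml2js or xmldom) on assertions received from an IdP.
function extractIssuer(assertionXml) {
  const m = /<(?:[\w.-]+:)?Issuer\b[^>]*>([^<]*)<\/(?:[\w.-]+:)?Issuer>/.exec(assertionXml);
  return m ? m[1].trim() : null;
}

// The comparison WSO2 IS performs before accepting the grant: a mismatch here is
// what surfaces as "SAML Token Issuer verification failed or Issuer not registered".
function issuerMatches(assertionXml, configuredEntityId) {
  const issuer = extractIssuer(assertionXml);
  return issuer !== null && issuer === configuredEntityId;
}

// RFC 7522 requires the assertion parameter to be base64url (RFC 4648 §5),
// without padding.
function base64url(str) {
  return Buffer.from(str, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// application/x-www-form-urlencoded body for the saml2-bearer grant.
function buildTokenRequestBody(assertionXml, scope) {
  const params = {
    grant_type: "urn:ietf:params:oauth:grant-type:saml2-bearer",
    assertion: base64url(assertionXml),
    scope: scope
  };
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + "=" + encodeURIComponent(params[k]))
    .join("&");
}

// What the token endpoint sees after form-decoding and base64url-decoding,
// used to confirm the round trip is lossless.
function decodeAssertionParam(body) {
  const enc = new URLSearchParams(body).get("assertion");
  const b64 = enc.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64").toString("utf8");
}

// Verify the issuer first, then produce the request body; returns null when
// the issuer does not match so the caller never sends a grant WSO2 IS will reject.
function prepareGrant(assertionXml, configuredEntityId, scope) {
  if (!issuerMatches(assertionXml, configuredEntityId)) {
    return null;
  }
  return buildTokenRequestBody(assertionXml, scope);
}

const body = prepareGrant(SAMPLE_ASSERTION_XML, CONFIGURED_IDP_ENTITY_ID, "PRODUCTION");
if (body === null) {
  console.error("Issuer " + extractIssuer(SAMPLE_ASSERTION_XML) +
    " does not match configured entity id " + CONFIGURED_IDP_ENTITY_ID);
} else {
  console.log(body);
}
```

When the assertion issuer and the configured entity id differ (for instance an assertion issued by `https://idp.example.com` against an IdP entry configured as `localhost`), `prepareGrant` returns `null` and nothing is sent, which is the situation behind the `invalid_grant` response in the question.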
Source: https://stackoverflow.com/questions/34738716/wso2-saml2bearergranthandler-saml-token-issuer-verification-failed-or-issuer-not