Question
I'm trying to get the SAML2BearerGrantHandler in APIM 2.0.0 up and running. I'm using Auth0 as the IdP with their SAML2 add-on.
I've created the IdP in the Carbon console, uploaded the signing cert etc. I sort of followed this document to test the grant: https://docs.wso2.com/display/AM200/SAML+Extension+Grant
I get back an assertion, but when I try to get a token, I get this error:
[2016-12-22 14:14:07,493] DEBUG - Starting to unmarshall Apache XML-Security-based SignatureImpl element {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Constructing Apache XMLSignature object {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Adding canonicalization and signing algorithms, and HMAC output length to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,493] DEBUG - Adding KeyInfo to Signature {org.opensaml.xml.signature.impl.SignatureUnmarshaller}
[2016-12-22 14:14:07,496] DEBUG - Attempting to validate signature using key from supplied credential {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Creating XMLSignature object {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Validating signature with signature algorithm URI: http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - Validation credential key algorithm 'RSA', key instance class 'sun.security.rsa.RSAPublicKeyImpl' {org.opensaml.xml.signature.SignatureValidator}
[2016-12-22 14:14:07,496] DEBUG - signatureMethodURI = http://www.w3.org/2000/09/xmldsig#rsa-sha1 {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,497] DEBUG - jceSigAlgorithm = SHA1withRSA {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,497] DEBUG - jceSigProvider = SunRsaSign {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,498] DEBUG - PublicKey = Sun RSA public key, 2048 bits
modulus: 26353633891041219443555298896940833763013288672547189529990760782389210433157310523660493244822551263271160825380041450279478692306592200788388889392222651352619319200257986531144181422406322904036906144840963109856120111801402390951198592877952280076297215745933238289610251813795329247172444398191149065258417196041849903979764273498745394547327839617271694646395229047487503702861075929157239530326410733377150539916753245430560066336565896803919667301164361866985565847943467875326115118253431566885711860811510147756117932985644696034426336566866370975790479374077388749068216645015606582681408478883949754138717
public exponent: 65537 {org.apache.xml.security.signature.XMLSignature}
[2016-12-22 14:14:07,498] ERROR - Error while validating the signature. {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
org.opensaml.xml.validation.ValidationException: Unable to evaluate key against signature
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:74)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:472)
at org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:194)
at org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:219)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:246)
at org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:110)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:209)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:650)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:120)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:505)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.event.receiver.core.internal.tenantmgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:48)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:956)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:442)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1082)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:623)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1756)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1715)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
Caused by: org.apache.xml.security.signature.XMLSignatureException: Signature length not correct: got 0 but was expecting 256
Original Exception was java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:93)
at org.apache.xml.security.algorithms.SignatureAlgorithm.verify(SignatureAlgorithm.java:301)
at org.apache.xml.security.signature.XMLSignature.checkSignatureValue(XMLSignature.java:723)
at org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:69)
... 58 more
Caused by: java.security.SignatureException: Signature length not correct: got 0 but was expecting 256
at sun.security.rsa.RSASignature.engineVerify(RSASignature.java:189)
at java.security.Signature$Delegate.engineVerify(Signature.java:1219)
at java.security.Signature.verify(Signature.java:652)
at org.apache.xml.security.algorithms.implementations.SignatureBaseRSA.engineVerify(SignatureBaseRSA.java:91)
... 61 more
So, it seems that the assertion is read OK, but I'm stuck verifying the signature. Has anyone had this issue before and solved it?
-- UPDATE: this is the assertion that's generated by Auth0:
<?xml version="1.0" encoding="UTF-8"?><saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="nieapeeiianlpgnhhkmildecgaajocfbpdonepgi" IssueInstant="2016-12-27T08:37:07.712Z" Version="2.0"><saml:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">urn:spronq.eu.auth0.com</saml:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo>
<ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
<ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
<ds:Reference URI="#nieapeeiianlpgnhhkmildecgaajocfbpdonepgi">
<ds:Transforms>
<ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
<ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="ds saml xs xsi"/></ds:Transform>
</ds:Transforms>
<ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
<ds:DigestValue>z7dAuipcj9k945anY2H4BpJJ00w=</ds:DigestValue>
</ds:Reference>
</ds:SignedInfo>
<ds:SignatureValue/>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIIC7jCCAdagAwIBAgIJa9PaSP2xH3taMA0GCSqGSIb3DQEBBQUAMB4xHDAaBgNVBAMTE3Nwcm9u...</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml:Subject><saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">d.kruitbosch@vanlanschot.com</saml:NameID><saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml:SubjectConfirmationData InResponseTo="0" NotOnOrAfter="2016-12-27T08:42:07.712Z" Recipient="https://localhost:8243/token"/></saml:SubjectConfirmation></saml:Subject><saml:Conditions NotBefore="2016-12-27T08:37:07.712Z" NotOnOrAfter="2016-12-27T08:42:07.712Z"><saml:AudienceRestriction><saml:Audience>https://localhost:8243/token</saml:Audience></saml:AudienceRestriction></saml:Conditions><saml:AuthnStatement AuthnInstant="2016-12-27T08:37:07.774Z"><saml:AuthnContext><saml:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml:AuthnContextClassRef></saml:AuthnContext></saml:AuthnStatement><saml:AttributeStatement><saml:Attribute Name="w"><saml:AttributeValue xmlns:xs="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">s</saml:AttributeValue></saml:Attribute></saml:AttributeStatement></saml:Assertion>
Thanks,
Danny
Answer 1:
So I solved this, with a lot of manual steps. But at least I know the SAML bearer token is working.
I couldn't get it to work with the SAMLAssertionCreator.jar that's linked in the WSO2 documentation. So what I did is the following:
- Changed the SAML settings in Auth0 to set the proper Audience and Recipient values.
- In Auth0, used the debug tool of the SAML add-on to create a SAML assertion.
- Copied the SAML response, copied the <Assertion>...</Assertion> part, minified the XML and encoded it (using http://kjur.github.io/jsjws/tool_b64uenc.html).
- Created a test in Postman and used the encoded assertion to get an access token.
This works, so now I can start creating my client to use these steps and have a way to verify everything.
Regards,
Danny
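The pre-flight check and the manual encoding steps from the question and the answer above, as an added example that is not part of the original post or of WSO2's code. It uses a constructed assertion shaped like the Auth0 one (empty `<ds:SignatureValue/>`, placeholder certificate) and assumes a 2048-bit RSA signing key, which is what the "expecting 256" in the log corresponds to.

```python
import base64
import re
import xml.etree.ElementTree as ET

NS = {
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
    "ds": "http://www.w3.org/2000/09/xmldsig#",
}

# Constructed sample: same shape as the Auth0 assertion in the question,
# with an empty <ds:SignatureValue/> and a placeholder certificate.
SAMPLE_ASSERTION = (
    '<saml:Assertion xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" '
    'ID="nieapeeiianlpgnhhkmildecgaajocfbpdonepgi" Version="2.0">'
    '<saml:Issuer>urn:spronq.eu.auth0.com</saml:Issuer>'
    '<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">'
    '<ds:SignedInfo><ds:Reference URI="#nieapeeiianlpgnhhkmildecgaajocfbpdonepgi"/></ds:SignedInfo>'
    '<ds:SignatureValue/>'
    '<ds:KeyInfo><ds:X509Data><ds:X509Certificate>PLACEHOLDER</ds:X509Certificate></ds:X509Data></ds:KeyInfo>'
    '</ds:Signature></saml:Assertion>'
)

def extract_assertion(saml_response: str) -> str:
    """Cut the saml:Assertion element out of a SAML Response as raw text.
    Kept as a substring: re-serialising through a DOM can change namespace
    prefixes and whitespace that the enveloped signature's digest covers."""
    m = re.search(r"<saml:Assertion\b.*?</saml:Assertion>", saml_response, re.S)
    if not m:
        raise ValueError("no saml:Assertion element found")
    return m.group(0)

def check_signature_value(assertion_xml: str, key_bits: int = 2048) -> dict:
    """Explain the handler's error before calling the token endpoint: an RSA
    signature must be exactly key_bits/8 bytes (256 for 2048 bits), and the
    Reference URI must point at the assertion's own ID."""
    root = ET.fromstring(assertion_xml)
    sig = root.findtext("ds:Signature/ds:SignatureValue", default="", namespaces=NS)
    raw = base64.b64decode("".join(sig.split())) if sig.strip() else b""
    ref = root.find("ds:Signature/ds:SignedInfo/ds:Reference", NS)
    ref_uri = ref.get("URI", "") if ref is not None else ""
    return {
        "signature_bytes": len(raw),
        "expected_bytes": key_bits // 8,
        "length_ok": len(raw) == key_bits // 8,
        "reference_ok": ref_uri == "#" + root.get("ID", ""),
    }

def build_token_request(assertion_xml: str) -> dict:
    """Form body for the SAML2 bearer grant: minify the assertion and
    base64url-encode it, as the answer did by hand with an online tool."""
    minified = re.sub(r">\s+<", "><", assertion_xml.strip())
    encoded = base64.urlsafe_b64encode(minified.encode("utf-8")).decode("ascii")
    return {"grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
            "assertion": encoded}
```

Run `check_signature_value` on the assertion first: a `signature_bytes` of 0 is exactly the "got 0 but was expecting 256" case, and the IdP configuration needs fixing before the token request can succeed.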
Source: https://stackoverflow.com/questions/41284297/saml2bearergranthandler-unable-to-verify-signature