WSO2 Identity Server OpenId Connect Owin

时间:2016-08-11 12:53:31

标签: wso2 owin wso2is openid-connect

我试图设置WSO2 Identity Server以使用OpenId连接。我目前已应用Here: Setup WSO2显示的以下设置。

它归结为我使用Resident Identity Provider并为我的应用程序“CoolApp”设置了服务提供商。

我配置了“OAuth / OpenID Connect配置”并设置了回调网址。

是否有一个简单的例子如何在javascript中使用它?

我玩过identityserver3,他们有一个客户端oidc-client.js,与identityserver3结合使用效果很好。但是我似乎无法使用WSO2身份服务器。

我以错误的方式处理这个问题,我真正想要的是使用owin中间件来保护我的网站,就像他们尝试herehere一样。

所以现在我有以下内容:

app.SetDefaultSignInAsAuthenticationType("ClientCookie");

        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = "ClientCookie",
            CookieName = CookieAuthenticationDefaults.CookiePrefix + "ClientCookie",
            ExpireTimeSpan = TimeSpan.FromMinutes(5)
        });

        // ***************************************************************************
        // Approach 1 : ResponseType = "id_token token"
        // ***************************************************************************
        app.UseOpenIdConnectAuthentication(new OpenIdConnectAuthenticationOptions
        {
            AuthenticationMode = AuthenticationMode.Active,
            AuthenticationType = OpenIdConnectAuthenticationDefaults.AuthenticationType,
            SignInAsAuthenticationType = app.GetDefaultSignInAsAuthenticationType(),
            Authority = "   https://localhost:9443/oauth2/",
            ClientId = "fgx4M5e27NJqgRIs8nu5aL7Jw3oa",
            ClientSecret = "dwGdRDCFY7Soa7CB5K5smkiuMmYa",
            RedirectUri = "http://localhost:57815/Account/ExternalLoginCallback/",
            ResponseType = "id_token token",
            Scope = "openid",

            Configuration = new OpenIdConnectConfiguration
            {
                AuthorizationEndpoint = "https://localhost:9443/oauth2/authorize",
                TokenEndpoint = "https://localhost:9443/oauth2/token",
                UserInfoEndpoint = "https://localhost:9443/oauth2/userinfo",
            },

            Notifications = new OpenIdConnectAuthenticationNotifications
            {
                SecurityTokenValidated = n =>
                {
                    var token = n.ProtocolMessage.AccessToken;

                    // persist access token in cookie
                    if (!string.IsNullOrEmpty(token))
                    {
                        n.AuthenticationTicket.Identity.AddClaim(
                            new Claim("access_token", token));
                    }
                    return Task.FromResult(0);
                },

                AuthenticationFailed = notification =>
                {

                    if (string.Equals(notification.ProtocolMessage.Error, "access_denied", StringComparison.Ordinal))
                    {
                        notification.HandleResponse();

                        notification.Response.Redirect("/");
                    }

                    return Task.FromResult<object>(null);
                }
            }
        });

我在SecurityTokenValidated和AuthenticationFailed中设置了一个断点。转到该页面,我按预期重定向到WSO2身份服务器。当我登录并返回页面时,我的两个断点都没有被击中而且我没有登录。

我正在使用WSO2 Identity Server 5.1.0。

@farasath,你能帮助我和其他人看起来好像我们都遇到了同样的问题但还没有找到解决方案。

在进一步调查期间,我发现使用带有response_type =“code”的代码流也无法正常工作,因为OIDC中间件不支持它(请参阅herehere)。 / p>

发现@pinpoint建议ASP.net核心确实支持这一点。但这不是一个真正的选择。

@Hos回答here

  

使用WSO2 Identity Server 5.0.0 OpenID Connect“id_token”响应类型未实现。

我没有收到他在帖子中提到的错误回复,但是我使用这些版本的结果保持不变,断点永远不会被击中。所以现在我想知道这实际上是在5.1.0或5.2.0-Beta中工作还是仍然是WIP。

@farasath,谢谢你的答复,这里是日志

[2016-08-16 08:11:39,998] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:11:40,074] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:11:50,948] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Authorization Request received for user : raymond@carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:11:50,967]  INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} -  The default OAuth token issuer will be used. No custom token generator is set.
[2016-08-16 08:11:50,985]  INFO {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} -  Thread pool size for session persistent consumer : 100
[2016-08-16 08:11:50,991] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} -  Access Token context persist consumer is started
... This one repeats about 100 times ...
[2016-08-16 08:11:51,031] DEBUG {org.wso2.carbon.identity.oauth2.authz.AuthorizationHandlerManager} -  Successfully created AppInfoCache under OAuthCacheManager
[2016-08-16 08:11:51,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:11:52,180] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  No active access token found in cache for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond@carbon.super and Scope : openid
[2016-08-16 08:11:52,199] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  No access token found in database for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID : raymond@carbon.super and Scope : openid. Therefore issuing new access token
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenPersistenceTask} -  Access Token Data persisting Task is started to run
[2016-08-16 08:11:52,208] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  Persisted Access Token for Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorized User : raymond@carbon.super, Timestamp : 2016-08-16 08:11:52.207, Validity period (s) : 3600, Scope : openid, Callback URL : http://localhost:57815/, Token State : ACTIVE and User Type : APPLICATION_USER
[2016-08-16 08:11:52,233] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  Access Token was added to OAuthCache for cache key : fgx4M5e27NJqgRIs8nu5aL7Jw3oa:raymond@carbon.super:openid
[2016-08-16 08:11:52,298] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Cleared OAuthAuthzReqMessageContext

第二次我跑了它我得到了这个日志:

[2016-08-16 08:30:17,216] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Validate Client information request for client_id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa and callback_uri http://localhost:57815/
[2016-08-16 08:30:17,222] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Registered App found for the given Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa ,App Name : CoolApp, Callback URL : http://localhost:57815/
[2016-08-16 08:30:23,178] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Authorization Request received for user : raymond@carbon.super, Client ID : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, Authorization Response Type : id_token token, Requested callback URI : http://localhost:57815/, Requested Scope : openid
[2016-08-16 08:30:23,189] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Added OAuthAuthzReqMessageContext to threadlocal
[2016-08-16 08:30:23,195] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  Retrieved active Access Token for Client Id : fgx4M5e27NJqgRIs8nu5aL7Jw3oa, User ID :raymond@carbon.super and Scope : openid from cache
[2016-08-16 08:30:23,203] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.TokenResponseTypeHandler} -  Access Token is valid for another 3264638ms
[2016-08-16 08:30:23,218] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Cleared OAuthAuthzReqMessageContext

现在我将我的重定向uri更改为:     RedirectUri =“http://localhost:57815/Account/ExternalLoginCallback/”,

并且该函数中的logInfo始终为null     var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();

用Google搜索并发现this post有人遇到类似问题。

使用Fiddler查看回调,看起来已经设置了cookie Screenshot

所以现在我离开了以下情况:

  • SecurityTokenValidated中的断点从未命中
  • AuthenticationFailed中的断点从未命中
  • var loginInfo = await AuthenticationManager.GetExternalLoginInfoAsync();在我的Callback
    • 中始终为null

2 个答案:

答案 0 :(得分:1)

原因是OWIN中间件期望OAUTH 2.0表单后响应模式[1]中的OAUTH响应,这是一个可选规范,只有Identity Server 5.2.0(带补丁)向上支持这个。

[1] http://openid.net/specs/oauth-v2-form-post-response-mode-1_0.html

答案 1 :(得分:0)

AFAIK我们没有您可以直接使用的Javascript示例。但那不应该成为一个问题。我通过谷歌搜索来找到[1]。您需要做的就是替换client_id和回调URL。由于我们遵循OAuth / OpenID连接规范,因此任何OAuth Javascript客户端库都应与WSO2 Identity Server配合使用。

我们确实有一个网络应用示例[2],我之前写了一篇博文[3],只是为了演示WSO2 Identity Server的授权代码流。

[1] https://github.com/zalando/oauth2-client-js

[2] https://docs.wso2.com/display/IS510/OAuth+2.0+with+WSO2+Playground

[3] http://blog.farazath.com/2016/05/trying-out-oauth2-authorization-code.html

相关问题
最新问题