Normally, for OIDC discovery, the .well-known URI can be requested anonymously. The example in the WSO2 5.3.0 docs states that admin-level credentials must be supplied with the request:
https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery
curl -v -k --user admin:admin https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
(the underscores are not a typo, they are there to get around the URL count limit)
I can confirm that running curl -v -k https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration returns 401 Unauthorized.
(the underscores are not a typo, they are there to get around the URL count limit)
I tried configuring permissions in the registry for /_system/config/oidc: with "SYSTEM/wso2.anonymous.role is allowed READ" I still get a 401. Adding the right "SYSTEM/wso2.anonymous.role is allowed to AUTHORIZE" returns 200 but with an empty body.
Any suggestions on how to make OIDC discovery (fetching the OIDC configuration) work without having to supply any credentials (anonymously)?
Thanks
JF
Answer 0 (score: 5)
After a lot of trial and error, anonymous access can be enabled by commenting out the .well-known line in {WSO2_base_path}/repository/conf/identity/identity.xml:
<ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
    <!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
    <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
</ResourceAccessControl>
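The answer above works because each Resource entry in ResourceAccessControl is a regex over the request path, and the discovery path matches the (.*)/.well-known(.*) entry. The following script is an added example (not code from the post or from WSO2) that models that matching in a simplified way so the change can be reviewed before it is applied: it parses a constructed identity.xml fragment, applies the edit from the answer (commenting out the .well-known line and nothing else), and checks that the discovery path no longer requires authentication while introspection and user-API paths still do. The assumption that a context is matched as a full regex against the request path, first match wins, is mine and is not taken from the WSO2 documentation; the XML fragment is constructed from the snippet in the answer.

```python
import re
import xml.etree.ElementTree as ET

# Constructed identity.xml fragment, modelled on the snippet in the answer above
# (not a real file from a WSO2 installation).
IDENTITY_XML_SECURED = """<Server>
<ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
</ResourceAccessControl>
</Server>"""

DISCOVERY_PATH = "/oauth2/oidcdiscovery/.well-known/openid-configuration"


def comment_out_well_known(xml_text):
    """Apply the change from the answer: wrap only the .well-known Resource line in an XML comment."""
    pattern = r'(<Resource context="\(\.\*\)/\.well-known\(\.\*\)"[^>]*/>)'
    return re.sub(pattern, r"<!--\1-->", xml_text)


def load_rules(xml_text):
    """Parse every Resource entry into a dict; commented-out entries are skipped by the XML parser."""
    root = ET.fromstring(xml_text)
    rules = []
    for res in root.iter("Resource"):
        perms = [p.text.strip() for p in res.findall("Permissions") if p.text]
        rules.append({
            "context": res.get("context"),
            "secured": res.get("secured") == "true",
            "method": (res.get("http-method") or "all").lower(),
            "permissions": perms,
        })
    return rules


def matching_rule(rules, path, method="GET"):
    """Assumption (mine, simplified): context is a regex matched against the whole path, first hit wins."""
    for rule in rules:
        if rule["method"] not in ("all", method.lower()):
            continue
        if re.fullmatch(rule["context"], path):
            return rule
    return None


def requires_auth(xml_text, path, method="GET"):
    """True when the request path hits a secured Resource entry."""
    rule = matching_rule(load_rules(xml_text), path, method)
    return rule is not None and rule["secured"]


def secured_contexts(xml_text):
    """List the contexts that remain secured, so a reviewer can confirm only .well-known was dropped."""
    return [r["context"] for r in load_rules(xml_text) if r["secured"]]


def main():
    patched = comment_out_well_known(IDENTITY_XML_SECURED)
    print("discovery needs auth before:", requires_auth(IDENTITY_XML_SECURED, DISCOVERY_PATH))
    print("discovery needs auth after: ", requires_auth(patched, DISCOVERY_PATH))
    print("still secured after change: ", secured_contexts(patched))


if __name__ == "__main__":
    main()
```

The useful part for a reviewer is secured_contexts: after the edit it should list every context from the original file except (.*)/.well-known(.*). The discovery document itself contains only public metadata (issuer, endpoint URLs, jwks_uri, supported algorithms), so exposing it anonymously is the intended OIDC behaviour; the thing to guard against is an over-broad edit that also unsecures the introspection or registration entries.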
Answer 1 (score: 0)
You could use something like Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user to proxy to that endpoint, or, given that the data is relatively static, you could just download the data and serve it from an unprotected endpoint somewhere else.
But I guess it would be better to find the configuration setting that turns basic authentication off, since it serves no purpose.