WSO2是Mattermost CE的服务提供商

时间:2018-12-12 21:40:45

标签: git oauth-2.0 wso2is keycloak mattermost

我正在尝试将WSO2is用作Mattermost CE的服务提供商。我的想法是在WSO2is中使用Mattermost GitHub社交登录功能,而不是GitHub。

为此,我已经使用Oauth服务提供商配置了Wso2is,效果很好。我能够验证自己的身份,并且Mattermost接受令牌。但是,Mattermost无法登录。

经过深入挖掘,我强烈建议此问题来自于Claims。 Mattermost和Wso2is不能说相同的“语言”。我尝试了许多失败的配置,尤其是使用http://wso2.org/oidc/claim

我想知道是否有人知道如何使用Mattermost配置Wso2is?

有关信息,这是我测试过的配置之一:

<?xml version="1.0" encoding="UTF-8"?><ServiceProvider>
  <ApplicationName>Mattermost</ApplicationName>
  <Description>test</Description>
  <InboundAuthenticationConfig>
    <InboundAuthenticationRequestConfigs>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>Mattermost</InboundAuthKey>
        <InboundAuthType>openid</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>Mattermost</InboundAuthKey>
        <InboundAuthType>passivests</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <Properties/>
      </InboundAuthenticationRequestConfig>
      <InboundAuthenticationRequestConfig>
        <InboundAuthKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</InboundAuthKey>
        <InboundAuthType>oauth2</InboundAuthType>
        <InboundConfigType>standardAPP</InboundConfigType>
        <inboundConfiguration><![CDATA[<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<oAuthAppDO>
    <oauthConsumerKey>_FPI1OvbJHV_3In6kdYiQMmnIZIa</oauthConsumerKey>
    <oauthConsumerSecret>tPelnXdrnQjr0cpn2pxPT9YuQkUa</oauthConsumerSecret>
    <applicationName>Mattermost</applicationName>
    <callbackUrl>https://team.ticoop.fr/signup/gitlab/complete</callbackUrl>
    <oauthVersion>OAuth-2.0</oauthVersion>
    <grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password client_credentials iwa:ntlm authorization_code urn:ietf:params:oauth:grant-type:jwt-bearer </grantTypes>
    <scopeValidators/>
    <pkceSupportPlain>true</pkceSupportPlain>
    <pkceMandatory>false</pkceMandatory>
    <userAccessTokenExpiryTime>3600</userAccessTokenExpiryTime>
    <applicationAccessTokenExpiryTime>3600</applicationAccessTokenExpiryTime>
    <refreshTokenExpiryTime>84600</refreshTokenExpiryTime>
    <idTokenExpiryTime>3600</idTokenExpiryTime>
    <audiences/>
    <bypassClientCredentials>false</bypassClientCredentials>
    <requestObjectSignatureValidationEnabled>false</requestObjectSignatureValidationEnabled>
    <idTokenEncryptionEnabled>false</idTokenEncryptionEnabled>
    <idTokenEncryptionAlgorithm>null</idTokenEncryptionAlgorithm>
    <idTokenEncryptionMethod>null</idTokenEncryptionMethod>
    <backChannelLogoutUrl></backChannelLogoutUrl>
    <tokenType>JWT</tokenType>
</oAuthAppDO>
]]></inboundConfiguration>
        <Properties/>
      </InboundAuthenticationRequestConfig>
    </InboundAuthenticationRequestConfigs>
  </InboundAuthenticationConfig>
  <LocalAndOutBoundAuthenticationConfig>
    <AuthenticationSteps/>
    <AuthenticationType>default</AuthenticationType>
    <alwaysSendBackAuthenticatedListOfIdPs>false</alwaysSendBackAuthenticatedListOfIdPs>
    <subjectClaimUri>http://wso2.org/claims/emailaddress</subjectClaimUri>
    <UseTenantDomainInUsername>false</UseTenantDomainInUsername>
    <UseUserstoreDomainInRoles>true</UseUserstoreDomainInRoles>
    <UseUserstoreDomainInUsername>false</UseUserstoreDomainInUsername>
    <EnableAuthorization>false</EnableAuthorization>
  </LocalAndOutBoundAuthenticationConfig>
  <RequestPathAuthenticatorConfigs/>
  <InboundProvisioningConfig>
    <ProvisioningUserStore/>
    <IsProvisioningEnabled>false</IsProvisioningEnabled>
    <IsDumbModeEnabled>false</IsDumbModeEnabled>
  </InboundProvisioningConfig>
  <OutboundProvisioningConfig>
    <ProvisioningIdentityProviders/>
  </OutboundProvisioningConfig>
  <ClaimConfig>
    <RoleClaimURI/>
    <LocalClaimDialect>true</LocalClaimDialect>
    <IdpClaim/>
    <ClaimMappings>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/username</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/username</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/fullname</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/photourl</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/emailaddress</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/url</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/url</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/active</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/active</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/nickname</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
      <ClaimMapping>
        <LocalClaim>
          <ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
          <claimId>0</claimId>
        </LocalClaim>
        <RemoteClaim>
          <ClaimUri>http://wso2.org/claims/identity/emailVerified</ClaimUri>
          <claimId>0</claimId>
        </RemoteClaim>
        <RequestClaim>true</RequestClaim>
        <MandatoryClaim>false</MandatoryClaim>
      </ClaimMapping>
    </ClaimMappings>
    <AlwaysSendMappedLocalSubjectId>false</AlwaysSendMappedLocalSubjectId>
    <SPClaimDialects>
      <SPClaimDialect>http://wso2.org/oidc/claim</SPClaimDialect>
    </SPClaimDialects>
  </ClaimConfig>
  <PermissionAndRoleConfig>
    <Permissions/>
    <RoleMappings/>
    <IdpRoles/>
  </PermissionAndRoleConfig>
  <IsSaaSApp>false</IsSaaSApp>
</ServiceProvider>

注意:对于Wso2is,需要将Mattermost Gitlab配置URL从/ ouath /更改为/ oauth2/。

谢谢

致谢

1 个答案:

答案 0 :(得分:0)

我无法使用wso2is解决此问题。确实,wso2is确实没有发送带有令牌的声明。 此外,Git令牌结构使用整数作为ID,而不是字符串。因此,不可能使用几乎所有IAM生成的默认用户GUID。

为满足我的需求,我找到了另一个解决方案:KeyCloak。 KeyCloak可以正常工作,并且可以通过代码定义声明,因此可以自动生成Mattermost所需的整数ID。

此致

相关问题
最新问题