Issuer mismatch with OpenID Connect discovery on WSO2 Identity Server
Question
I'm working on a small proof-of-concept implementation involving OpenID Connect and WSO2 Identity Server 5.3.0.
On the client side, I'm using Python with the oic library to attempt to get the discovery mechanism working. I'm executing the following code, based on the oic documentation:
from oic.oic import Client

# verify_ssl=False only because this is a local proof of concept
oic_client = Client(verify_ssl=False)
uid = "admin@172.22.0.2"
# WebFinger step: returns the issuer identifier for the user
issuer = oic_client.discover(uid)
# fetches <issuer>/.well-known/openid-configuration and validates it
provider_info = oic_client.provider_config(issuer)
This results in the following error:
oic.exception.IssuerMismatch: 'https://172.22.0.2:443/oauth2/oidcdiscovery' != 'https://172.22.0.2:443/oauth2/token'
The problem here is that with the default configuration, the discover() step will return an issuer value of https://172.22.0.2:443/oauth2/oidcdiscovery, but the subsequent provider_config() step will return a document containing an issuer value of https://172.22.0.2:443/oauth2/token.
The oic library seems to be correct in reporting this mismatch as an error, as the OpenID Connect Discovery specification states the following about the issuer value presented in the provider metadata (emphasis mine):
REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.
So, my questions are:
- Am I correct in concluding that (at least with the default configuration) WSO2 Identity Server does not conform to the OpenID Connect specification, at least as far as discovery is concerned?
- Is it possible to configure WSO2 Identity Server in such a way that it will conform to the spec? I have tried specifying various combinations of OIDCDiscoveryEPUrl and IDTokenIssuerID in the identity.xml file, but no luck so far.
For now, after reading through the oic source code, I'm using the following workaround to ignore the issuer mismatch:
oic_client.allow["issuer_mismatch"] = True
I would, however, much prefer to find a solution in which WSO2 Identity Server is made to behave according to spec.
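The consistency rule quoted from the Discovery spec, checked offline against sample responses. This is an added example, not code from the question or from the oic library; the WebFinger JRD and provider metadata below are constructed from the values in the post, and the id_token_iss parameter is a hypothetical input for the third check.

```python
import json
from urllib.parse import urlsplit

# The rel value OpenID Connect Discovery defines for WebFinger issuer location.
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"

# Constructed sample responses modelled on the values in the question
# (not captured from a real WSO2 IS instance).
WEBFINGER_JRD = json.dumps({
    "subject": "acct:admin@172.22.0.2",
    "links": [{"rel": OIDC_ISSUER_REL,
               "href": "https://172.22.0.2:443/oauth2/oidcdiscovery"}],
})
PROVIDER_METADATA = json.dumps({
    "issuer": "https://172.22.0.2:443/oauth2/token",
    "authorization_endpoint": "https://172.22.0.2:443/oauth2/authorize",
    "token_endpoint": "https://172.22.0.2:443/oauth2/token",
})

def webfinger_issuer(jrd_json):
    """Return the issuer href from a WebFinger JRD, or None if absent."""
    for link in json.loads(jrd_json).get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL:
            return link.get("href")
    return None

def config_url(issuer):
    """Well-known configuration URL a client derives from an issuer identifier."""
    return issuer.rstrip("/") + "/.well-known/openid-configuration"

def issuer_problems(jrd_json, metadata_json, id_token_iss=None):
    """List every way the metadata issuer violates the Discovery requirements."""
    discovered = webfinger_issuer(jrd_json)
    asserted = json.loads(metadata_json).get("issuer")
    problems = []
    if asserted is None:
        return ["provider metadata has no issuer"]
    parts = urlsplit(asserted)
    if parts.scheme != "https":
        problems.append("issuer is not an https URL")
    if parts.query or parts.fragment:
        problems.append("issuer has a query or fragment component")
    if discovered is not None and discovered != asserted:
        problems.append("WebFinger issuer %r != metadata issuer %r" % (discovered, asserted))
    if id_token_iss is not None and id_token_iss != asserted:
        problems.append("ID token iss %r != metadata issuer %r" % (id_token_iss, asserted))
    return problems
```

Run against the sample documents it reports exactly the mismatch the oic library raised; once the WebFinger href and the metadata issuer agree (as after the entity ID fix in the answer) it returns an empty list.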
Accepted answer
I observed the below issue and was able to resolve it by changing the resident Identity Provider entity ID, located in the WSO2-IS management console -> Identity Providers -> Resident -> Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Check the hostname and port and change them according to the IDP configuration.
Error:
ERROR - Util Issuers do not match, expected https://localhost:9444/oauth2/token got https://localhost:9443/oauth2/token
Thanks