Issuer mismatch with OpenID Connect discovery on WSO2 Identity Server


Problem description

I'm working on a small proof-of-concept implementation involving OpenID Connect and WSO2 Identity Server 5.3.0.

On the client side, I'm using python with the oic library to attempt to get the discovery mechanism working. I'm executing the following code, based on the oic documentation:

from oic.oic import Client

# verify_ssl=False only because the PoC server uses a self-signed certificate
oic_client = Client(verify_ssl=False)

uid = "admin@172.22.0.2"
# Step 1: WebFinger-based issuer discovery (OpenID Connect Discovery, section 2)
issuer = oic_client.discover(uid)
# Step 2: fetch /.well-known/openid-configuration for that issuer (section 4)
provider_info = oic_client.provider_config(issuer)

This results in the following error:

oic.exception.IssuerMismatch: 'https://172.22.0.2:443/oauth2/oidcdiscovery' != 'https://172.22.0.2:443/oauth2/token'

The problem here is that with the default configuration, the discover() step will return an issuer value of https://172.22.0.2:443/oauth2/oidcdiscovery, but the subsequent provider_config() step will return a document containing an issuer value of https://172.22.0.2:443/oauth2/token.

The oic library seems to be correct in reporting this mismatch as an error, as the OpenID Connect Discovery specification states the following about the issuer value presented in the provider metadata (emphasis mine):

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

So, my questions are:

  1. Am I correct in concluding that (at least with the default configuration) WSO2 Identity Server does not conform to the OpenID Connect specification, at least as far as discovery is concerned?
  2. Is it possible to configure WSO2 Identity Server in such a way that it will conform to the spec? I have tried specifying various combinations of OIDCDiscoveryEPUrl and IDTokenIssuerID in the identity.xml file, but no luck so far.

For now, after reading through the oic source code, I'm using the following workaround to ignore the issuer mismatch:

oic_client.allow["issuer_mismatch"] = True

I would, however, much prefer to find a solution in which WSO2 Identity Server is made to behave according to spec.
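The check that oic performs between the WebFinger result and the provider metadata, written out against the Discovery spec's issuer rules, as an added example that is not part of the original question or of the oic library. The metadata dicts are constructed from the values quoted above, and `allow_mismatch` plays the role of the `allow["issuer_mismatch"]` workaround; it also covers the ID-token `iss` rule the spec quote mentions.

```python
from urllib.parse import urlsplit

# Constructed sample data modelled on the values in the question (not real server responses).
WEBFINGER_ISSUER = "https://172.22.0.2:443/oauth2/oidcdiscovery"
DEFAULT_METADATA = {
    "issuer": "https://172.22.0.2:443/oauth2/token",
    "authorization_endpoint": "https://172.22.0.2:443/oauth2/authorize",
    "token_endpoint": "https://172.22.0.2:443/oauth2/token",
}
# What the metadata should look like once the resident IdP entity ID matches discovery.
FIXED_METADATA = dict(DEFAULT_METADATA, issuer=WEBFINGER_ISSUER)


class IssuerMismatch(Exception):
    """Raised when the issuer rules of OpenID Connect Discovery 1.0 are violated."""


def issuer_problems(webfinger_issuer, metadata, id_token_claims=None):
    """Return a list of spec violations; an empty list means the issuer is consistent."""
    problems = []
    issuer = metadata.get("issuer")
    if not issuer:
        return ["provider metadata has no 'issuer' value"]
    parts = urlsplit(issuer)
    if parts.scheme != "https":
        problems.append("issuer must use the https scheme")
    if parts.query or parts.fragment:
        problems.append("issuer must not have a query or fragment component")
    # The spec says "identical", so compare the strings exactly, with no normalisation.
    if issuer != webfinger_issuer:
        problems.append(f"WebFinger issuer {webfinger_issuer!r} != metadata issuer {issuer!r}")
    if id_token_claims is not None and id_token_claims.get("iss") != issuer:
        problems.append(f"ID token iss {id_token_claims.get('iss')!r} != metadata issuer {issuer!r}")
    return problems


def validate_issuer(webfinger_issuer, metadata, id_token_claims=None, allow_mismatch=False):
    """Raise IssuerMismatch on any problem unless the caller explicitly tolerates it.

    Returns the issuer value that later steps (token endpoint, iss checks) should be pinned to.
    """
    problems = issuer_problems(webfinger_issuer, metadata, id_token_claims)
    if problems and not allow_mismatch:
        raise IssuerMismatch("; ".join(problems))
    return metadata["issuer"]


if __name__ == "__main__":
    print(issuer_problems(WEBFINGER_ISSUER, DEFAULT_METADATA))  # the mismatch from the question
    print(validate_issuer(WEBFINGER_ISSUER, FIXED_METADATA))    # consistent: returns the issuer
```

Tolerating the mismatch means a client can no longer tell a misconfigured server from a redirect to a different issuer, so it is a PoC shortcut rather than a production setting.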

Recommended answer

I observed the below issue and was able to resolve it by changing the resident Identity Provider entity ID located in the WSO2-IS management console -> Identity Providers -> Resident -> Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Check the hostname and port and change them according to the IDP configuration.

Error:

ERROR - Util Issuers do not match, expected https://localhost:9444/oauth2/token got https://localhost:9443/oauth2/token

Thanks
