WSO2 SAML2BearerGrantHandler SAML 令牌颁发者验证失败或颁发者未注册 [英] WSO2 SAML2BearerGrantHandler SAML Token Issuer verification failed or Issuer not registered

问题描述

我将 WSO2 身份服务器配置为 WSO2 API 管理器的密钥管理器.

I configured the WSO2 Identity Server to be a Key manager to WSO2 API Manager.

• 我在 API Manager 中创建了应用程序并发布了它.[确定]
• 我创建了 API 并在商店中订阅.[确定]
• 我使用 NodeJS 应用程序作为客户端应用程序并使用 Go 作为资源提供程序

• 这是使用passport-saml策略的Passport配置:

• I Created Application in API Manager and Published it. [OK]
• I Created API and subscribed in the Store. [OK]
• I am using NodeJS Application as Client Application and Go as a Resource Provider

• This is the Passport Configuration using passport-saml strategy:

 passport.use(new SamlStrategy({
    path: configSaml.path,
    entryPoint: configSaml.entryPoint,
    issuer: configSaml.issuer,
    decryptionPvk: configSaml.decryptionPvk,
    validateInResponseTo: true
},
function(profile, done) {
    done(null, profile)
}
));

效果很好

当我尝试从 Saml 2.0 持有者获取访问令牌时遇到问题，这是代码:

This where I got the Problem when I try to get the Access token from Saml 2.0 bearer, this is the code:

app.post('/login/callback',function(req, res, next) {
passport.authenticate('saml', function(err, user, info) {
    Log.d("OAuth Callback", arguments);
    if (err) { return next(err); }
    if (!user) { return res.redirect('/login'); }
    //req.logIn(user, function(err) {
    //    if (err) { return next(err); }
    //    return res.send(user);
    //});

    request.post({
        url: "https://localhost:9444/oauth2/token",
        headers: {
            'Content-Type' : 'application/x-www-form-urlencoded',
            'charset': "UTF-8",
            "Authorization": "Basic " + new Buffer("Ihd6BrTufShu7GPR4QXlypoIlsca:gTyBdDVd0zGQZRr29NhPoooHpeka").toString("base64")
        },
        body:"grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=" +
            require("base64-url").encode(user.getAssertionXml()) +
            "&scope=PRODUCTION"
    }, function(err,httpResponse,body){
        Log.d("Http Error", err);
        res.json(body);
    })
})(req, res, next);
});

身体反应:

"{\"error\":\"invalid_grant\",\"error_description\":\"Provided Authorization Grant is invalid.\"}"

它打印的控制台调试:

the Console debug it prints:

[2016-01-12 10:57:27,645] DEBUG - SAML2BearerGrantHandler SAML Token Issuer verification failed or Issuer not registered
[2016-01-12 10:57:27,645] DEBUG - AccessTokenIssuer Invalid Grant provided by the client, id=Ihd6BrTufShu7GPR4QXlypoIlsca, user-name=null to application=admin-AT-safarifoneict.com_SamarimartWebPortal_PRODUCTION
[2016-01-12 10:57:27,646] DEBUG - AccessTokenIssuer OAuth-Error-Code=invalid_grant client-id=Ihd6BrTufShu7GPR4QXlypoIlsca grant-type=urn:ietf:params:o auth:grant-type:saml2-bearer scope=PRODUCTION

任何帮助将不胜感激

推荐答案

IDP 配置中的身份提供者实体 ID"值必须等于 SAML2 断言的颁发者值.请参考这个更多详情.

"Identity Provider Entity Id" value in your IDP configuration must be equal to the issuer value of the SAML2 Assertion. Please refer this for more details.

当您将 WSO2IS 配置为密钥管理器时，您的/token 端点将在 WSO2IS 中.所以;您的 SAML2 SSO 提供商和OAuth2 提供程序相同 (WSO2IS).在这种情况下，您不需要配置新的 IDP 配置.

When you configure WSO2IS as Key Manager, your /token end point would be in WSO2IS. So; your SAML2 SSO provider & OAuth2 provider is same (WSO2IS). In that case, you do not need to configure a new IDP configuration.

但是，您可以通过提取 SAML2 断言来验证这一点，只需在 SAML2 断言中找到颁发者值并验证它是否等于您配置为身份提供者实体 ID"的值

However, you can verify this by extracting the SAML2 Assertion, Just find the issuer value in SAML2 Assertion and verify it is equal to the value which you have configured as "Identity Provider Entity Id"

这篇关于WSO2 SAML2BearerGrantHandler SAML 令牌颁发者验证失败或颁发者未注册的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！