wso2 身份服务器 5.10.1 - 基于角色的自适应用户身份验证 var hasRole 始终为 false [英] wso2 indentity server 5.10.1 - role-based adaptive user authentication var hasRole is always false

问题描述

我们将 WSO2 5.10.1 用于 SSO，我正在尝试使自适应 MFA 正常工作，但遇到了一些问题.基于 IP 的自适应认证模板有效，但由于某种原因，基于角色的模板不起作用.出于某种原因，变量 hasRole 总是返回 false，即使我的测试用户是名为 staff2 的内部角色的成员.Staff2 是一个仅包含测试用户的内部角色.

We use WSO2 5.10.1 for SSO and I am trying to get adaptive MFA working but having some trouble. The IP-based adaptive authentication template works, but for some reason, the role-based template does not. For some reason, the variable hasRole always returns false, even though my test user is a member of the internal role called staff2. staff2 is an internal role containing only the test user.

带有信息的 wso2carbon.log 如下.我还包括了我正在使用的脚本，它是基于角色的默认模板，以及我为了在日志中获取更多信息而进行的一些修改.

The wso2carbon.log with the info is below. I also included the script I am using, which is the default role-based template PLUS a few modifications I made to get a little more information in the log.

日志:

TID: [-1234] [] [2021-02-02 10:14:34,684] [badcbf3d-288c-4d3a-8abc-372763d87e0b]  INFO {org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger} - Working so far
TID: [-1234] [] [2021-02-02 10:14:34,684] [badcbf3d-288c-4d3a-8abc-372763d87e0b]  INFO {org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger} - false string info
TID: [-1234] [] [2021-02-02 10:14:34,684] [badcbf3d-288c-4d3a-8abc-372763d87e0b]  INFO {org.wso2.carbon.identity.application.authentication.framework.config.model.graph.js.JsLogger} - <testuser> Has one of Roles: [staff2]

我的代码:

// Role-Based from Template...

// This script will step up authentication for any user belonging
// to one of the given roles
// If the user has any of the below roles, authentication will be stepped up
var rolesToStepUp = ['staff2'];

var onLoginRequest = function(context) {
    executeStep(1, {
        onSuccess: function (context) {
            // Extracting authenticated subject from the first step
            var user = context.currentKnownSubject;
            // Checking if the user is assigned to one of the given roles
            var hasRole = hasAnyOfTheRoles(user, rolesToStepUp);
            Log.info('Working so far');
            Log.info(hasRole + ' string info');
            if (5 > 1) {
                Log.info(user.username + ' Has one of Roles: ' + rolesToStepUp.toString());
                executeStep(2);
            }
        }
    });
};

// End of Role-Based.......

推荐答案

如下更改您的 rolesToStepUp 变量并尝试.

Change your rolesToStepUp variable as follows and try out.

var rolesToStepUp = ['Internal/staff2'];

如果您将变量用作 var rolesToStepUp = ['staff2'];，它会检查用户在 PRIMARY 用户存储中是否具有名为staff2"的角色.例如，如果您通过选择域-PRIMARY 和角色名称-staff2 创建一个角色，则分配到该角色的用户将能够根据您的脚本执行 2 个步骤.

If you use the variable as var rolesToStepUp = ['staff2'];, it checks whether the user has a role named 'staff2' in the PRIMARY userstore. For example, if you create a Role by selection domain- PRIMARY and role name- staff2, the user who gets assigned to that role will be able to go through 2 steps according to your script.

如果要使用附加到 PRIMARY 用户存储的角色以外的角色，则需要在 var rolesToStepUp 数组中定义域.由于您创建了内部角色，var rolesToStepUp 应定义为 var rolesToStepUp = ['Internal/staff2'];

If you want to use a role other than a role attached to PRIMARY userstore, you need to define the domain in the var rolesToStepUp array. Since you have created an internal role, var rolesToStepUp should be defined as var rolesToStepUp = ['Internal/staff2'];

这篇关于wso2 身份服务器 5.10.1 - 基于角色的自适应用户身份验证 var hasRole 始终为 false的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！