
identity-inbound-auth-oauth's Introduction

identity-inbound-auth-oauth

Building from the source

If you want to build identity-inbound-auth-oauth from the source code:

  1. Install Java 11 (or Java 17)
  2. Install Apache Maven 3.x.x (https://maven.apache.org/download.cgi#)
  3. Get a clone or download the source from this repository (https://github.com/wso2-extensions/identity-inbound-auth-oauth)
  4. Run the Maven command mvn clean install from the identity-inbound-auth-oauth directory.

ℹ️ Important note for Mac (with Apple Silicon) users

JDKs targeting different CPU architectures are available for macOS. The test class NTLMAuthenticationGrantHandlerTest (in components/org.wso2.carbon.identity.oauth/src/test/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/iwa/ntlm/NTLMAuthenticationGrantHandlerTest.java) throws an UnsatisfiedLinkError if the JDK installed on your machine targets the aarch64 (ARM) architecture. Therefore, if you want to run NTLMAuthenticationGrantHandlerTest, make sure a JDK that targets the x64 architecture is installed on your machine.

identity-inbound-auth-oauth's People

Contributors

anjuchamantha, ashensw, chamathns, chanikaruchini, chinthakaj98, chitharakarunasekera, darshanasbg, dmhp, dushaniw, emswbandara, hasinthaindrajee, indunilrathnayake, inthirakumaaran, isurad, janakamarasena, madurangasiriwardena, mefarazath, nilasini, omindu, piraveena, pulasthi7, rivindum, sachinisiriwardene, sadilchamishka, sandushi, senthalan, thanujalk, thumimku, wso2-jenkins-bot, yoshani

identity-inbound-auth-oauth's Issues

DCR code not compatible with .yaml

Description:
org.wso2.carbon.identity.oauth2.dcr.endpoint code is not compatible with api.identity.oauth.dcr.endpoint.yaml.

Swagger generate breaks the code in some places.

Abstract class is missing for OAuthReqMessageContext

Description:
Although the OAuthTokenReqMessageContext and OAuthAuthzReqMessageContext classes have many common attributes and methods, they are written separately. It is better to create an abstract class and then extend these classes from that.

Suggested Labels:
enhancement

Suggested Assignees:
@mefarazath @JKAUSHALYA

Affected Product Version:
5.4

OS, DB, other environment details and versions:
N/A

Steps to reproduce:
N/A

Related Issues:

N/A

[Refresh_token] - Wrong Query - Error

----- Error occurrence -----

When you run the call to refresh_token service and the database is DB2, the following error occurs:

{
"error_description": "Error when validating a refresh token",
"error": "invalid_grant"
}

This occurs because the query of constant 'RETRIEVE_ACCESS_TOKEN_VALIDATION_DATA_DB2SQL' in class org.wso2.carbon.identity.oauth2.dao.SQLQueries is wrong.

----- Solution -----

Fix the query to:

PS.: Fix is in bold text

SELECT ACCESS_TOKEN,
AUTHZ_USER,
ACCESS_TOKEN_SELECTED.TENANT_ID,
USER_DOMAIN,
TOKEN_SCOPE,
TOKEN_STATE,
REFRESH_TOKEN_TIME_CREATED,
REFRESH_TOKEN_VALIDITY_PERIOD,
ACCESS_TOKEN_SELECTED.TOKEN_ID,
GRANT_TYPE,
SUBJECT_IDENTIFIER
FROM
(SELECT ACCESS_TOKEN,
AUTHZ_USER,
TOKEN_STATE,
REFRESH_TOKEN_TIME_CREATED,
REFRESH_TOKEN_VALIDITY_PERIOD,
TOKEN_ID,
GRANT_TYPE,
SUBJECT_IDENTIFIER,
TENANT_ID,
USER_DOMAIN
FROM $accessTokenStoreTable
WHERE CONSUMER_KEY_ID =
(SELECT ID
FROM IDN_OAUTH_CONSUMER_APPS
WHERE CONSUMER_KEY = ?)
AND REFRESH_TOKEN = ?
ORDER BY TIME_CREATED DESC FETCH FIRST 1 ROWS ONLY) ACCESS_TOKEN_SELECTED
LEFT JOIN IDN_OAUTH2_ACCESS_TOKEN_SCOPE ON ACCESS_TOKEN_SELECTED.TOKEN_ID = IDN_OAUTH2_ACCESS_TOKEN_SCOPE.TOKEN_ID

SQLSyntaxErrorException from OpenID-Connect component when using the Oracle database environment ( ORA-00933: SQL command not properly ended )

Description:
The OpenID-Connect component failed to execute the insert query that stores data in the IDN_OIDC_REQ_OBJECT_REFERENCE table, even though the passed values are valid and the query can be executed from the SQL*Plus interface.
The error log is shown below.

[2018-08-02 09:39:41,210] ERROR {org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeDAOImpl} - Error when storing the request object reference
java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:1044)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1329)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3584)
at oracle.jdbc.driver.OraclePreparedStatement.execute(OraclePreparedStatement.java:3685)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.execute(OraclePreparedStatementWrapper.java:1376)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
at com.sun.proxy.$Proxy20.execute(Unknown Source)
at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectData(RequestObjectDAOImpl.java:80)
at org.wso2.carbon.identity.openidconnect.RequestObjectService.addRequestObject(RequestObjectService.java:53)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.persistRequestObject(OAuth2AuthzEndpoint.java:1106)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleRequestObject(OAuth2AuthzEndpoint.java:1392)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOIDCRequestObject(OAuth2AuthzEndpoint.java:1360)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.populateOauthParameters(OAuth2AuthzEndpoint.java:1309)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOAuthAuthorizationRequest(OAuth2AuthzEndpoint.java:1073)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleInitialAuthorizationRequest(OAuth2AuthzEndpoint.java:702)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)

[2018-08-02 09:39:41,219] ERROR {org.wso2.carbon.identity.openidconnect.RequestObjectService} - Error while persisting the Request Object against sessionDataKey: 8a612242-cc88-4671-80c0-597793c45f6b
org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error when storing the request object reference
at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectData(RequestObjectDAOImpl.java:102)
at org.wso2.carbon.identity.openidconnect.RequestObjectService.addRequestObject(RequestObjectService.java:53)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.persistRequestObject(OAuth2AuthzEndpoint.java:1106)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleRequestObject(OAuth2AuthzEndpoint.java:1392)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOIDCRequestObject(OAuth2AuthzEndpoint.java:1360)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.populateOauthParameters(OAuth2AuthzEndpoint.java:1309)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOAuthAuthorizationRequest(OAuth2AuthzEndpoint.java:1073)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleInitialAuthorizationRequest(OAuth2AuthzEndpoint.java:702)
at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:199)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:748)
Caused by: java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended

at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:445)
at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:396)
at oracle.jdbc.driver.T4C8Oall.processError(T4C8Oall.java:879)
at oracle.jdbc.driver.T4CTTIfun.receive(T4CTTIfun.java:450)
at oracle.jdbc.driver.T4CTTIfun.doRPC(T4CTTIfun.java:192)
at oracle.jdbc.driver.T4C8Oall.doOALL(T4C8Oall.java:531)
at oracle.jdbc.driver.T4CPreparedStatement.doOall8(T4CPreparedStatement.java:207)
at oracle.jdbc.driver.T4CPreparedStatement.executeForRows(T4CPreparedStatement.java:1044)
at oracle.jdbc.driver.OracleStatement.doExecuteWithTimeout(OracleStatement.java:1329)
at oracle.jdbc.driver.OraclePreparedStatement.executeInternal(OraclePreparedStatement.java:3584)
at oracle.jdbc.driver.OraclePreparedStatement.execute(OraclePreparedStatement.java:3685)
at oracle.jdbc.driver.OraclePreparedStatementWrapper.execute(OraclePreparedStatementWrapper.java:1376)
at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
at java.lang.reflect.Method.invoke(Method.java:498)
at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
at com.sun.proxy.$Proxy20.execute(Unknown Source)
at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectData(RequestObjectDAOImpl.java:80)
... 68 more

Suggested Labels:
bug

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

DefaultTokenBuilder does not add "at_hash" field to the ID token claims

Description:
When an access token is requested, the given response with id token does not contain the "at_hash" property.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
IS 5.5.6-rc3

OS, DB, other environment details and versions:

Steps to reproduce:
Setup a service provider with Oauth/OpenID Connect configuration.

Send a request with password grant type.

Related Issues:
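
The at_hash claim that this issue reports missing is defined in OpenID Connect Core 1.0, section 3.3.2.11: hash the ASCII bytes of the access token with the hash function that underlies the ID token's signing algorithm (SHA-256 for RS256), keep the left-most half of the digest, and base64url-encode it without padding. The class below is an added example, not code from identity-inbound-auth-oauth, showing how a token builder would compute the claim and how a relying party verifies it; the class name, method names and the sample access token are constructed for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.util.Arrays;
import java.util.Base64;

/**
 * Computes and verifies the OIDC "at_hash" claim (OpenID Connect Core 1.0,
 * section 3.3.2.11). Example code, not part of the WSO2 token builder.
 */
public final class AtHash {

    private AtHash() { }

    /** Maps a JWS alg to the digest used for at_hash; only the SHA-2 family is handled here. */
    static String digestFor(String jwsAlg) {
        switch (jwsAlg) {
            case "RS256": case "ES256": case "PS256": case "HS256": return "SHA-256";
            case "RS384": case "ES384": case "PS384": case "HS384": return "SHA-384";
            case "RS512": case "ES512": case "PS512": case "HS512": return "SHA-512";
            default: throw new IllegalArgumentException("unsupported alg: " + jwsAlg);
        }
    }

    /** Left-most half of the digest of the token's ASCII bytes, base64url without padding. */
    public static String compute(String accessToken, String jwsAlg) {
        try {
            MessageDigest md = MessageDigest.getInstance(digestFor(jwsAlg));
            byte[] digest = md.digest(accessToken.getBytes(StandardCharsets.US_ASCII));
            byte[] leftHalf = Arrays.copyOf(digest, digest.length / 2);
            return Base64.getUrlEncoder().withoutPadding().encodeToString(leftHalf);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Relying-party side: recompute and compare in constant time. A missing
     * at_hash is treated as a failure so a token/ID-token mismatch is never
     * silently accepted.
     */
    public static boolean verify(String accessToken, String jwsAlg, String claimedAtHash) {
        if (claimedAtHash == null) {
            return false;
        }
        return MessageDigest.isEqual(
                compute(accessToken, jwsAlg).getBytes(StandardCharsets.US_ASCII),
                claimedAtHash.getBytes(StandardCharsets.US_ASCII));
    }

    public static void main(String[] args) {
        // Constructed sample token value; not a real issued token.
        String accessToken = "sample-access-token-value-for-at-hash-demo";
        String atHash = compute(accessToken, "RS256");
        System.out.println("at_hash   = " + atHash);
        System.out.println("verify ok = " + verify(accessToken, "RS256", atHash));
        System.out.println("tampered  = " + verify(accessToken + "x", "RS256", atHash));
    }
}
```

The digest choice follows the ID token's alg header, so a relying party must read that header first and reject algorithms it does not expect; the at_hash check only binds the access token to an ID token whose signature has already been validated.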

Make consent valid for login session in OIDC

Description:
Currently when we provide consent as 'approve' from the dialog box it maintains the consent per request not for sessions. This limitation impacts OIDC session management as well. Because, to get session management to work, either consent should be skipped or should be approved always by the user. So we should introduce a configuration to support user consents per login sessions as well.

Steps to reproduce:

  1. Configure IS server with playground app
  2. Send an authorization request using authorization code grant type
  3. For the consent provide 'approve' from the dialogue box.
  4. In the same user session again invoke authorization EP using the same grant.
  5. It will ask for the consent again.
    We need to have a way to configure consent per user login session.

Import packages missing in org.wso2.carbon.identity.oauth.common jar

Description:

The missing package javax.servlet.http has caused the following error when using the OpenID Connect Implicit Client flow. Apart from javax.servlet.http, there might be other packages that need to be imported as well.

java.lang.ClassNotFoundException: javax.servlet.http.HttpServletRequest cannot be found by org.wso2.carbon.identity.oauth.common_5.3.4
	org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:501)
	org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:421)
	org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:412)
	org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader.loadClass(DefaultClassLoader.java:107)
	java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	org.wso2.carbon.identity.oauth.common.IDTokenResponseValidator.validateMethod(IDTokenResponseValidator.java:58)
	org.apache.oltu.oauth2.as.request.OAuthRequest.validate(OAuthRequest.java:61)
	org.apache.oltu.oauth2.as.request.OAuthRequest.<init>(OAuthRequest.java:52)
	org.apache.oltu.oauth2.as.request.OAuthAuthzRequest.<init>(OAuthAuthzRequest.java:43)
	org.wso2.carbon.identity.oauth2.model.CarbonOAuthAuthzRequest.<init>(CarbonOAuthAuthzRequest.java:38)
	org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOAuthAuthorizationRequest(OAuth2AuthzEndpoint.java:774)
	org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:241)
	sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	java.lang.reflect.Method.invoke(Method.java:498)
	org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
	org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
	org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
	org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
	org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
	org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
	org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
	org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
	org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
	org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
	org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
	org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
	org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
	javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
	org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
	org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)

Issue in AbstractAuthorizationGrantHandler

Description:

Hi there,

I'm trying to follow https://docs.wso2.com/display/AM210/Securing+OAuth+Token+with+HMAC+Validation and am encountering an error when trying to use https://github.com/lahirus/oauth-hmac-extension/blob/master/src/main/java/com/sample/lahiru/wso2/hmac/oauth/OAuthHMACTokenIssuer.java as an alternative token generator.

When the sample OAuthHMACTokenIssuer calls

 public String accessToken(OAuthTokenReqMessageContext tokReqMsgCtx)

the validity period in the tokReqMsgCtx is always -1. I believe this is due to the code https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/token/handlers/grant/AbstractAuthorizationGrantHandler.java#L272

AccessTokenDO newTokenBean = createNewTokenBean(tokReqMsgCtx, oAuthAppBean, existingTokenBean, timestamp,
                validityPeriodInMillis);
setDetailsToMessageContext(tokReqMsgCtx, validityPeriodInMillis, newTokenBean, timestamp);

Here createNewTokenBean has a tokReqMsgCtx with default values (e.g. validityPeriod has not been set yet). Since the validity period is -1, the enhanced token (with expiry timestamp and HMAC field) always fails validation.

I think the solution is to change the order of the calls above so that tokReqMsgCtx has all the details needed to create the access token (with the correct timestamp field).

P.S. The OAuthHMACTokenIssuer sample works fine in the 'implicit grant' case (since it doesn't use the AbstractAuthorizationGrantHandler class) - only the 'authorization code grant' case seems broken.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Possible ArrayIndexOutOfBoundsException

The following code [1] could lead to an ArrayIndexOutOfBoundsException if we pass requestBody as "access_token=&", because then arrAccessToken[1] will be just "&" and "&".split("&") will return an empty array.

if (requestBody.contains("access_token=")) {
    arrAccessToken = requestBody.trim().split("access_token=");
    if (arrAccessToken[1].contains("&")) {
        // "&".split("&") drops the trailing empty strings and returns an empty array
        arrAccessTokenNew = arrAccessToken[1].split("&");
        return arrAccessTokenNew[0];   // ArrayIndexOutOfBoundsException for "access_token=&"
    }
}

Suggested solution is to use arrAccessToken[1].split("&", 2). This will avoid ArrayIndexOutOfBoundsException by returning a two element array always.

PS: arrAccessToken[1].split("&", 1) will not work because it always returns the unsplit string in a single-element array.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.endpoint/src/main/java/org/wso2/carbon/identity/oauth/endpoint/user/impl/UserInforRequestDefaultValidator.java#L75
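As an added example (not the project's code), the class below puts the fragment quoted in this issue beside the suggested split("&", 2) fix and a stricter key/value walk, and runs all three on constructed request bodies, including the "access_token=&" case. The class and method names are mine; the issue does not show what the original method returns when the value contains no "&", so the completion returning arrAccessToken[1] is an assumption made for this example.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

/** Example only; not the UserInforRequestDefaultValidator class itself. */
public final class AccessTokenBodyParser {

    private AccessTokenBodyParser() { }

    // The logic quoted in the issue. String.split(regex) drops trailing empty
    // strings, so "&".split("&") is an empty array and [0] throws. The branch
    // taken when there is no '&' is not shown in the issue; returning
    // arrAccessToken[1] there is an assumption made for this example.
    public static String extractOriginal(String requestBody) {
        if (requestBody.contains("access_token=")) {
            String[] arrAccessToken = requestBody.trim().split("access_token=");
            // for a bare "access_token=" the split yields [] and this line already throws
            if (arrAccessToken[1].contains("&")) {
                String[] arrAccessTokenNew = arrAccessToken[1].split("&");
                return arrAccessTokenNew[0];     // throws for "access_token=&"
            }
            return arrAccessToken[1];            // assumed completion
        }
        return null;
    }

    // The issue's suggested fix: with a positive limit, split keeps trailing
    // empty strings, so "&".split("&", 2) is ["", ""] and [0] is safe.
    public static String extractWithLimit(String requestBody) {
        if (!requestBody.contains("access_token=")) {
            return null;
        }
        String[] arrAccessToken = requestBody.trim().split("access_token=", 2);
        return arrAccessToken[1].split("&", 2)[0];
    }

    // A stricter alternative (mine, not the project's): walk the form pairs so
    // that only the exact key "access_token" matches (the contains() check above
    // also matches keys such as "my_access_token"), and percent-decode the value.
    public static String extractByPairs(String requestBody) {
        for (String pair : requestBody.split("&")) {
            int eq = pair.indexOf('=');
            String key = eq < 0 ? pair : pair.substring(0, eq);
            if ("access_token".equals(key)) {
                String value = eq < 0 ? "" : pair.substring(eq + 1);
                return URLDecoder.decode(value, StandardCharsets.UTF_8);
            }
        }
        return null;
    }

    public static void main(String[] args) {
        // Constructed request bodies, including the crash case from the issue.
        String[] samples = {
            "access_token=abc123&scope=openid",
            "access_token=abc123",
            "access_token=&",
            "access_token=",
            "my_access_token=zzz&access_token=abc123"
        };
        for (String body : samples) {
            String original;
            try {
                original = extractOriginal(body);
            } catch (ArrayIndexOutOfBoundsException e) {
                original = "<ArrayIndexOutOfBoundsException>";
            }
            System.out.printf("%-42s original=%s limit=%s pairs=%s%n",
                    '"' + body + '"', original, extractWithLimit(body), extractByPairs(body));
        }
    }
}
```

The last sample shows why the limit fix alone is not the end of the story: both split-based variants match the substring "access_token=" inside another parameter name and return the wrong value, whereas walking the pairs matches only the exact key. An empty token value, which the original crashed on, is returned as "" by both fixed versions and should then be rejected by the caller like any other invalid token.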

Updated federated user claims are not reflected in the ID token in authorization code grant

Description:

  1. Updated user attributes are not cached against the access token
     • In the federated scenario, if the claims have been updated, they are properly reflected in the AuthorizationGrantCache against the authorization code.
     • But when caching the user attributes against the access token in the AuthorizationGrantCache, if the access token already exists, we do not consider the attributes saved against the authorization code.
     • So if the previously issued access token has not been invalidated in the cache, the updated user claims are not added to the cache.
     • We need to consider the entry against the authorization code when caching.
  2. Updated user attributes are not reflected in the ID token
     • User attributes are added to the AuthorizationGrantCache against the access token after generating the ID token.
     • When generating the ID token, we get the user attributes from the AuthorizationGrantCache entry stored against the access token.
     • So if the previously issued access token is not invalidated in the cache, every time we issue an ID token it carries a stale set of user claims in which the updated claims are not reflected.
     • We need to add the user attributes to the AuthorizationGrantCache against the access token before generating the ID token.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
5.2.0, 5.3.0, 5.4.0

OS, DB, other environment details and versions:

Steps to reproduce:
playground app(OIDC) -> IS -> IS(SAML)

Related Issues:

Add support for setting the refresh token expiry time from token request msg context

Description:
Currently, the refresh token validity period can only be configured using the identity.xml configuration or using the service provider configuration. However, we need to provide support for setting the refresh token validity period from the token request message context also as any custom grant handlers that extends the default grant handlers should have the ability to change the refresh token validity period.

Synchronized block in AbstractAuthorizationGrantHandler causes DB connection issue

Description:
There is a synchronized block in AbstractAuthorizationGrantHandler:

public OAuth2AccessTokenRespDTO issue(OAuthTokenReqMessageContext tokReqMsgCtx) throws IdentityOAuth2Exception {
    ...
    synchronized ((consumerKey + ":" + authorizedUser + ":" + scope).intern()) {
        ...
        dbCalls()
        ...
    }
}

This causes long-running DB queries to time out all other similar calls, with ThreadDeath.
We need to improve this synchronization to handle it at the DB level, as the synchronization does not help in a cluster/multi-node scenario.

Running unit tests through IntelliJ Idea gives out an error

Description:
When individual unit tests are attempted to be run using the IntelliJ Idea, an erroneous output is given.
[Screenshot of the IntelliJ error output, taken 2020-04-15]

OS, DB, other environment details and versions:
IntelliJ Idea version - 2020.1

Steps to reproduce:
Go to a unit test and click on the run button (green arrow to the right side of the test signature). The test will start running and produce the error in the issue description.

SimpleHTTPRequest tightly coupled to Tomcat Classes

This causes the javadoc plugin to fail when the transitive Tomcat jars are missing. As a temporary fix, we have added the transitive dependency below:

<dependency>
    <groupId>org.apache.tomcat</groupId>
    <artifactId>tomcat-coyote</artifactId>
    <version>7.0.69</version>
</dependency>

Ideally, we should refactor this class and get rid of this dependency.

Form_post error response only redirects

Description:
When an error occurs in response_mode=form_post, only a redirection with error attributes happens. But the OIDC Certification test suite expects a form post to occur.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

  1. Startup IS
  2. Open a new incognito tab (clear cache)
  3. Send an authorization request with prompt=none and response_type=form_post
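What a form_post error response looks like when rendered as the self-submitting HTML form the response mode calls for, added here as an example and not taken from the project's authorize endpoint. It assumes the caller has already validated the redirect URI against the client's registered URIs; the sample values in main() are constructed, and the error code login_required matches the prompt=none case from the steps above.

```java
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Renders an OAuth 2.0 error as a self-submitting HTML form for
 * response_mode=form_post, instead of a 302 redirect with the error in the
 * query string. Constructed example, not the project's authorize endpoint.
 */
public final class FormPostErrorResponse {

    private FormPostErrorResponse() { }

    /** Minimal HTML escaping so client-controlled values cannot break out of an attribute. */
    public static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /**
     * Builds the form_post error page. redirectUri MUST already have been
     * validated against the client's registered redirect URIs by the caller;
     * escaping only prevents markup injection, not delivery to a wrong destination.
     */
    public static String build(String redirectUri, String error, String errorDescription, String state) {
        if (redirectUri == null || error == null) {
            throw new IllegalArgumentException("redirect URI and error code are required");
        }
        Map<String, String> params = new LinkedHashMap<>();
        params.put("error", error);
        if (errorDescription != null) {
            params.put("error_description", errorDescription);
        }
        if (state != null) {              // echo state exactly as received (RFC 6749 4.1.2.1)
            params.put("state", state);
        }
        StringBuilder html = new StringBuilder(512);
        html.append("<!DOCTYPE html><html><head><meta charset=\"utf-8\"><title>Submit this form</title></head>")
            .append("<body onload=\"document.forms[0].submit()\">")
            .append("<form method=\"post\" action=\"").append(escapeHtml(redirectUri)).append("\">");
        for (Map.Entry<String, String> p : params.entrySet()) {
            html.append("<input type=\"hidden\" name=\"").append(escapeHtml(p.getKey()))
                .append("\" value=\"").append(escapeHtml(p.getValue())).append("\"/>");
        }
        html.append("<noscript><button type=\"submit\">Continue</button></noscript>")
            .append("</form></body></html>");
        return html.toString();
    }

    public static void main(String[] args) {
        // Constructed sample values; the state carries quote and angle characters to show the escaping.
        System.out.println(build("https://client.example/cb", "login_required",
                "Authentication required but prompt=none was requested", "xyz\"<>"));
    }
}
```

The page is served with Content-Type text/html and Cache-Control: no-store, the same as a success response in this mode, and the error parameters end up in the POST body rather than in a URL that browsers log and leak through Referer.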

Related Issues:

Updating the well-known-configuration does not work.

Description:
The well-known-configuration does not get updated with the changes made via the carbon UI or by directly editing the XML files (eg: oidc-scope-config.xml). In 5.7.0 the registry has been removed and the values are being read from the DB. But the getOIDCScopes method in the OAuth2Util class is not properly updated to facilitate this change.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
IS 5.7.0

OS, DB, other environment details and versions:

Steps to reproduce:

  1. Start the IS server.
  2. Check the well-known-config.
  3. Log in to the IS Management Console.
  4. Add a new scope or a new claim under OIDC Scope and Claims respectively.

(Step 5 can be done by directly editing the relevant XML files as well,
To change the scopes shown: edit repository/conf/identity/oidc-scope-config.xml
To change claims: edit repository/conf/claim-config.xml
To change response types: repository/conf/identity/identity.xml)

  5. Check the well-known-config.
  6. It will still show the old values.

Related Issues:

OIDC Discovery Endpoint does not return correct supported authentication methods

Description:
OpenID configurations retrieved through the discovery endpoint [1] do not return the correct supported authentication mechanisms. They are hardcoded in [2].

"token_endpoint_auth_methods_supported": [
    "client_secret_basic",
    "client_secret_post"
],

[1] curl -v -k --user admin:admin https://localhost:9446/oauth2/oidcdiscovery/.well-known/openid-configuration
[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/util/OAuth2Util.java#L2544

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

TokenManagementDAOImpl.findTenantAndScopeOfResource() method does not support the Oracle database

Description:
Hi,

The following error is thrown in APIM when Oracle is used as the database

org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error getting scopes for resource - /pizzashack/1.0.0/1.0.0/menu:GET
	at org.wso2.carbon.identity.oauth2.dao.TokenManagementDAOImpl.findTenantAndScopeOfResource(TokenManagementDAOImpl.java:225)
	at org.wso2.carbon.identity.oauth2.validators.JDBCScopeValidator.validateScope(JDBCScopeValidator.java:98)
	at org.wso2.carbon.apimgt.keymgt.handlers.DefaultKeyValidationHandler.validateScopes(DefaultKeyValidationHandler.java:177)
	at org.wso2.carbon.apimgt.keymgt.service.APIKeyValidationService.validateKey(APIKeyValidationService.java:184)
	at org.wso2.carbon.apimgt.keymgt.service.thrift.APIKeyValidationServiceImpl.validateKey(APIKeyValidationServiceImpl.java:132)
	at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:352)
	at org.wso2.carbon.apimgt.impl.generated.thrift.APIKeyValidationService$Processor$validateKey.getResult(APIKeyValidationService.java:340)
	at org.apache.thrift.ProcessFunction.process(ProcessFunction.java:32)
	at org.apache.thrift.TBaseProcessor.process(TBaseProcessor.java:34)
	at org.apache.thrift.server.TThreadPoolServer$WorkerProcess.run(TThreadPoolServer.java:176)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)
Caused by: java.sql.SQLSyntaxErrorException: ORA-00933: SQL command not properly ended

	at oracle.jdbc.driver.T4CTTIoer.processError(T4CTTIoer.java:450)

SQL script in https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/main/java/org/wso2/carbon/identity/oauth2/dao/TokenManagementDAOImpl.java#L206 needs to support other database types.

For example, for ORACLE, it needs to be
SELECT Scopes.NAME, Scopes.TENANT_ID FROM IDN_OAUTH2_SCOPE Scopes, IDN_OAUTH2_RESOURCE_SCOPE ScopeResources WHERE RESOURCE_PATH = ? AND ScopeResources.SCOPE_ID = Scopes.SCOPE_ID

Please check for other databases as well

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

OIDC property specific functions are used to handle generic Service Provider properties

Description:
Currently, the IDN_OIDC_PROPERTY table is used to persist the OIDC specific properties of a service provider app. However, this table can be (and is) used to store the generic app configs as well. The existing OIDC specific functions can be used in dealing with those generic configs as well. But the naming suggests that these methods only cater to the OIDC properties. It would be better to change the names to a generic form in order to avoid any confusion.

Discussion:
#1351 (comment)

Related Issues:
#1351

NullPointerException on calling User Info Endpoint

Upon successful login via OpenID Connect, the service provider successfully retrieves the claims from the user info endpoint. After updating the user profile or updating the Service Provider Configuration in WSO2 IS, I encountered the exception below. Upon quick inspection, the code segment and the exception imply that the cache entry is nullified because of the said actions on the UI, and since the code that triggered this doesn't handle a null cache entry, it causes a NullPointerException in this code.

Code origin of error:

Exception encountered:

Caused by: java.lang.NullPointerException
	at org.wso2.carbon.identity.openidconnect.AbstractUserInfoResponseBuilder.getRequestObject(AbstractUserInfoResponseBuilder.java:298)
	at org.wso2.carbon.identity.openidconnect.AbstractUserInfoResponseBuilder.getResponseString(AbstractUserInfoResponseBuilder.java:82)
	at org.wso2.carbon.identity.oauth.endpoint.user.OpenIDConnectUserEndpoint.getUserClaims(OpenIDConnectUserEndpoint.java:80)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:497)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)

OSGI bundle issue for OIDC logout

Description:

Hi there, I just wanted to report an OSGI bundling issue in the org.wso2.carbon.identity.oidc.session component.

The error is

TID: [-1234] [] [2018-05-23 21:57:40,668] ERROR {org.apache.catalina.core.StandardWrapperValve} -  Servlet.service() for servlet [bridgeservlet] in context with path [/] threw exception [Servlet execution threw an exception] with root cause
java.lang.ClassNotFoundException: org.apache.commons.collections.MapUtils cannot be found by org.wso2.carbon.identity.oidc.session_5.6.63
        at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:501)
        at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:421)
        at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:412)
        at org.eclipse.osgi.internal.baseadaptor.DefaultClassLoader.loadClass(DefaultClassLoader.java:107)

This has actually been reported in https://wso2.org/jira/browse/IDENTITY-7359 but I'm not sure how to get an account in that Jira to comment there.

The fix (which works for me) is

diff --git a/components/org.wso2.carbon.identity.oidc.session/pom.xml b/components/org.wso2.carbon.identity.oidc.session/pom.xml
index bbb4b53..6ef4d6c 100644
--- a/components/org.wso2.carbon.identity.oidc.session/pom.xml
+++ b/components/org.wso2.carbon.identity.oidc.session/pom.xml
@@ -155,6 +155,7 @@
                             org.apache.commons.lang; version="${commons-lang.wso2.osgi.version.range}",
                             org.apache.commons.lang.text; version="${commons-lang.wso2.osgi.version.range}",
                             org.apache.commons.logging.*; version="${commons-logging.osgi.version.range}",
+                            org.apache.commons.collections; version="${commons-collections.wso2.osgi.version.range}",
                             org.apache.http.*,
 
                             com.nimbusds.jose.*; version="${nimbusds.osgi.version.range}",
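Review bot: the added Import-Package entry references `${commons-collections.wso2.osgi.version.range}`, which is not defined anywhere in this hunk; if that property is missing from the module or parent pom, the manifest carries the unresolved placeholder and the bundle still fails to resolve. Confirm the property exists (the neighbouring entries use `commons-lang.wso2.osgi.version.range` and `commons-logging.osgi.version.range`, so check which naming the parent actually uses) and that a bundle exporting `org.apache.commons.collections` is present in the runtime, since an Import-Package only declares the dependency, it does not supply it.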
@@ -261,4 +262,4 @@
         </plugins>
     </build>
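Review bot: the second hunk (`@@ -261,4 +262,4 @@`) shows only unchanged context lines, so nothing changes within the visible lines; if it is just a trailing-newline or whitespace difference at the end of the file, drop it from the patch so the change stays limited to the Import-Package fix.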

Suggested Labels:

Suggested Assignees:

Affected Product Version:
5.6.63 (probably others)

OS, DB, other environment details and versions:

Steps to reproduce:

Login via OIDC and then hit /oidc/logout on the WSO2 IS.

Related Issues:

OpenIdConnect CIBA [Client Initiated Back-channel Authentication] support for Identity Server.

Client-Initiated Back-channel Authentication [CIBA]

  • CIBA decouples the authentication process.
  • Supports an authentication request initiated by the client.
  • Authentication is initiated with or without the customer acting on consumption devices.
  • The customer authenticates & authorizes from authentication devices.

Sample flow:

[image: Screenshot from 2019-11-08 18-00-02]

Sequence flow :

[image: cibaSequence]

Design :

  • Design includes two main components
  1. Ciba Endpoint [responsible for authentication requests and responses]
  2. Ciba Module [supportive in the flow]

[image: cibaFlow]

1. Endpoint

  • PR #1210 is related to this.
  • The functionality of the endpoint is explained in the diagram below.

[image: cibaEndPointFlow]

2. Ciba Module

  • PR #1209 is related to this.
  • This module especially consists of
  1. responseTypeHandler
  2. grantHandler
  3. Utils
  4. DAO layer
  • New logic needs to be added to the grantHandler to handle polling for tokens.
    [image: cibaModulePolling]

Additional Changes required

  • In addition to the PRs sent for the purposes served, it is required to make additional changes in the identity-inbound-auth-oauth component.
    Changes are required to the modules below:
  1. ResponseTypeHandler [added 2 new methods : oauth module]
  2. AuthorizationHandlerManager [added 2 new methods : oauth module]
  3. OAuth2Service [added 2 new methods: oauth module]
  4. Authorize endpoint [added 2 new methods : endpoint module]

Reason for Change:

  • AuthorizationHandlerManager calls issue() method of responseTypeHandler when authentication is successful.
  • Similarly, when consent is denied or authentication fails, allowing AuthorizationHandlerManager to call the responseTypeHandler to do the database update [in addition to redirecting to the error page] is required for this feature.

PR : #1211

Support PS256 signing algorithm

Description:
PS256 is supported in Nimbus, but it has not been added to the WSO2 implementation. There is a requirement to support PS256 before March 2019.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Hybrid flow authorization request being passed without nonce

Description:
When you send an authorization request with the hybrid flow (response_type="code token" or "code id_token" or "code id_token token") without "nonce", the request gets accepted instead of generating an error.
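A request-validation check for this case, added as an example rather than taken from the project's authorize endpoint. It classifies response_type by its space-separated tokens (order is not significant) and requires nonce for the implicit and hybrid flows, where OIDC Core marks it REQUIRED; the Flow enum and the error strings are assumptions made for the example.

```java
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

/**
 * Enforces the OIDC rule that nonce is REQUIRED whenever an ID token or access
 * token is returned from the authorization endpoint (implicit and hybrid flows).
 * Constructed example; the Flow enum and error strings are assumptions.
 */
public final class NonceRequirement {

    private static final Set<String> KNOWN_RESPONSE_TYPES =
            new HashSet<>(Arrays.asList("code", "token", "id_token"));

    public enum Flow { AUTHORIZATION_CODE, IMPLICIT, HYBRID }

    private NonceRequirement() { }

    /** Classifies a response_type value; token order is irrelevant ("code id_token" == "id_token code"). */
    public static Flow classify(String responseType) {
        if (responseType == null || responseType.trim().isEmpty()) {
            throw new IllegalArgumentException("response_type is required");
        }
        Set<String> parts = new HashSet<>(Arrays.asList(responseType.trim().split("\\s+")));
        if (!KNOWN_RESPONSE_TYPES.containsAll(parts)) {
            throw new IllegalArgumentException("unsupported response_type: " + responseType);
        }
        boolean hasCode = parts.contains("code");
        if (hasCode && parts.size() == 1) {
            return Flow.AUTHORIZATION_CODE;
        }
        return hasCode ? Flow.HYBRID : Flow.IMPLICIT;
    }

    /** nonce is REQUIRED for the implicit flow (OIDC Core 3.2.2.1) and the hybrid flow (3.3.2.11). */
    public static boolean nonceRequired(String responseType) {
        return classify(responseType) != Flow.AUTHORIZATION_CODE;
    }

    /** Returns null when the request is acceptable, otherwise the OAuth error to send back. */
    public static String validate(String responseType, String nonce) {
        try {
            if (nonceRequired(responseType) && (nonce == null || nonce.trim().isEmpty())) {
                return "invalid_request: nonce is required for response_type=" + responseType;
            }
            return null;
        } catch (IllegalArgumentException e) {
            return "unsupported_response_type: " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Constructed inputs: the three hybrid combinations from the report, each without a nonce.
        for (String rt : new String[] {"code token", "code id_token", "code id_token token"}) {
            System.out.println(rt + " -> " + validate(rt, null));
        }
        System.out.println("code -> " + validate("code", null));          // null: nonce optional here
        System.out.println("id_token -> " + validate("id_token", "n-0S6_WzA2Mj")); // null: nonce present
    }
}
```

The same nonce value must later be copied into the id_token's nonce claim unchanged, so the client can bind the token to its own request; accepting a hybrid request without one removes that replay protection.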

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Signature Algorithms are hard coded in OAuth2Util.java

Description:

public static JWSAlgorithm mapSignatureAlgorithmForJWSAlgorithm(String signatureAlgorithm) throws IdentityOAuth2Exception { ... }

Signature algorithms used to sign JWT ID tokens are hard coded in this method with an if-else clause. Somewhere down the line, when we have to support a new algorithm, we'll have to add a patch to fix this. Instead, we can use the com.nimbusds.jose.JWSAlgorithm#parse method to parse algorithms.
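How the parse-based mapping suggested here can look, and how it also covers the PS256 request from the earlier issue on this page, as an added example and not the project's OAuth2Util code. It assumes an allow-list built from Nimbus's JWSAlgorithm.Family.RSA and JWSAlgorithm.Family.EC sets and a stand-in exception type in place of IdentityOAuth2Exception; parse() alone accepts any name, so the allow-list is what keeps a configuration typo or "none" from being signed with.

```java
import com.nimbusds.jose.Algorithm;
import com.nimbusds.jose.JWSAlgorithm;

import java.util.Collections;
import java.util.LinkedHashSet;
import java.util.Set;

/**
 * Maps a configured signature algorithm name to a Nimbus JWSAlgorithm with
 * JWSAlgorithm.parse instead of an if-else chain, then checks the result
 * against an explicit allow-list. Constructed example; the allow-list and the
 * exception type are assumptions, not the project's own code.
 */
public final class SignatureAlgorithmMapper {

    /** Algorithms this deployment is willing to sign ID tokens with (assumed list). */
    private static final Set<JWSAlgorithm> ALLOWED;

    static {
        Set<JWSAlgorithm> s = new LinkedHashSet<>();
        s.addAll(JWSAlgorithm.Family.RSA);   // RS256/384/512 and PS256/384/512
        s.addAll(JWSAlgorithm.Family.EC);    // ES256/384/512 (and ES256K in newer Nimbus releases)
        ALLOWED = Collections.unmodifiableSet(s);
    }

    /** Stand-in for IdentityOAuth2Exception (assumed). */
    public static final class UnsupportedSignatureAlgorithmException extends Exception {
        public UnsupportedSignatureAlgorithmException(String message) {
            super(message);
        }
    }

    private SignatureAlgorithmMapper() { }

    public static JWSAlgorithm mapSignatureAlgorithmForJWSAlgorithm(String signatureAlgorithm)
            throws UnsupportedSignatureAlgorithmException {
        if (signatureAlgorithm == null || signatureAlgorithm.trim().isEmpty()) {
            throw new UnsupportedSignatureAlgorithmException("Signature algorithm is not configured");
        }
        String name = signatureAlgorithm.trim();
        // "none" is a valid JWS algorithm name but must never be used for ID tokens.
        if (Algorithm.NONE.getName().equalsIgnoreCase(name)) {
            throw new UnsupportedSignatureAlgorithmException("Unsigned ID tokens are not allowed");
        }
        // parse() returns the matching constant (e.g. JWSAlgorithm.PS256) or a new
        // JWSAlgorithm carrying the given name when it is not a known constant.
        // Names are case-sensitive per RFC 7518, so "ps256" does not match PS256.
        JWSAlgorithm alg = JWSAlgorithm.parse(name);
        if (!ALLOWED.contains(alg)) {
            throw new UnsupportedSignatureAlgorithmException("Unsupported signature algorithm: " + name);
        }
        return alg;
    }

    public static void main(String[] args) throws Exception {
        System.out.println(mapSignatureAlgorithmForJWSAlgorithm("PS256")); // accepted without a code change
        for (String rejected : new String[] {"HS256", "none", "rs256"}) {
            try {
                mapSignatureAlgorithmForJWSAlgorithm(rejected);
            } catch (UnsupportedSignatureAlgorithmException e) {
                System.out.println(rejected + ": " + e.getMessage());
            }
        }
    }
}
```

Adding a new algorithm then means extending the allow-list (or the key material behind it), not patching a parser. HMAC algorithms are deliberately left out of the assumed list because an ID token signed with a shared secret cannot be verified by relying parties through the JWKS endpoint.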

Suggested Labels:
Type/Improvement

Suggested Assignees:
N/A

Affected Product Version:
All

OS, DB, other environment details and versions:
N/A

Steps to reproduce:
N/A

Related Issues:
N/A

Subject Claim is not updated in the id_token upon changing SP configurations

Description:

Steps to reproduce:

  1. Configure a new OAuth Service Provider (SP).
  2. Now enable the following configurations from the "Local & Outbound Authentication Configuration" section in the SP:
     (/) Use tenant domain in local subject identifier
     (/) Use user store domain in local subject identifier
  3. Test the corresponding client application of this SP with the authorization_code grant type.
     At this step I can see the sub claim of the id_token is retrieved in the /@ format.
  4. Now disable the configurations for appending the tenant domain and user store to the subject by unticking and saving the configs mentioned in step#2.
  5. Test the application with the authorization_code grant type for the same user used in step#3.
     Still the sub claim of the id_token is retrieved in the /@ format (ex: TEST/[email protected]). But the expected result is the plain username (ex: ayesha).
After troubleshooting, identified the cause for this as claims not getting properly reflected in the cache.

After cache timeout or upon token expiration sub claim get updated in the id_token as expected.

Identified the root cause for this is same as #779.

Suggested Labels:

Suggested Assignees:

Affected Product Version:

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

An SQL exception is thrown when calling the authorize endpoint: "The statement must be executed before any results can be obtained."

Description:
When calling the authorize endpoint, an SQL exception is thrown

Products Used
IS-KM-5.5.0
APIM2.2.0

Preconditions
1.Perform migration for ISKM from 530 to 540 to 550
2.Perform migration for APIM from 210 to 220
3.MSSQL Jar mssql-jdbc-6.4.0.jre8.jar


[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Executing OAuth client authenticators.
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Retrieving registered OAuth client authenticator list.
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} -  Client id and secret neither present as Authorization header nor as body params. Hence returning false
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  BasicOAuthClientCredAuthenticator authenticator cannot handle this request.
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator} -  Authenticate Requested with clientAssertionType : null
[2018-04-10 15:27:56,163] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} -  PrivateKeyJWTClientAuthenticator authenticator cannot handle this request.
[2018-04-10 15:27:56,236] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Validate Client information request for client_id : ZXJ7CyShFuKIZfmG6ZAlKkFnWska and callback_uri http://www.testuser.lk
[2018-04-10 15:27:56,252] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Registered App found for the given Client Id : ZXJ7CyShFuKIZfmG6ZAlKkFnWska ,App Name : testuser-AT-gmail.com_testuserap_PRODUCTION, Callback URL : http://www.testuser.lk
[2018-04-10 15:27:56,321] DEBUG {org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeDAOImpl} -  Successfully stored the Request Object reference: 9 for sessionDataKey: 466e775c-d617-4f5d-a757-5c4cb71dd602
[2018-04-10 15:27:56,325] ERROR {org.wso2.carbon.identity.oauth2.dao.AuthorizationCodeDAOImpl} -  Error when storing the request object claims.
com.microsoft.sqlserver.jdbc.SQLServerException: The statement must be executed before any results can be obtained.
	at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:228)
	at com.microsoft.sqlserver.jdbc.SQLServerStatement.getGeneratedKeys(SQLServerStatement.java:2121)
	at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
	at com.sun.proxy.$Proxy19.getGeneratedKeys(Unknown Source)
	at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectClaims(RequestObjectDAOImpl.java:188)
	at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectData(RequestObjectDAOImpl.java:91)
	at org.wso2.carbon.identity.openidconnect.RequestObjectService.addRequestObject(RequestObjectService.java:53)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.persistRequestObject(OAuth2AuthzEndpoint.java:1101)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleRequestObject(OAuth2AuthzEndpoint.java:1386)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOIDCRequestObject(OAuth2AuthzEndpoint.java:1354)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.populateOauthParameters(OAuth2AuthzEndpoint.java:1303)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOAuthAuthorizationRequest(OAuth2AuthzEndpoint.java:1068)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleInitialAuthorizationRequest(OAuth2AuthzEndpoint.java:699)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:198)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
	at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
	at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
[2018-04-10 15:27:56,332] ERROR {org.wso2.carbon.identity.openidconnect.RequestObjectService} -  Error while persisting the Request Object against sessionDataKey: 466e775c-d617-4f5d-a757-5c4cb71dd602
org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error when storing the request object claims.
	at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectClaims(RequestObjectDAOImpl.java:209)
	at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectData(RequestObjectDAOImpl.java:91)
	at org.wso2.carbon.identity.openidconnect.RequestObjectService.addRequestObject(RequestObjectService.java:53)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.persistRequestObject(OAuth2AuthzEndpoint.java:1101)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleRequestObject(OAuth2AuthzEndpoint.java:1386)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOIDCRequestObject(OAuth2AuthzEndpoint.java:1354)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.populateOauthParameters(OAuth2AuthzEndpoint.java:1303)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleOAuthAuthorizationRequest(OAuth2AuthzEndpoint.java:1068)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.handleInitialAuthorizationRequest(OAuth2AuthzEndpoint.java:699)
	at org.wso2.carbon.identity.oauth.endpoint.authz.OAuth2AuthzEndpoint.authorize(OAuth2AuthzEndpoint.java:198)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:188)
	at org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:104)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:204)
	at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:101)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:58)
	at org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:94)
	at org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:272)
	at org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
	at org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:249)
	at org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:248)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:222)
	at org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:153)
	at org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:171)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:289)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.doGet(AbstractHTTPServlet.java:214)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
	at org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:265)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.webapp.mgt.filter.AuthorizationHeaderFilter.doFilter(AuthorizationHeaderFilter.java:85)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.ui.filters.cache.ContentTypeBasedCachePreventionFilter.doFilter(ContentTypeBasedCachePreventionFilter.java:53)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:219)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:80)
	at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
	at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
	at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
	at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1775)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1734)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:748)
Caused by: com.microsoft.sqlserver.jdbc.SQLServerException: The statement must be executed before any results can be obtained.
	at com.microsoft.sqlserver.jdbc.SQLServerException.makeFromDriverError(SQLServerException.java:228)
	at com.microsoft.sqlserver.jdbc.SQLServerStatement.getGeneratedKeys(SQLServerStatement.java:2121)
	at sun.reflect.GeneratedMethodAccessor103.invoke(Unknown Source)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.apache.tomcat.jdbc.pool.StatementFacade$StatementProxy.invoke(StatementFacade.java:114)
	at com.sun.proxy.$Proxy19.getGeneratedKeys(Unknown Source)
	at org.wso2.carbon.identity.openidconnect.dao.RequestObjectDAOImpl.insertRequestObjectClaims(RequestObjectDAOImpl.java:188)
	... 69 more


OIDC Scopes menus are being displayed even without any permissions

Description:
The https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/v6.0.53/components/org.wso2.carbon.identity.oauth.ui/src/main/resources/META-INF/component.xml is causing the issue because the required permissions are not included in the file. This causes the OIDC Scopes menus to be displayed even without any permissions. Please note that API Manager 2.6.0 is using the org.wso2.carbon.identity.oauth.ui_6.0.53.jar, which is given by the v6.0.53 tag of the https://github.com/wso2-extensions/identity-inbound-auth-oauth repository.

Suggested Labels:
N/A

Suggested Assignees:
N/A

Affected Product Version:
wso2am-2.6.0

OS, DB, other environment details and versions:
N/A

Steps to reproduce:

  1. Create a role only with the login permission
  2. Assign the role to a user
  3. Log in to the Carbon Management Console with that user
  4. OIDC Scopes menus can be seen in the carbon console

Related Issues:
N/A

Remove unique key constraint of scopes

Description:

When multiple versions of the same resource need to use the same scope, it needs to be duplicated to avoid changes on one affecting the other. So this [1] constraint should be removed. When issuing tokens, the Scope Issuer can decide how to deal with duplicate scopes.

[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/5.6.x/components/org.wso2.carbon.identity.oauth/src/test/resources/dbScripts/scope.sql#L79

Suggested Labels:

Priority/High

Affected Product Version:
IS 5.5.0

Related Issues:
wso2/product-apim#2978

JWTTokenIssuer does not work correctly with aliases

Once I enabled the JWTTokenIssuer in identity.xml, the tokens get generated as JWT tokens, but even with PersistAccessTokenAlias set to true, they are always stored in the database as the access token itself rather than the alias.

This is a problem since, for OpenID validation, libraries touching the userinfo endpoint will fail: during validation the query uses the jti component to query the table, as shown below, while the table has the full JWT token.

SELECT CONSUMER_KEY, AUTHZ_USER, ACCESS_TOKEN_TABLE.TENANT_ID, USER_DOMAIN, TOKEN_SCOPE, TIME_CREATED,
REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD, USER_TYPE, REFRESH_TOKEN,
ACCESS_TOKEN_TABLE.TOKEN_ID, GRANT_TYPE, SUBJECT_IDENTIFIER FROM (SELECT TOKEN_ID, CONSUMER_KEY,
AUTHZ_USER, IDN_OAUTH2_ACCESS_TOKEN.TENANT_ID AS TENANT_ID, IDN_OAUTH2_ACCESS_TOKEN.USER_DOMAIN
AS USER_DOMAIN,TIME_CREATED,REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD,
USER_TYPE, REFRESH_TOKEN, IDN_OAUTH2_ACCESS_TOKEN.GRANT_TYPE AS GRANT_TYPE,SUBJECT_IDENTIFIER
FROM (SELECT * FROM IDN_OAUTH2_ACCESS_TOKEN WHERE ACCESS_TOKEN='4fbba8b7-95a6-4b49-a0ab-01092baa484f'
AND TOKEN_STATE='ACTIVE') IDN_OAUTH2_ACCESS_TOKEN JOIN IDN_OAUTH_CONSUMER_APPS ON CONSUMER_KEY_ID
= ID) ACCESS_TOKEN_TABLE LEFT JOIN IDN_OAUTH2_ACCESS_TOKEN_SCOPE ON ACCESS_TOKEN_TABLE.TOKEN_ID
= IDN_OAUTH2_ACCESS_TOKEN_SCOPE.TOKEN_ID

Bottom line, the issue is that with the JWTTokenIssuer IdentityOAuthTokenGenerator, regardless of the PersistAccessTokenAlias setting, the persistence is done with the full token rather than its alias.
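
The mismatch described in this report, as an added example that is not code from the project: the alias derived from a JWT (its jti claim) is what should be persisted and what the validation query keys on, so persisting the full JWT makes the jti lookup miss. The store, the helper names and the sample token are constructed assumptions.

```python
import base64
import json

# Added example, not project code: models the behaviour the report describes.
# With PersistAccessTokenAlias the ACCESS_TOKEN column should hold the JWT's
# jti (its alias), and the validation query keys on that same alias. The
# store, helper names and the sample JWT below are constructed here; the jti
# is read only after signature verification, which is out of scope.


def _b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))


def jwt_alias(token: str) -> str:
    """The alias persisted for a JWT access token is its jti claim."""
    _header, payload, _signature = token.split(".")
    return json.loads(_b64url_decode(payload))["jti"]


def persist_key(token: str, persist_alias: bool) -> str:
    """Value written to ACCESS_TOKEN: the jti when aliasing is on, otherwise
    the full JWT (what the report says happens regardless of the setting)."""
    return jwt_alias(token) if persist_alias else token


def lookup(store: dict, presented_token: str):
    """Validation path: query by jti, as in the SELECT quoted in the report."""
    return store.get(jwt_alias(presented_token))


def make_token(jti: str, subject: str = "alice") -> str:
    """Constructed, unsigned JWT used only as sample input for this example."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).decode().rstrip("=")
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc({'jti': jti, 'sub': subject})}."


if __name__ == "__main__":
    token = make_token("4fbba8b7-95a6-4b49-a0ab-01092baa484f")
    aliased = {persist_key(token, True): "row"}   # correct persistence
    full = {persist_key(token, False): "row"}     # reported behaviour
    print(lookup(aliased, token), lookup(full, token))  # row None
```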

Customized SQL Queries to encrypt externalId value

We are using Identity Server to store information about users and we are trying to encrypt the value of externalId at the database level, using the column encryption feature of PostgreSQL.

But to do so, we have to make WSO2IS understand how to encrypt and decrypt the value of externalId.

I have searched for a way to customize the queries and I have found this link: Configuring a JDBCUserStore Properties used in JDBC userstore manager, but this one does not seem to have queries about the externalId, or maybe that is because it's just a sample of the queries. Anyway, my search pointed me to this repository, as I think the externalId means this attribute EXTERNAL_CLAIM_ID inside this table IDN_OIDC_SCOPE_CLAIM_MAPPING, and according to this file SQLQueries.java it seems that all queries that contain EXTERNAL_CLAIM_ID need to be modified in order to make use of the column encryption feature.

  • Is this applicable by customizing through the JDBC User Properties only?
  • Or do we have to customize the code of this repository by making a fork and using it?
  • What else do we need to make this possible?
  • Is there a better way to do it?

Note: I don't want to encrypt the disk or the volume itself.

OAuth Scope validator names have to be configurable rather than showing the class name

Description:
In the UI of this implementation, currently we are showing only the class name of the registered validators. If there are two scope validators with the same class name registered in two different packages, then the UI will show mixed-up, duplicate values.

Suggested Labels:
Type/Improvement

Suggested Assignees:

Affected Product Version:
IS 5.5.0-alpha2

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

OAuth 2.0 fails with MySQL and maria-db-java-client-2.4.1.jar

Description:
WSO2 IS 5.7.25 raises the following error with a MySQL 5.7 database and maria-db-java-client.jar:
org.wso2.carbon.identity.oauth2.IdentityOAuth2Exception: Error occurred while trying to retrieve latest 'ACTIVE' access token for Client ID : awUI98s3ZZkn10bfW_VFcgu7eXga, User ID : ******, and Scope : read
	at org.wso2.carbon.identity.oauth2.dao.AccessTokenDAOImpl.getLatestAccessToken(AccessTokenDAOImpl.java:473)
...
Caused by: java.sql.SQLException: Every derived table must have its own alias
	at org.mariadb.jdbc.internal.protocol.AbstractQueryProtocol.readErrorPacket(AbstractQueryProtocol.java:1594)

Full stacktrace is added.
full-trace.txt

While configuring the secondary user store I faced the 'SSLException Unsupported record version Unknown-0.0' issue with the mysql JDBC driver (see https://stackoverflow.com/questions/48947926/jdbc-to-mysql-5-7-21-with-java-1-8-0-162-unsupported-record-version-unknown-0). I changed my driver jar to maria-db-java-client-2.4.1.jar as suggested. As stated here, MariaDB Connector/J is developed for use with MariaDB and MySQL database servers. Version compatibility seems satisfied.

I enabled the SQL trace logs for mariadb and investigated the issue, and found out that something is amiss with the query executed at line 395.

Here is the query causing the error:
SELECT * FROM (SELECT ACCESS_TOKEN, REFRESH_TOKEN, TIME_CREATED, REFRESH_TOKEN_TIME_CREATED, VALIDITY_PERIOD, REFRESH_TOKEN_VALIDITY_PERIOD,TOKEN_STATE, USER_TYPE, TOKEN_ID, SUBJECT_IDENTIFIER FROM IDN_OAUTH2_ACCESS_TOKEN WHERE CONSUMER_KEY_ID=(SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY = 'awUI98s3ZZkn10bfW_VFcgu7eXga') AND LOWER(AUTHZ_USER)='mahitaptokpinar' AND TENANT_ID=-1234 AND USER_DOMAIN='BOYKOT-USERSTORE' AND TOKEN_SCOPE_HASH='ecae13117d6f0584c25a9da6c8f8415e' AND TOKEN_STATE='ACTIVE' ORDER BY TIME_CREATED DESC) WHERE ROWNUM < 2

Regarding the MySQL query syntax, the inner SELECT statement has to have a table alias ('T' or 'T1', etc.).

As I dug in, I guess the code hits the 'else' statement at line 363, failing to detect the actual JDBC driver name. Thus, the query targets Oracle instead of MySQL, as the actual JDBC driver name returned is: MariaDB Connector/J

Affected Product Version:
WSO2 IS 5.7.25

OS, DB, other environment details and versions:
OS: CentOS 7.6
DB: MySQL 5.7

Steps to reproduce:

  1. Configure IDENTITY_DB to use MySQL 5.7 and add maria-db-java-client-2.4.1.jar to <PRODUCT_HOME>/repository/components/lib folder.
  2. Follow steps in: https://www.youtube.com/watch?v=xipHJSW93KI
  3. curl -v -X POST --basic -u $CLIENTID:$CLIENTSECRET -H "Content-Type: application/x-www-form-urlencoded;charset=UTF-8" -k -d "grant_type=password&username=$USERNAME&password=$PASSWORD&scope=$SCOPE" $TOKEN_EP
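
The dialect-detection failure described in this report, as an added example that is not the project's code: a detector that checks only the driver name misses MariaDB Connector/J and emits the Oracle-style query (unaliased derived table plus ROWNUM), while one that also reads the product name emits the aliased LIMIT form. The detector, the sample rows and the client key are assumptions, and sqlite is only a stand-in that runs the corrected form (it cannot reproduce the MySQL alias error).

```python
import sqlite3

# Added example, not project code: models the dialect selection the report
# describes. Matching only the driver name misses "MariaDB Connector/J" and
# falls through to the Oracle form, which MySQL rejects. Table and column
# names follow the report; detector, sample rows and client key are constructed.

INNER = (
    "SELECT ACCESS_TOKEN, TOKEN_STATE, TIME_CREATED FROM IDN_OAUTH2_ACCESS_TOKEN "
    "WHERE CONSUMER_KEY_ID=(SELECT ID FROM IDN_OAUTH_CONSUMER_APPS WHERE CONSUMER_KEY=?) "
    "AND TOKEN_STATE='ACTIVE' ORDER BY TIME_CREATED DESC"
)

def naive_is_mysql(driver_name: str) -> bool:
    """Driver-name-only check: false for MariaDB Connector/J talking to MySQL."""
    return "mysql" in driver_name.lower()

def is_mysql_family(driver_name: str, product_name: str) -> bool:
    """Check both JDBC metadata strings so MariaDB Connector/J selects the
    MySQL dialect whether it talks to MySQL or MariaDB."""
    names = f"{driver_name} {product_name}".lower()
    return "mysql" in names or "mariadb" in names

def latest_token_query(driver_name: str, product_name: str) -> str:
    if is_mysql_family(driver_name, product_name):
        # MySQL/MariaDB: the derived table gets an alias and LIMIT replaces ROWNUM.
        return f"SELECT * FROM ({INNER}) T ORDER BY T.TIME_CREATED DESC LIMIT 1"
    # Oracle-style fallback, the shape of the failing query in the report.
    return f"SELECT * FROM ({INNER}) WHERE ROWNUM < 2"

def latest_active_token(conn, driver_name, product_name, consumer_key):
    sql = latest_token_query(driver_name, product_name)
    row = conn.execute(sql, (consumer_key,)).fetchone()
    return row[0] if row else None

def demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the two tables, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE IDN_OAUTH_CONSUMER_APPS (ID INTEGER, CONSUMER_KEY TEXT);
        CREATE TABLE IDN_OAUTH2_ACCESS_TOKEN (ACCESS_TOKEN TEXT, CONSUMER_KEY_ID INTEGER, TOKEN_STATE TEXT, TIME_CREATED INTEGER);
        INSERT INTO IDN_OAUTH_CONSUMER_APPS VALUES (1, 'client-key-constructed');
        INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES ('tok-old', 1, 'ACTIVE', 100);
        INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES ('tok-new', 1, 'ACTIVE', 200);
        INSERT INTO IDN_OAUTH2_ACCESS_TOKEN VALUES ('tok-revoked', 1, 'REVOKED', 300);
    """)
    return conn

if __name__ == "__main__":
    print(naive_is_mysql("MariaDB Connector/J"))  # False: the reported misdetection
    print(latest_active_token(demo_db(), "MariaDB Connector/J", "MySQL", "client-key-constructed"))
```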

Improve the audit logs for printing token revocation details

Description:
Enhancement for adding audit logs for token revocation

Suggested Labels:
Type/Improvement

Affected Product Version:
wso2is-km-5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

  • Start IS-KM server, and create a SP
  • Generate a token using password grant type
  • Now revoke the token
  • Check the audit log: it should print the revocation details, similar to the token generation details below
[2019-01-02 15:05:25,663]  INFO {AUDIT_LOG}-  Initiator : admin | Action : PostTokenIssue | Target : PasswordGrantAuditLogger | Data : { "AuthenticatedUser" : "admin","AuthenticatedUserStoreDomain" : "PRIMARY","AuthenticatedUserTenantDomain" : "carbon.super","ServiceProvider" : "testSP1","RequestType" : "oauth2","RelyingParty" : "5q7fNvd5JiBAVbPcEW7B5Ws_9PMa" } | Result : Success
