Closed arvindk25 closed 1 year ago
Can you please provide your CURL command (or equivalent)?
You should be calling the DCR endpoint with https://sso.data-holder.local as the base URL. That's how the solution is configured (to be called via PingAccess).
@ttranatping we should be able to call the DCR endpoint without PingAccess as well; it should process the 'aud' validation based on the list of 'audiences' in the DCR Policy. There seems to be some issue in the validation logic under com.pingidentity.ps.cdr.pf.clientregistration.CDRAUPlugin.
Here is the cURL where we replaced sso.data-holder.local with pingfederate:9031 at the DCR step of the Consent Postman collection (S001.T001.007 - Call Pingfederate DCR POST):

```shell
curl --location 'https://pingfederate:9031/as/clients.oauth2' \
  --header 'Content-Type: application/jwt' \
  --header 'X-Certificate;' \
  --data '{{software-dcr-requestjwt}}'
```
You can configure it to work with https://pingfederate:9031, but it may not be compliant with CDR and won’t be cohesive with the rest of the solution. The CDR IK requires PingAccess in front of PingFederate to deal with some of the nuances of CDR, and it’s important to maintain consistency when setting expected issuers/audiences throughout the solution. We cannot guarantee it to work (and expect it not to) if you circumvent it.
If you wish to continue using DCR using https://pingfederate:9031, then you will need to
This is going against our advice and we won't be able to support you from here. I will close the comments; please proceed through Ping support if you wish to take the matter further.
@ttranatping
There seems to be some issue validating DCR 'aud' value against the expected 'audiences' in DCR Policy with below setup:
Testing Postman Collection part of "manual-deploy"
CDR Integration Kit: 1.4.0 (pf-cdr-au-modules-1.4.0.jar)
Dynamic Client Reg Policy Params:
PF Server Settings:
When providing value aud=https://pingfederate:9031 during Dynamic Client Registration:
Rejected due to invalid claims or other invalid content. Additional details: [[8] Audience (aud) claim [https://pingfederate:9031] doesn't contain an acceptable identifier. Expected one of [https://sso.data-holder.local, https://sso.data-holder.local:3000] as an aud value.]
When providing value aud=https://sso.data-holder.local during Dynamic Client Registration:
ERROR [com.pingidentity.ps.cdr.pf.clientregistration.CDRAUPlugin] Invalid audience: https://sso.data-holder.local, Expected: https://pingfederate:9031
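The two log lines above show two separate audience checks with different expected values, so no single `aud` can satisfy both. The following is an added illustration (not code from the CDR Integration Kit or PingFederate) that models that two-stage check with the values from this thread; the function names and the assumption that the plugin compares `aud` for equality with the PF base URL are mine.

```python
"""Constructed model of the two-stage 'aud' validation reported in this thread.

Stage 1 models the JWT consumer enforcing the DCR policy's 'audiences' list.
Stage 2 models CDRAUPlugin comparing 'aud' with the PingFederate base URL
(assumed here to be an exact-match comparison, based on the logged message).
"""
from __future__ import annotations

# Values taken from the error messages quoted in the issue.
POLICY_AUDIENCES = {"https://sso.data-holder.local", "https://sso.data-holder.local:3000"}
PF_BASE_URL = "https://pingfederate:9031"          # base URL used in the failing setup
PA_BASE_URL = "https://sso.data-holder.local"      # base URL the kit is configured for


def aud_values(aud: str | list[str]) -> list[str]:
    """RFC 7519 allows 'aud' to be a single string or an array of strings."""
    return [aud] if isinstance(aud, str) else list(aud)


def check_policy_audiences(aud: str | list[str], policy_audiences: set[str]) -> bool:
    """Stage 1: at least one 'aud' value must appear in the DCR policy list."""
    return any(value in policy_audiences for value in aud_values(aud))


def check_plugin_audience(aud: str | list[str], base_url: str) -> bool:
    """Stage 2 (assumed): the plugin expects 'aud' to contain the PF base URL."""
    return base_url in aud_values(aud)


def validate_dcr_aud(aud: str | list[str], policy_audiences: set[str],
                     base_url: str) -> tuple[bool, str]:
    """Run both stages in order; return (accepted, stage that rejected or 'ok')."""
    if not check_policy_audiences(aud, policy_audiences):
        return False, "policy"
    if not check_plugin_audience(aud, base_url):
        return False, "plugin"
    return True, "ok"


def satisfiable_audiences(policy_audiences: set[str], base_url: str) -> set[str]:
    """'aud' values that pass both stages; an empty set means no DCR request can succeed."""
    return {a for a in policy_audiences if a == base_url}


if __name__ == "__main__":
    for aud in (PF_BASE_URL, PA_BASE_URL):
        print(aud, "->", validate_dcr_aud(aud, POLICY_AUDIENCES, PF_BASE_URL))
    print("satisfiable with pingfederate:9031:", satisfiable_audiences(POLICY_AUDIENCES, PF_BASE_URL))
    print("satisfiable with sso.data-holder.local:", satisfiable_audiences(POLICY_AUDIENCES, PA_BASE_URL))
```

Running it reproduces the thread's outcome: with the base URL set to https://pingfederate:9031 the satisfiable set is empty, and only restoring https://sso.data-holder.local as the base URL makes a registration pass both stages.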