Open RivinduM opened 6 months ago
Hello,
I'm currently developing a sample Open Banking Toolkit based on the UK Specification on top of APIM 4.3.0 and IS 7.0.0. I have a situation where I need to call the Identity Server DCR endpoint from the APIM manager to create a Service Provider as part of the Open Banking DCR flow. I am attaching the Basic Auth header to the request before it reaches the Identity Server. Despite including this header, the Identity Server runs into this same issue.
The problem seems to be related to the APIM sending its certificate to the Identity Server when making the request. When I send the request through Postman without specifying any certificates, it works as expected.
I see there are no updates posted regarding this issue since it was opened. Since this is impacting our development, could you please prioritize this issue and provide any updates or guidance?
Hello again,
I believe I have some new information that would be helpful to this. The problem seems to be in the `authenticate()` function in the `AuthenticationManager` class. When it calls the `getFirstPriorityHandler()` function in the `HandlerManager` class, it returns a `ClientCertificateBasedAuthenticationHandler` instance as the authentication handler when the client TLS certificate is set. This is because `getAuthenticationHandlers()` returns an authentication handler array list with a `ClientCertificateBasedAuthenticationHandler` instance as the first element, and `getFirstPriorityHandler()` returns the first handler in the list that returns `true` for the `canHandle()` function. (Please refer to the following screenshot.)
The `ClientCertificateBasedAuthenticationHandler` class sets the username returned from the `WSO2-Identity-User` HTTP header.
If we don't send this header, the cert-based auth handler will not set the user in the `PrivilegedCarbonContext`, which then will cause the `applicationOwner` to be null in the `DCRMService`, which will cause the above issue.
I believe using `ClientCertificateBasedAuthenticationHandler` whenever the client certs are set is the intended behavior for most use cases. But for DCR, since we need an authenticated user, we shouldn't rely on an HTTP header to retrieve the username. The DCR flow should have a way to figure out the authenticated user from the OAuth2 token or the Basic Auth header, as mentioned in the DCR documentation.
For my use case, I can temporarily set the username in the `WSO2-Identity-User` header. I don't know if there is a way to configure the order of the authentication handlers from a config file (if there is, please let me know). But sending the header is the only workaround I could find at the moment. Hope this gets fixed soon.
The debug sessions shown in the screenshots are conducted on the https://github.com/wso2-extensions/identity-carbon-auth-rest/ repository and on the v1.9.4 tag.
P.S. You can reduce the priority of the `ClientCertificateBasedAuthenticationHandler` by changing `event.default_listener.client_certificate_authentication_handler.priority` in the `default.json` file in the IS, or you can entirely disable the `ClientCertificateBasedAuthenticationHandler` by setting `event.default_listener.client_certificate_authentication_handler.enable` to `false`. (You can also override the default setting from the `deployment.toml` as well.)
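To make the selection rule described above concrete, here is an added Python model of the handler chain; it is not WSO2's code. The class, method and header names are the ones named in this thread, while the handler bodies and the `tpp-cert` / `admin` sample values are assumed simplifications for the model.

```python
import base64
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    client_cert_cn: Optional[str] = None       # set when the caller presented a TLS client cert
    headers: dict = field(default_factory=dict)

class ClientCertificateBasedAuthenticationHandler:
    """Model of the cert handler: it claims any request carrying a client cert and
    takes the username only from the WSO2-Identity-User header (assumed simplification)."""
    def __init__(self, enabled=True):
        self.enabled = enabled            # stands in for ...client_certificate_authentication_handler.enable
    def can_handle(self, req):
        return self.enabled and req.client_cert_cn is not None
    def authenticate(self, req):
        return req.headers.get("WSO2-Identity-User")   # None when the header is absent

class BasicAuthenticationHandler:
    def can_handle(self, req):
        return req.headers.get("Authorization", "").startswith("Basic ")
    def authenticate(self, req):
        creds = base64.b64decode(req.headers["Authorization"][len("Basic "):]).decode()
        return creds.split(":", 1)[0]

def get_first_priority_handler(handlers, req):
    """Selection rule from the thread: walk the priority-ordered list and return the
    first handler whose canHandle() is true."""
    return next((h for h in handlers if h.can_handle(req)), None)

def resolve_application_owner(handlers, req):
    """Username that ends up as applicationOwner in the DCR service, or None."""
    handler = get_first_priority_handler(handlers, req)
    return handler.authenticate(req) if handler else None

BASIC = {"Authorization": "Basic YWRtaW46YWRtaW4="}   # admin:admin, from the reproduce step
CERT_FIRST = [ClientCertificateBasedAuthenticationHandler(), BasicAuthenticationHandler()]

def owner_with_cert_no_header():            # the bug: cert handler wins, owner is None
    return resolve_application_owner(CERT_FIRST, Request("tpp-cert", dict(BASIC)))

def owner_with_header_workaround():         # workaround from the thread: send the header
    return resolve_application_owner(CERT_FIRST, Request("tpp-cert", {**BASIC, "WSO2-Identity-User": "admin"}))

def owner_with_cert_handler_disabled():     # enable=false: request falls through to Basic auth
    handlers = [ClientCertificateBasedAuthenticationHandler(enabled=False), BasicAuthenticationHandler()]
    return resolve_application_owner(handlers, Request("tpp-cert", dict(BASIC)))
```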
Hi @NiTR0-CH4RG3R
We can configure the certificate based authentication handler to use the "CN" of the certificate as the authenticated user [1].
The below sample toml config can be used if required.

```toml
[intermediate_cert_validation]
enable=true
cert_cns=['wso2isintcert', 'localhost']
```
Describe the issue: When sending the transport certificates with DCR POST call, it fails with a 500 internal server error with the below error log.
The reason for the issue is that we are setting the application owner by retrieving the username from the `ThreadLocalCarbonContext` [1], which is null when the MTLS authenticator is engaged.
Since the user is not present when the MTLS authenticator is engaged, [2] fails to set the username in the context.
When the basic auth is used, this works fine.
[1] https://github.com/wso2-extensions/identity-inbound-auth-oauth/blob/master/components/org.wso2.carbon.identity.oauth.dcr/src/main/java/org/wso2/carbon/identity/oauth/dcr/service/DCRMService.java#L446
[2] https://github.com/wso2-extensions/identity-carbon-auth-rest/blob/master/components/org.wso2.carbon.identity.auth.service/src/main/java/org/wso2/carbon/identity/auth/service/handler/AuthenticationHandler.java#L108
How to reproduce:
```shell
--header 'Content-Type: application/json' \
--header 'Authorization: Basic YWRtaW46YWRtaW4=' \
--data '{
  "redirect_uris": [ "https://abc/redirect1", "https://abc/redirect2" ],
  "client_name": "FAPI DCR app2",
  "grant_types": [ "client_credentials", "authorization_code" ]
}'
```