X509 Certificate Authentication Fails with Tenants and/ or Sub Oraganizations - Githubissues

wso2 / product-is

Welcome to the WSO2 Identity Server source code! For info on working with the WSO2 Identity Server repository and contributing code, click the link below.

http://wso2.github.io/

Apache License 2.0

746 stars 724 forks source link

X509 Certificate Authentication Fails with Tenants and/ or Sub Oraganizations #19918

Open dhaura opened 7 months ago

dhaura commented 7 months ago

Describe the issue: X509 certificate authenticator fails for tenanted and/ or B2B users.

How to reproduce:

Setup X509 certificate authenticator in WSO2 IS [1].
Create a new tenant/ B2B organization.
Create a traditional web app for the tenant/ suborg. (for suborgs, an app can be created in the super tenant and shared it with the suborg)
Configure basic authentication as the first step and X509 certificate authenticator as the second step for the newly created application.
Create a new user in the tenant/ suborg.
Create a x509 certificate for the created user following the steps in [2].
Upload the certificate into the browser.
Try login into the application with the tenanted/ suborg user.

Expected behavior: Successful authentication when a valid x509 certificate is passed for tenanted/ suborg users.

Environment information:

Product Version: IS 7.0.0
OS: macos
Database: default
Userstore: default

Related issues:

[1] - https://is.docs.wso2.com/en/7.0.0/guides/authentication/mfa/add-x509-login [2] - https://is.docs.wso2.com/en/7.0.0/guides/authentication/mfa/add-x509-login/#configure-x509-certificate-authenticator

dhaura commented 7 months ago

Root Cause Analysis - Tenanted Scenario

When validating the certificate, it checks whether the associated user's account is disabled in [1] and calls the method createLocalAuthenticatedUserFromSubjectIdentifier() to get the authenticated user with the related username.
Moreover, there was a change [2] done to the method createLocalAuthenticatedUserFromSubjectIdentifier() in order to fix the issue [3], where instead of getting the tenant domain of the user from the username itself, it is implemented to extract it from the thread local carbon context [4].
But this returns carbon.super even for a tenanted user since the commonauth url returned [5] by the x509 certificate servlet is not tenanted.
Therefore, isAccountDisabled method [6] fails due to the invalid tenant domain of the user.

[1] - https://github.com/wso2-extensions/identity-outbound-auth-x509/blob/2f12dcfb92bb147379efff6cf491f7d2c5cb18f4/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateAuthenticator.java#L366 [2] - https://github.com/wso2/carbon-identity-framework/pull/5374 [3] - https://github.com/wso2/product-is/issues/18795 [4] - https://github.com/wso2/carbon-identity-framework/blob/c2722c245ac8088bc4e0f7535caa678043c4de75/components/authentication-framework/org.wso2.carbon.identity.application.authentication.framework/src/main/java/org/wso2/carbon/identity/application/authentication/framework/model/AuthenticatedUser.java#L168-L169 [5] - https://github.com/wso2-extensions/identity-outbound-auth-x509/blob/2f12dcfb92bb147379efff6cf491f7d2c5cb18f4/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateServlet.java#L84 [6] - https://github.com/wso2-extensions/identity-outbound-auth-x509/blob/2f12dcfb92bb147379efff6cf491f7d2c5cb18f4/component/authenticator/src/main/java/org/wso2/carbon/identity/authenticator/x509Certificate/X509CertificateUtil.java#L468