Mutual TLS with client id and secret using OIDC


How to use Mutual TLS with client id and client secret In wso2 IS 5.5.0

This authenticator has the same architecture as the mutual authenticator,  https://docs.wso2.com/display/IS550/Mutual+TLS+for+OAuth+Clients.

The only difference is we need to pass the client secret as an query param in the token request. In order to consume the request we need to follow the steps as below.

1.  Verify whether the org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret-1.0.7.jar exists in <IS_Home/repository/components/dropins

2. To enable this feature put following configurations in identity.xml which is located in <IS_HOME>/repository/conf/identity
  
<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="true">

</EventListener>


3. In order to get a successful authentication, the certificate which is imported to the client-truststore.jks and the certificate which is available in the token request and the service provider certificate should be equal. If we need to skip the validation of the service provider certificate we need to disable the MandateMutualSSL property as below.

  <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="false">
            <Property name="MandateMutualSSL">true</Property>
  </EventListener>


4. Create a service provider and generate a client id and client secret.

5. Generate a certificate and import it to the client-truststore.jks which is located in <IS_Home>/repository/resources/security

6. Use the following commands to generate certificate and get private key in pem format.

Generate a private RSA key
openssl genrsa -out cert.key 2048

Create a X509 certificate     
openssl req -x509 -new -nodes -key cert.key  -sha256 -days 1024 -out cert.pem

Create a PKCS12 keystore from provate key and public certificate
openssl pkcs12 -export -name server-cert -in cert.pem -inkey cert.key -out serverkeystore.p12

Export the private key as a PEM file
openssl pkcs12 -in serverkeystore.p12 -out key.pem

Sample Request :
curl -k -d "grant_type=password&username=admin&password=admin&client_id=2fjjjsCfTlLqptsj_goJcplgTyka&client_secret=dSw8sxIFG83N8gmLDqz5HPwrKT4a" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -i  --cert cert.pem --key key.pem

Sample Response :
{"access_token":"ad25a42e-1a54-35a4-bc8b-4da5c9122ecc","refresh_token":"3b7cf936-4143-3539-b0fb-e11856ea5b46","token_type":"Bearer","expires_in":188} 

Comments

  1. Mr Ben Lee is absolutely incredible. He’s been so responsive, so patient & honest, and just wonderful at his job as a loan officer. I will buy every future house with him if I ever move in DC. He’s just the absolute best.”  
    I will recommend anyone here looking for loan to contact a loan officer Ben Lee on Email...  247officedept@gmail.comThen whats-App as well....  +1-989-394-3740

    ReplyDelete

Post a Comment

Popular posts from this blog

Applying CORS Filter to wso2 Identity Server

JWKS endpoint of wso2 IS

Start WSO2 Identity Server 5.1 as windows Service