Mutual TLS with client id and secret using OIDC
How to use Mutual TLS with client ID and client secret in WSO2 IS 5.5.0
This authenticator has the same architecture as the Mutual TLS authenticator documented at https://docs.wso2.com/display/IS550/Mutual+TLS+for+OAuth+Clients.
The only difference is that the client secret must also be passed as a request parameter (client_secret) in the token request, so the client is authenticated by both its TLS certificate and its client ID/secret. To consume the request, follow the steps below.
1. Verify that org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret-1.0.7.jar exists in <IS_HOME>/repository/components/dropins
2. To enable this feature, add the following configuration to identity.xml, located in <IS_HOME>/repository/conf/identity
<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="true">
</EventListener>
<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="false">
<Property name="MandateMutualSSL">true</Property>
</EventListener>
5. Generate a certificate and import it into client-truststore.jks, located in <IS_HOME>/repository/resources/security
6. Use the following commands to generate the certificate and export the private key in PEM format.
Generate a private RSA key
openssl genrsa -out cert.key 2048
Create a X509 certificate
openssl req -x509 -new -nodes -key cert.key -sha256 -days 1024 -out cert.pem
Create a PKCS12 keystore from the private key and public certificate
openssl pkcs12 -export -name server-cert -in cert.pem -inkey cert.key -out serverkeystore.p12
Export the private key as a PEM file
openssl pkcs12 -in serverkeystore.p12 -out key.pem
Sample Request:
curl -k -d "grant_type=password&username=admin&password=admin&client_id=2fjjjsCfTlLqptsj_goJcplgTyka&client_secret=dSw8sxIFG83N8gmLDqz5HPwrKT4a" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -i --cert cert.pem --key key.pem
Sample Response:
{"access_token":"ad25a42e-1a54-35a4-bc8b-4da5c9122ecc","refresh_token":"3b7cf936-4143-3539-b0fb-e11856ea5b46","token_type":"Bearer","expires_in":188}
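The same token request as an added Python example (not code from the original post or from WSO2): the client certificate and key from the openssl steps above go on the TLS layer while client_id and client_secret travel in the form body, and server verification is kept on instead of using curl's -k. The file paths, the is-server-ca.pem bundle and the port are assumptions.

```python
import json
import ssl
import http.client
from urllib.parse import urlencode

# Assumed paths (not from the original post): the client cert/key produced by
# the openssl steps, plus the CA that signed the IS server certificate so the
# server is verified rather than skipped with -k.
CLIENT_CERT = "cert.pem"
CLIENT_KEY = "key.pem"
SERVER_CA = "is-server-ca.pem"

def build_token_body(client_id, client_secret, username, password):
    """Form body of the token request: the client secret is sent here,
    while the client certificate is presented during the TLS handshake."""
    return urlencode({
        "grant_type": "password",
        "username": username,
        "password": password,
        "client_id": client_id,
        "client_secret": client_secret,
    })

def make_mtls_context(cert=CLIENT_CERT, key=CLIENT_KEY, ca=SERVER_CA):
    """TLS context that presents the client certificate and verifies the server."""
    ctx = ssl.create_default_context(cafile=ca)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile=cert, keyfile=key)
    return ctx

def parse_token_response(status, body):
    """Return the token fields on success; raise with the error payload otherwise."""
    data = json.loads(body)
    if status != 200 or "access_token" not in data:
        raise RuntimeError(f"token request failed ({status}): {data}")
    return {k: data[k] for k in ("access_token", "token_type", "expires_in") if k in data}

def request_token(host, port, body, ctx):
    conn = http.client.HTTPSConnection(host, port, context=ctx)
    try:
        conn.request("POST", "/oauth2/token", body=body,
                     headers={"Content-Type": "application/x-www-form-urlencoded"})
        resp = conn.getresponse()
        return parse_token_response(resp.status, resp.read().decode())
    finally:
        conn.close()

if __name__ == "__main__":
    body = build_token_body("2fjjjsCfTlLqptsj_goJcplgTyka",
                            "dSw8sxIFG83N8gmLDqz5HPwrKT4a", "admin", "admin")
    print(request_token("localhost", 9443, body, make_mtls_context()))
```

If the server has MandateMutualSSL set, the same request built without load_cert_chain should be rejected; that is a quick way to confirm the certificate is actually being enforced and not just the secret.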