Mutual TLS with client id and secret using OIDC


How to use Mutual TLS with client id and client secret In wso2 IS 5.5.0

This authenticator has the same architecture as the mutual authenticator,  https://docs.wso2.com/display/IS550/Mutual+TLS+for+OAuth+Clients.

The only difference is we need to pass the client secret as an query param in the token request. In order to consume the request we need to follow the steps as below.

1.  Verify whether the org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret-1.0.7.jar exists in <IS_Home/repository/components/dropins

2. To enable this feature put following configurations in identity.xml which is located in <IS_HOME>/repository/conf/identity
  
<EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="true">

</EventListener>


3. In order to get a successful authentication, the certificate which is imported to the client-truststore.jks and the certificate which is available in the token request and the service provider certificate should be equal. If we need to skip the validation of the service provider certificate we need to disable the MandateMutualSSL property as below.

  <EventListener type="org.wso2.carbon.identity.core.handler.AbstractIdentityHandler" name="org.wso2.carbon.identity.oauth2.token.handler.clientauth.tlswithidsecret.MutualTLSWithIdSecretAuthenticator" orderId="200" enable="false">
            <Property name="MandateMutualSSL">true</Property>
  </EventListener>


4. Create a service provider and generate a client id and client secret.

5. Generate a certificate and import it to the client-truststore.jks which is located in <IS_Home>/repository/resources/security

6. Use the following commands to generate certificate and get private key in pem format.

Generate a private RSA key
openssl genrsa -out cert.key 2048

Create a X509 certificate     
openssl req -x509 -new -nodes -key cert.key  -sha256 -days 1024 -out cert.pem

Create a PKCS12 keystore from provate key and public certificate
openssl pkcs12 -export -name server-cert -in cert.pem -inkey cert.key -out serverkeystore.p12

Export the private key as a PEM file
openssl pkcs12 -in serverkeystore.p12 -out key.pem

Sample Request :
curl -k -d "grant_type=password&username=admin&password=admin&client_id=2fjjjsCfTlLqptsj_goJcplgTyka&client_secret=dSw8sxIFG83N8gmLDqz5HPwrKT4a" -H "Content-Type: application/x-www-form-urlencoded" https://localhost:9443/oauth2/token -i  --cert cert.pem --key key.pem
Sample Response :
{"access_token":"ad25a42e-1a54-35a4-bc8b-4da5c9122ecc","refresh_token":"3b7cf936-4143-3539-b0fb-e11856ea5b46","token_type":"Bearer","expires_in":188} 

Comments

  1. Ron SantiagoSeptember 21, 2020 at 8:56 AM

    Mr Ben Lee is absolutely incredible. He’s been so responsive, so patient & honest, and just wonderful at his job as a loan officer. I will buy every future house with him if I ever move in DC. He’s just the absolute best.”  
    I will recommend anyone here looking for loan to contact a loan officer Ben Lee on Email...  247officedept@gmail.comThen whats-App as well....  +1-989-394-3740

    ReplyDelete

Post a Comment

Popular posts from this blog

Applying CORS Filter to wso2 Identity Server

When we are invoking an endpoint in oauth2 war from a javascript of a web app which is located in a different domain than identity server domain we are getting "No 'Access-Control-Allow-Origin' header is present on the requested resource. Origin 'http://XXXXXXX is therefore not allowed access." The issue is occurring as the script on your page is running from a specifc domain and would try to request the resource via an XmlHttpRequest or XDomainRequst from a different domain as this is a cross -origin request. In order to get rid of this we need to enable this by sending below header using a custom filter.  Access-Control-Allow-Origin: http: //example.com   (Here  http://example.com is the domain name of where page with that script is hosted) Invoking UserInfo endpoint of wso2 Identity Server from JavaScript We have two possible solutions to apply the CORS header.  1. Customizing OpenIDConnectUserEndpoint.java as below and replacing the oau...
Read more

Secure Wso2 ESB REST APIs using Kerberos

Image
When a consumer attempts to consume a REST API, if the API is secured using some authentication protocol (e.g Basic , Kerberos, NTLM) the consumer has to prove his authentication to the API by sending credentials or relevant token through authorization headers. By default ESB REST APIs does not include any security and from this blog post I will speak about how to make the APIs secured using kerberos. I have used main 3 components ;  Active Directory as the KDC , ESB server as the resource server and a C#.net client to invoke the rest APIs in ESB server. The design of the implementation is as below. The Design of the Kerberos Communication 1. Client tries to invoke the ESB proxy 2. The server responds with 401 unauthorized 3. Client requests a kerberos service ticket from active directory 4. If user is identified by the KDC (AD) it will send the SGT to the client 5. Client wraps the SPENEGO token in the request HTTP header and resend to ESB 6. ESB sees the HTTP head...
Read more

DCR VS DCRM with WSO2 Identity server

Image
What is DCR (Dynamic Client Registration) Dynamic Client registration is a protocol which allows OAuth clients to register applications in an authorization server. Before this mechanism which is introduced from the spec [1] the client registration happened manually. With this implementation the client registration could be done in two ways.  - A client can be registered dynamically with the authorization server itself  - A programmer can register a client programmatically. Following is the protocol flow of DCR 1. A client sends a registration request with as follows. This should be a post request. 2. Server sends information response with 201 created. Request : POST   https://localhost:9443/api/identity/oauth2/dcr/v1.0/register HTTP/1.1 Authorization : Basic   YWRtaW46YWRtaW4= Content-Type :   application/json Content -Length :   114 Host: localhost :9443 {    "redirect_uris" : [    ...
Read more