Issuer mismatch with OpenID Connect discovery on WSO2 Identity Server

给你一囗甜甜゛ submitted on 2019-12-13 07:00:31

Question


I'm working on a small proof-of-concept implementation involving OpenID Connect and WSO2 Identity Server 5.3.0.

On the client side, I'm using python with the oic library to attempt to get the discovery mechanism working. I'm executing the following code, based on the oic documentation:

from oic.oic import Client

# verify_ssl=False disables TLS certificate checking; acceptable only for a
# local proof of concept, never against a production identity server
oic_client = Client(verify_ssl=False)

# WebFinger-based issuer discovery (OpenID Connect Discovery, section 2)
uid = "admin@172.22.0.2"
issuer = oic_client.discover(uid)
# fetch the provider metadata document for the discovered issuer (section 4)
provider_info = oic_client.provider_config(issuer)

This results in the following error:

oic.exception.IssuerMismatch: 'https://172.22.0.2:443/oauth2/oidcdiscovery' != 'https://172.22.0.2:443/oauth2/token'

The problem here is that with the default configuration, the discover() step will return an issuer value of https://172.22.0.2:443/oauth2/oidcdiscovery, but the subsequent provider_config() step will return a document containing an issuer value of https://172.22.0.2:443/oauth2/token.

The oic library seems to be correct in reporting this mismatch as an error, as the OpenID Connect Discovery specification states the following about the issuer value presented in the provider metadata (emphasis mine):

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

So, my question is the following:

  1. Am I correct in concluding that (at least with the default configuration) WSO2 Identity Server does not conform to the OpenID Connect specification, at least as far as discovery is concerned?
  2. Is it possible to configure WSO2 Identity Server in such a way that it will conform to the spec? I have tried specifying various combinations of OIDCDiscoveryEPUrl and IDTokenIssuerID in the identity.xml file, but no luck so far.

For now, after reading through the oic source code, I'm using the following workaround to ignore the issuer mismatch:

oic_client.allow["issuer_mismatch"] = True

I would, however, much prefer to find a solution in which WSO2 Identity Server is made to behave according to spec.


Answer 1:


I got around this by setting IDTokenIssuerID in identity.xml to the discovery URL (https://172.22.0.2:443/oauth2/oidcdiscovery, as in your case). But I eventually ran into another mismatch in the ID token's iss field, where it is always "https://localhost:9443/oauth2/token" and is expected to be the discovery URL as well by the OIDC spec.
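The three places the Discovery spec requires the issuer to agree (the WebFinger link, the provider metadata `issuer` member, and the ID token `iss` claim) are what both the question's IssuerMismatch and the answer's follow-on `iss` mismatch are about. The following is an added, offline example of that consistency check, written for this page rather than taken from the oic library or WSO2; the JRD, metadata and ID token claims are constructed from the values quoted on this page (with the `subject` and `sub` members assumed), and the `op.example` issuer in the consistent case is hypothetical.

```python
"""Offline replica of the issuer checks OpenID Connect Discovery requires.

Added example for this page; it is neither the oic library's code nor
WSO2's. Sample documents are constructed from the values in the question
and answer, trimmed to the members under test.
"""
from typing import Dict, List, Optional
from urllib.parse import urlsplit

# rel value that marks the OIDC issuer link in a WebFinger JRD
OIDC_ISSUER_REL = "http://openid.net/specs/connect/1.0/issuer"


class IssuerMismatch(Exception):
    """Raised when the issuer is not identical across discovery sources."""


def issuer_from_webfinger(jrd: Dict) -> str:
    """Issuer advertised by a WebFinger JRD (Discovery section 2)."""
    for link in jrd.get("links", []):
        if link.get("rel") == OIDC_ISSUER_REL and "href" in link:
            return link["href"]
    raise ValueError("JRD carries no OIDC issuer link")


def validate_issuer_form(issuer: str) -> List[str]:
    """Form rules for the issuer URL (Discovery section 3):
    https scheme, no query, no fragment."""
    parts = urlsplit(issuer)
    problems = []
    if parts.scheme != "https":
        problems.append(f"issuer {issuer!r} does not use https")
    if parts.query:
        problems.append(f"issuer {issuer!r} has a query component")
    if parts.fragment:
        problems.append(f"issuer {issuer!r} has a fragment component")
    return problems


def check_issuer_consistency(jrd: Dict, metadata: Dict,
                             id_token_claims: Optional[Dict] = None) -> List[str]:
    """Return every spec violation found; an empty list means consistent.

    Comparison is exact string equality, as the spec demands: no
    normalisation of port, case or trailing slash.
    """
    webfinger_issuer = issuer_from_webfinger(jrd)
    metadata_issuer = metadata.get("issuer")
    if metadata_issuer is None:
        return ["provider metadata lacks the REQUIRED 'issuer' member"]
    problems = validate_issuer_form(metadata_issuer)
    if metadata_issuer != webfinger_issuer:
        problems.append(f"metadata issuer {metadata_issuer!r} != "
                        f"WebFinger issuer {webfinger_issuer!r}")
    if id_token_claims is not None and id_token_claims.get("iss") != metadata_issuer:
        problems.append(f"ID token iss {id_token_claims.get('iss')!r} != "
                        f"metadata issuer {metadata_issuer!r}")
    return problems


def run_discovery_checks(jrd: Dict, metadata: Dict,
                         id_token_claims: Optional[Dict] = None,
                         allow_issuer_mismatch: bool = False) -> List[str]:
    """Strict by default, like the oic client; the allow flag mirrors the
    question's workaround and turns the failure into a returned list."""
    problems = check_issuer_consistency(jrd, metadata, id_token_claims)
    if problems and not allow_issuer_mismatch:
        raise IssuerMismatch("; ".join(problems))
    return problems


# --- constructed samples (values from the page; subject/sub assumed) ---
WSO2_DEFAULT_JRD = {
    "subject": "acct:admin@172.22.0.2",
    "links": [{"rel": OIDC_ISSUER_REL,
               "href": "https://172.22.0.2:443/oauth2/oidcdiscovery"}],
}
WSO2_DEFAULT_METADATA = {"issuer": "https://172.22.0.2:443/oauth2/token"}
# after the answer's IDTokenIssuerID change the metadata matches WebFinger
WSO2_PATCHED_METADATA = {"issuer": "https://172.22.0.2:443/oauth2/oidcdiscovery"}
WSO2_ID_TOKEN_CLAIMS = {"iss": "https://localhost:9443/oauth2/token", "sub": "admin"}

# hypothetical OP where all three sources agree
GOOD_ISSUER = "https://op.example:9443/oauth2/token"
GOOD_JRD = {"subject": "acct:admin@op.example",
            "links": [{"rel": OIDC_ISSUER_REL, "href": GOOD_ISSUER}]}
GOOD_METADATA = {"issuer": GOOD_ISSUER}
GOOD_ID_TOKEN_CLAIMS = {"iss": GOOD_ISSUER, "sub": "admin"}

if __name__ == "__main__":
    for name, args in [("wso2 default", (WSO2_DEFAULT_JRD, WSO2_DEFAULT_METADATA)),
                       ("wso2 patched", (WSO2_DEFAULT_JRD, WSO2_PATCHED_METADATA,
                                         WSO2_ID_TOKEN_CLAIMS)),
                       ("consistent", (GOOD_JRD, GOOD_METADATA, GOOD_ID_TOKEN_CLAIMS))]:
        print(name, check_issuer_consistency(*args) or "OK")
```

The strict default is the right one for a relying party: an `iss` that differs from the discovered issuer is exactly the signal that an ID token came from somewhere other than the OP you discovered, so `allow_issuer_mismatch` belongs in a lab, not in a deployed client.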



Source: https://stackoverflow.com/questions/42060839/issuer-mismatch-with-openid-connect-discovery-on-wso2-identity-server
