Hi Kavitha, By going through your configurations in travelocity.properties , I noticed few missing and incorrect configurations.
#OAuth2 token endpoint URL OAuth2.TokenURL=https://localhost:9443/oauth2/token?tenantDomain=test.com #Additional request parameters QueryParams=tenantDomain=test.com Please add these properties and check your user case works. Thanks, Maduranga. On Thu, Sep 24, 2015 at 3:17 PM, Kavitha Subramaniyam <[email protected]> wrote: > Hi team, > > I have tried SAML bearer in tenant mode and it is failing for signature > validation. I have followed below steps to produce this: > > - SP created for travelocity.com and an app for oauth(here myapp2) > - Exported public certificate of the private key used at webapp side (here > wso2carbon.cer) and imported this to tenant keystore. > - Imported public key of tenant (here test.com) to webapp's keystore. > - Modified travelocity.properties according to configurations. > > and the error log shows [2] > > Find the SAML configuration in attachment and jira has been raised for > this [1] > > I could not get the point why this is failing and appreciate if anyone can > clarify this issue. > > [1] https://wso2.org/jira/browse/IDENTITY-3625 > > [2] --------- > > [2015-09-24 14:21:59,074] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > Received a request : /oauth2/token > [2015-09-24 14:21:59,074] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > ----------logging request headers.---------- > [2015-09-24 14:21:59,074] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > content-type : application/x-www-form-urlencoded > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > authorization : Basic > bUdxWFNNdDd4RHhLNzEycjlHTEhMUFJMQUxRYTp4al9XWUdnb3F6cFN0VURKaTBNRDRnTm1QQ2Nh > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > cache-control : no-cache > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > pragma : no-cache > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > user-agent : Java/1.7.0_80 > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - host > : localhost:9443 > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > accept : text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 > [2015-09-24 14:21:59,075] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > connection : keep-alive > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > content-length : 4437 > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > ----------logging request parameters.---------- > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > grant_type - urn:ietf:params:oauth:grant-type:saml2-bearer > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > client_id - null > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - code > - null > [2015-09-24 14:21:59,076] DEBUG > {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} - > redirect_uri - null > [2015-09-24 14:21:59,077] DEBUG > {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request > received for Client ID mGqXSMt7xDxK712r9GLHLPRLALQa, User ID null, Scope : > [] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer > [2015-09-24 14:21:59,077] DEBUG > {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} > - Can authenticate with client ID and Secret. Client ID: > mGqXSMt7xDxK712r9GLHLPRLALQa > [2015-09-24 14:21:59,077] DEBUG > {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} > - Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client > validation set to : null > [2015-09-24 14:21:59,078] DEBUG > {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials > were available in the cache for client id : mGqXSMt7xDxK712r9GLHLPRLALQa > [2015-09-24 14:21:59,079] DEBUG > {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully > authenticated the client with client id : mGqXSMt7xDxK712r9GLHLPRLALQa > [2015-09-24 14:21:59,080] DEBUG > {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} > - Received SAML assertion : <?xml version="1.0" > encoding="UTF-8"?><saml2:Assertion > xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" > ID="ceenhgjbpllaoakdoelhcanhedoappakdianaohb" > IssueInstant="2015-09-24T08:51:18.439Z" Version="2.0"><saml2:Issuer > Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature > xmlns:ds="http://www.w3.org/2000/09/xmldsig#";><ds:SignedInfo><ds:CanonicalizationMethod > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference > URI="#ceenhgjbpllaoakdoelhcanhedoappakdianaohb"><ds:Transforms><ds:Transform > Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform > Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod > Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>ujddpzz54/lv07FWlH4BnDux0a0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>R+oV4MGmMJSQTEA8W7Z+MzgoTHQ0gT14wSfu6y2BwpaJ4A6a52C2VV88+6Ux/z6D+eD/vk+rPKdSa6m/rrktZ5/LlGIcoUOfm+GKISA5sF8hMWOMlN5zsGqBAEd1FXoDDOjH61v0YZqwaPHe+6Tjur37Ns+Qe0ij+y676PbvYsk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICBTCCAW6gAwIBAgIElJ+ePTANBgkqhkiG9w0BAQQFADBHMREwDwYDVQQDEwh0ZXN0LmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwHhcNMTUwODIxMTEzMzAxWhcNMjUwOTE3MTEzMzAxWjBHMREwDwYDVQQDEwh0ZXN0LmNvbTENMAsGA1UECxMETm9uZTEUMBIGA1UEChMLTm9uZSBMPU5vbmUxDTALBgNVBAYTBE5vbmUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALApNnyqzdZrbJzG12idPOjuqsKe0wrLiPie24Wx5qjQlEuUfeNtt3BWd8vs4Wi85p9GQaJbmkGqcU07PynPFGk6jvpSEk42tJJsNfbnsNjBoAuc2RFCDGta/xHQGiEER95yfRRvvYxhv5WHIYw8h9qhTGe8y+JrXIjUusgiG81BAgMBAAEwDQYJKoZIhvcNAQEEBQADgYEAJhTyFmm7Y1xVCKCFdI/kaElCV//FOiCiXMck1IfuIpQz/jc2TXQ+CwvCWfKJawx+4D2m+oVnl3gTsW1ytIuOlZJWF5AS7+K8iCpeR5Hd9Tklr/p1WpTYBU7CQL2eNTvJerYT5aUf0i04C/O1aEy12ZZO/50l7azTF+c+YEelbhg=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID > Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"> > [email protected]</saml2:NameID><saml2:SubjectConfirmation > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData > InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop" > NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient=" > http://localhost:8080/travelocity.com/home.jsp"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation > Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData > InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop" > NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient=" > https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions > NotBefore="2015-09-24T08:51:18.439Z" > NotOnOrAfter="2015-09-24T08:56:18.439Z"><saml2:AudienceRestriction><saml2:Audience> > [email protected]</saml2:Audience><saml2:Audience> > https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement > AuthnInstant="2015-09-24T08:51:18.440Z" > SessionIndex="2c923d0f-a827-4647-9157-39dbeaca57d2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion> > [2015-09-24 14:21:59,090] ERROR > {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} > - Error while validating the signature. > org.opensaml.xml.validation.ValidationException: Signature did not > validate against the credential's key > at > org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78) > at > org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:436) > at > org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:145) > at > org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:195) > at > org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:252) > at > org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:116) > at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) > at > sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) > at > sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) > at java.lang.reflect.Method.invoke(Method.java:606) > at > org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180) > at > org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96) > at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:194) > at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100) > at > org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57) > at > org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93) > at > org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271) > at > org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121) > at > org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239) > at > org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223) > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203) > at > org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137) > at > org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206) > at javax.servlet.http.HttpServlet.service(HttpServlet.java:646) > at > org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52) > at > org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241) > at > org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208) > at > org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220) > at > org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122) > at > org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504) > at > org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170) > at > org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103) > at > org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99) > at > org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47) > at > org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57) > at > org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47) > at > org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62) > at > org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159) > at > org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950) > at > org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57) > at > org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116) > at > org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421) > at > org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074) > at > org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611) > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739) > at > org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698) > at > java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145) > at > java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615) > at > org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61) > at java.lang.Thread.run(Thread.java:745) > [2015-09-24 14:21:59,092] DEBUG > {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - > OAuthCallbackHandler was found for the callback. Class Name : > org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource > Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope : > null > [2015-09-24 14:21:59,092] DEBUG > {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - > OAuthCallbackHandler was found for the callback. Class Name : > org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource > Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope : > null > [2015-09-24 14:21:59,093] DEBUG > {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Invalid Grant > provided by the client, id=mGqXSMt7xDxK712r9GLHLPRLALQa, user-name= > [email protected] to application=myapp2 > [2015-09-24 14:21:59,093] DEBUG > {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - > OAuth-Error-Code=invalid_grant client-id=mGqXSMt7xDxK712r9GLHLPRLALQa > grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope= > > > > Thanks & Kind regards, > > -- > Kavitha.S > *Software Engineer -QA* > Mobile : +94 (0) 771538811 <%2B94%20%280%29%20773%20451194> > [email protected] <[email protected]> > > _______________________________________________ > Dev mailing list > [email protected] > http://wso2.org/cgi-bin/mailman/listinfo/dev > > -- Maduranga Siriwardena Software Engineer WSO2 Inc. email: [email protected] mobile: +94718990591
_______________________________________________ Dev mailing list [email protected] http://wso2.org/cgi-bin/mailman/listinfo/dev
