Hi Maduranga,

I have checked by adding the tenant domain in travelocity.properties as
you mentioned above, and the access token is generated now. Appreciate
your help!


Thanks & Kind regards,

On Thu, Sep 24, 2015 at 9:51 PM, Maduranga Siriwardena <[email protected]>
wrote:

> Hi Kavitha,
>
> By going through your configurations in travelocity.properties, I noticed
> a few missing and incorrect configurations.
>
> #OAuth2 token endpoint URL
> OAuth2.TokenURL=https://localhost:9443/oauth2/token?tenantDomain=test.com
>
> #Additional request parameters
> QueryParams=tenantDomain=test.com
>
> Please add these properties and check whether your use case works.
>
> Thanks,
> Maduranga.
>
> On Thu, Sep 24, 2015 at 3:17 PM, Kavitha Subramaniyam <[email protected]>
> wrote:
>
>> Hi team,
>>
>> I have tried the SAML bearer grant in tenant mode and it fails at signature
>> validation. I have followed the steps below to reproduce this:
>>
>> - SP created for travelocity.com and an app for OAuth (here myapp2)
>> - Exported the public certificate of the private key used on the webapp side
>> (here wso2carbon.cer) and imported it into the tenant keystore.
>> - Imported the public key of the tenant (here test.com) into the webapp's keystore.
>> - Modified travelocity.properties according to the configurations.
>>
>> and the error log is shown in [2].
>>
>> Find the SAML configuration in the attachment; a JIRA has been raised for
>> this [1].
>>
>> I could not figure out why this is failing and would appreciate it if anyone
>> can clarify this issue.
>>
>> [1] https://wso2.org/jira/browse/IDENTITY-3625
>>
>> [2] ---------
>>
>> [2015-09-24 14:21:59,074] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  Received a request : /oauth2/token
>> [2015-09-24 14:21:59,074] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  ----------logging request headers.----------
>> [2015-09-24 14:21:59,074] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  content-type : application/x-www-form-urlencoded
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  authorization : Basic
>> bUdxWFNNdDd4RHhLNzEycjlHTEhMUFJMQUxRYTp4al9XWUdnb3F6cFN0VURKaTBNRDRnTm1QQ2Nh
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  cache-control : no-cache
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  pragma : no-cache
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  user-agent : Java/1.7.0_80
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -  host
>> : localhost:9443
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  accept : text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2
>> [2015-09-24 14:21:59,075] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  connection : keep-alive
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  content-length : 4437
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  ----------logging request parameters.----------
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  grant_type - urn:ietf:params:oauth:grant-type:saml2-bearer
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  client_id - null
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -  code
>> - null
>> [2015-09-24 14:21:59,076] DEBUG
>> {org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint} -
>>  redirect_uri - null
>> [2015-09-24 14:21:59,077] DEBUG
>> {org.wso2.carbon.identity.oauth2.OAuth2Service} -  Access Token request
>> received for Client ID mGqXSMt7xDxK712r9GLHLPRLALQa, User ID null, Scope :
>> [] and Grant Type : urn:ietf:params:oauth:grant-type:saml2-bearer
>> [2015-09-24 14:21:59,077] DEBUG
>> {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler}
>> -  Can authenticate with client ID and Secret. Client ID:
>> mGqXSMt7xDxK712r9GLHLPRLALQa
>> [2015-09-24 14:21:59,077] DEBUG
>> {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler}
>> -  Grant type : urn:ietf:params:oauth:grant-type:saml2-bearer Strict client
>> validation set to : null
>> [2015-09-24 14:21:59,078] DEBUG
>> {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Client credentials
>> were available in the cache for client id : mGqXSMt7xDxK712r9GLHLPRLALQa
>> [2015-09-24 14:21:59,079] DEBUG
>> {org.wso2.carbon.identity.oauth2.util.OAuth2Util} -  Successfully
>> authenticated the client with client id : mGqXSMt7xDxK712r9GLHLPRLALQa
>> [2015-09-24 14:21:59,080] DEBUG
>> {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
>> -  Received SAML assertion : <?xml version="1.0"
>> encoding="UTF-8"?><saml2:Assertion
>> xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
>> ID="ceenhgjbpllaoakdoelhcanhedoappakdianaohb"
>> IssueInstant="2015-09-24T08:51:18.439Z" Version="2.0"><saml2:Issuer
>> Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature
>> xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
>> URI="#ceenhgjbpllaoakdoelhcanhedoappakdianaohb"><ds:Transforms><ds:Transform
>> Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
>> Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/></ds:Transforms><ds:DigestMethod
>> Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>ujddpzz54/lv07FWlH4BnDux0a0=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>R+oV4MGmMJSQTEA8W7Z+MzgoTHQ0gT14wSfu6y2BwpaJ4A6a52C2VV88+6Ux/z6D+eD/vk+rPKdSa6m/rrktZ5/LlGIcoUOfm+GKISA5sF8hMWOMlN5zsGqBAEd1FXoDDOjH61v0YZqwaPHe+6Tjur37Ns+Qe0ij+y676PbvYsk=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
>> Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">
>> [email protected]</saml2:NameID><saml2:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
>> InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop"
>> NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient="
>> http://localhost:8080/travelocity.com/home.jsp"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation
>> Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
>> InResponseTo="blheebejpbnhmdnddkhpcokdlfghacojjiiembop"
>> NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient="
>> https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
>> NotBefore="2015-09-24T08:51:18.439Z"
>> NotOnOrAfter="2015-09-24T08:56:18.439Z"><saml2:AudienceRestriction><saml2:Audience>
>> [email protected]</saml2:Audience><saml2:Audience>
>> https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
>> AuthnInstant="2015-09-24T08:51:18.440Z"
>> SessionIndex="2c923d0f-a827-4647-9157-39dbeaca57d2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement></saml2:Assertion>
>> [2015-09-24 14:21:59,090] ERROR
>> {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
>> -  Error while validating the signature.
>> org.opensaml.xml.validation.ValidationException: Signature did not
>> validate against the credential's key
>> at
>> org.opensaml.xml.signature.SignatureValidator.validate(SignatureValidator.java:78)
>> at
>> org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler.validateGrant(SAML2BearerGrantHandler.java:436)
>> at
>> org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer.issue(AccessTokenIssuer.java:145)
>> at
>> org.wso2.carbon.identity.oauth2.OAuth2Service.issueAccessToken(OAuth2Service.java:195)
>> at
>> org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.getAccessToken(OAuth2TokenEndpoint.java:252)
>> at
>> org.wso2.carbon.identity.oauth.endpoint.token.OAuth2TokenEndpoint.issueAccessToken(OAuth2TokenEndpoint.java:116)
>> at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
>> at
>> sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57)
>> at
>> sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
>> at java.lang.reflect.Method.invoke(Method.java:606)
>> at
>> org.apache.cxf.service.invoker.AbstractInvoker.performInvocation(AbstractInvoker.java:180)
>> at
>> org.apache.cxf.service.invoker.AbstractInvoker.invoke(AbstractInvoker.java:96)
>> at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:194)
>> at org.apache.cxf.jaxrs.JAXRSInvoker.invoke(JAXRSInvoker.java:100)
>> at
>> org.apache.cxf.interceptor.ServiceInvokerInterceptor$1.run(ServiceInvokerInterceptor.java:57)
>> at
>> org.apache.cxf.interceptor.ServiceInvokerInterceptor.handleMessage(ServiceInvokerInterceptor.java:93)
>> at
>> org.apache.cxf.phase.PhaseInterceptorChain.doIntercept(PhaseInterceptorChain.java:271)
>> at
>> org.apache.cxf.transport.ChainInitiationObserver.onMessage(ChainInitiationObserver.java:121)
>> at
>> org.apache.cxf.transport.http.AbstractHTTPDestination.invoke(AbstractHTTPDestination.java:239)
>> at
>> org.apache.cxf.transport.servlet.ServletController.invokeDestination(ServletController.java:223)
>> at
>> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:203)
>> at
>> org.apache.cxf.transport.servlet.ServletController.invoke(ServletController.java:137)
>> at
>> org.apache.cxf.transport.servlet.CXFNonSpringServlet.invoke(CXFNonSpringServlet.java:159)
>> at
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.handleRequest(AbstractHTTPServlet.java:286)
>> at
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.doPost(AbstractHTTPServlet.java:206)
>> at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
>> at
>> org.apache.cxf.transport.servlet.AbstractHTTPServlet.service(AbstractHTTPServlet.java:262)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
>> at
>> org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
>> at
>> org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
>> at
>> org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
>> at
>> org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
>> at
>> org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
>> at
>> org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
>> at
>> org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
>> at
>> org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
>> at
>> org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
>> at
>> org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
>> at
>> org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
>> at
>> org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
>> at
>> org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
>> at
>> org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
>> at
>> org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
>> at
>> java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
>> at
>> java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:615)
>> at
>> org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
>> at java.lang.Thread.run(Thread.java:745)
>> [2015-09-24 14:21:59,092] DEBUG
>> {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} -
>>  OAuthCallbackHandler was found for the callback. Class Name :
>> org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource
>> Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope :
>> null
>> [2015-09-24 14:21:59,092] DEBUG
>> {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} -
>>  OAuthCallbackHandler was found for the callback. Class Name :
>> org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource
>> Owner : [email protected] Client Id : mGqXSMt7xDxK712r9GLHLPRLALQa Scope :
>> null
>> [2015-09-24 14:21:59,093] DEBUG
>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Invalid Grant
>> provided by the client, id=mGqXSMt7xDxK712r9GLHLPRLALQa, user-name=
>> [email protected] to application=myapp2
>> [2015-09-24 14:21:59,093] DEBUG
>> {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -
>>  OAuth-Error-Code=invalid_grant client-id=mGqXSMt7xDxK712r9GLHLPRLALQa
>> grant-type=urn:ietf:params:oauth:grant-type:saml2-bearer scope=
>>
>>
>>
>> Thanks & Kind regards,
>>
>> --
>> Kavitha.S
>> *Software Engineer -QA*
>> Mobile : +94 (0) 771538811
>> [email protected]
>>
>> _______________________________________________
>> Dev mailing list
>> [email protected]
>> http://wso2.org/cgi-bin/mailman/listinfo/dev
>>
>>
>
>
> --
> Maduranga Siriwardena
> Software Engineer
> WSO2 Inc.
>
> email: [email protected]
> mobile: +94718990591
>



-- 
Kavitha.S
*Software Engineer -QA*
Mobile : +94 (0) 771538811
[email protected]
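The exchange this thread debugs, as an added example that is not part of the original posts and not the Travelocity sample's or WSO2's code: a standard-library Python client for the saml2-bearer grant that puts tenantDomain on the token URL (Maduranga's fix), runs the RFC 7522 section 3 checks an assertion must pass regardless of signature (Issuer, validity window, token endpoint as Audience and as bearer Recipient), and fingerprints the certificate in ds:KeyInfo so it can be compared with `keytool -list -v` on the tenant keystore, which is the quickest way to confirm a "Signature did not validate against the credential's key" error is a wrong-key problem. The sample assertion is reconstructed from the log with its signature removed (the certificate is not on the page); the NameID, the first Audience, the client secret and the placeholder KeyInfo stub are constructed values. Real XML-DSig verification is out of scope here and needs an XML signature library.

```python
"""SAML2 bearer grant (RFC 7522) client helpers for a multi-tenant WSO2 IS
token endpoint. Added example, not the Travelocity sample's code; stdlib
only: RFC 7522 section 3 checks and a keystore diagnostic, not XML-DSig."""
import base64
import datetime as dt
import hashlib
import urllib.parse
import xml.etree.ElementTree as ET

NS = {"saml2": "urn:oasis:names:tc:SAML:2.0:assertion",
      "ds": "http://www.w3.org/2000/09/xmldsig#"}
BEARER = "urn:oasis:names:tc:SAML:2.0:cm:bearer"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"

# Constructed sample: the assertion from the log, signature removed (its
# certificate is not on the page) and the redacted values made up.
SAMPLE_ASSERTION = f"""<?xml version="1.0" encoding="UTF-8"?>
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
    ID="ceenhgjbpllaoakdoelhcanhedoappakdianaohb" IssueInstant="2015-09-24T08:51:18.439Z" Version="2.0">
  <saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer>
  <saml2:Subject>
    <saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">user@test.com</saml2:NameID>
    <saml2:SubjectConfirmation Method="{BEARER}">
      <saml2:SubjectConfirmationData NotOnOrAfter="2015-09-24T08:56:18.439Z" Recipient="{TOKEN_ENDPOINT}"/>
    </saml2:SubjectConfirmation>
  </saml2:Subject>
  <saml2:Conditions NotBefore="2015-09-24T08:51:18.439Z" NotOnOrAfter="2015-09-24T08:56:18.439Z">
    <saml2:AudienceRestriction>
      <saml2:Audience>travelocity.com</saml2:Audience>
      <saml2:Audience>{TOKEN_ENDPOINT}</saml2:Audience>
    </saml2:AudienceRestriction>
  </saml2:Conditions>
</saml2:Assertion>"""

# Constructed: a KeyInfo stub around placeholder bytes, only so the
# fingerprint helper has something to hash. Not a real signature or cert.
SIGNED_SAMPLE = SAMPLE_ASSERTION.replace(
    "</saml2:Issuer>",
    '</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:KeyInfo>'
    "<ds:X509Data><ds:X509Certificate>"
    + base64.b64encode(b"placeholder-certificate-bytes").decode()
    + "</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature>", 1)


def _ts(s):
    return dt.datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=dt.timezone.utc)


def check_assertion(xml_text, token_endpoint, now_iso):
    """Return the RFC 7522 section 3 problems found, [] if none: Issuer present,
    validity window, token endpoint listed as an Audience, and a bearer
    SubjectConfirmation whose Recipient is the bare token endpoint URL."""
    root, now, problems = ET.fromstring(xml_text), _ts(now_iso), []
    if not root.findtext("saml2:Issuer", namespaces=NS):
        problems.append("missing Issuer")
    cond = root.find("saml2:Conditions", NS)
    if cond is None:
        problems.append("missing Conditions")
    else:
        nb, noa = cond.get("NotBefore"), cond.get("NotOnOrAfter")
        if nb and now < _ts(nb):
            problems.append("assertion not yet valid")
        if not noa or now >= _ts(noa):
            problems.append("assertion expired")
        audiences = [(a.text or "").strip()
                     for a in cond.iterfind("saml2:AudienceRestriction/saml2:Audience", NS)]
        if token_endpoint not in audiences:
            problems.append("token endpoint not in Audience")
    path = f"saml2:Subject/saml2:SubjectConfirmation[@Method='{BEARER}']/saml2:SubjectConfirmationData"
    if token_endpoint not in [d.get("Recipient") for d in root.iterfind(path, NS)]:
        problems.append("no bearer SubjectConfirmation addressed to the token endpoint")
    return problems


def signing_cert_fingerprint(xml_text):
    """SHA-256 fingerprint of the ds:X509Certificate in KeyInfo, or None. Compare
    with `keytool -list -v` on the keystore the IS resolves for the issuer's
    tenant: a mismatch means the IS verifies with a key other than the signer's."""
    cert = ET.fromstring(xml_text).findtext(
        "ds:Signature/ds:KeyInfo/ds:X509Data/ds:X509Certificate", namespaces=NS)
    if not cert:
        return None
    digest = hashlib.sha256(base64.b64decode("".join(cert.split()))).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, 64, 2))


def build_token_request(token_endpoint, tenant_domain, client_id, client_secret, assertion_xml):
    """Return (url, headers, body) for the saml2-bearer token request. tenantDomain
    goes on the endpoint URL (the fix from the thread; without it the IS resolves
    the issuer's certificate in the super tenant). The Basic header is
    base64(client_id:client_secret), so DEBUG logs that print it leak the secret."""
    url = token_endpoint
    if tenant_domain:
        url += ("&" if "?" in url else "?") + urllib.parse.urlencode({"tenantDomain": tenant_domain})
    basic = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {"Authorization": "Basic " + basic,
               "Content-Type": "application/x-www-form-urlencoded"}
    body = urllib.parse.urlencode({
        "grant_type": "urn:ietf:params:oauth:grant-type:saml2-bearer",
        # RFC 7522 section 2.1: the assertion is base64url-encoded
        "assertion": base64.urlsafe_b64encode(assertion_xml.encode()).decode().rstrip("=")})
    return url, headers, body
```

Run `check_assertion(SAMPLE_ASSERTION, TOKEN_ENDPOINT, "2015-09-24T08:52:00.000Z")` to get an empty list; pass the URL with `?tenantDomain=test.com` as the endpoint instead and both the Audience and Recipient checks fail, which is why the tenant parameter belongs on the request URL and not in the assertion. Note that the Authorization header in the log above is the Basic form of client_id:client_secret, so that DEBUG output has to be handled as a secret.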