Hello,

I tried to implement a way to retrieve an OAuth token from a SAML2 response,
but this exception appears and I don't know what to do because I don't
"sign" anything (and maybe that is the problem):

[2017-06-13 11:22:04,602] ERROR
{org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler}
-  Error while validating the signature.
org.opensaml.xml.validation.ValidationException: Signature did not validate
against the credential's key

Here is what I do:

I configured my Identity Server to return the SAML response to a custom
webapp. So from there, I extract the value of the param SAMLResponse, decode
it and extract the Assertion element by using the OpenSAML library (so I get
the Assertion object).

Then, I do the funky things like marshalling the assertion into a string,
removing every line-break character from this string and encoding it to
base64.

The assertion is something like this (I removed some elements and replaced some
values to display it in this email, so if you try to check the signature, it
will surely be wrong):

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion"
ID="_f91978670da945183285231e76caa6cd"
IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0" xmlns:xs="
http://www.w3.org/2001/XMLSchema"><saml2:Issuer
Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature
xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod
Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference
URI="#_f91978670da945183285231e76caa6cd"><ds:Transforms><ds:Transform
Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform
Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces
xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#"
PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="
http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LdDexQOXKnsLOjksxW8/1kR5oPo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WlzAFmtV3L4kQG7fF/79ITsGH17FMoKUjTEDThX/eCLnKsR1YUmw9NdrqA62RORt8cm+2H3nd9A5CwXdK/MgOx1FfVb6lf+vxKkKU3ElP4G9L8lGnYDu1CUcqQ7qaqyCu1XCvLmUled9FPpbhaw+P10l++Qmd/QftUU6eTj8wlU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>MIICNTCCAZ6gAwIBAgIES343gjANBgkqhkiG9w0BAQUFADBVMQswCQYDVQQGEwJVUzELMAkGA1UECAwCQ0ExFjAUBgNVBAcMDU1vdW50YWluIFZpZXcxDTALBgNVBAoMBFdTTzIxEjAQBgNVBAMMCWxvY2FsaG9zdDAeFw0xMDAyMTkwNzAyMjZaFw0zNTAyMTMwNzAyMjZaMFUxCzAJBgNVBAYTAlVTMQswCQYDVQQIDAJDQTEWMBQGA1UEBwwNTW91bnRhaW4gVmlldzENMAsGA1UECgwEV1NPMjESMBAGA1UEAwwJbG9jYWxob3N0MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCUp/oV1vWc8/TkQSiAvTousMzOM4asB2iltr2QKozni5aVFu818MpOLZIr8LMnTzWllJvvaA5RAAdpbECb+48FjbBe0hseUdN5HpwvnH/DW8ZccGvk53I6Orq7hLCv1ZHtuOCokghz/ATrhyPq+QktMfXnRS4HrKGJTzxaCcU7OQIDAQABoxIwEDAOBgNVHQ8BAf8EBAMCBPAwDQYJKoZIhvcNAQEFBQADgYEAW5wPR7cr1LAdq+IrR44iQlRG5ITCZXY9hI0PygLP2rHANh+PYfTmxbuOnykNGyhM6FjFLbW2uZHQTY1jMrPprjOrmyK5sjJRO4d1DeGHT/YnIjs9JogRKv4XHECwLtIVdAbIdWHEtVZJyMSktcyysFcvuhPQK8Qc/E/Wq8uHSCo=</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID
Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username</saml2:NameID><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="
http://localhost:8080/sniffer-web/Sniff"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation
Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData
InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="
https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions
NotBefore="2017-06-13T09:54:35.012Z"
NotOnOrAfter="2017-06-13T09:59:35.012Z"><saml2:AudienceRestriction><saml2:Audience>toto</saml2:Audience><saml2:Audience>
https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement
AuthnInstant="2017-06-13T09:54:35.012Z"
SessionIndex="0e543ae2-11f9-4ef0-9419-9352e09b89e2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute
Name="role"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:type="xs:string">rolly
role</saml2:AttributeValue></saml2:Attribute><saml2:Attribute
Name="username"
NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">
[email protected]
</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>

Then, I send it as the value of the POST param "assertion" to the URL which
should tell the IS to generate my OAuth token. Something like this:

https://localhost:9443/oauth2/token

The content of the body should be something like this:

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ENCODED_ASSERTION_HERE>

But but but... BOOM. I get this exception, so can you point out what I am
missing, please? I am completely confused.

Regards,

Thomas
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
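The following is an added example, not code from the post or from WSO2. It walks through the steps described in the message (decode the SAMLResponse field, pull out the Assertion, encode it, build the saml2-bearer token request) while keeping the signed bytes of the assertion exactly as the IdP emitted them, and it adds two checks a verifier-side engineer would want when an XML signature fails: whether a parse/serialize round trip changes the signed bytes (XML Signature digests the canonicalized element, and exclusive C14N keeps namespace prefixes and text whitespace, so re-marshalling that renames prefixes or strips line breaks inside the signed element changes the digest), and which certificate the assertion carries in ds:KeyInfo, so it can be compared with the certificate registered for the issuer in the Identity Server. The SAMLResponse document is constructed with placeholder digest, signature and certificate values; the token endpoint URL and grant type URI are the ones in the post. The assertion parameter is encoded as base64url without padding, which is the form RFC 7522 specifies (the post uses plain base64).

```python
import base64
import re
import urllib.parse
import xml.etree.ElementTree as ET

DSIG_NS = "http://www.w3.org/2000/09/xmldsig#"
TOKEN_ENDPOINT = "https://localhost:9443/oauth2/token"          # from the post
SAML2_BEARER = "urn:ietf:params:oauth:grant-type:saml2-bearer"  # from the post

# Constructed sample: the XML an IdP posts in the SAMLResponse field, before base64.
# Digest, signature and certificate values are placeholders, not a real signature.
SAMPLE_RESPONSE_XML = b"""<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" ID="_r1" Version="2.0">
<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_a1" Version="2.0">
<saml2:Issuer>localhost</saml2:Issuer>
<ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
<ds:SignedInfo><ds:Reference URI="#_a1"><ds:DigestValue>DIGEST_PLACEHOLDER</ds:DigestValue></ds:Reference></ds:SignedInfo>
<ds:SignatureValue>SIGNATURE_PLACEHOLDER</ds:SignatureValue>
<ds:KeyInfo><ds:X509Data><ds:X509Certificate>
CERT_LINE_ONE
CERT_LINE_TWO
</ds:X509Certificate></ds:X509Data></ds:KeyInfo>
</ds:Signature>
<saml2:Subject><saml2:NameID>username</saml2:NameID></saml2:Subject>
</saml2:Assertion>
</samlp:Response>"""
# What the browser would deliver in the SAMLResponse form field.
SAMPLE_SAML_RESPONSE_PARAM = base64.b64encode(SAMPLE_RESPONSE_XML).decode("ascii")

# Opening tag of an Assertion element with any (or no) namespace prefix.
_ASSERTION_OPEN = re.compile(rb"<(?P<prefix>[A-Za-z_][\w.-]*:)?Assertion[\s/>]")


def extract_assertion_bytes(response_xml: bytes) -> bytes:
    """Return the exact bytes of the first Assertion element: no parse, no re-serialization."""
    match = _ASSERTION_OPEN.search(response_xml)
    if match is None:
        raise ValueError("no Assertion element in response")
    prefix = match.group("prefix") or b""
    close_tag = b"</" + prefix + b"Assertion>"
    end = response_xml.find(close_tag, match.start())
    if end < 0:
        raise ValueError("unterminated Assertion element")
    return response_xml[match.start():end + len(close_tag)]


def assertion_from_saml_response_param(saml_response_param: str) -> bytes:
    """Decode the SAMLResponse form field and pull out the signed Assertion bytes."""
    return extract_assertion_bytes(base64.b64decode(saml_response_param))


def encode_assertion(assertion_xml: bytes) -> str:
    """RFC 7522 form of the assertion parameter: base64url, no line wrapping, no padding."""
    return base64.urlsafe_b64encode(assertion_xml).decode("ascii").rstrip("=")


def decode_assertion_param(encoded: str) -> bytes:
    """What the token endpoint does with the parameter: restore padding, base64url-decode."""
    return base64.urlsafe_b64decode(encoded + "=" * (-len(encoded) % 4))


def build_token_request_body(assertion_xml: bytes) -> str:
    """Form body for the token endpoint, as in the post, with the assertion URL-encoded."""
    return urllib.parse.urlencode({"grant_type": SAML2_BEARER,
                                   "assertion": encode_assertion(assertion_xml)})


def signing_certificate_b64(assertion_xml: bytes) -> str:
    """Base64 DER of the certificate in ds:KeyInfo, whitespace removed, for comparison with
    the certificate registered for the issuer on the IS. Read-only parse: the bytes that go
    on the wire are never taken from this tree."""
    root = ET.fromstring(assertion_xml)
    cert = root.find(f".//{{{DSIG_NS}}}X509Certificate")
    if cert is None or not cert.text:
        raise ValueError("assertion carries no X509Certificate in KeyInfo")
    return "".join(cert.text.split())


def reserialization_changes_bytes(assertion_xml: bytes) -> bool:
    """True when an ElementTree parse/serialize round trip alters the signed bytes
    (ElementTree rewrites prefixes as ns0, ns1, ... which C14N would preserve)."""
    return ET.tostring(ET.fromstring(assertion_xml)) != assertion_xml


if __name__ == "__main__":
    assertion = assertion_from_saml_response_param(SAMPLE_SAML_RESPONSE_PARAM)
    print("cert in KeyInfo (compare with the IdP cert registered on the IS):",
          signing_certificate_b64(assertion))
    print("ElementTree round trip alters the signed bytes:",
          reserialization_changes_bytes(assertion))
    print("POST", TOKEN_ENDPOINT)
    print(build_token_request_body(assertion))
```

The string-slicing extractor is deliberate: an OpenSAML `Assertion` object that is marshalled back to a string, or a DOM that is pretty-printed or whitespace-stripped, is a different byte sequence from the one the IdP signed, and the verifier compares digests over the canonicalized element. If the bytes are carried through untouched and the error persists, the next thing to compare is the certificate in KeyInfo against the one configured for that issuer on the IS.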
