Noted. We're running a FAPI test suite [1] against the WSO2 Open Banking solution and just wanted to test out all the methods. On a live environment this probably might not happen.

[1] - https://openbanking.atlassian.net/wiki/spaces/DZ/pages/23856067/OB+OIDC+Conformance+Suite

cheers,
Kaveen Rodrigo

On Fri, Jan 18, 2019 at 5:05 PM Hasintha Indrajee <[email protected]> wrote:

> If you need to use Basic Client Authentication + mTLS for authentication,
> you need to turn off the basic authenticator. IIRC, clients should not use
> more than one method for authentication as per the specification.
>
> The given request meets two client authenticator criteria: the Basic client
> authenticator and the Basic + mTLS client authenticator.
>
> On Fri, Jan 18, 2019 at 4:43 PM Kaveen Rodrigo <[email protected]> wrote:
>
>> Hey Farasath,
>>
>> I tried it without the client_secret and it works out, and then I
>> realized probably the *"Allow authentication without the client secret"*
>> setting is causing the problem (we use this as we validate transport layer
>> certificates on the gateway). Now it works :-)
>>
>> We'll have to take a look at it from our end.
>>
>> Thanks, have a nice weekend,
>> Kaveen Rodrigo
>>
>> On Fri, Jan 18, 2019 at 4:17 PM Farasath Ahamed <[email protected]> wrote:
>>
>>> Hi Kaveen,
>>>
>>> Can you try the same request without sending the client_secret in the
>>> request (send only the client_id)?
>>>
>>> On Friday, January 18, 2019, Kaveen Rodrigo <[email protected]> wrote:
>>>
>>>> Hey all,
>>>>
>>>> I'm having some trouble getting a token with the *client_credentials* grant
>>>> and mutual TLS, where it fails with the error message *"The client
>>>> MUST NOT use more than one authentication method in each"*. Refer to the
>>>> request below:
>>>>
>>>> curl -k -d "grant_type=client_credentials&scope=accounts&client_id=<CLIENT_ID>&client_secret=<CLIENT_SECRET>" \
>>>>   -H "Content-Type: application/x-www-form-urlencoded" \
>>>>   --cert cert.crt --key key.key -X POST https://203.94.95.194:8243/token
>>>>
>>>> I'm using *wso2ob-km 5.7.0 (WSO2 Identity Server 5.7.0)* with OAuth
>>>> logs enabled, and I get the following output.
>>>>
>>>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Executing OAuth client authenticators.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,108] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Retrieving registered OAuth client authenticator list.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,112] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PrivateKeyJWTClientAuthenticator
>>>> TID: [-1234] [] [2019-01-18 02:51:54,113] DEBUG {org.wso2.carbon.identity.oauth2.token.handler.clientauth.jwt.PrivateKeyJWTClientAuthenticator} - Authenticate Requested with clientAssertionType : null
>>>> TID: [-1234] [] [2019-01-18 02:51:54,114] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PrivateKeyJWTClientAuthenticator authenticator cannot handle this request.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : BasicOAuthClientCredAuthenticator
>>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Basic auth credentials present as body params. Hence returning true
>>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - BasicOAuthClientCredAuthenticator authenticator can handle incoming request.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator BasicOAuthClientCredAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>>>> TID: [-1234] [] [2019-01-18 02:51:54,115] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.BasicAuthClientAuthenticator} - Authenticating client : <CLIENT_ID>with client secret.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : <CLIENT_ID>
>>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were added to the cache for client id : <CLIENT_ID>
>>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authentication result from OAuth client authenticator BasicOAuthClientCredAuthenticator is : true
>>>> TID: [-1234] [] [2019-01-18 02:51:54,139] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Evaluating canAuthenticate of authenticator : PublicClientAuthenticator
>>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - PublicClientAuthenticator authenticator can handle incoming request.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Previously an authenticator is evaluated. Hence authenticator PublicClientAuthenticator is not evaluating
>>>> TID: [-1234] [] [2019-01-18 02:51:54,160] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Authenticator PublicClientAuthenticator can authenticate the client request. Hence trying to evaluate authentication
>>>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - 2 Authenticators were executed previously. Hence failing client authentication
>>>> TID: [-1234] [] [2019-01-18 02:51:54,161] DEBUG {org.wso2.carbon.identity.oauth2.client.authentication.OAuthClientAuthnService} - Setting error to client authentication context : Error code : invalid_request, Error message : The client MUST NOT use more than one authentication method in each
>>>> TID: [-1234] [] [2019-01-18 02:51:54,184] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID <CLIENT_ID>, User ID null, Scope : [accounts] and Grant Type : client_credentials
>>>> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default OAuth token issuer will be used. No custom token generator is set.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,192] INFO {org.wso2.carbon.identity.oauth.config.OAuthServerConfiguration} - The default Identity OAuth token issuer will be used. No custom token generator is set.
>>>> TID: [-1234] [] [2019-01-18 02:51:54,315] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Successfully created AppInfoCache under OAuthCacheManager
>>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token pre issuer listeners for client: <CLIENT_ID>
>>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - OAuth-Error-Code=invalid_request client-id=<CLIENT_ID>grant-type=client_credentials scope=accounts
>>>> TID: [-1234] [] [2019-01-18 02:51:54,316] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Triggering access token post issuer listeners for client: <CLIENT_ID>
>>>>
>>>> How can I mitigate this behavior? Disable some of the authenticators?
>>>> Set priority?
>>>> Please give your input.
>>>>
>>>> Thanks in advance,
>>>> Kaveen Rodrigo
>>>>
>>>> --
>>>> *Kaveen Rodrigo*
>>>> Software Engineer | WSO2
>>>>
>>>> Email : [email protected]
>>>> Mobile : +94779684749
>>>> Web : http://www.wso2.com
>>>
>>> --
>>> Farasath Ahamed
>>> Senior Software Engineer, WSO2 Inc.; http://wso2.com
>>> Mobile: +94777603866
>>> Blog: blog.farazath.com
>>> Twitter: @farazath619 <https://twitter.com/farazath619>
>>
>> --
>> *Kaveen Rodrigo*
>> Software Engineer | WSO2
>>
>> Email : [email protected]
>> Mobile : +94779684749
>> Web : http://www.wso2.com
>
> --
> Hasintha Indrajee
> WSO2, Inc.
> Mobile:+94 771892453

--
*Kaveen Rodrigo*
Software Engineer | WSO2

Email : [email protected]
Mobile : +94779684749
Web : http://www.wso2.com
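The rule the thread runs into is RFC 6749 section 2.3: a token request that satisfies more than one client authentication method is ambiguous and the server rejects it with invalid_request, which is exactly what the authenticator chain in the log does when both the basic authenticator and the secret-less (mTLS) authenticator match. The following is an added example, not WSO2 Identity Server code: a small model of such a chain that first detects every method a request carries, then refuses to authenticate when it finds more than one. The `secretless_enabled` flag is my approximation of the "Allow authentication without the client secret" setting discussed above, the method names follow the `token_endpoint_auth_method` values from RFC 7591 and RFC 8705, the client registry and all credentials are constructed placeholders, and the certificate-to-client binding check of RFC 8705 is assumed to be done by the TLS terminator.

```python
import base64
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, unquote

JWT_BEARER = "urn:ietf:params:oauth:client-assertion-type:jwt-bearer"
ONE_METHOD_ONLY = "The client MUST NOT use more than one authentication method in each request"

# Constructed client registry with placeholder values (not real credentials).
CLIENTS: Dict[str, str] = {"client-placeholder": "secret-placeholder"}


@dataclass
class TokenRequest:
    body: str                                   # application/x-www-form-urlencoded
    headers: Dict[str, str] = field(default_factory=dict)
    client_cert_present: bool = False           # TLS client certificate on the connection


def form_params(req: TokenRequest) -> Dict[str, str]:
    return {k: v[0] for k, v in parse_qs(req.body, keep_blank_values=True).items()}


def basic_credentials(req: TokenRequest) -> Optional[Tuple[str, str]]:
    """Decode an HTTP Basic header as RFC 6749 2.3.1 prescribes (form-url-encoded parts)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        raw = base64.b64decode(auth[6:], validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    user, _, secret = raw.partition(":")
    return unquote(user), unquote(secret)


def detect_auth_methods(req: TokenRequest, secretless_enabled: bool) -> List[str]:
    """Every client-authentication method the request satisfies, in evaluation order.
    More than one entry means the request is ambiguous and must be rejected."""
    p = form_params(req)
    methods: List[str] = []
    if p.get("client_assertion_type") == JWT_BEARER and "client_assertion" in p:
        methods.append("private_key_jwt")
    if basic_credentials(req) is not None:
        methods.append("client_secret_basic")
    if "client_id" in p and "client_secret" in p:
        methods.append("client_secret_post")
    # Secret-less / mTLS path (approximation of the setting from the thread): it keys on
    # client_id plus a certificate and does not care whether a client_secret is also
    # present, which is why it matches alongside client_secret_post.
    if secretless_enabled and req.client_cert_present and "client_id" in p:
        methods.append("tls_client_auth")
    return methods


def authenticate_client(req: TokenRequest, secretless_enabled: bool,
                        clients: Dict[str, str] = CLIENTS) -> dict:
    methods = detect_auth_methods(req, secretless_enabled)
    if len(methods) > 1:
        return {"ok": False, "error": "invalid_request",
                "error_description": ONE_METHOD_ONLY, "methods": methods}
    if not methods:
        return {"ok": False, "error": "invalid_client", "methods": methods}
    method = methods[0]
    p = form_params(req)
    if method == "client_secret_basic":
        client_id, secret = basic_credentials(req)
    elif method == "client_secret_post":
        client_id, secret = p["client_id"], p["client_secret"]
    elif method == "tls_client_auth":
        client_id, secret = p["client_id"], None   # cert binding assumed checked at TLS layer
    else:  # private_key_jwt: assertion verification is outside this example
        return {"ok": False, "error": "invalid_client", "methods": methods,
                "error_description": "private_key_jwt verification not implemented here"}
    if client_id not in clients:
        return {"ok": False, "error": "invalid_client", "methods": methods}
    if secret is not None and not hmac.compare_digest(secret.encode(), clients[client_id].encode()):
        return {"ok": False, "error": "invalid_client", "methods": methods}
    return {"ok": True, "client_id": client_id, "method": method, "methods": methods}


# Constructed requests mirroring the thread: the failing curl (secret + certificate)
# and Farasath's fix (client_id + certificate only).
FAILING = TokenRequest(
    body="grant_type=client_credentials&scope=accounts&client_id=client-placeholder"
         "&client_secret=secret-placeholder",
    client_cert_present=True)
FIXED = TokenRequest(body="grant_type=client_credentials&scope=accounts&client_id=client-placeholder",
                     client_cert_present=True)
BASIC_HEADER = {"Authorization": "Basic " + base64.b64encode(b"client-placeholder:secret-placeholder").decode()}
DOUBLE = TokenRequest(body="grant_type=client_credentials&client_id=client-placeholder&client_secret=secret-placeholder",
                      headers=BASIC_HEADER)

if __name__ == "__main__":
    for name, req in (("failing", FAILING), ("fixed", FIXED), ("basic+post", DOUBLE)):
        print(name, authenticate_client(req, secretless_enabled=True))
```

Running it reproduces both outcomes from the thread: the first request is refused with invalid_request and the method list `['client_secret_post', 'tls_client_auth']`, while the request without the secret authenticates via `tls_client_auth`. With `secretless_enabled=False` (Hasintha's alternative of disabling one of the two authenticators) the secret-bearing request authenticates via `client_secret_post` alone, and the secret-less one is rejected as invalid_client.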
_______________________________________________
Dev mailing list
[email protected]
http://wso2.org/cgi-bin/mailman/listinfo/dev
