WSO2 身份服务器端口配置
[英]WSO2 Identity Server port configuration
问题描述
I'm using WSO2 Identity Server 5.10.0.
我正在使用 WSO2 身份服务器 5.10.0。 I have a very classical scenario represented in this image我在这张图片中有一个非常经典的场景
Basically I have on the DMZ an Apache Web Server responding in SSL on port 443;基本上我在 DMZ 上有一个 Apache Web 服务器在端口 443 上响应 SSL; in the secure zone i have my WSO2 IS server responding on port 9443. I need to support OAuth Open ID authentication (but I have the same issue in the SAML case).在安全区域中,我的 WSO2 IS 服务器在端口 9443 上响应。我需要支持 OAuth 开放 ID 身份验证(但在 SAML 案例中我有同样的问题)。
I configured my deployment.toml file in this way:我以这种方式配置了我的deployment.toml文件:
[server]
hostname = "IAM01"
node_ip = "10.xxxx.yyyy.zzzz"
base_path = "https://$ref{server.hostname}:${carbon.management.port}"
Now when I make a call to the URL https://mydomain/oauth2/token/.well-known/openid-configuration in order to get all the OAuth information, the request is passed to the Web Server and from the Web Server to WSO2. Now when I make a call to the URL https://mydomain/oauth2/token/.well-known/openid-configuration in order to get all the OAuth information, the request is passed to the Web Server and from the Web Server to WSO2。 The full WSO2 JSON response is here完整的 WSO2 JSON 响应在这里
As you can see, in this JSON WSO2 responds to me by giving this kind of URLs: https://IAM01:9443/oauth2/authorize .如您所见,在此 JSON WSO2 通过提供此类 URL 来回应我: https://IAM01:9443/oauth2/authorize 。 This because in my deployment.toml I told him these paramaters.这是因为在我的deployment.toml中我告诉了他这些参数。 Sure I can change the hostname in mydomain but it remains the port problem.当然我可以更改 mydomain 中的主机名,但它仍然是端口问题。 In fact my clients will fail on matching oauth issuer because they check for an issuer without port.事实上,我的客户将无法匹配 oauth 发行者,因为他们检查没有端口的发行者。 What I would like to do is to configure WSO2 IS in order to tell him to generate all tokens information by using my specification and I con't want to run WSO2 IS server on port 443 (as root user moreover).我想做的是配置 WSO2 IS 以告诉他使用我的规范生成所有令牌信息,我不想在端口 443 上运行 WSO2 IS 服务器(此外,作为 root 用户)。 I tried to configure the resident identity provider by using its interface as showed in the following我尝试使用其界面配置常驻身份提供者,如下所示
Also in this way I can't tell WSO2 to generate all the information by using just the https://mydomain/ without adding port and other stuffs.同样通过这种方式,我不能告诉 WSO2 仅使用https://mydomain/来生成所有信息而不添加端口和其他内容。
How can I make this configuration?如何进行此配置? Moreover, for security policies, I can't run WSO2 IS on port 443.此外,对于安全策略,我无法在端口 443 上运行 WSO2 IS。
Thank you谢谢
Angelo安杰洛
1 个解决方案
解决方案1
0 2020-04-22 07:11:50
I solved my issues.我解决了我的问题。 I had to investigate more deeply into WSO2 IS documentation.我不得不更深入地调查 WSO2 IS 文档。
First of all, as @Pubci said in my deployment.toml I had to add:首先,正如@Pubci 在我的 deployment.toml 中所说,我必须添加:
#https://is.docs.wso2.com/en/latest/administer/deployment-checklist/
[transport.https.properties]
proxyhost="you.proxy.host"
proxyPort="443"
Then, in order to use my Identity Provider Entity ID as issuer in JWT tokens, I had to add also然后,为了在 JWT 令牌中使用我的身份提供者实体 ID 作为颁发者,我还必须添加
#https://is.docs.wso2.com/en/latest/learn/openid-connect-discovery/#openid-connect-discovery
[oauth]
use_entityid_as_issuer_in_oidc_discovery = true
By using these settings all worked pretty good.通过使用这些设置,一切都很好。 I was able in starting WSO2 IS with a normal user on port 9443.我能够在端口 9443 上与普通用户一起启动 WSO2 IS。
Angelo安杰洛
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.