[英]WSO2 Identity Server 5.10.0 - Unable to achieve EmailOTP based MFA
I have enabled EmailOTP Identity Provider, using WSO2 Identity Server as Email Provider.我已启用 EmailOTP 身份提供程序,使用 WSO2 身份服务器作为 Email 提供程序。
In my Service PRovider, I have enabled EmailOTP as the second step of Authentication.在我的 Service PROvider 中,我已启用 EmailOTP 作为身份验证的第二步。
Angular UI application is my front end, when I provide username/password on the login page (user OpenId Connect), the authorization code is getting generated, but the second step is not being invoked, ie, OTP page is not being displayed and Email is not being sent to the recipient with OTP. Angular UI应用程序是我的前端,当我在登录页面(用户OpenId Connect)上提供用户名/密码时,正在生成授权码,但没有调用第二步,即没有显示OTP页面和Email没有通过 OTP 发送给收件人。
I have followed the steps mentioned here, except making Gmail as Identity Provider.除了将 Gmail 作为身份提供者之外,我已按照此处提到的步骤进行操作。
OpenIdConnect Configuration: OpenIdConnect 配置:
Local and Outbound Authentication Configuration:本地和出站身份验证配置:
EmailOTP IDP Configuration (did not use Gmail or SendGrid): EmailOTP IDP 配置(未使用 Gmail 或 SendGrid):
EMail Adapter and Authenticator Configuration: EMail 适配器和验证器配置:
[output_adapter.email]
from_address= "sender@domain.com"
username= "username@domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
Script based authentication Configuration:基于脚本的身份验证配置:
var onLoginRequest = function(context) {
executeStep(1);
executeStep(2);
};
OpenId Connect Configuration. OpenId 连接配置。
https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp
Endpoint details:端点详细信息:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256§oken=<sec_token>
Tenant Domain Error:租户域错误:
The tenant domain user is being treated as a user of carbon.super domain.租户域用户被视为 carbon.super 域的用户。
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123@carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
In the shared logs, the following line can be observed.在共享日志中,可以观察到以下行。
BasicAuthRequestPathAuthenticator can handle the request
It means canHandle()
method of the BasicAuthRequestPathAuthenticator has returned true
since sectoken
query parameter is defined.这意味着BasicAuthRequestPathAuthenticator的canHandle()
方法已返回true
,因为定义了sectoken
查询参数。 Then, the request path authentication has taken place.然后,请求路径认证已经发生。
BasicAuth RequestPathAuthentication does not support MFA and it is like the password grant. BasicAuth RequestPathAuthentication不支持 MFA,它就像密码授权一样。 The user gets authenticated by just validating the passed credentials.用户只需验证传递的凭据即可获得身份验证。
If your goal is to have the login page on your client application (Angular SPA), you can pass the username and password as two different parameters (POST OR GET; POST is recommended since the password will not be passed in the URL) in the oauth2/authorize
request and get into the default basic authenticator instead of the RequestPathAuthenticator.如果您的目标是在客户端应用程序(Angular SPA)上拥有登录页面,您可以在oauth2/authorize
请求并进入默认的基本身份验证器而不是 RequestPathAuthenticator。 Then MFA will work as expected.然后 MFA 将按预期工作。
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.