[英]Authorize the Service Provider token with using the username and password in WSO2IS?
Hy Everyone, I was stuck while authorizing the service provider after its successful creation.大家好,创建成功后授权服务商的时候卡住了。 Let me explain to you I created the service provider using this API set(
https://is.docs.wso2.com/en/latest/apis/application-rest-api/#/Applications/createApplication
).让我向您解释一下,我使用此 API 集创建了服务提供者(
https://is.docs.wso2.com/en/latest/apis/application-rest-api/#/Applications/createApplication
)
I added users to it.我向它添加了用户。 Once the successful creation of the service provider I get the clientId and secret key.
成功创建服务提供者后,我将获得 clientId 和密钥。 After that I use that clientId and secret key to get the access and refresh token (cool so far), to get the access token and refresh token I use this curl request.
之后,我使用该 clientId 和密钥来获取访问和刷新令牌(到目前为止很酷),为了获取访问令牌和刷新令牌,我使用这个 curl 请求。
curl -u <client_id>:<secret_id> -k -d "grant_type=password&username=admin@easybazaar.co&password=admin" -H "Content-Type:application/x-www-form-urlencoded" https://<ip>/oauth2/token
once I have the access token I give it to the user (frontend team) to store it in his/her storage session.一旦我有了访问令牌,我就将其提供给用户(前端团队)以将其存储在他/她的存储 session 中。 Now user wants to access some resources like the list of activities, he/she also sends that access token in the header of that request as a bearer token like;
现在用户想要访问一些资源,例如活动列表,他/她还在该请求的 header 中发送该访问令牌作为不记名令牌,例如;
curl -k http://localhost:8080/activities -H "Authorization: Bearer <access-token>
Now I want to authenticate that access token and check its validation and expiry.现在我想验证该访问令牌并检查其验证和到期。 I explore the introspection API which requires the username and password, but the client doesn't provide it in each request.
我探索了需要用户名和密码的内省 API,但客户端并未在每个请求中提供它。
curl -k -u <USERNAME>@<TENAND_DOMAIN>:<PASSWORD> -H 'Content-Type: application/x-www-form-urlencoded' -X POST --data 'token=<ACCESS_TOKEN>' https://<IS_HOST>:<IS_PORT>/t/<TENANT_DOMAIN>/oauth2/introspect
So How can, I achieve it, is there any set of APIs available for this task?那么,我怎样才能实现它,是否有任何 API 集可用于此任务? Any help will be appreciated.
任何帮助将不胜感激。
I am not taking any username and password from the user to apply introspect APIs, should I take email in the token while creating the service Provider, so by using this email I will look into user inside my database and fetch the credentials and then hit the introspection APIs.我没有从用户那里获取任何用户名和密码来应用自省 API,我是否应该在创建服务提供程序时在令牌中使用 email,所以通过使用这个 email,我将在我的数据库中查看用户并获取凭据然后点击自省 API。
Seems like this is not there in older versions of IS and was introduced from IS 6.0.0 onwards.似乎这在旧版本的 IS 中不存在,并且是从 IS 6.0.0 开始引入的。 Found this migration issue .
发现这个迁移问题。
If you are unable to migrate to IS 6.0.0, what I could recommend you is that, create a user with the permissions to introspect tokens only (this user will only be used for token introspection) and use that username and password to authenticate the introspect request.如果您无法迁移到 IS 6.0.0,我建议您创建一个仅具有自省令牌权限的用户(该用户将仅用于令牌自省)并使用该用户名和密码来验证内省请求。
Edit: For IS 6.0.0 you can use the following basic config.编辑:对于 IS 6.0.0,您可以使用以下基本配置。
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
allowed_auth_handlers="BasicClientAuthentication"
Or you can use the advanced configurations as follows.或者您可以使用如下高级配置。
[[resource.access_control]]
context="(.*)/oauth2/introspect(.*)"
secure = "true"
http_method = "all"
cross_tenant = true
cross_access_allowed_tenants="carbon.super"
allowed_auth_handlers="BasicClientAuthentication"
permissions=["/permission/admin/manage/identity/applicationmgt/view"]
scopes=["internal_application_mgt_view"]
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.