[英]WSO2 Identity Server 5.10.0 - Unable to achieve EmailOTP based MFA
我已啟用 EmailOTP 身份提供程序,使用 WSO2 身份服務器作為 Email 提供程序。
在我的 Service PROvider 中,我已啟用 EmailOTP 作為身份驗證的第二步。
Angular UI應用程序是我的前端,當我在登錄頁面(用戶OpenId Connect)上提供用戶名/密碼時,正在生成授權碼,但沒有調用第二步,即沒有顯示OTP頁面和Email沒有通過 OTP 發送給收件人。
除了將 Gmail 作為身份提供者之外,我已按照此處提到的步驟進行操作。
OpenIdConnect 配置:
本地和出站身份驗證配置:
EmailOTP IDP 配置(未使用 Gmail 或 SendGrid):
EMail 適配器和驗證器配置:
[output_adapter.email]
from_address= "sender@domain.com"
username= "username@domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
基於腳本的身份驗證配置:
var onLoginRequest = function(context) {
executeStep(1);
executeStep(2);
};
OpenId 連接配置。
https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp
端點詳細信息:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256§oken=<sec_token>
租戶域錯誤:
租戶域用戶被視為 carbon.super 域的用戶。
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123@carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
在共享日志中,可以觀察到以下行。
BasicAuthRequestPathAuthenticator can handle the request
這意味着BasicAuthRequestPathAuthenticator的canHandle()方法已返回true ,因為定義了sectoken查詢參數。 然后,請求路徑認證已經發生。
BasicAuth RequestPathAuthentication不支持 MFA,它就像密碼授權一樣。 用戶只需驗證傳遞的憑據即可獲得身份驗證。
如果您的目標是在客戶端應用程序(Angular SPA)上擁有登錄頁面,您可以在oauth2/authorize請求並進入默認的基本身份驗證器而不是 RequestPathAuthenticator。 然后 MFA 將按預期工作。
WSO2 IdentitiServer 5.10.0:如何將路由移動短信提供商與 Wso2 身份服務器 MFA 集成
[英]WSO2 IdentitiServer 5.10.0 :How to integrate route mobile SMS Provider with Wso2 Identity server MFA
用戶帳戶暫停在 WSO2 Identity Server 5.10.0 中不起作用
[英]User Account Suspension is not working in WSO2 Identity Server 5.10.0
在 WSO2 身份服務器 5.10.0 中將本地用戶帳戶鏈接到聯合用戶的正確方法是什么
[英]What is the correct way of linking local user account to federated user in WSO2 Identity server 5.10.0
wso2 身份服務器 5.10.0 在設置 JDBC 用戶存儲時出現錯誤
[英]wso2 identity server 5.10.0 while setting up with JDBC userstore getting error
WSO2 身份服務器 5.10.0 - 創建現有用戶時,IS 管理控制台中未顯示錯誤消息
[英]WSO2 Identity Server 5.10.0 - Error message not shown in IS Management Console while creating already existing User
無法訪問wso2身份服務器中的UserIdentityManagementService
[英]Unable to access UserIdentityManagementService in wso2 Identity server
聲明:本站的技術帖子網頁,遵循CC BY-SA 4.0協議,如果您需要轉載,請注明本站網址或者原文地址。任何問題請咨詢:yoyou2525@163.com.