WSO2 IS:如何允许对 OIDC 的匿名请求。well-known/openid-configuration
WSO2 IS: how to allow anonymous request to OIDC .well-known/openid-configuration
通常对于 OIDC 发现,可以匿名请求 .well-known URI。 WSO2 5.3.0 文档中的示例声明必须为请求提供 admin-level 凭据:
https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery
curl -v -k --user admin:admin https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
(下划线不是拼写错误,而是绕过 URL 计数限制)
我可以确认导致 curl -v -k https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration returns 401 未授权。
(下划线不是拼写错误,而是绕过 URL 计数限制)
我试图在注册表中为 /_system/config/oidc 配置 "SYSTEM/wso2.anonymous.role is ALLOWed to READ" 的权限,但我仍然得到 401。Adiing 的权利 "SYSTEM/wso2.anonymous.role is ALLOWed to AUTHORIZE" returns一个 200 但空 body.
关于如何解决 OIDC 发现(获取 OIDC 配置)而无需提供任何信用(匿名)的任何建议?
谢谢
JF
您可以使用 Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user 之类的东西反向代理到该端点,或者考虑到数据相对静态,您可以只下载数据并从其他地方未受保护的端点提供它。
但我想最好找到关闭基本身份验证的配置设置,因为它没有任何用处。
经过多次试验,可以通过在 {WSO2_base_path}/repository/conf/identity/identity.xml :
中注释 .well-know 行来提供匿名访问
<ResourceAccessControl>
<Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
<Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
<!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
<Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
</Resource>
<Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
</Resource>
<Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
</Resource>
<Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/pep</Permissions>
</Resource>
</ResourceAccessControl>
通常对于 OIDC 发现,可以匿名请求 .well-known URI。 WSO2 5.3.0 文档中的示例声明必须为请求提供 admin-level 凭据:
https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery
curl -v -k --user admin:admin https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration
(下划线不是拼写错误,而是绕过 URL 计数限制)
我可以确认导致 curl -v -k https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration returns 401 未授权。
(下划线不是拼写错误,而是绕过 URL 计数限制)
我试图在注册表中为 /_system/config/oidc 配置 "SYSTEM/wso2.anonymous.role is ALLOWed to READ" 的权限,但我仍然得到 401。Adiing 的权利 "SYSTEM/wso2.anonymous.role is ALLOWed to AUTHORIZE" returns一个 200 但空 body.
关于如何解决 OIDC 发现(获取 OIDC 配置)而无需提供任何信用(匿名)的任何建议?
谢谢
JF
您可以使用 Apache2 Reverse Proxy to an end-point that requires BasicAuth but want to hide this from user 之类的东西反向代理到该端点,或者考虑到数据相对静态,您可以只下载数据并从其他地方未受保护的端点提供它。
但我想最好找到关闭基本身份验证的配置设置,因为它没有任何用处。
经过多次试验,可以通过在 {WSO2_base_path}/repository/conf/identity/identity.xml :
中注释 .well-know 行来提供匿名访问 <ResourceAccessControl>
<Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
<Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
<!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
<Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
</Resource>
<Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
</Resource>
<Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
</Resource>
<Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
<Permissions>/permission/admin/manage/identity/pep</Permissions>
</Resource>
</ResourceAccessControl>