WSO2 Identity Server 5.10.0 - 无法实现基于 EmailOTP 的 MFA
WSO2 Identity Server 5.10.0 - Unable to achieve EmailOTP based MFA
我启用了 EmailOTP 身份提供程序,使用 WSO2 身份服务器作为电子邮件提供程序。
在我的服务提供商中,我启用了 EmailOTP 作为身份验证的第二步。
Angular UI 应用程序是我的前端,当我在登录页面(用户 OpenId Connect)上提供 username/password 时,正在生成授权码,但是第二步未被调用,即未显示 OTP 页面并且未使用 OTP 将电子邮件发送给收件人。
除了将 Gmail 作为身份提供者之外,我已按照此处提到的步骤进行操作。
OpenIdConnect 配置:
本地和出站身份验证配置:
EmailOTP IDP 配置(未使用 Gmail 或 SendGrid):
电子邮件适配器和验证器配置:
[output_adapter.email]
from_address= "sender@domain.com"
username= "username@domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
基于脚本的身份验证配置:
var onLoginRequest = function(context) {
executeStep(1);
executeStep(2);
};
OpenId 连接配置。
https://is.docs.wso2.com/en/5.10.0/learn/configuring-email-otp/#configuring-email-otp
端点详细信息:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256§oken=<sec_token>
租户域错误:
租户域用户被视为 carbon.super 域的用户。
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123@carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
在共享日志中,可以观察到以下行。
BasicAuthRequestPathAuthenticator can handle the request
这意味着 BasicAuthRequestPathAuthenticator 的 canHandle() 方法返回了 true,因为定义了 sectoken 查询参数。那么,请求路径认证就完成了。
BasicAuth RequestPathAuthentication 不支持MFA,类似于密码授予。用户只需验证传递的凭据即可获得身份验证。
如果您的目标是在您的客户端应用程序 (Angular SPA) 上拥有登录页面,您可以将用户名和密码作为两个不同的参数传递 (POST OR GET; POST 是推荐的,因为密码不会在 oauth2/authorize 请求中的 URL) 中传递,并进入默认的基本身份验证器而不是 RequestPathAuthenticator。然后 MFA 将按预期工作。
我启用了 EmailOTP 身份提供程序,使用 WSO2 身份服务器作为电子邮件提供程序。
在我的服务提供商中,我启用了 EmailOTP 作为身份验证的第二步。
Angular UI 应用程序是我的前端,当我在登录页面(用户 OpenId Connect)上提供 username/password 时,正在生成授权码,但是第二步未被调用,即未显示 OTP 页面并且未使用 OTP 将电子邮件发送给收件人。
除了将 Gmail 作为身份提供者之外,我已按照此处提到的步骤进行操作。
OpenIdConnect 配置:
本地和出站身份验证配置:
EmailOTP IDP 配置(未使用 Gmail 或 SendGrid):
电子邮件适配器和验证器配置:
[output_adapter.email]
from_address= "sender@domain.com"
username= "username@domain.com"
password= "password"
hostname= "smpt.hostname"
port= 25
enable_start_tls= false
enable_authentication= true
[authentication.authenticator.basic.parameters]
showAuthFailureReason = true
[authentication.authenticator.email_otp]
name ="EmailOTP"
enable=true
[authentication.authenticator.email_otp.parameters]
EMAILOTPAuthenticationEndpointURL = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotp.jsp"
EmailOTPAuthenticationEndpointErrorPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailotpError.jsp"
EmailAddressRequestPage = "https://10.201.8.13:5004/emailotpauthenticationendpoint/emailAddress.jsp"
usecase = "local"
secondaryUserstore = "primary"
EMAILOTPMandatory = false
sendOTPToFederatedEmailAttribute = false
federatedEmailAttributeKey = "email"
EmailOTPEnableByUserClaim = true
CaptureAndUpdateEmailAddress = true
showEmailAddressInUI = true
useEventHandlerBasedEmailSender = true
基于脚本的身份验证配置:
var onLoginRequest = function(context) {
executeStep(1);
executeStep(2);
};
OpenId 连接配置。
端点详细信息:
https://localhost:5004/oauth2/authorize?response_type=code&scope=openid&redirect_uri=http://localhost&client_id=<client_id>&code_challenge=<code_challenge>&code_challenge_method=S256§oken=<sec_token>
租户域错误:
租户域用户被视为 carbon.super 域的用户。
TID: [-1234] [] [2021-02-01 17:13:47,683] [85d31877-3090-4139-9efb-d40f85c2e2eb] DEBUG {org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator}
- OTP Expiration Time not specified default value will be used
TID: [-1234] [] [2021-02-01 17:13:47,684] [85d31877-3090-4139-9efb-d40f85c2e2eb] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator}
- Exception in Authentication Framework java.lang.NullPointerException
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.publishAuthenticationStepAttempt(AbstractApplicationAuthenticator.java:170)
at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:94)
at org.wso2.carbon.identity.authenticator.emailotp.EmailOTPAuthenticator.process(EmailOTPAuthenticator.java:139)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:506)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:480)
at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:179)
at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:185) er} -
Error occurred while getting claims for user: tanoj123@carbon.super from userstore. org.wso2.carbon.user.core.UserStoreException: 30007 - UserNotFound:
User tanoj123 does not exist in: PRIMARY
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.callSecure(AbstractUserStoreManager.java:205)
at org.wso2.carbon.user.core.common.AbstractUserStoreManager.getUserClaimValues(AbstractUserStoreManager.java:1758)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInLocalDialect(DefaultOIDCClaimsCallbackHandler.java:466)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:420)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.retrieveClaimsForLocalUser(DefaultOIDCClaimsCallbackHandler.java:296)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.getUserClaimsInOIDCDialect(DefaultOIDCClaimsCallbackHandler.java:146)
at org.wso2.carbon.identity.openidconnect.DefaultOIDCClaimsCallbackHandler.handleCustomClaims(DefaultOIDCClaimsCallbackHandler.java:85)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims_aroundBody4(APIMJWTGenerator.java:166)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.populateCustomClaims(APIMJWTGenerator.java:156)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody_aroundBody2(APIMJWTGenerator.java:95)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.buildBody(APIMJWTGenerator.java:92)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT_aroundBody0(APIMJWTGenerator.java:69)
at org.wso2.carbon.apimgt.keymgt.token.APIMJWTGenerator.generateJWT(APIMJWTGenerator.java:60)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken_aroundBody4(APIMTokenIssuerUtil.java:210)
at org.wso2.carbon.apimgt.keymgt.util.APIMTokenIssuerUtil.generateToken(APIMTokenIssuerUtil.java:173)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken_aroundBody0(APIMTokenIssuer.java:102)
at org.wso2.carbon.apimgt.keymgt.issuers.APIMTokenIssuer.accessToken(APIMTokenIssuer.java:51)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.getNewAccessToken(AbstractAuthorizationGrantHandler.java:491)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.createNewTokenBean(AbstractAuthorizationGrantHandler.java:390)
at org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler.generateNewAccessToken(AbstractAuthorizationGrantHandler.java:344)
在共享日志中,可以观察到以下行。
BasicAuthRequestPathAuthenticator can handle the request
这意味着 BasicAuthRequestPathAuthenticator 的 canHandle() 方法返回了 true,因为定义了 sectoken 查询参数。那么,请求路径认证就完成了。
BasicAuth RequestPathAuthentication 不支持MFA,类似于密码授予。用户只需验证传递的凭据即可获得身份验证。
如果您的目标是在您的客户端应用程序 (Angular SPA) 上拥有登录页面,您可以将用户名和密码作为两个不同的参数传递 (POST OR GET; POST 是推荐的,因为密码不会在 oauth2/authorize 请求中的 URL) 中传递,并进入默认的基本身份验证器而不是 RequestPathAuthenticator。然后 MFA 将按预期工作。