Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

WSO2 IS: how to allow anonymous request to OIDC .well-known/openid-configuration

Tags:

identity

server

wso2

Usually for the OIDC discovery the .well-known URI can be requested as anonymous. The example in WSO2 5.3.0 doc states that admin-level credentials must be provided for the request:

https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery

curl -v -k --user admin:admin https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

(underscore are not a typpo but a bypass of the URL count limitation)

I can confirm that cause a curl -v -k https_:_//localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration returns a 401 not authorized.

(underscore are not a typpo but a bypass of the URL count limitation)

I tried to configure the permissions in the registry for /_system/config/oidc with "SYSTEM/wso2.anonymous.role is ALLOWed to READ" and I still get a 401. Adiing the right to "SYSTEM/wso2.anonymous.role is ALLOWed to AUTHORIZE" returns a 200 but with an empty body.

Any advice on how to tackle the OIDC discovery (getting the OIDC configuration) without having to provide any creds (Anonymously)?

Thanks

JF

like image 334
Jeff LOMBARDO Avatar asked Apr 17 '17 14:04

Jeff LOMBARDO

1 Answers

After many trials, anonymous access can be provided by commenting the .well-know line in {WSO2_base_path}/repository/conf/identity/identity.xml :

 <ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
    <!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
    <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
</ResourceAccessControl>
like image 191
Jeff LOMBARDO Avatar answered Oct 15 '22 23:10

Jeff LOMBARDO
Sign in to Comment

Related questions

How to run the Python program in the background in Ubuntu server
Can't connect to postgres db from pgadmin (both running on docker)?
Could not get https:////dl.bintray.com/lukaville/maven/com/nbsp/library/1.09
Scaling Nodejs server to multiple systems?
Cronjob to detect last modified files
Side effects on a periodic git fetch
MySQL 5.7.9 on OS X El Capitan: ERROR The server quit without updating the PID file
Need to transfer multiple files from client to server
How do I set up a Stanford CoreNLP Server on Windows to return sentiment for text
ReactJS (create-react-app) run on port 80 [duplicate]
Server Architecture - Redis vs Socket server
Consul.io - how to run multiple servers on same machine
How to make use of variables in Wildfly configuration file?
Powershell 5.1 in Windows 2012 R2
WebPack devServer - localhost refused to connect
How to make OpenSSL C server only support TLS 1.3?
Could not publish to the server. java.lang.NullPointerException in Jboss7.1 Server
Composer escapeshellarg() has been disabled for security reasons
no apache2 folder under my etc folder, very confused? etc/apache2?
How to run a cron job on a CodeIgniter controller that all the URL does is run a query from an API, update the DB & send emails (from within CI)?

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!