1
votes

I'm working on a small proof-of-concept implementation involving OpenID Connect and WSO2 Identity Server 5.3.0.

On the client side, I'm using python with the oic library to attempt to get the discovery mechanism working. I'm executing the following code, based on the oic documentation:

from oic.oic import Client

oic_client = Client(verify_ssl=False)

uid = "[email protected]"
issuer = oic_client.discover(uid)
provider_info = oic_client.provider_config(issuer)

This results in the following error:

oic.exception.IssuerMismatch: 'https://172.22.0.2:443/oauth2/oidcdiscovery' != 'https://172.22.0.2:443/oauth2/token'

The problem here is that with the default configuration, the discover() step will return an issuer value of https://172.22.0.2:443/oauth2/oidcdiscovery, but the subsequent provider_config() step will return a document containing an issuer value of https://172.22.0.2:443/oauth2/token.

The oic library seems to be correct in reporting this mismatch as an error, as the OpenID Connect Discovery specification states the following about the issuer value presented in the provider metadata (emphasis mine):

REQUIRED. URL using the https scheme with no query or fragment component that the OP asserts as its Issuer Identifier. If Issuer discovery is supported (see Section 2), this value MUST be identical to the issuer value returned by WebFinger. This also MUST be identical to the iss Claim value in ID Tokens issued from this Issuer.

So, my question is the following:

  1. Am I correct in concluding that (at least with the default configuration) WSO2 Identity Server does not conform to the OpenID Connect specification, at least as far as discovery is concerned?
  2. Is it possible to configure WSO2 Identity Server in such a way that it will conform to the spec? I have tried specifying various combinations of OIDCDiscoveryEPUrl and IDTokenIssuerID in the identity.xml file, but no luck so far.

For now, after reading through the oic source code, I'm using the following workaround to ignore the issuer mismatch:

oic_client.allow["issuer_mismatch"] = True

I would, however, much prefer to find a solution in which WSO2 Identity Server is made to behave according to spec.
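As an added illustration (not code from the question or from the oic library), the check below applies the three rules of the quoted Discovery text to a provider metadata document: https scheme without query or fragment, exact identity with the WebFinger issuer, and exact identity with the ID Token iss claim. The two issuer URLs are the ones from the question; the metadata document around them is constructed.

```python
from urllib.parse import urlsplit


def check_issuer(webfinger_issuer, provider_metadata, id_token_iss=None):
    """Return a list of violations of the OpenID Connect Discovery rules
    for the 'issuer' value in provider metadata; an empty list means the
    value is consistent. Comparisons are exact string comparisons, as the
    spec says 'identical': 'https://op/' and 'https://op' do not match."""
    problems = []
    issuer = provider_metadata.get("issuer")
    if not issuer:
        return ["provider metadata has no 'issuer' value"]
    parts = urlsplit(issuer)
    # REQUIRED: https scheme with no query or fragment component
    if parts.scheme != "https":
        problems.append(f"issuer {issuer!r} does not use the https scheme")
    if parts.query or parts.fragment:
        problems.append(f"issuer {issuer!r} has a query or fragment component")
    # MUST be identical to the issuer returned by WebFinger discovery.
    # This is the check that allow['issuer_mismatch'] = True switches off.
    if webfinger_issuer is not None and issuer != webfinger_issuer:
        problems.append(
            f"issuer {issuer!r} != WebFinger issuer {webfinger_issuer!r}")
    # MUST be identical to the iss claim of ID Tokens from this issuer
    if id_token_iss is not None and issuer != id_token_iss:
        problems.append(f"issuer {issuer!r} != ID Token iss {id_token_iss!r}")
    return problems


# Issuer values from the question; the rest of the metadata is constructed
WEBFINGER_ISSUER = "https://172.22.0.2:443/oauth2/oidcdiscovery"
METADATA = {
    "issuer": "https://172.22.0.2:443/oauth2/token",
    "authorization_endpoint": "https://172.22.0.2:443/oauth2/authorize",
}

if __name__ == "__main__":
    for problem in check_issuer(WEBFINGER_ISSUER, METADATA):
        print("mismatch:", problem)
```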


2 Answers

1
votes

I observed the below issue and was able to resolve it by changing the resident Identity Provider entity ID, located in the WSO2-IS management console under Identity Providers -> Resident -> Inbound Authentication Configuration -> OAuth2/OpenID Connect Configuration. Check the hostname and port and change them according to the IDP configuration.

This resolved my:

ERROR - Util Issuers do not match,
expected https://localhost:9444/oauth2/token
got https://localhost:9443/oauth2/token

0
votes

I got around this by setting IDTokenIssuerID in identity.xml to the discovery URL (https://172.22.0.2:443/oauth2/oidcdiscovery, as in your case). But I eventually ran into another mismatch in the ID token's iss field, which is always "https://localhost:9443/oauth2/token" but is expected by the OIDC spec to be the discovery URL as well.