0
votes

I have configured two tenants in my WSO2 Identity Server (5.3).

mydomain.com --> tenant1
mydomain2.com --> tenant22

Each tenant has a couple of users configured in it. In Tenant1 (mydomain.com) I have added an application under Service Provider. Note: the SaaS check box is unchecked.

I tried to generate the OAuth access token via the client credentials and password grant types. I face the issues below.

  1. client credentials grant:

curl -u LdTubNF7u1pxTeWa98Q46K2vqhUa:clx4UTH1h2DdXuSMhzWrfXPSBJga -k -d "grant_type=client_credentials" -H "Content-Type:application/x-www-form-urlencoded" http://10.37.2.XX:9763/oauth2/token

This generates the token for me. Ideally it should have failed, as the application is configured for the specific tenant. I tried to access it by passing some domain name which is not listed and it still works, e.g.

curl -u LdTubNF7u1pxTeWa98Q46K2vqhUa:clx4UTH1h2DdXuSMhzWrfXPSBJga -k -d "grant_type=client_credentials" -H  "Content-Type:application/x-www-form-urlencoded" http://10.37.2.XX:9763/oauth2/token?tenantDomain=mytrail.com
  2. password grant:

curl -v -X POST -H "Authorization: Basic TGRUdWJORjd1MXB4VGVXYTk4UTQ2SzJ2cWhVYTpjbHg0VVRIMWgyRGRYdVNNaHpXcmZYUFNCSmdh" -k -d "grant_type=password&username=xxx&password=xxxx" -H "Content-Type:application/x-www-form-urlencoded" http://10.37.2.xx:9763/oauth2/token

Here the username and password belong to tenant mydomain.com and I get the error below.

[2017-03-31 01:45:33,420] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} -  Non-SaaS service provider tenant domain is not same as user tenant domain; mydomain.com != carbon.super
[2017-03-31 01:45:33,420] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} -  Invalid Grant provided by the client Id: LdTubNF7u1pxTeWa98Q46K2vqhUa

Can anyone tell me what I missed here? I want my application to be tenant-specific.

Thanks, Rama

1

1 Answer

1
votes

These two scenarios can be described as below.

  1. In the client credentials grant type, the token endpoint must be calculating the tenant domain information from the client id value you are sending (not from the query param). When you send the client credentials grant token request, WSO2 Identity Server extracts the Authorization header, gets the client id value and finds the application. Since the client id and secret values are valid, it will return the token.

  2. When you try the password grant type providing username and password, Identity Server first verifies the user's tenant domain. When you provide the username without the tenant domain information, Identity Server assumes the super tenant domain (carbon.super) and checks whether it matches the OAuth application's tenant domain (the application is identified by the client id). You get the error because those two attributes are different. This scenario should work fine if your username parameter contained the tenant domain as well.

Say you have a user with username user1 in mydomain.com. Give user1@mydomain.com as the username parameter value in the password grant token request. Then it should return the token.
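The two behaviours the answer describes, as an added Python example that is not part of the original post and not WSO2's own code: a helper that splits a tenant-qualified username the way the answer says the server does (a bare username falls back to carbon.super), a function that mirrors the non-SaaS tenant comparison reported in the PasswordGrantHandler DEBUG line from the question, and a builder that produces the same Authorization header and form body as the curl commands above so the request can be replayed from Python. The token URL, client id, secret and password in the demo are placeholders; the server's internals are not reproduced, only the checks the answer and the log line describe.

```python
from __future__ import annotations

import base64
import urllib.request
from urllib.parse import urlencode

# Tenant WSO2 IS assumes when a username carries no "@tenant" suffix
# (stated in the answer above and visible in the DEBUG log line).
SUPER_TENANT = "carbon.super"


def split_tenant_qualified_username(username: str) -> tuple[str, str]:
    """Return (user, tenant_domain) for a WSO2-style username.

    'user1@mydomain.com' -> ('user1', 'mydomain.com')
    'user1'              -> ('user1', 'carbon.super')
    The split is on the last '@', so a local part that itself contains
    '@' still resolves to the trailing tenant domain.
    """
    if "@" in username:
        user, tenant = username.rsplit("@", 1)
        return user, tenant
    return username, SUPER_TENANT


def password_grant_allowed(sp_tenant: str, username: str, saas_app: bool = False) -> tuple[bool, str | None]:
    """Mirror the tenant check from the PasswordGrantHandler log line in the question.

    A SaaS application accepts users from any tenant; a non-SaaS one only
    accepts users whose tenant equals the service provider's tenant.
    Returns (allowed, reason); the reason reuses the log line's wording.
    """
    _, user_tenant = split_tenant_qualified_username(username)
    if saas_app or sp_tenant == user_tenant:
        return True, None
    return False, (
        "Non-SaaS service provider tenant domain is not same as user tenant domain; "
        f"{sp_tenant} != {user_tenant}"
    )


def build_token_request(token_url: str, client_id: str, client_secret: str, grant_type: str, **params):
    """Build (url, headers, body) equivalent to the curl commands in the question.

    'curl -u id:secret' sends 'Authorization: Basic base64(id:secret)'.
    Form values are URL-encoded, so the '@' of a tenant-qualified username becomes %40.
    """
    creds = base64.b64encode(f"{client_id}:{client_secret}".encode()).decode()
    headers = {
        "Authorization": f"Basic {creds}",
        "Content-Type": "application/x-www-form-urlencoded",
    }
    body = urlencode({"grant_type": grant_type, **params})
    return token_url, headers, body


def send_token_request(url: str, headers: dict, body: str, timeout: int = 10) -> str:
    """POST the built request and return the raw response body (network call; the demo below does not use it)."""
    req = urllib.request.Request(url, data=body.encode(), headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Placeholder values (assumptions for the demo, not the question's real credentials).
    token_url = "https://localhost:9443/oauth2/token"
    client_id, client_secret = "CLIENT_ID", "CLIENT_SECRET"
    sp_tenant = "mydomain.com"  # tenant the service provider was created in

    # Client credentials: the tenant is derived from the client id; the query string plays no part.
    print(build_token_request(token_url + "?tenantDomain=mytrail.com", client_id, client_secret, "client_credentials"))

    # Password grant: a bare username resolves to carbon.super and is rejected for a non-SaaS SP;
    # the tenant-qualified form passes the check.
    for username in ("user1", "user1@mydomain.com"):
        allowed, reason = password_grant_allowed(sp_tenant, username)
        print(username, "->", "allowed" if allowed else reason)
        if allowed:
            print(build_token_request(token_url, client_id, client_secret, "password",
                                      username=username, password="PASSWORD"))
```

Run it as a script to see the rejected bare username beside the accepted qualified one; pass the tuple from build_token_request to send_token_request to replay the request against a real token endpoint.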