6
votes

Usually the OIDC discovery .well-known URI can be requested anonymously. The example in the WSO2 IS 5.3.0 doc states that admin-level credentials must be provided for the request:

https://docs.wso2.com/display/IS530/OpenID+Connect+Discovery

curl -v -k --user admin:admin https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration

I can confirm this, because a curl -v -k https://localhost:9443/oauth2/oidcdiscovery/.well-known/openid-configuration returns a 401 Not Authorized.

I tried to configure the permissions in the registry for /_system/config/oidc with "SYSTEM/wso2.anonymous.role is ALLOWed to READ" and I still get a 401. Adding the right "SYSTEM/wso2.anonymous.role is ALLOWed to AUTHORIZE" returns a 200, but with an empty body.

Any advice on how to tackle the OIDC discovery (getting the OIDC configuration) without having to provide any creds (anonymously)?

Thanks

JF


2 Answers

8
votes

After many trials, anonymous access can be provided by commenting out the .well-known line in {WSO2_base_path}/repository/conf/identity/identity.xml:

<ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/api/identity/recovery/(.*)" secured="true" http-method="all"/>
    <!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->
    <Resource context="(.*)/identity/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/delete</Permissions>
    </Resource>
    <Resource context="(.*)/identity/connect/register(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/create</Permissions>
    </Resource>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
    <Resource context="(.*)/api/identity/entitlement/(.*)" secured="true" http-method="all">
        <Permissions>/permission/admin/manage/identity/pep</Permissions>
    </Resource>
</ResourceAccessControl>
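As an added example (not from the answer or from WSO2), the following Python audit parses a ResourceAccessControl fragment like the one above and reports whether the discovery path is still matched by a secured rule, which is the check you would run before and after editing identity.xml. It assumes the context attribute is a regular expression matched against the full request path; both XML fragments are constructed from the answer's configuration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed identity.xml fragment modelled on the answer above, with the
# .well-known rule still active (the "before" state).
IDENTITY_XML_SECURED = """<Server>
  <ResourceAccessControl>
    <Resource context="(.*)/api/identity/user/(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>
    <Resource context="(.*)/oauth2/introspect(.*)" secured="true" http-method="all">
      <Permissions>/permission/admin/manage/identity/applicationmgt/view</Permissions>
    </Resource>
  </ResourceAccessControl>
</Server>"""

# Same fragment with the .well-known rule commented out (the "after" state).
# ElementTree drops XML comments, so the commented rule disappears from the tree.
IDENTITY_XML_ANON = IDENTITY_XML_SECURED.replace(
    '<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>',
    '<!--<Resource context="(.*)/.well-known(.*)" secured="true" http-method="all"/>-->')

DISCOVERY_PATH = "/oauth2/oidcdiscovery/.well-known/openid-configuration"


def matching_rules(identity_xml, path, method="GET"):
    """Return every <Resource> rule whose context regex matches `path`.

    Assumption: `context` is a regex matched against the whole request path and
    `http-method` is either "all" or a comma-separated list of verbs."""
    root = ET.fromstring(identity_xml)
    hits = []
    for res in root.iter("Resource"):
        ctx = res.get("context", "")
        methods = res.get("http-method", "all").lower()
        if methods != "all" and method.lower() not in methods.split(","):
            continue
        if re.fullmatch(ctx, path):
            hits.append({
                "context": ctx,
                "secured": res.get("secured") == "true",
                "permissions": [p.text for p in res.findall("Permissions")],
            })
    return hits


def requires_auth(identity_xml, path, method="GET"):
    """True if any matching rule marks the path as secured (expect a 401 anonymously)."""
    return any(rule["secured"] for rule in matching_rules(identity_xml, path, method))
```

Running `requires_auth(IDENTITY_XML_SECURED, DISCOVERY_PATH)` returns True and the same call on `IDENTITY_XML_ANON` returns False, while `/oauth2/introspect` stays secured in both, which is the intended scope of the change.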
-1
votes

You may reverse proxy to that endpoint with something like an Apache2 reverse proxy, pointing at the endpoint that requires BasicAuth, if you want to hide this from the user; or, considering the data is relatively static, you could just download the data and serve it from an unprotected endpoint somewhere else.

But I guess it would be better to find the configuration setting that turns basic authentication off since it serves no purpose.