0 votes

I'm trying to figure out how to set up my applications for SSO using WSO2 Identity Server. My use case is I have 2 applications secured by OAuth/OpenId Connect using WSO2IS. If I'm logged into application 1, then launching application 2 should automatically log me in. What should the flow be?

Currently, I have created 2 service providers, one for each application. Each service provider inbound authentication configuration is configured using OAuth/OpenId Connect. What else do I need to do?

I've followed https://docs.wso2.com/display/IS530/Configuring+OAuth2-OpenID+Connect+Single-Sign-On. I succeed in being redirected to IS for login, and each application is able to obtain an access token and JWT. However, I'm being asked to log in for each application separately, with no automatic login when I access application 2.

Thank you!

WSO2IS output when I log in to application 1, then followed by application 2, within the same browser and tab.

<<< Application 1 >>>

[2017-07-27 21:30:17,117] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a and callback_uri http://[hostname]:[8080]/xxxx/
[2017-07-27 21:30:17,124] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a ,App Name : Application1, Callback URL : http://[hostname]:[8080]/xxxx/
[2017-07-27 21:30:30,506] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : [email protected], Client ID : L7c7Zqf9QpDKjyEtOQ74R__RSy0a, Authorization Response Type : code, Requested callback URI : http://[hostname]:[8080]/xxxx/, Requested Scope : email openid profile
[2017-07-27 21:30:30,507] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2017-07-27 21:30:30,508] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler} - Issued Authorization Code to user : [email protected], Using the redirect url : http://[hostname]:[8080]/xxxx/, Scope : email openid profile, validity period : 300000
[2017-07-27 21:30:30,510] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID L7c7Zqf9QpDKjyEtOQ74R__RSy0a, User ID null, Scope : [] and Grant Type : authorization_code
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret.
Client ID: L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,756] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : authorization_code Strict client validation set to : null
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,757] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Authorization Code Info was not available in cache for client id : L7c7Zqf9QpDKjyEtOQ74R__RSy0a
[2017-07-27 21:30:30,758] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Found an Authorization Code, Client : L7c7Zqf9QpDKjyEtOQ74R__RSy0a, authorized user : [email protected], scope : email openid profile
[2017-07-27 21:30:30,758] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token c6d1b10e-cd51-379a-9162-4f5228aaa5dc found in cache
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
[2017-07-27 21:30:30,759] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: L7c7Zqf9QpDKjyEtOQ74R__RSy0a username: [email protected] and scopes: email openid profile

<<< Application 2 >>>

[2017-07-27 21:30:42,014] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Validate Client information request for client_id : fwM8a593OUxufW2ZaBXYx9f1mREa and callback_uri http://[hostname]:[8090]/xxxx/
[2017-07-27 21:30:42,016] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Registered App found for the given Client Id : fwM8a593OUxufW2ZaBXYx9f1mREa ,App Name : Application2, Callback URL : http://[hostname]:[8090]/xxxx/
[2017-07-27 21:30:55,454] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Authorization Request received for user : [email protected], Client ID : fwM8a593OUxufW2ZaBXYx9f1mREa, Authorization Response Type : code, Requested callback URI : http://[hostname]:[8090]/xxxx/, Requested Scope : email openid profile
[2017-07-27 21:30:55,455] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthAuthzReqMessageContext to threadlocal
[2017-07-27 21:30:55,457] DEBUG {org.wso2.carbon.identity.oauth2.authz.handlers.CodeResponseTypeHandler} - Issued Authorization Code to user : [email protected], Using the redirect url : http://[hostname]:[8090]/xxxx/, Scope : email openid profile, validity period : 300000
[2017-07-27 21:30:55,458] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthAuthzReqMessageContext
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID fwM8a593OUxufW2ZaBXYx9f1mREa, User ID null, Scope : [] and Grant Type : authorization_code
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret.
Client ID: fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : authorization_code Strict client validation set to : null
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Authorization Code Info was not available in cache for client id : fwM8a593OUxufW2ZaBXYx9f1mREa
[2017-07-27 21:30:55,739] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AuthorizationCodeGrantHandler} - Found an Authorization Code, Client : fwM8a593OUxufW2ZaBXYx9f1mREa, authorized user : [email protected], scope : email openid profile
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token a01c94d9-c889-3a38-a67e-38a7f0350aa0 found in cache
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
[2017-07-27 21:30:55,740] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: fwM8a593OUxufW2ZaBXYx9f1mREa username: [email protected] and scopes: email openid profile

1
What about the outbound authenticators configured for each application? – farasath
Are your apps running on the localhost domain? Recently Chrome has made a change that prevented cookies set for localhost from being sent back. So one thing I can suggest is to set up your apps in two domains like abc.com and xyz.com and try the same. – farasath

1 Answer

1 vote

The next step is to set up your client application, which will try to authenticate the user with WSO2 using OpenID Connect. Follow these steps:

https://docs.wso2.com/display/IS530/OpenIDConnect

Once done, create a copy of your application, run it on a different port, and play with SSO and SLO. An example is this:

https://docs.wso2.com/display/IS530/Configuring+OpenID+Connect+Single+Logout

You can learn about the mechanics of how WSO2 IS maintains an SSO session by reading Enabling Authentication Session Persistence.
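The mechanics the answer points to come down to one thing: the identity provider keeps its own browser session, carried by a cookie on the IdP origin, and its authorization endpoint skips the login page whenever that cookie identifies a live session. The second application is a separate OAuth client with its own client_id and redirect URI, but it shares the user's IdP session, which is why it should get a code without a fresh login, and why a browser that does not send the IdP cookie back (the localhost situation raised in the comments) produces exactly the symptom in the question: a login prompt per application. The toy model below is an added example, not code from the question, the answer, or WSO2 IS; the class and field names (`IdP`, `Browser`, `idp_session`), the client ids, secrets and callback URLs are all constructed for illustration.

```python
"""Toy model of IdP-session-based single sign-on across two OpenID Connect
relying parties (added example; names and values are constructed)."""
import secrets
from dataclasses import dataclass, field


@dataclass
class IdP:
    """Minimal authorization server: registered clients, browser sessions, auth codes."""
    clients: dict                                   # client_id -> (client_secret, redirect_uri)
    sessions: dict = field(default_factory=dict)    # session id (cookie value) -> username
    codes: dict = field(default_factory=dict)       # authorization code -> (client_id, username)

    def _issue_code(self, client_id, redirect_uri, username):
        code = secrets.token_urlsafe(16)
        self.codes[code] = (client_id, username)
        return f"{redirect_uri}?code={code}"

    def authorize(self, client_id, redirect_uri, cookies, prompt=None):
        """Authorization endpoint: reject unknown client/redirect pairs, then either
        reuse the IdP session found in the cookie (SSO) or send the user to the login page."""
        registered = self.clients.get(client_id)
        if registered is None or registered[1] != redirect_uri:   # exact redirect_uri match
            return {"action": "error", "error": "invalid_client_or_redirect_uri"}
        username = self.sessions.get(cookies.get("idp_session"))
        if username is None or prompt == "login":
            return {"action": "show_login"}
        return {"action": "redirect", "location": self._issue_code(client_id, redirect_uri, username)}

    def login(self, username, client_id, redirect_uri):
        """Interactive login (credential check elided): create the IdP session cookie and issue a code."""
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = username
        return {"action": "redirect",
                "location": self._issue_code(client_id, redirect_uri, username),
                "set_cookie": ("idp_session", sid)}

    def token(self, code, client_id, client_secret):
        """Token endpoint: authenticate the client, redeem the code once, and only for the
        client it was issued to, then return an id_token whose audience is that client."""
        registered = self.clients.get(client_id)
        if registered is None or not secrets.compare_digest(registered[0], client_secret):
            return {"error": "invalid_client"}
        entry = self.codes.pop(code, None)            # single use: a replayed code fails
        if entry is None or entry[0] != client_id:
            return {"error": "invalid_grant"}
        return {"id_token": {"sub": entry[1], "aud": client_id},
                "access_token": secrets.token_urlsafe(16)}


@dataclass
class Browser:
    """Cookie jar for the IdP origin; send_cookies=False models a browser that stores
    the cookie but never sends it back, which is the failure mode the comments describe."""
    jar: dict = field(default_factory=dict)
    send_cookies: bool = True

    def cookies(self):
        return dict(self.jar) if self.send_cookies else {}


def visit(browser, idp, client_id, client_secret, redirect_uri, username):
    """One relying party's authorization-code round trip. Returns (login_prompted, id_token)."""
    resp = idp.authorize(client_id, redirect_uri, browser.cookies())
    prompted = resp["action"] == "show_login"
    if prompted:
        resp = idp.login(username, client_id, redirect_uri)
        browser.jar[resp["set_cookie"][0]] = resp["set_cookie"][1]
    assert resp["action"] == "redirect" and resp["location"].startswith(redirect_uri + "?code=")
    code = resp["location"].split("code=", 1)[1]
    tok = idp.token(code, client_id, client_secret)
    return prompted, tok["id_token"]


def run_scenario(send_cookies=True):
    """Log into app1, then app2, in the same browser; report which visits prompted for login."""
    app1 = ("app1-client", "app1-secret", "http://app1.example.test:8080/callback")   # constructed
    app2 = ("app2-client", "app2-secret", "http://app2.example.test:8090/callback")   # constructed
    idp = IdP(clients={app1[0]: (app1[1], app1[2]), app2[0]: (app2[1], app2[2])})
    browser = Browser(send_cookies=send_cookies)
    p1, t1 = visit(browser, idp, *app1, "alice")
    p2, t2 = visit(browser, idp, *app2, "alice")
    return {"app1_prompted": p1, "app2_prompted": p2,
            "same_subject": t1["sub"] == t2["sub"],
            "audiences": (t1["aud"], t2["aud"])}


if __name__ == "__main__":
    print("cookie sent back:", run_scenario(send_cookies=True))
    print("cookie dropped:  ", run_scenario(send_cookies=False))
```

With the cookie flowing, only the first visit shows a login page; the second client receives its own code and an id_token with its own `aud` but the same `sub`, which is the SSO the question expects. With the cookie dropped, every visit prompts, matching the reported behaviour even though each application still completes its own code exchange, as the posted logs show. The model also keeps two checks a practitioner would look for at the IdP: exact redirect URI matching at the authorization endpoint, and single-use codes bound to the requesting client at the token endpoint.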