3
votes

I have been using WSO2IS as OIDC provider. I have implemented a custom claim handler which is working fine and being invoked when WSO2 receives grant_type "Authorization_code". The problem started when a Service Provider sent a request with grant_type=password. In this case, WSO2 successfully authenticated the user and returned the JWT but... without the custom claim, as WSO2 did not invoke the custom claim handler.

This is the configuration I did in the file <IS_HOME>/repository/conf/identity/application-authentication.xml for the custom claim handler, which is being invoked for grant_type=authorization_code.

<ClaimHandler>com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler</ClaimHandler>

This is the debug log from WSO2:

TID: [-1234] [] [2018-04-06 11:34:38,199] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Created singleton instance for org.wso2.carbon.identity.auth.service.handler.HandlerManager
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler for the given handler list.
TID: [-1234] [] [2018-04-06 11:34:38,200] DEBUG {org.wso2.carbon.identity.auth.service.handler.HandlerManager} - Get first priority handler : DefaultAuthenticationManager(org.wso2.carbon.identity.auth.service.AuthenticationManager)
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - Access Token request received for Client ID EjQvbCf0pclp6eVO5lxTq23_lxQa, User ID userldap, Scope : [ openid, email] and Grant Type : password
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Can authenticate with client ID and Secret. Client ID: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.clientauth.AbstractClientAuthHandler} - Grant type : password Strict client validation set to : null
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Client credentials were fetched from the database.
TID: [-1234] [] [2018-04-06 11:34:38,206] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Successfully authenticated the client with client id : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,207] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Oauth App validation success for consumer key: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,209] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - Pre authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,210] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : ref from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountDisabled in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - Handling event : PRE_AUTHENTICATION
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.recovery.handler.AdminForcedPasswordResetHandler} - PreAuthenticate - AdminForcedPasswordResetHandler for user : [email protected]
TID: [-1234] [] [2018-04-06 11:34:38,215] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.recovery.handler.AccountConfirmationValidationHandler} - PreAuthenticate
TID: [-1234] [] [2018-04-06 11:34:38,216] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,217] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.DefaultClaimMetadataStore} - Assigned mapped attribute : accountLock from user store domain : PRIMARY for claim : http://wso2.org/claims/identity/accountLocked in tenant : -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.claim.metadata.mgt.dao.CacheBackedLocalClaimDAO} - Cache hit for local claim list for tenant: -1234
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post get user claim values is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.governance.store.InMemoryIdentityDataStore} - Loaded UserIdentityClaimsDO from cache for user :userldap with claims: {}
TID: [-1234] [] [2018-04-06 11:34:38,218] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.governance.listener.IdentityMgtEventListener} - post authenticator is called in IdentityMgtEventListener
TID: [-1234] [] [2018-04-06 11:34:38,222] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - Token request with Password Grant Type received. Username : [email protected] : email openid , Authentication State : true
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth.callback.OAuthCallbackHandlerRegistry} - OAuthCallbackHandler was found for the callback. Class Name : org.wso2.carbon.identity.oauth.callback.DefaultCallbackHandler Resource Owner : [email protected] Client Id : EjQvbCf0pclp6eVO5lxTq23_lxQa Scope : email openid
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Added OAuthTokenReqMessageContext to threadlocal
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - SP wise token expiry time feature is applied for tenant id : -1234and consumer key : EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Service Provider specific expiry time enabled for application : EjQvbCf0pclp6eVO5lxTq23_lxQa. Application access token expiry time : null, User access token expiry time : null, Refresh token expiry time : null
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - OAuth application id : EjQvbCf0pclp6eVO5lxTq23_lxQa, access token validity time in milliseconds : 3600000
TID: [-1234] [] [2018-04-06 11:34:38,224] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.handlers.grant.AbstractAuthorizationGrantHandler} - Infinite lifetime Access Token e88de89f-70d4-33d5-b447-5cd0135fd682 found in cache
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.util.OAuth2Util} - Cleared OAuthTokenReqMessageContext
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Access token issued to client Id: EjQvbCf0pclp6eVO5lxTq23_lxQa username: [email protected] and scopes: email openid
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.oauth2.token.AccessTokenIssuer} - Issuing ID token for client: EjQvbCf0pclp6eVO5lxTq23_lxQa
TID: [-1234] [] [2018-04-06 11:34:38,230] DEBUG {org.wso2.carbon.identity.application.common.processors.RandomPasswordProcessor} - Cache Key not found for Random Password Container
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,232] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,233] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,236] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,237] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.core.util.IdentityUtil} - Error while reading user store property CaseInsensitiveUsername. Considering as case sensitive.
TID: [-1234] [] [2018-04-06 11:34:38,241] DEBUG {org.wso2.carbon.identity.oauth2.dao.TokenMgtDAO} - Retrieve access token for tokenId: e88de89f-70d4-33d5-b447-5cd0135fd682 with flag includeExpired: false
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.DefaultIDTokenBuilder} - Using issuer https://localhost:9445/oauth2/token Subject userldap ID Token life time 3600 Current time 1523032478 Nonce Value null Signature Algorithm RS256
TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - Adding claims for user [email protected] to id token.
TID: [-1234] [] [2018-04-06 11:34:38,247] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - User attributes not found in cache. Trying to retrieve attribute for user [email protected]
TID: [-1234] [] [2018-04-06 11:34:38,249] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Loading Basic Application Data of AdministradorOmnicanalidad
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - ApplicationID: 21 ApplicationName: AdministradorOmnicanalidad UserName: userldap TenantDomain: carbon.super
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Clients of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,251] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Steps of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,255] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Claim Mappings of Application 21
TID: [-1234] [] [2018-04-06 11:34:38,256] DEBUG {org.wso2.carbon.identity.application.mgt.dao.impl.ApplicationDAOImpl} - Reading Role Mapping of Application 21

If someone can point out what I missed, or what else I can try, it would be a great help.

Thanks.


2 Answers

1
votes

Claim Handlers are engaged as part of the authentication process in the authentication framework that resides within the Identity Server.

When you use the authorization grant type, user authentication is handled via the authentication framework. This also means that any claims added/modified using a custom claims handler will be engaged.

However, when you use the password grant type, user authentication and claim retrieval happen via the respective user store the user resides in. Since this authentication does not happen through the authentication framework, your custom claim handler will not be engaged.
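A quick way to confirm this from the debug log itself, as an added example (not code from the question or from WSO2): the script splits a WSO2 IS debug dump into entries, even when extraction ran them onto one line as in the question, reads the grant type from the OAuth2Service entry, and reports whether the custom ClaimHandler class or the authentication framework package ever logged. The sample log lines, the username in them and the framework package prefix are assumptions of the example; the handler class name is the one from the question's configuration.

```python
import re
from typing import Dict, List

# Custom ClaimHandler class from the question's application-authentication.xml.
CUSTOM_HANDLER = "com.wso2.carbon.identity.custom.claim.handler.CustomClaimHandler"
# Assumed package prefix of the IS authentication framework (authorization_code
# passes through it, the password grant does not).
FRAMEWORK_PREFIX = "org.wso2.carbon.identity.application.authentication.framework"

# One match per entry; the lookahead also splits entries run together on one line.
ENTRY_RE = re.compile(
    r"TID: \[(?P<tenant>-?\d+)\] \[\] \[(?P<ts>[^\]]+)\] (?P<level>[A-Z]+) "
    r"\{(?P<logger>[^}]+)\} - (?P<msg>.*?)(?=\s*TID: \[|\s*\Z)", re.DOTALL)
GRANT_RE = re.compile(r"Grant Type : (\w+)")

# Constructed sample in the shape of the page's debug log (username made up).
SAMPLE_LOG = (
    "TID: [-1234] [] [2018-04-06 11:34:38,205] DEBUG {org.wso2.carbon.identity.oauth2.OAuth2Service} - "
    "Access Token request received for Client ID EjQvbCf0pclp6eVO5lxTq23_lxQa, User ID userldap, "
    "Scope : [ openid, email] and Grant Type : password\n"
    "TID: [-1234] [] [2018-04-06 11:34:38,223] DEBUG "
    "{org.wso2.carbon.identity.oauth2.token.handlers.grant.PasswordGrantHandler} - "
    "Token request with Password Grant Type received. Username : user@example.com : email openid , "
    "Authentication State : true\n"
    "TID: [-1234] [] [2018-04-06 11:34:38,244] DEBUG {org.wso2.carbon.identity.openidconnect.SAMLAssertionClaimsCallback} - "
    "Adding claims for user user@example.com to id token.\n")

def parse_entries(text: str) -> List[Dict[str, str]]:
    """Split a WSO2 IS log dump into entries with tenant, ts, level, logger and msg."""
    return [m.groupdict() for m in ENTRY_RE.finditer(text)]

def diagnose(text: str, handler_class: str = CUSTOM_HANDLER) -> Dict[str, object]:
    """Report the token request's grant type and whether the claim handler ran."""
    entries = parse_entries(text)
    grants = [GRANT_RE.search(e["msg"]) for e in entries]
    grant = next((m.group(1).lower() for m in grants if m), None)
    loggers = {e["logger"] for e in entries}
    # A handler only shows up here if it logs at DEBUG, so absence is a hint, not proof.
    handler_seen = handler_class in loggers
    framework_seen = any(name.startswith(FRAMEWORK_PREFIX) for name in loggers)
    hint = None
    if grant == "password" and not framework_seen:
        hint = ("password grant authenticated directly against the user store; "
                "framework ClaimHandlers are not engaged in this flow")
    return {"grant_type": grant, "claim_handler_engaged": handler_seen,
            "framework_engaged": framework_seen, "hint": hint}
```

Running `diagnose` over a log captured for an authorization_code request should show `framework_engaged` true, which is the contrast the answer describes.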

2
votes

Is there any specific reason to write a custom claim handler for OIDC?

If you want to get custom claims with OIDC you could follow the below steps.

  1. Go to management console->claims->Add->Add external claims->select dialect URI as http://wso2.org/oidc/claim, give your custom claim URI as External Claim URI, and map the appropriate local claim.

  2. Once you have successfully added the custom claim under the OIDC dialect, you have to mention the newly added custom claim URI in the registry under the openid scope. The path is below. Registry->Browse->/_system/config/oidc and then click on the Add button of the properties. There you could see the scope values.