WSO2 Federated IDP RefreshToken with invalid username

0
votes

community. I'm using WSO2 IS 5.7.0 to integrate an Angular app with an external IDP. The external IDP is configured with SAML2 and the service provider Inbound Authentication is set with Oauth/OpenID. The service provider uses Federated Authentication to comunicate with the IDP.

The user uid from the IDP is matched with the claim userid, so when I ask for an oauth token, I get the correct scopes (matching a local user with roles configured) to use the token with WSO2 AM. This is working well whe I get the initial oauth token using code grant. If I introspect this token, I can verify the token belongs to the username XXXXXXXX and the scopes are the ones to consume an API on WSO2 AM, based on the roles associated to the local user XXXXXXXX.

The problem is when the refresh token is used to get a new access token after expiration. The new access token comes with the same scopes, but I cannot consume the same API I was consuming with the first token. I get a 403 Forbidden on every call and the AM log shows: WARN - APIAuthenticationHandler API authentication failure due to Invalid Credentials (The first WARN appears only once) WARN - APIAuthenticationHandler API authentication failure due to The access token does not allow you to access the requested resource (this WARN appears on the subsequent calls)

If I introspect the receibed token, I can see the same scopes as the original access token, but the username is different: FEDERATED/[email protected].

I think this username change on the token information leads to the 403 error.

The problem is worst if I activate the Service Provider option "Use tenant domain in local subject identifier" on the Local & Outbound Authentication Configuration. In this case, every time I ask for a new token with refresh token, the tenant is appended to the username on an infinite loop: [email protected]@[email protected]@carbon.super On every token I get, the introspect shows me another @carbon.super is appended to the username of the actual token. In this case, the FEDERATED/ is not always present on the username.

I expect the username associated to the refreshtoken to be equal to the one on the first access token.

Is there a configuration to solve this or this is a bug? is resolved on new releases of WSO2 IS? (sorry for my english)

Thanks!

1
wso2wso2is
Welcome to SO. To get good answers, please review: How to create a Minimal, Reproducible Example When asking a question, people will be better able to provide help if you provide code that they can easily understand and use to reproduce the problem. This is called creating a minimal, reproducible example (reprex), a minimal, complete and verifiable example (mcve), or a minimal, workable example (mwe). - stackoverflow.com/help/minimal-reproducible-examplePaul Dawson

1 Answers

0
votes

Similar issue is reported[1] and fixed with PR[2].

[1] https://github.com/wso2/product-is/issues/4472

[2] https://github.com/wso2-extensions/identity-inbound-auth-oauth/pull/1022

If you don't have a WSO2 subscription, upgrading to the 5.8.0 will resolve the issue.