0
我正在使用OpenID Connect(OIDC)進行入站身份驗證並使用聯合身份提供程序(也使用OIDC)進行出站身份驗證的服務提供商評估WSO2 IS。服務提供商配置爲SaaS應用程序。WSO2 IS - 向註銷端點提供id_token_hint時無效的租戶域
到目前爲止登錄工作正常。註銷應首先在WSO2 IS上調用註銷端點,然後應通過爲post_logout_redirect_uri參數提供相應的值來重定向到身份提供商的註銷端點。
所以在服務提供商的以下網址被稱爲在WSO2註銷註銷時爲:
https://wso2-is.local:9443/oidc/logout?post_logout_redirect_uri=http%3A%2F%2Ffed-idp.local%2Flogout&client_id=R0XGj...&id_token_hint=eyJ4NXQ...
這將導致以下異常Invalid tenant domain:
[2017-10-16 14:41:16,327] ERROR {org.apache.catalina.core.StandardWrapperValve} - Servlet.service() for servlet [bridgeservlet] in context with path [/] threw exception
org.wso2.carbon.identity.base.IdentityRuntimeException: Invalid tenant domain mydomain.com
at org.wso2.carbon.identity.base.IdentityRuntimeException.error(IdentityRuntimeException.java:63)
at org.wso2.carbon.identity.core.util.IdentityTenantUtil.getTenantId(IdentityTenantUtil.java:242)
at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.validateIdToken(OIDCLogoutServlet.java:226)
at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.processLogoutRequest(OIDCLogoutServlet.java:174)
at org.wso2.carbon.identity.oidc.session.servlet.OIDCLogoutServlet.doGet(OIDCLogoutServlet.java:131)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:624)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.filters.HttpHeaderSecurityFilter.doFilter(HttpHeaderSecurityFilter.java:124)
at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:506)
at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:169)
at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
at org.wso2.carbon.identity.context.rewrite.valve.TenantContextRewriteValve.invoke(TenantContextRewriteValve.java:72)
at org.wso2.carbon.identity.authz.valve.AuthorizationValve.invoke(AuthorizationValve.java:91)
at org.wso2.carbon.identity.auth.valve.AuthenticationValve.invoke(AuthenticationValve.java:60)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:962)
at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:445)
at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1115)
at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:637)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1770)
at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1729)
at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
at java.lang.Thread.run(Thread.java:745)
的mydomain.com來自電子郵件用於在聯合身份提供者處登錄的地址,並且是ID令牌中的主題。在另一個域中使用電子郵件地址會相應地顯示錯誤消息。
對於我的用例,在WSO2 IS中爲所有可能的電子郵件地址域添加租戶是不可行的。
以下是服務和身份提供者在WSO2配置截圖如下:
Service provider config in WSO2 IS
Identity provider config in WSO2 IS
