Tags: c#, oauth-2.0, identitymodel, wso2-identity-server

C# webapp does not receive OAuth token, when published in IIS


We are trying to evaluate multiple identity providers. For the POC, a small web app using IdentityModel was written. It can successfully authenticate and authorize when run locally against the current identity provider (at least that is what I have been told). It works properly from a developer laptop, using Visual Studio and IIS Express.

Problems start when I publish the application outside of the development environment into the POC. The application sends the username/password and successfully initiates a session, but it does not receive an authorization token. As a result, the web application stops with a null token exception.

IIS runs the application on the same port and host as in the development environment, https://localhost:44307, using the same self-signed SSL cert.

Where should I dig further? What could be wrong: the IIS configuration, or something in the application?

With Keycloak we identified that the issue might be related to the OAuth authorization credentials being sent in headers, but WSO2 seems to accept both the body and header methods. I was able to validate the identity service functionality using Postman and receive tokens, so the identity service should work.

There are no errors in the WSO2 logs. The log entries only show that an authorization code is issued for the callback URL. Nothing about the token.

public async Task<RedirectResult> LoggedIn()
{
    // Parse the authorization code out of the callback URL
    var authorizeResponse = new AuthorizeResponse(Request.RawUrl);

    // Create the TokenClient
    var client = new TokenClient(
        TokenEndpoint,
        ClientId,
        ClientSecret);

    // Request the access token
    var response = await client.RequestAuthorizationCodeAsync(
        authorizeResponse.Code,
        RedirectUrl);

    // Dump the raw token endpoint response for debugging
    System.IO.File.AppendAllText(AppDomain.CurrentDomain.BaseDirectory + "\\log.txt", response.Raw + "\n");
    var claims = ValidateLocally
        ? ValidateWithHmacOrRsa(response.AccessToken)
        : await ValidateWithUserInfoEndpointAsync(response.AccessToken);

    Session["claims"] = claims;
    Session["identityToken"] = response.IdentityToken;

    return Redirect("~/");
}

I expected to get an authorization token for the OAuth client. Instead, in the application's debug log I see:

Connection=close&Accept=text/html,application/xhtml xml,application/xml;q=0.9,*/*;q=0.8&Accept-Encoding=gzip, deflate, br&Accept-Language=en-US,en;q=0.5&Host=localhost:44307&Referer=https://wso2-1.wso.local:9443/authenticationendpoint/login.do?client_id=gfvUfDTN7bnfJkWW2Z4wXvAV9Dsa&commonAuthCallerPath=/oauth2/authorize&forceAuth=false&passiveAuth=false&redirect_uri=https://localhost:44307/auth/loggedin&response_type=code&scope=openid&tenantDomain=carbon.super&sessionDataKey=687f20cf-7224-4586-8a97-b11e466ac19d&relyingParty=gfvUfDTN7bnfJkWW2Z4wXvAV9Dsa&type=oidc&sp=hellome-local&isSaaSApp=false&authenticators=BasicAuthenticator:LOCAL&TE=trailers&User-Agent=Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0&upgrade-insecure-requests=1

The browser and the Windows event log show:

Exception Details: System.ArgumentNullException: Value cannot be null.
Parameter name: token
...
Stack Trace:

[ArgumentNullException: Value cannot be null.
Parameter name: token]
   IdentityModel.Client.<GetAsync>d__6.MoveNext() +795
   System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw() +31
...

Solution

  • Case closed. The issue was the self-signed Identity Manager certificate. IIS Express happily ignored that, but IIS was stricter and somewhere internally was silently refusing to process the request. However, there were no signs of that in any logs!

    The situation was resolved when the self-signed certificate for the identity manager was imported into the Trusted CA store and made to appear as a valid cert.
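As an added illustration of the failure mode described in this answer (example code, not from the question or the answer), the following C# diagnostic performs, from inside the web app's own process, the same certificate-chain validation that the HttpClient behind IdentityModel's TokenClient performs, and records why it fails; a second helper surfaces a TokenClient error instead of letting AccessToken come back null. The IdP host and port and the IdentityModel 3.x response property names (IsError, ErrorType, Exception) are assumptions.

```csharp
// Added diagnostic (not from the question/answer); IdP host/port and IdentityModel 3.x names are assumptions.
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;
using IdentityModel.Client;

public static class IdpTrustCheck
{
    // Opens a TLS connection to the IdP with the default chain validation the app pool's
    // HttpClient also uses. Returns null when trusted, otherwise the chain failure IIS never logged.
    public static async Task<string> DescribeTrustFailureAsync(string host, int port)
    {
        string failure = null;
        RemoteCertificateValidationCallback record = (sender, cert, chain, errors) =>
        {
            if (errors == SslPolicyErrors.None) return true;
            var x509 = new X509Certificate2(cert);
            failure = $"{errors}; subject={x509.Subject}; issuer={x509.Issuer}";
            if (chain != null)
                foreach (var s in chain.ChainStatus)
                    failure += $"; {s.Status}: {s.StatusInformation.Trim()}";
            return false; // keep the default behaviour: an untrusted chain is rejected
        };
        try
        {
            using (var tcp = new TcpClient())
            {
                await tcp.ConnectAsync(host, port);
                using (var ssl = new SslStream(tcp.GetStream(), false, record))
                    await ssl.AuthenticateAsClientAsync(host); // throws when record returns false
            }
        }
        catch (AuthenticationException ex) { failure = failure ?? ex.Message; }
        return failure;
    }

    // Surface a TokenClient failure instead of dereferencing a null AccessToken.
    public static void ThrowIfError(TokenResponse response)
    {
        if (!response.IsError) return;
        var detail = response.ErrorType == ResponseErrorType.Exception
            ? response.Exception.ToString() : response.Error; // e.g. the TLS handshake failure
        throw new InvalidOperationException("Token request failed: " + detail);
    }
}
```

Calling DescribeTrustFailureAsync("wso2-1.wso.local", 9443) from the published app (for instance once at startup, writing the result to the same log.txt) reports the chain failure before any token request is made; ThrowIfError(response) belongs directly after RequestAuthorizationCodeAsync so the real error replaces the later ArgumentNullException.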