A little problem with SAML2 exchange for an OAuth token :(

A little problem with SAML2 exchange for an OAuth token :(

Thomas LEGRAND
Hello,

I tried to implement a way to retrieve an OAuth token from a SAML2 response, but this exception appears and I don't know what to do, because I don't "sign" anything (and maybe that is the problem):

[2017-06-13 11:22:04,602] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} -  Error while validating the signature.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

Here is what I do:

I configured my Identity Server to return the SAML response to a custom webapp. From there, I extract the value of the SAMLResponse parameter, decode it and extract the Assertion element using the OpenSAML library (so I get the Assertion object).

Then I do the funky things: marshal the assertion into a string, remove every line-break character from this string and encode it to base64.

The assertion is something like this (I removed some elements and replaced some values to display it in this email, so if you try to check the signature it will surely be wrong):

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f91978670da945183285231e76caa6cd" IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_f91978670da945183285231e76caa6cd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LdDexQOXKnsLOjksxW8/1kR5oPo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WlzAFmtV3L4kQG7fF/79ITsGH17FMoKUjTEDThX/eCLnKsR1YUmw9NdrqA62RORt8cm+2H3nd9A5CwXdK/MgOx1FfVb6lf+vxKkKU3ElP4G9L8lGnYDu1CUcqQ7qaqyCu1XCvLmUled9FPpbhaw+P10l++Qmd/QftUU6eTj8wlU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="http://localhost:8080/sniffer-web/Sniff"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" 
Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-06-13T09:54:35.012Z" NotOnOrAfter="2017-06-13T09:59:35.012Z"><saml2:AudienceRestriction><saml2:Audience>toto</saml2:Audience><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-06-13T09:54:35.012Z" SessionIndex="0e543ae2-11f9-4ef0-9419-9352e09b89e2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rolly role</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[hidden email]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>

Then, I send it as the value of the POST param "assertion" to the URL which should tell the IS to generate my OAuth token. Something like that:


The content of the body should be something like that:

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ENCODED_ASSERTION_HERE>

But but but... BOOM. I get this exception, so can you point out what I am missing, please? I am completely confused.

Regards,

Thomas

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev

Re: A little problem with SAML2 exchange for an OAuth token :(

Farasath Ahamed
Hi Thomas,

Did you simply base64-encode the assertion, or did you base64url-encode it?
The correct way to prepare a SAML assertion for the SAML bearer grant is to url encode it.

Can you compare the encoded value you sent previously with the output you get from [1]?




Thanks,

Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619





Re: A little problem with SAML2 exchange for an OAuth token :(

Farasath Ahamed


On Tue, Jun 13, 2017 at 3:55 PM, Farasath Ahamed <[hidden email]> wrote:
Hi Thomas,

Did you simply base64-encode the assertion, or did you base64url-encode it?
The correct way to prepare a SAML assertion for the SAML bearer grant is to url encode it.
*base64url encode

Can you compare the encoded value you sent previously with the output you get from [1]?





Re: A little problem with SAML2 exchange for an OAuth token :(

Thomas LEGRAND
Hello Farasath,

Thank you for your answer. When I try to use the base64url decoder from the page you sent, nothing happens. But if I try to encode my string with the encoder on your page, I get a different output.

But I tried to decode it on the page in [1] by using the URL decoder first and then the Base64 one, and I can see my original XML. So maybe something is wrong in my code.

Actually, I copied a little code from your WSO2 project named identity-agent-sso, in the SAML2GrantAccessTokenRequestor. Here is the code I copied:


// imports the snippet needs; Base64 is the helper class the agent code uses
import java.net.URLEncoder;
import java.nio.charset.Charset;

public static final String SAML2_BEARER_ASSERTION = "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=";

String tokenEndpoint = "https://localhost:9443/oauth2/token";
String keySecret = "<MY_SECRET_KEY_HERE>"; // consumerKey + ":" + consumerSecret retrieved from the IS

// base64 first, then URL-encode the base64 text; the replaceAll only strips line breaks from the base64 output
String request = SAML2_BEARER_ASSERTION + URLEncoder.encode(
        Base64.encodeBytes(samlAssertionString.getBytes(Charset.forName("UTF-8"))).replaceAll("[\r\n]", ""),
        "UTF-8");
System.out.println("URL params: " + request);

// client credential for the token endpoint: base64(consumerKey:consumerSecret)
String accessTokenResponse = executePost(tokenEndpoint, request,
        Base64.encodeBytes(keySecret.replaceAll("[\r\n]", "").getBytes(Charset.forName("UTF-8"))).replaceAll("[\r\n]", ""));

Of course, I modified the code a little to remove all line breaks, both the Windows and UNIX ones. And I call the executePost method, which I did not touch.

Now, to be clear: should the URL encoding be done before the base64 encoding, or after?

Regards,

Thomas



Re: A little problem with SAML2 exchange for an OAuth token :(

Farasath Ahamed


On Tue, Jun 13, 2017 at 5:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Now, to be clear: should the URL encoding be done before the base64 encoding, or after?

base64encode first and then do the URL encode.

Ignore the URL I posted in the earlier reply. It doesn't seem to be working properly.


Plain assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f91978670da945183285231e76caa6cd" IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_f91978670da945183285231e76caa6cd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LdDexQOXKnsLOjksxW8/1kR5oPo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WlzAFmtV3L4kQG7fF/79ITsGH17FMoKUjTEDThX/eCLnKsR1YUmw9NdrqA62RORt8cm+2H3nd9A5CwXdK/MgOx1FfVb6lf+vxKkKU3ElP4G9L8lGnYDu1CUcqQ7qaqyCu1XCvLmUled9FPpbhaw+P10l++Qmd/QftUU6eTj8wlU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="http://localhost:8080/sniffer-web/Sniff"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" 
Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-06-13T09:54:35.012Z" NotOnOrAfter="2017-06-13T09:59:35.012Z"><saml2:AudienceRestriction><saml2:Audience>toto</saml2:Audience><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-06-13T09:54:35.012Z" SessionIndex="0e543ae2-11f9-4ef0-9419-9352e09b89e2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rolly role</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[hidden email]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>


Step 1: base64-encode the assertion (I used https://www.base64encode.org/base64encode to base64-encode the assertion)




Step 2: URL encode followed by base64encode (I used https://www.samltool.com/url.php to URL-encode)



 

2017-06-13 12:33 GMT+02:00 Farasath Ahamed <[hidden email]>:


Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Tue, Jun 13, 2017 at 3:55 PM, Farasath Ahamed <[hidden email]> wrote:
Hi Thomas,

Did you simply base64 encode the assertion or base64url encode it?
The correct way to prepare a SAML Assertion for the SAML Bearer Grant is to url encode it.
*base64url encode

Can you compare the encoded value you sent previously with the output you get from [1]?




Thanks,

Farasath Ahamed
Software Engineer, WSO2 Inc.; http://wso2.com
Mobile: +94777603866
Twitter: @farazath619




On Tue, Jun 13, 2017 at 3:29 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello,

I tried to implement a way to retrieve an OAuth token from a SAML2 response, but this exception appears and I don't know what to do, because I don't "sign" anything (and maybe that is the problem):

[2017-06-13 11:22:04,602] ERROR {org.wso2.carbon.identity.oauth2.token.handlers.grant.saml.SAML2BearerGrantHandler} -  Error while validating the signature.
org.opensaml.xml.validation.ValidationException: Signature did not validate against the credential's key

Here is what I do:

I configured my Identity Server to return the SAML response to a custom webapp. From there, I extract the value of the SAMLResponse parameter, decode it and extract the Assertion element using the OpenSAML library (so I get the Assertion object).

Then I do the funky things: marshalling the assertion into a string, removing every line-break character from this string and base64 encoding it.

The assertion is something like this (I removed some elements and replaced some values for display in this email, so if you try to check the signature it will certainly be wrong):

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f91978670da945183285231e76caa6cd" IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_f91978670da945183285231e76caa6cd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LdDexQOXKnsLOjksxW8/1kR5oPo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WlzAFmtV3L4kQG7fF/79ITsGH17FMoKUjTEDThX/eCLnKsR1YUmw9NdrqA62RORt8cm+2H3nd9A5CwXdK/MgOx1FfVb6lf+vxKkKU3ElP4G9L8lGnYDu1CUcqQ7qaqyCu1XCvLmUled9FPpbhaw+P10l++Qmd/QftUU6eTj8wlU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="http://localhost:8080/sniffer-web/Sniff"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" 
Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-06-13T09:54:35.012Z" NotOnOrAfter="2017-06-13T09:59:35.012Z"><saml2:AudienceRestriction><saml2:Audience>toto</saml2:Audience><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-06-13T09:54:35.012Z" SessionIndex="0e543ae2-11f9-4ef0-9419-9352e09b89e2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rolly role</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[hidden email]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>

Then I send it as the value of the POST parameter "assertion" to the URL which should tell the IS to generate my OAuth token. Something like this:


The content of the body should be something like this:

grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=<ENCODED_ASSERTION_HERE>

But but but... BOOM. I get this exception, so can you point out what I am missing, please? I am completely confused.

Regards,

Thomas

_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev







Re: A little problem with SAML2 exchange for an OAuth token :(

Thomas LEGRAND
Hello Farasath,

I am so silly: I removed the line breaks in the Assertion element I extracted :(. That was why the signature did not correspond. I removed this bug and now it works.

Sorry :s

Regards,

Thomas

2017-06-13 14:27 GMT+02:00 Farasath Ahamed <[hidden email]>:


On Tue, Jun 13, 2017 at 5:32 PM, Thomas LEGRAND <[hidden email]> wrote:
Hello Farasath,

Thank you for your answer. When I try to use the base64url decoder from the page you sent, nothing happens. But if I try to encode my string via the encoder on your page, I get a different result.

But I tried to decode it from the page in [1] by using the URL decoder first and then the Base64 one. I can see my original XML. So maybe something is wrong in my code.

Actually, I copied a little code from your WSO2 project named identity-agent-sso, in the SAML2GrantAccessTokenRequestor. Here is the code I copied:


import java.net.URLEncoder;
import java.nio.charset.Charset;
// Base64 is the encoder shipped with the agent sample (encodeBytes(byte[]) API)

public static final String SAML2_BEARER_ASSERTION = "grant_type=urn:ietf:params:oauth:grant-type:saml2-bearer&assertion=";

String tokenEndpoint = "https://localhost:9443/oauth2/token";
String keySecret = "<MY_SECRET_KEY_HERE>"; // consumerKey + ":" + consumerSecret retrieved from the IS

// base64 encode the raw assertion bytes, drop any line wrapping the encoder added to its output,
// then URL-encode the result so '+', '/' and '=' survive the form body
// (the two-argument URLEncoder.encode throws UnsupportedEncodingException; declare or catch it)
String request = SAML2_BEARER_ASSERTION + URLEncoder.encode(Base64.encodeBytes(samlAssertionString.getBytes(Charset.forName("UTF-8"))).replaceAll("\r*\n*", ""), "UTF-8");
System.out.println("URL params: " + request);

// the client credentials go in the HTTP Basic Authorization header, also base64 encoded
String accessTokenResponse = executePost(tokenEndpoint, request, Base64.encodeBytes(keySecret.replaceAll("\r*\n*", "").getBytes(Charset.forName("UTF-8"))).replaceAll("\r*\n*", ""));

Of course, I modified the code a little to remove all line breaks, both the Windows and UNIX ones. And I call the executePost method, which I did not touch.

Now, to be clear: should the URL encoding be done before the base64 encoding, or after?

base64 encode first and then URL encode.

Ignore the URL I posted in the earlier reply. It doesn't seem to be working properly.


Plain assertion:

<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_f91978670da945183285231e76caa6cd" IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0" xmlns:xs="http://www.w3.org/2001/XMLSchema"><saml2:Issuer Format="urn:oasis:names:tc:SAML:2.0:nameid-format:entity">localhost</saml2:Issuer><ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#"><ds:SignedInfo><ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/><ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/><ds:Reference URI="#_f91978670da945183285231e76caa6cd"><ds:Transforms><ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/><ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"><ec:InclusiveNamespaces xmlns:ec="http://www.w3.org/2001/10/xml-exc-c14n#" PrefixList="xs"/></ds:Transform></ds:Transforms><ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/><ds:DigestValue>LdDexQOXKnsLOjksxW8/1kR5oPo=</ds:DigestValue></ds:Reference></ds:SignedInfo><ds:SignatureValue>WlzAFmtV3L4kQG7fF/79ITsGH17FMoKUjTEDThX/eCLnKsR1YUmw9NdrqA62RORt8cm+2H3nd9A5CwXdK/MgOx1FfVb6lf+vxKkKU3ElP4G9L8lGnYDu1CUcqQ7qaqyCu1XCvLmUled9FPpbhaw+P10l++Qmd/QftUU6eTj8wlU=</ds:SignatureValue><ds:KeyInfo><ds:X509Data><ds:X509Certificate>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</ds:X509Certificate></ds:X509Data></ds:KeyInfo></ds:Signature><saml2:Subject><saml2:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">username</saml2:NameID><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" Recipient="http://localhost:8080/sniffer-web/Sniff"/></saml2:SubjectConfirmation><saml2:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"><saml2:SubjectConfirmationData InResponseTo="lalalala" NotOnOrAfter="2017-06-13T09:59:35.012Z" 
Recipient="https://localhost:9443/oauth2/token"/></saml2:SubjectConfirmation></saml2:Subject><saml2:Conditions NotBefore="2017-06-13T09:54:35.012Z" NotOnOrAfter="2017-06-13T09:59:35.012Z"><saml2:AudienceRestriction><saml2:Audience>toto</saml2:Audience><saml2:Audience>https://localhost:9443/oauth2/token</saml2:Audience></saml2:AudienceRestriction></saml2:Conditions><saml2:AuthnStatement AuthnInstant="2017-06-13T09:54:35.012Z" SessionIndex="0e543ae2-11f9-4ef0-9419-9352e09b89e2"><saml2:AuthnContext><saml2:AuthnContextClassRef>urn:oasis:names:tc:SAML:2.0:ac:classes:Password</saml2:AuthnContextClassRef></saml2:AuthnContext></saml2:AuthnStatement><saml2:AttributeStatement><saml2:Attribute Name="role" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">rolly role</saml2:AttributeValue></saml2:Attribute><saml2:Attribute Name="username" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"><saml2:AttributeValue xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="xs:string">[hidden email]</saml2:AttributeValue></saml2:Attribute></saml2:AttributeStatement></saml2:Assertion>


Step 1: base64 encode the assertion (I used https://www.base64encode.org/base64encode to base64 encode the assertion)

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



Step 2: URL encode followed by base64 encode (I used https://www.samltool.com/url.php to URL encode)

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%2BPGRzOlRyYW5zZm9ybXM%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNlbnZlbG9wZWQtc2lnbmF0dXJlIi8%2BPGRzOlRyYW5zZm9ybSBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyI%2BPGVjOkluY2x1c2l2ZU5hbWVzcGFjZXMgeG1sbnM6ZWM9Imh0dHA6Ly93d3cudzMub3JnLzIwMDEvMTAveG1sLWV4Yy1jMTRuIyIgUHJlZml4TGlzdD0ieHMiLz48L2RzOlRyYW5zZm9ybT48L2RzOlRyYW5zZm9ybXM%2BPGRzOkRpZ2VzdE1ldGhvZCBBbGdvcml0aG09Imh0dHA6Ly93d3cudzMub3JnLzIwMDAvMDkveG1sZHNpZyNzaGExIi8%2BPGRzOkRpZ2VzdFZhbHVlPkxkRGV4UU9YS25zTE9qa3N4VzgvMWtSNW9Qbz08L2RzOkRpZ2VzdFZhbHVlPjwvZHM6UmVmZXJlbmNlPjwvZHM6U2lnbmVkSW5mbz48ZHM6U2lnbmF0dXJlVmFsdWU%2BV2x6QUZtdFYzTDRrUUc3ZkYvNzlJVHNHSDE3Rk1vS1VqVEVEVGhYL2VDTG5Lc1IxWVVtdzlOZHJxQTYyUk9SdDhjbSsySDNuZDlBNUN3WGRLL01nT3gxRmZWYjZsZit2eEtrS1UzRWxQNEc5TDhsR25ZRHUxQ1VjcVE3cWFxeUN1MVhDdkxtVWxlZDlGUHBiaGF3K1AxMGwrK1FtZC9RZnRVVTZlVGo4d2xVPTwvZHM6U2lnbmF0dXJlVmFsdWU%2BPGRzOktleUluZm8%2BPGRzOlg1MDlEYXRhPjxkczpYNTA5Q2VydGlmaWNhdGU%2BTUlJQ05UQ0NBWjZnQXdJQkFnSUVTMzQzZ2pBTkJna3Foa2lHOXcwQkFRVUZBREJWTVFzd0NRWURWUVFHRXdKVlV6RUxNQWtHQTFVRUNBd0NRMEV4RmpBVUJnTlZCQWNNRFUxdmRXNTBZV2x1SUZacFpYY3hEVEFMQmdOVkJBb01CRmRUVHpJeEVqQVFCZ05WQkFNTUNXeHZZMkZzYUc5emREQWVGdzB4TURBeU1Ua3dOekF5TWpaYUZ3MHpOVEF5TVRNd056QXlNalphTUZVeEN6QUpCZ05WQkFZVEFsVlRNUXN3Q1FZRFZRUUlEQUpEUVRFV01CUUdBMVVFQnd3TlRXOTFiblJoYVc0Z1ZtbGxkekVOTUFzR0ExVUVDZ3dFVjFOUE1qRVNNQkFHQTFVRUF3d0piRzlqWVd4b2IzTjBNSUdmTUEwR0NTcUdTSWIzRFFFQkFRVUFBNEdOQURDQmlRS0JnUUNVcC9vVjF2V2M4L1RrUVNpQXZUb3VzTXpPTTRhc0IyaWx0cjJRS296bmk1YVZGdTgxOE1wT0xaSXI4TE1uVHpXbGxKdnZhQTVSQUFkcGJFQ2IrNDhGamJCZTBoc2VVZE41SHB3dm5IL0RXOFpjY0d2azUzSTZPcnE3aExDdjFaSHR1T0Nva2doei9BVHJoeVBxK1FrdE1mWG5SUzRIcktHSlR6eGFDY1U3T1FJREFRQUJveEl3RURBT0JnTlZIUThCQWY4RUJBTUNCUEF3RFFZSktvWklodmNOQVFFRkJRQURnWUVBVzV3UFI3Y3IxTEFkcStJclI0NGlRbFJHNUlUQ1pYWTloSTBQeWdMUDJySEFOaCtQWWZUbXhidU9ueWtOR3loTTZGakZMYlcydVpIUVRZMWpNclBwcmpPcm15SzVzakpSTzRkMURlR0hUL1luSWpzOUpvZ1JLdjRYSEVDd0x0SVZkQWJJZFdIRXRWWkp5TVNrdGN5eXNGY3Z1aF
BRSzhRYy9FL1dxOHVIU0NvPTwvZHM6WDUwOUNlcnRpZmljYXRlPjwvZHM6WDUwOURhdGE%2BPC9kczpLZXlJbmZvPjwvZHM6U2lnbmF0dXJlPjxzYW1sMjpTdWJqZWN0PjxzYW1sMjpOYW1lSUQgRm9ybWF0PSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoxLjE6bmFtZWlkLWZvcm1hdDplbWFpbEFkZHJlc3MiPnVzZXJuYW1lPC9zYW1sMjpOYW1lSUQ%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb24gTWV0aG9kPSJ1cm46b2FzaXM6bmFtZXM6dGM6U0FNTDoyLjA6Y206YmVhcmVyIj48c2FtbDI6U3ViamVjdENvbmZpcm1hdGlvbkRhdGEgSW5SZXNwb25zZVRvPSJsYWxhbGFsYSIgTm90T25PckFmdGVyPSIyMDE3LTA2LTEzVDA5OjU5OjM1LjAxMloiIFJlY2lwaWVudD0iaHR0cDovL2xvY2FsaG9zdDo4MDgwL3NuaWZmZXItd2ViL1NuaWZmIi8%2BPC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjxzYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uIE1ldGhvZD0idXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmNtOmJlYXJlciI%2BPHNhbWwyOlN1YmplY3RDb25maXJtYXRpb25EYXRhIEluUmVzcG9uc2VUbz0ibGFsYWxhbGEiIE5vdE9uT3JBZnRlcj0iMjAxNy0wNi0xM1QwOTo1OTozNS4wMTJaIiBSZWNpcGllbnQ9Imh0dHBzOi8vbG9jYWxob3N0Ojk0NDMvb2F1dGgyL3Rva2VuIi8%2BPC9zYW1sMjpTdWJqZWN0Q29uZmlybWF0aW9uPjwvc2FtbDI6U3ViamVjdD48c2FtbDI6Q29uZGl0aW9ucyBOb3RCZWZvcmU9IjIwMTctMDYtMTNUMDk6NTQ6MzUuMDEyWiIgTm90T25PckFmdGVyPSIyMDE3LTA2LTEzVDA5OjU5OjM1LjAxMloiPjxzYW1sMjpBdWRpZW5jZVJlc3RyaWN0aW9uPjxzYW1sMjpBdWRpZW5jZT50b3RvPC9zYW1sMjpBdWRpZW5jZT48c2FtbDI6QXVkaWVuY2U%2BaHR0cHM6Ly9sb2NhbGhvc3Q6OTQ0My9vYXV0aDIvdG9rZW48L3NhbWwyOkF1ZGllbmNlPjwvc2FtbDI6QXVkaWVuY2VSZXN0cmljdGlvbj48L3NhbWwyOkNvbmRpdGlvbnM%2BPHNhbWwyOkF1dGhuU3RhdGVtZW50IEF1dGhuSW5zdGFudD0iMjAxNy0wNi0xM1QwOTo1NDozNS4wMTJaIiBTZXNzaW9uSW5kZXg9IjBlNTQzYWUyLTExZjktNGVmMC05NDE5LTkzNTJlMDliODllMiI%2BPHNhbWwyOkF1dGhuQ29udGV4dD48c2FtbDI6QXV0aG5Db250ZXh0Q2xhc3NSZWY%2BdXJuOm9hc2lzOm5hbWVzOnRjOlNBTUw6Mi4wOmFjOmNsYXNzZXM6UGFzc3dvcmQ8L3NhbWwyOkF1dGhuQ29udGV4dENsYXNzUmVmPjwvc2FtbDI6QXV0aG5Db250ZXh0Pjwvc2FtbDI6QXV0aG5TdGF0ZW1lbnQ%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%2BbXl1c2VybmFtZUB0cnVjLmNvbTwvc2FtbDI6QXR0cmlidXRlVmFsdWU%2BPC9zYW1sMjpBdHRyaWJ1dGU%2BPC9zYW1sMjpBdHRyaWJ1dGVTdGF0ZW1lbnQ%2BPC9zYW1sMjpBc3NlcnRpb24%2B


 








_______________________________________________
Dev mailing list
[hidden email]
http://wso2.org/cgi-bin/mailman/listinfo/dev
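The two points the thread settles, the encoding order (base64 the assertion, then URL-encode it as a form field) and the reason the signature check failed (line breaks were stripped from the marshalled assertion), are shown together in the added Python example below. It is not code from the thread, from the identity-agent-sso sample or from WSO2. The assertion it works on is a constructed skeleton with placeholder DigestValue and SignatureValue text and a made-up ID; the client id, secret and token endpoint are assumptions; and ElementTree's C14N 2.0 canonicaliser stands in for the exclusive C14N named in the assertion, which is enough to show that whitespace-only text nodes inside the signed subtree are part of what the digest covers.

```python
import base64
import hashlib
import re
import urllib.parse
import urllib.request
from xml.etree import ElementTree as ET

GRANT_TYPE = "urn:ietf:params:oauth:grant-type:saml2-bearer"

# Constructed sample, pretty-printed the way a marshaller may emit it, so the
# whitespace-only text nodes between elements are inside the signed subtree.
# DigestValue / SignatureValue are placeholders, not a real signature.
SAMPLE_ASSERTION = """<saml2:Assertion xmlns:saml2="urn:oasis:names:tc:SAML:2.0:assertion" ID="_c0ffee01" IssueInstant="2017-06-13T09:54:35.012Z" Version="2.0">
  <saml2:Issuer>localhost</saml2:Issuer>
  <ds:Signature xmlns:ds="http://www.w3.org/2000/09/xmldsig#">
    <ds:SignedInfo>
      <ds:CanonicalizationMethod Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
      <ds:SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#rsa-sha1"/>
      <ds:Reference URI="#_c0ffee01">
        <ds:Transforms>
          <ds:Transform Algorithm="http://www.w3.org/2000/09/xmldsig#enveloped-signature"/>
          <ds:Transform Algorithm="http://www.w3.org/2001/10/xml-exc-c14n#"/>
        </ds:Transforms>
        <ds:DigestMethod Algorithm="http://www.w3.org/2000/09/xmldsig#sha1"/>
        <ds:DigestValue>PLACEHOLDER</ds:DigestValue>
      </ds:Reference>
    </ds:SignedInfo>
    <ds:SignatureValue>PLACEHOLDER</ds:SignatureValue>
  </ds:Signature>
  <saml2:Subject>
    <saml2:NameID>username</saml2:NameID>
  </saml2:Subject>
</saml2:Assertion>"""

_ENVELOPED_SIG = re.compile(r"<ds:Signature\b.*?</ds:Signature>", re.S)


def reference_digest(assertion_xml: str) -> str:
    """Recompute the Reference digest as the assertion's transforms describe:
    drop the enveloped ds:Signature, canonicalise, SHA-1, base64 (DigestValue).
    C14N 2.0 stands in for exclusive C14N; both keep whitespace-only text nodes."""
    enveloped = _ENVELOPED_SIG.sub("", assertion_xml, count=1)
    canonical = ET.canonicalize(xml_data=enveloped)
    return base64.b64encode(hashlib.sha1(canonical.encode("utf-8")).digest()).decode("ascii")


def strip_line_breaks(xml: str) -> str:
    """The mistake from the thread: removing CR/LF from the marshalled assertion."""
    return re.sub(r"[\r\n]", "", xml)


def encode_assertion(assertion_xml: str) -> str:
    """Step 1: plain base64 of the assertion bytes exactly as received; the
    output carries no line wrapping, so nothing needs stripping afterwards."""
    return base64.b64encode(assertion_xml.encode("utf-8")).decode("ascii")


def build_token_request(assertion_xml: str) -> str:
    """Step 2: form-encode the fields, which percent-encodes the '+', '/' and
    '=' of the base64 output so they survive an x-www-form-urlencoded body."""
    return urllib.parse.urlencode({"grant_type": GRANT_TYPE, "assertion": encode_assertion(assertion_xml)})


def parse_token_request(body: str) -> dict:
    """What the token endpoint does on receipt: form-decode, then base64-decode."""
    fields = urllib.parse.parse_qs(body, strict_parsing=True)
    return {"grant_type": fields["grant_type"][0],
            "assertion": base64.b64decode(fields["assertion"][0]).decode("utf-8")}


def basic_auth_header(client_id: str, client_secret: str) -> str:
    """Client credentials for the token endpoint: HTTP Basic over 'id:secret'."""
    creds = f"{client_id}:{client_secret}".encode("utf-8")
    return "Basic " + base64.b64encode(creds).decode("ascii")


def post_token_request(endpoint: str, assertion_xml: str, client_id: str, client_secret: str) -> bytes:
    """Send the grant to the token endpoint (network call, not run by the demo)."""
    req = urllib.request.Request(
        endpoint, data=build_token_request(assertion_xml).encode("ascii"), method="POST",
        headers={"Content-Type": "application/x-www-form-urlencoded",
                 "Authorization": basic_auth_header(client_id, client_secret)})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read()


if __name__ == "__main__":
    good = reference_digest(SAMPLE_ASSERTION)
    bad = reference_digest(strip_line_breaks(SAMPLE_ASSERTION))
    print("digest as issued        :", good)
    print("digest, newlines removed:", bad, "(differs, so the signature check fails)")
    body = build_token_request(SAMPLE_ASSERTION)
    print("round trip is lossless  :", parse_token_request(body)["assertion"] == SAMPLE_ASSERTION)
    print(body[:90] + "...")
    # post_token_request("https://localhost:9443/oauth2/token", SAMPLE_ASSERTION, "consumerKey", "consumerSecret")
```

The ordering is the same as in the posted Java (Base64.encodeBytes, then URLEncoder.encode); what the client must never do is alter the bytes of the signed subtree, and the "newlines removed" digest shows why. The check here covers only encoding and the Reference digest, not the Recipient, Audience and validity-window conditions the assertion in the thread also carries. Separately, the assertion is signed with rsa-sha1 and digested with sha1; both are deprecated for XML signatures, so prefer the SHA-256 variants where the identity provider can be configured for them.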