This is with version 5.2.0 of the identity server, and the Travelocity.com sample. When I tried to login using post binding and user credentials in the client form, I get the following exceptions in the wso2carbon.log

ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator} -  Exception in Authentication Framework 
java.lang.NoClassDefFoundError: org/apache/commons/lang/StringUtils
    at org.wso2.carbon.identity.application.authenticator.requestpath.basicauth.BasicAuthRequestPathAuthenticator.processAuthenticationResponse(BasicAuthRequestPathAuthenticator.java:91)
..
Caused by: java.lang.ClassNotFoundException: org.apache.commons.lang.StringUtils cannot be found by org.wso2.carbon.identity.application.authenticator.requestpath.basicauth_5.1.2
    at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:501)

The properties such as "user-portal.user.password.reset" that are coming from localization file is not picked up.

https://localhost:9292/user-portal/user/reset-password

When adding CustomClass to "identity.xml" the custom class is stated to be loaded in the logs, but finally the original implementation is still used.

Getting below error

fatal: https://github.com/wso2/product-is.git/info/refs not valid: is this a git repository?
error: Could not fetch origin

While trying to check out the code

Description:

1. Add Claim Dialect screen - add help text to explain the dialect URI "A unique URI identifying the dialect (for example, http://schema.openid.net/2007/05/claims)."

2. Add Local Claim screen - add help text for all the fields. Use the table in [1] as a guide.
   [1] https://docs.wso2.com/display/IS530/Adding+Claim+Mapping

3. Add Local Claim screen - The required fields have a black star. The star should be red.

4. The breadcrumbs after clicking "Add Local Claim" or "Add claim dialect" go in this format: 'add.new.claim.dialect'. The breadcrumb should instead be in this format: "Home>Identity>Claims>Add>Add New Claim Dialect".

5. Add External Claim screen- add help text for all the fields. Use the table in [1] as a guide.
   [1] https://docs.wso2.com/display/IS530/Adding+Claim+Mapping

Suggested Labels:
UX
Affected Product Version:
5.4.0

Getting the following errors while trying to run wso2isserver

Resources from res:features-extras/features.txt are loading.
............
The remote library from http://www.google.com/ig/lib/libanalytics.js cannot be retrieved

How can I avoid these errors during startup

Also I have tried deploying on server , I have changes the hostname to the server IP.

I am not able to login to dashboard using admin userid

https://XX.XXX.XX.67:8081/authenticationendpoint/samlsso_notification.do?status=Error+when+processing+the+authentication+request!&statusMsg=Please+try+login+again.

Following is error message :
SAML 2.0 based Single Sign-On
Error when processing the authentication request!
Please try login again.

Description:

Remember me functionality currently has been implemented for following user stores, but it should be available in all the UserStoreManager implementations.

• JDBCUserStoreManager
• ReadOnlyLDAPUserStoreManager

Remember me has to be handled in higher level than user store level and remember me cookies should be stored in database level, not in user store.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:
#1347

The docs indicate that current hashing methods are PLAIN_TEXT, MD5 and SHA. All of these hashing methods are insecure and should not be used to store passwords.

Just installed the beta with postgres and apparently I get this error when creating/editing Service Providers.

Caused by: org.postgresql.util.PSQLException: ERROR: column "is_dumb_mode" does not exist
  Position: 39

I greped the included sql schemes (including the rest of the DB backends) and there is no mention of column "is_dumb_mode". I can't deduct immediately which table is missing this column.

Description:

1. Add new role screen - When we leave the role name field empty and click next, the error message is "Entered role name is not conforming to policy. Please enter a role name, which adheres to policy." We can change this to "Enter all required fields".

2. Add new role screen - Should have a guideline (help text) about role name policy ("cannot contain special characters by default", "should have xx number of characters" etc).
   -When we enter a special character with the role name, the error message can be given as "The
   role name you entered does not conform to the policy. Enter a valid role name."

3. Add role screen - "Step 2: Select permissions to add to Role" should have "role" starting with simple r and should be reworded to "Select permissions to add to the role"

4. Assign Users screen - There is a section called "UnAssigned Users". The A in UnAssigned should be a simple letter. Also, this is empty if there are no unassigned users. When this is empty, it should have a message saying "No unassigned users found".

Suggested Labels:
UX

Affected Product Version:
5.4.0

Description:
"kid" value shouldn't be hard coded in implementation level (ex: DefaultIDTokenBuilder, JwksEndpoint). "kid" value should be generated based on certificate "thumbprint".

Mail thread: "[Dev] [IS] Usage of "kid" JWT header parameter"

Suggested Labels:

Suggested Assignees:

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

With WSO IS 5.3.0, reproducing steps as below:

1, create service provider with "Inbound Authentication Configuration"/"OAuth/OpenID Connect Configuration" to configure and have password granttype enabled.
2, in /opt/wso2/repository/conf/identity/identity.xml having this in OpenIDConnect element:
<IDTokenIssuerID>${carbon.protocol}://${carbon.host}:${carbon.management.port}/oauth2/oidcdiscovery/</IDTokenIssuerID>
3, get idtoken by running:
curl -H "Authorization: Basic X0FvMEozN2cxMlkzSEtiaU1tbWVYdHVvM2FFYTpCeVBZQUprQnZLWlNmOURHeDF0S2xvUTdKcGdh" -H "Content-Type: application/x-www-form-urlencoded" -k -d "grant_type=password&username=admin&password=admin&scope=openid" https://localhost:9443/oauth2/token
4, returned idtoken is partially something as below decoded:
{"exp":1487335376,"sub":"admin","azp":"Dibo_uMHzySCIxrf55uvMGWjGEUa","at_hash":"_8q5TmtJRsdEj4V_dL4-Zg","aud":["Dibo_uMHzySCIxrf55uvMGWjGEUa"],"iss":"https:\/\/localhost:9443\/oauth2\/token","iat":1487331776,"acr":"urn:mace:incommon:iap:silver"}

By openid connect spec, iss should be https://localhost:9443/oauth2/oidcdiscovery/. The mismatch will make validation of idtoken fail.

Hi,

I have created a new regular (non admin) user and then a new role (entitlement-manager) with the following permissions and assigned it to the user.

Despite of having a permission to create and remove policies, I didn't find a link to perform the functions being signed-in as another (entitlement-manager) user.

Above has been tested on wso2-is v5.3.0

Any ideas?

Many thanks.

We do not have facility to enter email id of newly created user. Need this functionality so that newly created user received email and can change his password by following the link.

Attaching screenshot of v 5.0 and v 5.1 'Add User'.

Description:

1. All instances of the word "Uri" and "Url" should be changed to caps - "URI" and "URL"

2. Most error messages say "Error is: ". Better not to put the "Error is:" part. For example "Could not add user PRIMARY/minoli. Error is: UserAlreadyExisting:Username already exists in the system. Please pick another username."

3. Wherever we have mentioned "Step 1 : xxxx", "Step 2 : xxx", the space between the number and the colon should be removed. So it should be "Step 1: xxx" instead of "Step 1 : xxx".

4. Wherever we have mentioned "select all on this page" and "unselect all on this page", the links can be shortened to "Select all" and "Unselect all"

Suggested Labels:
UX

Affected Product Version:
5.4.0

Hi,

As "admin" user I am not able to edit the policies under the policy editor's design view

even the context menu (according to the hint) upon right-click does not show any editing options.

Is there anything I should have enabled/configured to achieve the editing?

Cheers

It's better to have README s for each sample, describing steps to test the sample etc

Description:
TOTP Authenticator doesn't work when IS has multiple nodes fronted by a LB.(Clustered)

Suggested Labels:
TOTP

Affected Product Version:
TOTP 2.0.1 +

Steps to reproduce:
Create clustered IS with two nodes. Then configure TOTP. And try to login to a service provider with totp.
If sticky sessions are not enabled then this will be easily reproduced. If sticky sessions are enabled then after basic auth is succeeded, before get the verification code, stop the server that served the first request.

Related Issues:
Reason might be in totp authenticator getContextIdentifier returns jsessionID instead of sessionDataKey.

Description:
Oauth Cache is not invalidated when oauth app requested/subject claim get updated, ID token is retrieved with previously configured claims
Previously issued authorization codes/access token also not getting invalidated when updating an oauth app.

Suggested Labels:

Suggested Assignees:

Affected Product Version:
5.4.0 latest snapshot version

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

I'm using WSO2 Identity Server 5.1 for SSO. I'm trying to call WSO2 web services from my Spring boot application that uses spring-security-saml2 (built using Oracle JDK 1.7).

I hit my application URL, it takes me to WSO2 authentication. I see in browser the following:

WSO2 authenticates me but throws Axis2 error for any web service call. Here is stack trace:
org.apache.axis2.AxisFault: Connection has been shutdown: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
at org.apache.axis2.AxisFault.makeFault(AxisFault.java:430) ~[axis2-kernel-1.7.2.jar:1.7.2]
at org.apache.axis2.transport.http.SOAPMessageFormatter.writeTo(SOAPMessageFormatter.java:78) ~[axis2-kernel-1.7.2.jar:na]
at org.apache.axis2.transport.http.AxisRequestEntity.writeRequest(AxisRequestEntity.java:84) ~[axis2-1.6.1.wso2v12.jar:na]
at org.apache.commons.httpclient.methods.EntityEnclosingMethod.writeRequestBody(EntityEnclosingMethod.java:499) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodBase.writeRequest(HttpMethodBase.java:2114) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodBase.execute(HttpMethodBase.java:1096) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeWithRetry(HttpMethodDirector.java:398) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpMethodDirector.executeMethod(HttpMethodDirector.java:171) ~[commons-httpclient-3.1.jar:na]
at org.apache.commons.httpclient.HttpClient.executeMethod(HttpClient.java:397) ~[commons-httpclient-3.1.jar:na]
at org.apache.axis2.transport.http.AbstractHTTPSender.executeMethod(AbstractHTTPSender.java:630) ~[axis2-1.6.1.wso2v12.jar:na]
at org.apache.axis2.transport.http.HTTPSender.sendViaPost(HTTPSender.java:195) [axis2-1.6.1.wso2v12.jar:na]
at org.apache.axis2.transport.http.HTTPSender.send(HTTPSender.java:77) [axis2-1.6.1.wso2v12.jar:na]
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.writeMessageWithCommons(CommonsHTTPTransportSender.java:451) [axis2-1.6.1.wso2v12.jar:na]
at org.apache.axis2.transport.http.CommonsHTTPTransportSender.invoke(CommonsHTTPTransportSender.java:278) [axis2-1.6.1.wso2v12.jar:na]
at org.apache.axis2.engine.AxisEngine.send(AxisEngine.java:431) [axis2-kernel-1.7.2.jar:1.7.2]
at org.apache.axis2.description.OutInAxisOperationClient.send(OutInAxisOperation.java:399) [axis2-kernel-1.7.2.jar:1.7.2]
at org.apache.axis2.description.OutInAxisOperationClient.executeImpl(OutInAxisOperation.java:225) [axis2-kernel-1.7.2.jar:1.7.2]
at org.apache.axis2.client.OperationClient.execute(OperationClient.java:150) [axis2-kernel-1.7.2.jar:1.7.2]
at org.wso2.carbon.service.mgt.stub.ServiceAdminStub.getNumberOfActiveServices(ServiceAdminStub.java:4810) [org.wso2.carbon.service.mgt.stub-4.0.0.jar:na]_

I had created certificate using OpenSSL as well as using trial certificate from Comodo and face the same issue. I'd referred https://docs.wso2.com/display/IS510/Creating+New+Keystores for certificate creation and installation.

Any help is highly appreciated.

Description:

We need to prevent invoking JDBCUserStoreManager within the ReadOnlyLDAPUserStoreManager which is in [1] and [2] when login with "Rememeber Me".

The reason for calling ReadOnlyLDAPUserStoreManager here, is to store remember me cookie values in UM_HYBRID_REMEMBER_ME table which is as follows.
UM_ID | UM_USER_NAME | UM_COOKIE_VALUE | UM_CREATED_TIME | UM_TENANT_ID

[1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ReadOnlyLDAPUserStoreManager.java#L2974
[2] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ReadOnlyLDAPUserStoreManager.java#L2988

Suggested Assignees:

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

Description:
Like '%' are not allowed to put with the ACS URL.
Have to check each place where we do this validation.

Suggested Labels:
Type/Bug, Severity/Major, Priority/High, Affected/5.3.0, Component/OAuth

Suggested Assignees:

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:
We can't have % char in ACS URL.

Related Issues:

i try to customize the samlsso redirect page following this doc: https://docs.wso2.com/display/IS530/Customizing+the+SSO+Redirection+Page

But it seems that the /repository/resources/identity/pages/samlsso_response.html is not used during idp initiated saml sso.

i have successfully customized login and logout page by customizting:
IS-HOME/repository/deployment/server/webapps/authenticationendpoint/login.jsp
IS-HOME/repository/deployment/server/webapps/authenticationendpoint/logout.jsp

so i also tried to customize the sso redirect page by updating:
IS-HOME/repository/deployment/server/webapps/authenticationendpoint/samlsso_redirect.jsp

but IS keeeps showing the original html.

Description:
Below is the schema definition of UM_USER_ROLE table in mysql.

CREATE TABLE UM_USER_ROLE (
             UM_ID INTEGER NOT NULL AUTO_INCREMENT,
             UM_ROLE_ID INTEGER NOT NULL,
             UM_USER_ID INTEGER NOT NULL,
             UM_TENANT_ID INTEGER DEFAULT 0,
             UNIQUE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID),
             FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_ROLE(UM_ID, UM_TENANT_ID),
             FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID),
             PRIMARY KEY (UM_ID, UM_TENANT_ID)
)ENGINE INNODB;

But oracle has below schema definition.

CREATE TABLE UM_USER_ROLE (
		            UM_ID INTEGER,
                    UM_ROLE_ID INTEGER NOT NULL,
                    UM_USER_ID INTEGER NOT NULL,
                    UM_TENANT_ID INTEGER DEFAULT 0,
                    UNIQUE (UM_USER_ID, UM_ROLE_ID, UM_TENANT_ID),
                    FOREIGN KEY (UM_ROLE_ID, UM_TENANT_ID) REFERENCES UM_ROLE(UM_ID, UM_TENANT_ID) ON DELETE CASCADE,
                    FOREIGN KEY (UM_USER_ID, UM_TENANT_ID) REFERENCES UM_USER(UM_ID, UM_TENANT_ID) ON DELETE CASCADE,
                    PRIMARY KEY (UM_ID, UM_TENANT_ID))

Difference is mysql scripts does not have ON DELETE CASCADE for the foreign keys while oracle script has. This inconsistency is there in several database scripts.

Affected Product Version:
IS 5.3.0

OS, DB, other environment details and versions:
N/A

Steps to reproduce:
N/A

The SOAPAction "registerOAuthApplicationData" against the OAuthAdminService does not save the grantTypes.

Steps to Reproduce:

# Download
wget https://github.com/wso2/product-is/releases/download/v5.3.0-rc3/wso2is-5.3.0-rc3.zip
# Unzip
unzip wso2is-5.3.0-rc3.zip
cd wso2is-5.3.0
# Start
bin/wso2server.sh 
# Switch Console---
# Register the OAuthApplication
curl -k -X POST -H "Content-Type: text/xml" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "SOAPAction: registerOAuthApplicationData" --data "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://org.apache.axis2/xsd\" xmlns:xsd1=\"http://dto.oauth.identity.carbon.wso2.org/xsd\"><soapenv:Header/><soapenv:Body><xsd:registerOAuthApplicationData><xsd:application><xsd1:OAuthVersion>Oauth-2.0</xsd1:OAuthVersion><xsd1:applicationName>TestApp</xsd1:applicationName><xsd1:callbackUrl>http://localhost:8080/essTournamentSystem/auth</xsd1:callbackUrl><xsd1:grantTypes>refresh_token urn:ietf:params:oauth:grant-type:saml2-bearer implicit password iwa:ntlm client_credentials authorization_code </xsd1:grantTypes></xsd:application></xsd:registerOAuthApplicationData></soapenv:Body></soapenv:Envelope>" https://localhost:9443/services/OAuthAdminService
# Get the OAuthApplication
curl -k -X POST -H "Content-Type: text/xml" -H "Authorization: Basic YWRtaW46YWRtaW4=" -H "SOAPAction: getOAuthApplicationDataByAppName" --data "<soapenv:Envelope xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\" xmlns:xsd=\"http://org.apache.axis2/xsd\"><soapenv:Header/><soapenv:Body><xsd:getOAuthApplicationDataByAppName><xsd:appName>TestApp</xsd:appName></xsd:getOAuthApplicationDataByAppName></soapenv:Body></soapenv:Envelope>" https://localhost:9443/services/OAuthAdminService > getOAuthApplicationDataByAppNameResponse.xml
# View the Rsponse:
vi getOAuthApplicationDataByAppNameResponse.xml

See Documentation: https://docs.wso2.com/display/IS530/Service+Provider+Configurations+used+with+APIs#ServiceProviderConfigurationsusedwithAPIs-ConfiguringOAuth/OpenIDConnect

In User Portal etc. the product name is used as IAM. We need to rename all the references to IS and Identity Server.

The dbscripts has the table names as IDM_*. That also need to change.

I've got the following exception with version 5.2.0 and MySQL version 5.7.12-log.

java.sql.SQLException: You can't specify target table 'IDN_AUTH_SESSION_STORE_DELETE' for update in FROM clause
	at com.mysql.jdbc.SQLError.createSQLException(SQLError.java:963)
	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3966)
	at com.mysql.jdbc.MysqlIO.checkErrorPacket(MysqlIO.java:3902)
	at com.mysql.jdbc.MysqlIO.sendCommand(MysqlIO.java:2526)
	at com.mysql.jdbc.MysqlIO.sqlQueryDirect(MysqlIO.java:2673)
	at com.mysql.jdbc.ConnectionImpl.execSQL(ConnectionImpl.java:2549)
	at com.mysql.jdbc.PreparedStatement.executeInternal(PreparedStatement.java:1861)
	at com.mysql.jdbc.PreparedStatement.execute(PreparedStatement.java:1192)
	at org.wso2.carbon.identity.application.authentication.framework.store.SessionDataStore.deleteSTOREOperationsTask(SessionDataStore.java:468)
	at org.wso2.carbon.identity.application.authentication.framework.store.SessionDataStore.removeExpiredOperationData(SessionDataStore.java:347)
	at org.wso2.carbon.identity.application.authentication.framework.store.OperationCleanUpService$DatabaseOperationCleanUpTask.run(OperationCleanUpService.java:62)
	at java.util.concurrent.Executors$RunnableAdapter.call(Executors.java:511)
	at java.util.concurrent.FutureTask.runAndReset(FutureTask.java:308)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$301(ScheduledThreadPoolExecutor.java:180)
	at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(ScheduledThreadPoolExecutor.java:294)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at java.lang.Thread.run(Thread.java:745)

I've checked the org.wso2.carbon.identity.application.authentication.framework.store.SessionDataStore class and find out the following SQL must be wrong:

private static final String SQL_DELETE_STORE_OPERATIONS_TASK_MYSQL = "DELETE IDN_AUTH_SESSION_STORE_DELETE FROM IDN_AUTH_SESSION_STORE IDN_AUTH_SESSION_STORE_DELETE WHERE OPERATION = 'STORE' AND SESSION_ID IN (SELECT SESSION_ID FROM (SELECT SESSION_ID FROM IDN_AUTH_SESSION_STORE WHERE OPERATION = 'DELETE' AND TIME_CREATED < ?) IDN_AUTH_SESSION_STORE_SELECT)";

This SQL use subquery SELECT and DELETE row from same table, that's not allowed in current MySQL.

Also, this SQL seems cannot delete anything. Why not doing like this:

DELETE IDN_AUTH_SESSION_STORE_DELETE
FROM
	IDN_AUTH_SESSION_STORE IDN_AUTH_SESSION_STORE_DELETE
WHERE
	IDN_AUTH_SESSION_STORE_DELETE.OPERATION = 'DELETE'
AND IDN_AUTH_SESSION_STORE_DELETE.TIME_CREATED < ?;

Hi,
I checkout the branch 6.0.x-C5 and package successfully.
After start carbon.bat, then access 'http://localhost:9090/user-portal/', but only head page, like this:

What functions this version(now) have?
Thanks.

hf

$subject. It should get redirected to its https page.

http://localhost:9090/user-portal/login

Description:
As per the FAPI spec http://openid.net/specs/openid-financial-api-part-2.html#introduction-3,the requirement for this endpoint is as below.

In an OIDC flow,the client may not want to send the request object by value, either because it is too large, or because it contains sensitive data and the client doesn't want to encrypt the request object. In such cases it is possible to send the request object by reference using a request_uri.The request URI can be hosted by the client or by the authorization server. The advantage of the authorization server hosting the request object is that it doesn't have to support outbound requests to a client specified request URI nor rely on the entropy of the URI for the confidentiality of the request object.

Suggested Labels:
Type/New Feature, Severity/Major, Priority/High, Affected/5.3.0, Component/OIDC

Suggested Assignees:
@isharak @madurangasiriwardena @mefarazath

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

I am using WSO2 IS 5.2.0. I am trying to access custom claim mobile_verified . I have already created a mapping between "http://wso2.org/oidc/claim" dialect to "http://wso2.org/claims" dialect as mentioned on http://stackoverflow.com/questions/37074119/wso2-identity-server-not-returning-requested-claims-with-oauth-openid . Also, I have added this custom claim to openId scope in OIDC file using registry.

Is there any issue with 5.2 version, because it was working fine with 5.1?

I'm trying to set up the kerberos KDC on a WSO2 Identity Server, I'm following this tutorial

https://docs.wso2.com/display/IS530/FAQ#FAQ-HowcanIsetupWSO2ISasaKDC?

but I can't find the menu " Configure -> Kerberos KDC -> Service Principals" on the management console.

my environment:

• WSO2 version 5.3
• OS: Arch Linux
• java version "1.7.0_80" - Java(TM) SE Runtime Environment (build 1.7.0_80-b15) Java HotSpot(TM) 64-Bit Server VM (build 24.80-b11, mixed mode)

Description:
Right now we are showing the error notification page. It is great if we can redirect to relying party with the response and relay state. If the application cannot handle error response, there could be a configuration (could be at Service Provider level, or could be system wide) and if someone set that to false, then we can show error in our notification page.

Affected Product Version:
5.3.0

https://github.com/wso2/product-is/blob/master/portal/apps/org.wso2.carbon.iam.user-portal.app/pom.xml#L90

Description:
As per fapi read-write API security profile spec[1],it requires to initiate the authorization flow as a hybrid flow.Check 3) step of 5.2.2 section in [1].Additionally this specification describes having the authorization flow for financial APIs will avoid the attacks of IdP Mix-up attacks[8.3.3],Authorization Response parameter injection attacks[8.4.3].
[1] http://openid.net/specs/openid-financial-api-part-2.html

Suggested Labels:
Type/Improvement, Severity/Major, Priority/High, Affected/5.3.0, Component/OIDC

Suggested Assignees:
@isharak @madurangasiriwardena @mefarazath

Affected Product Version:
5.3.0

OS, DB, other environment details and versions:

Steps to reproduce:

Related Issues:

1. Lost some configuration file when copy conf floder
2. Should add a step to change the Version in repository/conf/carbon.xml

Is there any tentative date for IDentity Server 5.1.0 release?

How can I bulk export/query XACML policies from product-is? The aim is to query all or a subset of policies and keep in-sync (periodically) with the services (at the PEP side) to avoid network calls to the IS server.

When a session gets expired after a set idle time, user get redirected to the login page when trying to access it again. Then, after a successful login, user should get redirected to the previous page he was in.

NOTE: I also created a bug in jira for this issue: https://wso2.org/jira/browse/IDENTITY-5572

When I generate a CXF client for the EntitlementPolicyAdminService service using the WSDL published by WSO2 IS, it fails because the methods without return type (void) don't have wsdl:output tag. The error generating the client is:

cvc-complex-type.2.4.a: Invalid content was found starting with element 'wsdl:fault'. One of '{"http://
 schemas.xmlsoap.org/wsdl/":output}' is expected.

I fix this, generating the client using a modified WSDL, but I think it's not the right way.
One malformed method:

 <wsdl:operation name="addSubscriber">
            <wsdl:input message="tns:addSubscriberRequest" wsaw:Action="urn:addSubscriber"/>
            <wsdl:fault message="tns:EntitlementPolicyAdminServiceEntitlementException" name="EntitlementPolicyAdminServiceEntitlementException" wsaw:Action="urn:addSubscriberEntitlementPolicyAdminServiceEntitlementException"/>
        </wsdl:operation> 

My fix for the method:

  <!-- I define the void message -->
   <wsdl:message name="vacio"/>

   <!-- I change the method -->
        <wsdl:operation name="addSubscriber">
            <wsdl:input message="tns:addSubscriberRequest" wsaw:Action="urn:addSubscriber"/>
            <wsdl:output message="tns:vacio"/>
            <wsdl:fault message="tns:EntitlementPolicyAdminServiceEntitlementException" name="EntitlementPolicyAdminServiceEntitlementException" wsaw:Action="urn:addSubscriberEntitlementPolicyAdminServiceEntitlementException"/>
        </wsdl:operation> 

I think it could happen in all web services of WSO2. Can you fix this for all WSDLs generated?

I don't know if this is the right place, project or component to create this bug, I apologize.

Thanks

https://docs.wso2.com/display/IS520/Writing+a+Custom+User+Store+Manager

Please can a fully working JDBC example be provided? The example given doesn't specify that you need to build the JAR as an OSGI bundle, which seems to be a requirement according to other tutorials and the exceptions that are thrown if you try and deploy a simple JAR as described in the article.

Is there going to be 5.2.0 release or are you going straight to 5.3.0? We are waiting for a release that has working multi-tenancy and a non-broken OAuth userinfo endpoint - that eliminates 5.0 and 5.1...

With 5.2 beta those two features look OK but now you switched to 5.3? What is your release road map?

Description:

1. Add New User screen - Should have a guideline about password requirements (should be x number of characters etc). This only appears if there is an error and its not there on the UI itself.

2. Add New User screen - "Password repeat" field should be renamed to "Confirm Password".
   -Once this is done, the error message if the "password and password repeat do not match" should
   be also reworded to "password and confirm password does not match".

   • This should also be changed in other places like the Change Password screen.

3. Add New User screen - If you click Next without entering username, password etc the error message is "Username pattern policy violated". This can be reworded to "Enter all required fields".

4. Add New User screen - When a username that is already existing in the system is entered, the error message is "Could not add user PRIMARY/minoli. Error is: UserAlreadyExisting:Username already exists in the system. Pick another username."

Reword the error message to "Could not add user PRIMARY/minoli. The username already exists in the system. Enter another username".

5. Search Users screen - This field (Enter user name pattern) should be in title case and the word 'user name' should be one word.

6. Change Password screen - "New Password Repeat" field should be renamed to "Confirm New Password".

7. Change Password screen - When a wrong Current Password is entered, the error message is "Could not change password of admin. Error is: Error while updating password. Wrong old credential provided". This can be reworded to "Could not change the password of admin. The current password you entered is incorrect".

8. Assign Roles screen - There is a section called "Unassigned Roles". This is empty if there are no unassigned roles. When this is empty, it should have a message saying "No unassigned roles found".

9. Add new user screen - Step 2 - The main heading should be "Add New User" as it was in step 1.

Suggested Labels:
UX

Affected Product Version:
5.4.0

For a service provider we have activated signature validation for requests and responses in the configuration for SAML2 web SSO.

An AuthnRequest is correctly denied when only the SAMLRequest parameter is present in the redirect Url to the IdentityServer. It works well when additional parameters "SigAlg" and "Signature" are correctly set.

A LogoutRequest can pass successfully without having a deflated signature in the redirect Url.
The SPInitLogoutRequestProcessor seems to ignore the configured validation.

Description:

Setup: Two step authentication with multiple option in the 2nd step - TOTP/SMSOTP

When the authentication fails in one of the authentication method (TOTP), it redirects back to the multiple option page with the following error in the console.

[2017-08-22 12:53:23,006] ERROR {org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler} -  Authentication failed, user :  [email protected]
org.wso2.carbon.identity.application.authentication.framework.exception.AuthenticationFailedException: Authentication failed, user :  [email protected]
	at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.processAuthenticationResponse(TOTPAuthenticator.java:303)
	at org.wso2.carbon.identity.application.authentication.framework.AbstractApplicationAuthenticator.process(AbstractApplicationAuthenticator.java:66)
	at org.wso2.carbon.identity.application.authenticator.totp.TOTPAuthenticator.process(TOTPAuthenticator.java:120)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.doAuthentication(DefaultStepHandler.java:443)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handleResponse(DefaultStepHandler.java:417)
	at org.wso2.carbon.identity.application.authentication.framework.handler.step.impl.DefaultStepHandler.handle(DefaultStepHandler.java:121)
	at org.wso2.carbon.identity.application.authentication.framework.handler.sequence.impl.DefaultStepBasedSequenceHandler.handle(DefaultStepBasedSequenceHandler.java:171)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultAuthenticationRequestHandler.handle(DefaultAuthenticationRequestHandler.java:115)
	at org.wso2.carbon.identity.application.authentication.framework.handler.request.impl.DefaultRequestCoordinator.handle(DefaultRequestCoordinator.java:135)
	at org.wso2.carbon.identity.application.authentication.framework.servlet.CommonAuthenticationServlet.doPost(CommonAuthenticationServlet.java:53)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:646)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.eclipse.equinox.http.helper.ContextPathServletAdaptor.service(ContextPathServletAdaptor.java:37)
	at org.eclipse.equinox.http.servlet.internal.ServletRegistration.service(ServletRegistration.java:61)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.processAlias(ProxyServlet.java:128)
	at org.eclipse.equinox.http.servlet.internal.ProxyServlet.service(ProxyServlet.java:60)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at org.wso2.carbon.tomcat.ext.servlet.DelegationServlet.service(DelegationServlet.java:68)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:303)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.ui.filters.CSRFPreventionFilter.doFilter(CSRFPreventionFilter.java:88)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.ui.filters.CRLFPreventionFilter.doFilter(CRLFPreventionFilter.java:59)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.wso2.carbon.tomcat.ext.filter.CharacterSetFilter.doFilter(CharacterSetFilter.java:61)
	at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:241)
	at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:208)
	at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:220)
	at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:122)
	at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:504)
	at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:170)
	at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:103)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.continueInvocation(CompositeValve.java:99)
	at org.wso2.carbon.tomcat.ext.valves.CarbonTomcatValve$1.invoke(CarbonTomcatValve.java:47)
	at org.wso2.carbon.webapp.mgt.TenantLazyLoaderValve.invoke(TenantLazyLoaderValve.java:57)
	at org.wso2.carbon.tomcat.ext.valves.TomcatValveContainer.invokeValves(TomcatValveContainer.java:47)
	at org.wso2.carbon.tomcat.ext.valves.CompositeValve.invoke(CompositeValve.java:62)
	at org.wso2.carbon.tomcat.ext.valves.CarbonStuckThreadDetectionValve.invoke(CarbonStuckThreadDetectionValve.java:159)
	at org.apache.catalina.valves.AccessLogValve.invoke(AccessLogValve.java:950)
	at org.wso2.carbon.tomcat.ext.valves.CarbonContextCreatorValve.invoke(CarbonContextCreatorValve.java:57)
	at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:116)
	at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:421)
	at org.apache.coyote.http11.AbstractHttp11Processor.process(AbstractHttp11Processor.java:1074)
	at org.apache.coyote.AbstractProtocol$AbstractConnectionHandler.process(AbstractProtocol.java:611)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.doRun(NioEndpoint.java:1739)
	at org.apache.tomcat.util.net.NioEndpoint$SocketProcessor.run(NioEndpoint.java:1698)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1142)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:617)
	at org.apache.tomcat.util.threads.TaskThread$WrappingRunnable.run(TaskThread.java:61)
	at java.lang.Thread.run(Thread.java:745)

Affected Product Version:
IS 5.1.0

OS, DB, other environment details and versions:
N/A

Steps to reproduce:

1. Enable two-step authentication - 1st step with basic - 2nd step with TOTP/SMSOTP
2. Try to log-in to an application and use TOTP in the second step.
3. Enter wrong credentials.

Hi,
I believe some e-mail regexps' (at least in documentation) needs to be reviewed to allow new top-domains, more types of characters to the local-part of the email address. I also believe 30 max characters is a bit low?

https://docs.wso2.com/display/IS530/Using+Email+Address+as+the+Username
^[a-zA-Z0-9.-]+@[a-zA-Z0-9.-]+.[a-zA-Z]{2,4}$
a-zA-Z0-9@.-{3,30}$

Description:

Noticed that we trim the username when performing authentication in LDAP and AD Userstore Managers[1]. But we do not do trim the username in JDBCUserStoreManager[2]?

IMO we should have the similar behaviour for all the user stores, ie. either we trim the username in each of them or we don't trim in any of them?

On the other hand, I think we shouldn't trim the username at all since it leads to issue like[3], where the authentication was successful because of trimming the spaces silently but claims retrieval etc. fails due to the incorrect username with extra spaces.

[1] https://github.com/wso2/carbon-kernel/blob/4.4.x/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/ldap/ReadOnlyLDAPUserStoreManager.java#L357

[2] https://github.com/wso2/carbon-kernel/blob/f551d3530300a43ca1afc2a56d62be34f2d72320/core/org.wso2.carbon.user.core/src/main/java/org/wso2/carbon/user/core/jdbc/JDBCUserStoreManager.java#L1152-L1235

[3] https://wso2.org/jira/browse/IDENTITY-5864

Please make sure to document the RFC 7662 OAuth2 token introspection endpoint URL. See via the web console Identity Providers/Resident Identity Provider/Inbound Authentication Configuration/OAuth2/OpenID Connect Configuration the introspection endpoint URL is not shown, but it exists and works just fine (in 5.3.0):

Identity Provider Entity Id:    https://localhost:9443/oauth2/token
Authorization Endpoint URL: https://localhost:9443/oauth2/authorize
Token Endpoint URL: https://localhost:9443/oauth2/token
Token Revocation Endpoint URL:  https://localhost:9443/oauth2/revoke
User Info Endpoint URL: https://localhost:9443/oauth2/userinfo

Thanks!